TAG Meeting Notes 2013-11-06

11 11 2013

TAG Meeting November 6, 2013 2:00pm-2:50pm

Attendees:
Paul Cutrufello, Kim Daniloski, Dave Dzurec, Jim Franceschelli, Eugeniu Grigorescu, Andrew LaZella, Kristen Yarmey

1. Brief Reports

Desire2Learn (Eugeniu)

Eugeniu (CTLE) and Connie Wisdo (ITDA) sent an email to all-faculty detailing the schedule and plan for our LMS conversion from Angel to Desire2Learn.  CIO Jerry DeSanto would be joining Eugeniu and Connie for a presentation to Faculty Senate scheduled for November 8. CTLE will host Desire2Learn showcases for faculty on Monday, November 11 (3:00 – 4:00pm) and November 12 (4:00 – 5:00pm) in Brennan 228.  CTLE has also scheduled several Desire2Learn training workshops for faculty.

Identity Finder (Kristen)

Adam Edwards (Information Security) and Joe Dreisbach went to a recent IRB meeting to discuss options for encrypting research data to better ensure subject confidentiality. Adam proposed two tools (TrueCrypt and Identity Finder’s built-in Audit Vault) as options, though if possible he would like to settle on one as a campus standard. Adam asked Bryan Burnham to try both tools and report back with any issues or concerns. [Update 2014-07-03: Support for TrueCrypt has been discontinued, so Information Security now recommends using 7Zip for encrypting sensitive or confidential data.]

TAG members have been piloting automated Identity Finder scans, which are running each Friday at noon. No TAG members had experienced any performance issues. However, Kristen is concerned that the scans are essentially invisible to the user – that is, there is neither notification prior to the scan beginning nor confirmation with report results at the conclusion of the scan. She would like users to be able to see a log of the scans and results from their computers (even if only on an opt-in basis). Adam is looking into this. Ordinarily, users do not know their scan results – Adam meets one-on-one with users, based on how high the risk is (e.g., large number of hits for PII – personally identifiable information – especially if stored in unsecured folders or applications like Dropbox = higher risk).

Adam has offered to give a demonstration of Identity Finder so that faculty can better understand what Information Security sees in the reports and how they work. TAG members present decided to ask for a small TAG demo first, after which we will determine whether or not a demonstration should be given to the full Faculty Senate. Kristen will contact Adam to schedule a TAG demo in December.

2. Items for Discussion

Budget Priorities – Specialized Software and Labs

At our October meeting, we talked about gathering faculty feedback relating to specialized software and computer labs, to better prepare for future discussions about budgeting priorities. We decided in October to compose a survey for faculty members. We spent much of the November meeting working on a draft of the survey, which will ideally be disseminated to all faculty on or around November 13 (such that results can be shared with Information Resources by early December). Kristen will send the revised survey draft to all TAG members for further comment and review.

Jeremy Brees (in absentia) had suggested that TAG give the academic deans a heads-up about the survey, since it may prompt questions from faculty. Jeremy, Paul, Dave, and Kristen will talk to their respective deans prior to the survey being sent out.

Adjournment

The meeting adjourned at 3:00pm. This was our final scheduled meeting for Fall 2013. Kristen and Dave will coordinate scheduling for Spring 2014 meetings.





Identity Finder and confidential data

14 04 2013

At our last TAG meeting, IT Services Director Jim Franceschelli and Information Security Director Adam Edwards invited faculty feedback on their Identity Finder Proposal on Automated Scans. For those just joining us, Identity Finder software scans your (Windows) computer for sensitive, unsecured Personally Identifiable Information (PII). The Information Security Office and IT Client Services are jointly proposing implementation of weekly, automated, required Identity Finder scans (see the proposal for details). During the meeting, TAG members shared some concerns about scheduling and performance effects. After the meeting, we received additional concerns from Bryan Burnham (Psychology), a member of the Institutional Review Board, that Identity Finder scans of machines storing human research subject data or client files (from a counseling practice, for example) would breach subject confidentiality. Concerns are paraphrased here:

There are privacy issues related to data collected on human research subjects that must be considered before automated Identity Finder scans of machines can occur. Specifically, we (IRBs, DRBs, PIs – primary investigators) ensure complete and total privacy of our human research subjects’ data, especially sensitive information (names, emails, Royal IDs, social security numbers), some of which is undoubtedly stored on computer hard drives. [The same is true for client files maintained by counselors or clinicians.]

“Subject confidentiality” means that knowledge of a person’s participation in a research study is between the human subject and only the PI. That is, a subject is guaranteed by the PI that knowledge of their participation as well as their personal and sensitive data will not be open or available to any third party – meaning anyone not associated with the research project. The automated Identity Finder scans would, in effect, view confidential human research subject data and client information that, by definition, cannot be viewed by others.

It should be noted that the Identity Finder reports that the Information Security office receives are redacted, showing a masked version of a potentially problematic file and the location where it was found, and are only accessible to the Information Security Director (Adam) and the Information Security Engineer (Scott Finlon). However, Bryan noted that the scan itself is the issue: third parties (including other University divisions/employees and University-owned software) are not allowed to access or see confidential subject information.

Bryan, Jeremy, Kristen, Adam, and Scott got together on Friday to get a better understanding of this issue and what options there might be for general campus implementation of automated Identity Finder scans without violating subject confidentiality.

We discussed a few options that IR and TAG could consider for Identity Finder, each with varying advantages/disadvantages. A significant complication, however, is that at this point we don’t know how many researchers on campus have this kind of data, where it’s stored (faculty, staff, student, and/or lab machines? cloud storage?), and whether it’s encrypted or otherwise protected against security breaches (malicious or inadvertent). Bryan stressed that researchers are responsible for their own data and for ensuring subject confidentiality, and neither the IRB nor the University can impose or require specific data management practices, at least under current IRB policies.

Scott noted that the Identity Finder question is only the top layer of broader issues of privacy, security, and digital records management on campus, and that research data stored on a researcher’s hard drive or in cloud storage could be vulnerable to external attack. Both Adam and Scott mentioned that Identity Finder, used appropriately, could help researchers protect subject confidentiality by locating vulnerable information and prompting the researcher to take further steps towards securing it. We agreed, though, that educating researchers about data security and encouraging more secure data management practices (encryption, password protection, etc) will be a longer, more involved, and more inclusive conversation – but a conversation that needs to happen nonetheless.

Next steps: Bryan will bring this discussion to the IRB at their April 16th meeting for additional input and will share any relevant guidelines from grant agencies (e.g., Department of Health & Human Services), and his and others’ own digital data management practices. Adam and Scott will reach out to Identity Finder and other university security offices re: how others have handled this issue. They are willing to continue discussing accommodations for researchers storing sensitive data, if we can find all of them or somehow get them to self-identify. TAG might be able to help survey the faculty on this question (yes/no/unsure) – multiple outlets should be used to try to catch everyone’s attention. The IRB, ORSP, and TAG may want to coordinate a faculty forum on this topic.

We’re still early on in this discussion, so please contact TAG if you have any insight, concerns, or questions that we might not have considered yet.