Client’s challenge
When a major security breach at a leading US university compromised personal information, the university did what it was required to by law: it notified the parties affected—students, parents and alumni donors alike. It also did something else. At the highest levels of the university, it formally acknowledged the challenges in protecting privacy and enforcing security within the open and decentralized computing environment so critical to higher education’s mission.
It wasn’t just that the institution’s reputation was at stake—as potentially was its ability to sustain donor trust and contribution levels. Also on the line was the university’s ability to balance the educational, research and administrative services it offered with appropriate safeguards—in a culture of laptops and wireless access, a culture of intense data collection and use. Seeking a better understanding about how to protect data flows across its applications and networks—and in a remarkably open and public manner—the university’s cabinet and its CFO and CIO turned to PwC for answers.
PricewaterhouseCoopers Advisory solution
PricewaterhouseCoopers (PwC) Advisory focused its review on the information practices and policies that pertained to personally identifiable information—particularly that of alumni, faculty, students, donors, employees and research subjects. Using a PwC assessment methodology that examines the information lifecycle, the PwC team conducted interviews, document reviews and data protection analyses to determine how data was collected, used, shared and retained. Working with the university’s IT team, PwC Advisory tracked how personal information traveled through university and third-party vendor applications—looking carefully at where data passed between users, applications and databases, when encryption was employed, and where policies were in place to protect data in storage or transit.
PwC also examined application and system security, assessed access-related policies and practices, provided input to the encryption analysis and technology selection process and conducted tests of information security and privacy control effectiveness. Using PwC Advisory’s framework for strategic security planning, SecurityATLAS™, the team also helped the university establish a regulatory baseline to help manage its complex and overlapping compliance requirements related to regulations such as the Family Educational Rights and Privacy Act, the Health Insurance Portability and Accountability Act (HIPAA), the Gramm-Leach-Bliley Act and state-specific regulations governing research practices.
Impact on client’s business
As a result of this work, the university gained a better understanding of where and how its policies, practices and technical infrastructure placed personal information at risk. The analysis and documentation of critical data flows gave the university the ability to mitigate future incidents not just by writing new security policies but also by rethinking data collection activities, turning off data flows, re-routing traffic or focusing new processes and technologies on high-risk areas.
The university is now developing a two-year roadmap to strengthen campus-wide data governance and provide targeted security training and resources to the university’s IT team. Collectively, these steps have helped the university recover from the initial security breach, take important steps to protect its reputation, and place itself at the forefront of protecting privacy and security in a campus environment as a model for other universities to follow.