Tech Responds to Student Data Disclosure

Contact

Denise Ward
Institute Communications

Summaries

Summary Sentence:

Georgia Tech is taking steps to correct its internal policies and protocols following an inadvertent disclosure of protected student information.



As part of its commitment to keeping campus informed, the following represents an overview of the developments and progress in the aftermath of Georgia Tech’s recent data disclosure.
 

Dec. 11, 2019, update:  Georgia Tech continues to make progress in improving the Institute’s data governance policies and practices.

Under the leadership of Professor Raheem Beyah, the effort has been organized around a three-pronged strategy: Know, Protect, and Govern. Planned activities under this strategy will occur over the next few months.

Know:

A cross-functional team continues an in-depth audit of Georgia Tech systems housing sensitive data, prioritizing student data. Further consultations will focus on documenting data-related business processes and associated workflows.

Protect:

Data Loss Prevention (DLP) protections have been enabled, providing some protections for sensitive information within the Office365 email environment. The cross-functional DLP team will keep monitoring and improving this initial implementation and will begin to focus on deploying an Enterprise Data Loss Prevention program encompassing the Institute’s entire data and IT environment.

Govern:

The Institute will continue to implement a comprehensive Enterprise Data Governance program ensuring compliance with Institute and USG policies as well as implementing improvements to the data environment. To accelerate this process, the Institute has selected and will soon engage with outside expertise. Student data will be the initial focus of this engagement.

The Enterprise Data Governance program rollout will include resources dedicated to partnering with the campus community to transition to new data management practices. 

Questions and comments can be directed to datagovernance@gatech.edu.

_______________

Nov. 22, 2019, update: Professor Raheem Beyah briefed President Ángel Cabrera and his cabinet on Tuesday, Nov. 19, regarding the progress of Georgia Tech’s response to the recent inadvertent data disclosure. During his presentation, Beyah outlined a three-pronged strategy: Know, Protect, and Govern.

In support of this strategy, the following has been put in place:

Know Georgia Tech data:

  • Following an initial review of the complex Georgia Tech data ecosystem, further consultations with campus data constituents continue. The focus is on how sensitive student data are being used and documenting associated business processes.
  • A cross-functional team, composed of members of the Office of Information Technology (OIT) and Enterprise Data Management (EDM), with assistance from the Registrar’s office, will conduct an in-depth audit of Georgia Tech’s student data reporting systems. The audit has begun and will continue for several weeks.

Protect Georgia Tech data:

  • A team from Cyber Security, OIT, and EDM is conducting a security risk assessment of the Office of Diversity, Equity, and Inclusion.
  • The cross-functional Data Loss Prevention (DLP) team has consulted with vendors and local experts. The team completed an initial assessment of DLP technologies within Office365. Based on the results, an initial set of DLP rules will be enabled on Monday, Nov. 25. DLP rules will identify specific types of sensitive data. This is a first step toward building an enterprise data loss prevention program. An upcoming communication from OIT will provide details on the additional changes to email services. The team is also creating documentation and support processes.

Govern Georgia Tech data:

  • Georgia Tech continues to receive proposals from outside experts for assistance in accelerating data governance. Proposals are now under review. It is anticipated that a vendor selection process will be completed in the coming weeks, with targeted engagement kickoff in early December 2019.

Questions and comments can be directed to datagovernance@gatech.edu.

_______________

Nov. 15, 2019, update:  An inadvertent disclosure originated within the Office of Diversity, Equity, and Inclusion (DEI). In response, immediate actions have included:

  • Enacting new short-term restrictions on mass communications in DEI.
  • Initiating a security risk assessment for DEI beginning Nov. 18.
  • Training DEI staff on data security and FERPA.

Looking more broadly at campus policies and practices concerning the use and sharing of sensitive data, the small group led by Professor Raheem Beyah has:

  • Distributed new guidance on data stewardship and separation of duties to campus leadership;
  • Received a proposal from the Enterprise Data Management team for short-term data governance actions;
  • Started consultation with campus data constituents at large, including data stewards, end users, and application owners, to identify areas for risk reduction; and
  • Continued to receive proposals from outside experts for assistance in accelerating data governance.

In addition, a cross-functional project team that includes leadership in the Office of Information Technology; Jimmy Lummis, chief information security officer; Didier Contis, director of Technology Services in the College of Engineering; and SGA Vice President of Information Technology Sidartha Rakuram has been formed to assess short-, medium-, and long-term risk reduction and improve protections for data loss prevention (DLP). Its first action items, such as initiating DLP technologies within Office365, will be completed Friday, Nov. 15. The project team is consulting with local experts and colleagues at other University System of Georgia institutions on DLP guidance and rapid implementation. A long-term DLP strategy with more effective controls will require a new institutional approach to identifying and monitoring sensitive data and classifications at their source.

Questions and comments can be directed to datagovernance@gatech.edu.

_______________

Nov. 12, 2019, update: The small group led by Professor Raheem Beyah to review campus policies and practices concerning the use and sharing of sensitive data has released a preliminary recommendation as a first step toward reducing the risk of accidental exposure. The guideline recommends that the individual with permission to generate datasets containing sensitive data should be separate from the individual who communicates with large constituencies.

All users with access to sensitive databases are expected to comply with Institute policy, including the Data Access Policy: http://policylibrary.gatech.edu/information-technology/data-access.

Questions and comments can be directed to datagovernance@gatech.edu.

_______________

Nov. 8, 2019, update: President Ángel Cabrera sent a message to campus earlier today announcing Electrical and Computer Engineering Professor Raheem Beyah will lead a review to address "existing vulnerabilities in data access across the Institute and implement whatever changes are necessary to deal with the most critical of them." 

Professor Beyah, who is also vice president of Interdisciplinary Research for Georgia Tech, will coordinate the work of the Office of Information Technology (OIT) and other administrative and academic units and will engage internal and external consultants as needed. Didier Contis, director of Technology Services for the College of Engineering, will assist Beyah in leading the review.

_______________

Nov. 7, 2019: Georgia Tech is taking steps to correct its internal policies and protocols following an inadvertent disclosure of protected student information.

Yesterday, a Georgia Tech staff member sent an email to approximately 1,100 students that erroneously included a file attachment with student names, ethnicity, Georgia Tech ID numbers, Georgia Tech e-mail addresses, and GPAs. The file did not include social security numbers or birthdates.

Since being notified of the incident, the Office of Information Technology has worked to recall as many of the emails as possible. Students affected by this mistake were notified last evening.

An emergency response team has been convened. The team will work to implement immediate corrective action and enact comprehensive changes to Georgia Tech’s data governance enterprise.

Institute leadership will provide further details in the coming days to keep the campus informed on how it plans to prevent future disclosures.

Status
  • Created By: Michael Hagearty
  • Workflow Status: Published
  • Created On: Nov 7, 2019 - 11:09am
  • Last Updated: Dec 11, 2019 - 2:58pm