{"628721":{"#nid":"628721","#data":{"type":"news","title":"Tech Responds to Student Data Disclosure","body":[{"value":"\u003Cp\u003E\u0026nbsp;\u003C\/p\u003E\r\n\r\n\u003Ch5\u003EAs part of its commitment to keeping campus informed, the following represents an overview of the developments and progress in the aftermath of Georgia Tech\u0026rsquo;s 2019 data disclosure.\u003Cbr \/\u003E\r\n\u0026nbsp;\u003C\/h5\u003E\r\n\r\n\u003Cp\u003E\u003Cstrong\u003EApr. 28, 2020, update: \u003C\/strong\u003EGeorgia Tech\u0026rsquo;s data security task force continues to make progress in improving the Institute\u0026rsquo;s data governance, policies, and practices. Under the leadership of Professor Raheem Beyah, the team has established the following controls organized into the three-pronged strategy: Know, Protect, and Govern:\u003C\/p\u003E\r\n\r\n\u003Ch6\u003EMandatory Training Campaign; Upcoming Policy and DLP Rules\u003C\/h6\u003E\r\n\r\n\u003Cul\u003E\r\n\t\u003Cli\u003EGeorgia Tech\u0026rsquo;s Data Management Security Fundamentals training campaign ended Monday, April 20. However, employees are still encouraged to complete the mandatory training by the end of this week in preparation for new and refined policy and data loss prevention (DLP) rules that were introduced Monday, April 27. Moving forward, this compliance training will be required on an annual basis for all employees.\u003C\/li\u003E\r\n\t\u003Cli\u003ENew DLP rules will restrict sharing protected data such as employee records, student information, financial data, and regulated research data via email and require employees to use Institute-supported file storage solutions such as OneDrive or Dropbox for sharing this type of information. 
Learn more about how to leverage these tools at \u003Ca href=\u0022http:\/\/b.gatech.edu\/protecteddatapractices\u0022\u003Eb.gatech.edu\/protecteddatapractices\u003C\/a\u003E.\u003C\/li\u003E\r\n\t\u003Cli\u003EThe new standards also establish safeguards that restrict removing data tags or manipulating files that contain data tags. These policy revisions standardize business practices across the Institute and lower the risk of accidental data exposure.\u003C\/li\u003E\r\n\u003C\/ul\u003E\r\n\r\n\u003Ch6\u003EEndpoint Management and Protection Compliance\u003C\/h6\u003E\r\n\r\n\u003Cul\u003E\r\n\t\u003Cli\u003ETo ensure the security of protected data, full adoption of endpoint management and protection solutions will be required for all Institute-owned devices by Nov. 1, 2020. To accommodate employees\u0026rsquo; transition to online instruction and remote work, the compliance deadline for securing laptops and any desktops that have been taken home from campus has been extended from May 15 to June 30.\u003C\/li\u003E\r\n\t\u003Cli\u003EEmployees are encouraged to work with their local IT professionals to ensure that the appropriate endpoint solution is installed on their devices by the June 30 deadline. Additional information about endpoint management and protection can be found at \u003Ca href=\u0022http:\/\/b.gatech.edu\/endpointcompliance\u0022\u003Eb.gatech.edu\/endpointcompliance\u003C\/a\u003E.\u003C\/li\u003E\r\n\u003C\/ul\u003E\r\n\r\n\u003Cp\u003EThe Office of Information Technology (OIT) will communicate additional details around these changes. Online training, tips, and information on how to use file storage and sharing solutions are available at \u003Ca href=\u0022http:\/\/b.gatech.edu\/protecteddatapractices\u0022\u003Eb.gatech.edu\/protecteddatapractices\u003C\/a\u003E.\u003C\/p\u003E\r\n\r\n\u003Cp\u003E_______________\u003C\/p\u003E\r\n\r\n\u003Cp\u003E\u003Cstrong\u003EMar. 
12, 2020, update:\u0026nbsp;\u003C\/strong\u003EProfessor Raheem Beyah\u0026#39;s cross-functional team has worked to establish more effective controls for managing Institute data for the long term. We are rolling these controls out now to also prevent the risk of data leakages in the event that teleworking and online instruction are required. As part of efforts to protect data, a series of actions will occur in the coming days:\u003C\/p\u003E\r\n\r\n\u003Cp\u003EMANDATORY TRAINING STARTING MONDAY, MARCH 16\u003C\/p\u003E\r\n\r\n\u003Cul\u003E\r\n\t\u003Cli\u003EAll employees are asked to complete data governance, data security, and Family Educational Rights and Privacy Act (FERPA) compliance training, which will be available from Monday, March 16, to Monday, April 13. The Office of Information Technology (OIT) will communicate training details.\u003C\/li\u003E\r\n\t\u003Cli\u003EMoving forward this compliance training will be required on an annual basis for all employees.\u003C\/li\u003E\r\n\u003C\/ul\u003E\r\n\r\n\u003Cp\u003ESTORING AND SHARING PROTECTED DATA\u003C\/p\u003E\r\n\r\n\u003Cul\u003E\r\n\t\u003Cli\u003EFollowing mandatory training, new safe data handling practices will go into effect. Sharing protected data such as employee records, student information, financial data, and regulated research data via email will be restricted. All employees will be required to use Institute-supported file storage solutions such as OneDrive or Dropbox for sharing this type of information. The new standards also establish safeguards that restrict removing data tags or manipulating files that contain data tags. These policy revisions standardize business practices across the Institute and lower the risk of accidental data exposure.\u003C\/li\u003E\r\n\t\u003Cli\u003ETo ensure the security of student data, full adoption of endpoint management and protection solutions will be required for all Institute-owned devices by the end of the year. 
Windows and Mac laptops will be first and must be in compliance by May 15.\u003C\/li\u003E\r\n\u003C\/ul\u003E\r\n\r\n\u003Cp\u003EDATA MINIMIZATION AND CLEANUP\u003C\/p\u003E\r\n\r\n\u003Cp\u003EData minimization refers to measures that limit the personal data collected and processed to include only information that is relevant or necessary to accomplish work. Current best practices include:\u003C\/p\u003E\r\n\r\n\u003Cul\u003E\r\n\t\u003Cli\u003EIf student data is needed to perform work, limit the data request to information that is necessary to complete the task. When attempting to email a group of students, for example, do not request or take ownership of a file that has demographic information.\u003C\/li\u003E\r\n\t\u003Cli\u003ERegularly review files stored on the computer as well as on file storage services such as network file shares and cloud-based file sync and storage. Reviews should look for old files that are no longer necessary and can be deleted as well as files that must be retained but contain sensitive personal information that should be encrypted or deleted. Reviews should occur every six to 12 months.\u003C\/li\u003E\r\n\t\u003Cli\u003EAs part of the Enterprise Data Governance effort, further details regarding data retention and cleanup will be forthcoming. Additional resources and FAQs regarding data security activities are available at \u003Ca href=\u0022http:\/\/b.gatech.edu\/datasecurity\u0022\u003Eb.gatech.edu\/datasecurity\u003C\/a\u003E.\u003C\/li\u003E\r\n\u003C\/ul\u003E\r\n\r\n\u003Cp\u003E_______________\u003C\/p\u003E\r\n\r\n\u003Cp\u003E\u003Cstrong\u003EMar. 
11, 2020, update\u0026mdash;\u003C\/strong\u003EDidier Contis, director of Technology Services for the College of Engineering (CoE), has been \u003Ca href=\u0022https:\/\/www.news.gatech.edu\/2020\/03\/11\/didier-contis-tapped-lead-institutes-data-strategy-efforts\u0022\u003Enamed interim associate vice president for Data Strategy and Analytics\u003C\/a\u003E, effective March 1. He will be reporting to Raheem Beyah in his temporary role that reports to the president. Contis\u0026rsquo; position provides vision and strategic leadership for all data management activities and is responsible for global data management, utilization, security, governance, and privacy across the Institute.\u003C\/p\u003E\r\n\r\n\u003Cp\u003E_______________\u003C\/p\u003E\r\n\r\n\u003Cp\u003E\u003Cstrong\u003EDec. 20, 2019, update:\u003C\/strong\u003E\u003C\/p\u003E\r\n\r\n\u003Cp\u003E\u003Cem\u003EThe following message was sent to all Georgia Tech staff from the Office of Information Technology:\u003C\/em\u003E\u003C\/p\u003E\r\n\r\n\u003Cp\u003EAs part of Georgia Tech\u0026rsquo;s continued enterprise data loss prevention (DLP) efforts, the Office of Information Technology is deploying a new DLP rule, effective today, that will further reduce the risk of accidental data exposure.\u003C\/p\u003E\r\n\r\n\u003Cp\u003EThis new rule is focused on detecting attachments that may contain student data and are sent to mailing lists. This rule is using newly introduced document labeling mechanisms for sensitive FERPA information.\u003C\/p\u003E\r\n\r\n\u003Cp\u003EUsers who attempt to email files with any of this data type will receive a bounce back which will prevent them from sharing. 
If this is a valid business case, users can still allow the message to be sent by resending with \u0026quot;[Allow Send]\u0026quot; in the subject line.\u003C\/p\u003E\r\n\r\n\u003Cp\u003EThe ultimate goal of the DLP program is to manage vulnerabilities, reduce risk, and prevent the transmission and unauthorized access of any data protected under regulations such as FERPA, HIPAA, and PCI DSS. A list of Frequently Asked Questions (FAQs) is provided below. Additional FAQs and support information are also available at:\u0026nbsp;\u003Ca href=\u0022https:\/\/faq.oit.gatech.edu\/dlp\u0022 title=\u0022https:\/\/faq.oit.gatech.edu\/dlp\u0022\u003Ehttps:\/\/faq.oit.gatech.edu\/dlp\u003C\/a\u003E.\u003C\/p\u003E\r\n\r\n\u003Cp\u003EQuestions and comments can be directed to \u003Ca href=\u0022mailto:datagovernance@gatech.edu\u0022\u003Edatagovernance@gatech.edu\u003C\/a\u003E.\u003C\/p\u003E\r\n\r\n\u003Cp\u003E_______________\u003C\/p\u003E\r\n\r\n\u003Cp\u003E\u003Cstrong\u003EDec. 11, 2019, update:\u0026nbsp;\u003C\/strong\u003E Georgia Tech continues to make progress in improving the Institute\u0026rsquo;s data governance policies and practices.\u003C\/p\u003E\r\n\r\n\u003Cp\u003EUnder the leadership of Professor Raheem Beyah, the effort has been organized around a three-pronged strategy: Know, Protect, and Govern. Planned activities under this strategy will occur over the next few months.\u003C\/p\u003E\r\n\r\n\u003Cp\u003E\u003Cem\u003EKnow:\u003C\/em\u003E\u003C\/p\u003E\r\n\r\n\u003Cp\u003EA cross-functional team continues an in-depth audit of Georgia Tech systems housing sensitive data, prioritizing student data. 
Further consultations will focus on documenting data-related business processes and associated workflows.\u003C\/p\u003E\r\n\r\n\u003Cp\u003E\u003Cem\u003EProtect:\u003C\/em\u003E\u003C\/p\u003E\r\n\r\n\u003Cp\u003E\u003Ca href=\u0022https:\/\/faq.oit.gatech.edu\/content\/dlp-data-loss-prevention\u0022\u003EData Loss Prevention (DLP) protections\u003C\/a\u003E have been enabled, providing some protections for sensitive information within the Office365 email environment. The cross-functional DLP team will keep monitoring and improving this initial implementation as well as beginning to focus on the deployment of an Enterprise Data Loss prevention program encompassing the Institute\u0026rsquo;s entire data and IT environment.\u003C\/p\u003E\r\n\r\n\u003Cp\u003E\u003Cem\u003EGovern:\u003C\/em\u003E\u003C\/p\u003E\r\n\r\n\u003Cp\u003EThe Institute will continue to implement a comprehensive \u003Ca href=\u0022https:\/\/edm.gatech.edu\/data-governance\/overview\u0022\u003EEnterprise Data Governance\u003C\/a\u003E program ensuring compliance with Institute and USG policies as well as implementing improvements to the data environment. To accelerate this process, the Institute has selected and will soon engage with outside expertise. Student data will be the initial focus of this engagement.\u003C\/p\u003E\r\n\r\n\u003Cp\u003EThe Enterprise Data Governance program rollout will include resources dedicated to partnering with the campus community to transition to new data management practices.\u0026nbsp;\u003C\/p\u003E\r\n\r\n\u003Cp\u003EQuestions and comments can be directed to \u003Ca href=\u0022mailto:datagovernance@gatech.edu\u0022\u003Edatagovernance@gatech.edu\u003C\/a\u003E.\u003C\/p\u003E\r\n\r\n\u003Cp\u003E_______________\u003C\/p\u003E\r\n\r\n\u003Cp\u003E\u003Cstrong\u003ENov. 22, 2019, update:\u003C\/strong\u003E Professor Raheem Beyah briefed President \u0026Aacute;ngel Cabrera and his cabinet on Tuesday, Nov. 
19, regarding the progress of Georgia Tech\u0026rsquo;s response to the recent inadvertent data disclosure. During his presentation, Beyah outlined a three-pronged strategy: Know, Protect, and Govern.\u003C\/p\u003E\r\n\r\n\u003Cp\u003EIn support of this strategy, the following has been put in place:\u003C\/p\u003E\r\n\r\n\u003Cp\u003E\u003Cem\u003EKnow Georgia Tech data:\u003C\/em\u003E\u003C\/p\u003E\r\n\r\n\u003Cul\u003E\r\n\t\u003Cli\u003EFollowing an initial review of the complex Georgia Tech data ecosystem, further consultations with campus data constituents continue. The focus is on how sensitive student data are being used and documenting associated business processes.\u003C\/li\u003E\r\n\t\u003Cli\u003EA cross-functional team, composed of members of the Office of Information Technology (OIT) and Enterprise Data Management (EDM), with assistance from the Registrar\u0026rsquo;s office, will conduct an in-depth audit of Georgia Tech\u0026rsquo;s student data reporting systems. The audit has begun and will continue for several weeks.\u003C\/li\u003E\r\n\u003C\/ul\u003E\r\n\r\n\u003Cp\u003E\u003Cem\u003EProtect Georgia Tech data:\u003C\/em\u003E\u003C\/p\u003E\r\n\r\n\u003Cul\u003E\r\n\t\u003Cli\u003EA team from Cyber Security, OIT, and EDM are conducting a security risk assessment of the Office of Diversity, Equity, and Inclusion.\u003C\/li\u003E\r\n\t\u003Cli\u003EThe cross-functional Data Loss Prevention (DLP) team has consulted with vendors and local experts. The team completed an initial assessment of DLP technologies within Office365. Based on the results, an initial set of DLP rules will be enabled on Monday, Nov. 25. DLP rules will identify specific types of sensitive data. This is a first step toward building an enterprise data loss prevention program. An upcoming communication from OIT will provide details on the additional changes to email services. 
The team is also creating documentation and support processes.\u003C\/li\u003E\r\n\u003C\/ul\u003E\r\n\r\n\u003Cp\u003E\u003Cem\u003EGovern Georgia Tech data:\u003C\/em\u003E\u003C\/p\u003E\r\n\r\n\u003Cul\u003E\r\n\t\u003Cli\u003EGeorgia Tech continues to receive proposals from outside experts for assistance in accelerating data governance. Proposals are now under review. It is anticipated that a vendor selection process will be completed in the coming weeks, with targeted engagement kickoff in early December 2019.\u003C\/li\u003E\r\n\u003C\/ul\u003E\r\n\r\n\u003Cp\u003EQuestions and comments can be directed to \u003Ca href=\u0022mailto:datagovernance@gatech.edu\u0022\u003Edatagovernance@gatech.edu\u003C\/a\u003E.\u003C\/p\u003E\r\n\r\n\u003Cp\u003E_______________\u003C\/p\u003E\r\n\r\n\u003Cp\u003E\u003Cstrong\u003ENov. 15, 2019, update:\u0026nbsp;\u003C\/strong\u003E An inadvertent disclosure originated within the Office of Diversity, Equity, and Inclusion (DEI). In response, immediate actions have included:\u003C\/p\u003E\r\n\r\n\u003Cul\u003E\r\n\t\u003Cli\u003EEnacting new short-term restrictions on mass communications in DEI.\u003C\/li\u003E\r\n\t\u003Cli\u003EInitiating a security risk assessment for DEI beginning Nov. 
18.\u003C\/li\u003E\r\n\t\u003Cli\u003ETraining DEI staff on data security and FERPA.\u003C\/li\u003E\r\n\u003C\/ul\u003E\r\n\r\n\u003Cp\u003ELooking more broadly at campus policies and practices concerning the use and sharing of sensitive data, the small group led by Professor Raheem Beyah has:\u003C\/p\u003E\r\n\r\n\u003Cul\u003E\r\n\t\u003Cli\u003EDistributed \u003Ca href=\u0022https:\/\/news.gatech.edu\/sites\/default\/files\/preliminary_data_guidance_for_campus.pdf\u0022\u003Enew guidance on data stewardship and separation of duties\u003C\/a\u003E to campus leadership;\u003C\/li\u003E\r\n\t\u003Cli\u003EReceived a proposal from the \u003Ca href=\u0022https:\/\/edm.gatech.edu\/home\u0022\u003EEnterprise Data Management \u003C\/a\u003Eteam for short-term data governance actions;\u003C\/li\u003E\r\n\t\u003Cli\u003EStarted consultation with campus data constituents at large, including data stewards, end users, and application owners, to identify areas for risk reduction; and\u003C\/li\u003E\r\n\t\u003Cli\u003EContinued to receive proposals from outside experts for assistance in accelerating data governance.\u003C\/li\u003E\r\n\u003C\/ul\u003E\r\n\r\n\u003Cp\u003EIn addition, a cross-functional project team that includes leadership in the Office of Information Technology; Jimmy Lummis, chief information security officer; Didier Contis, director of Technology Services in the College of Engineering; and SGA Vice President of Information Technology Sidartha Rakuram has been formed to assess short-, medium-, and long-term risk reduction and improve protections for data loss prevention (DLP). Its first action items, such as initiating DLP technologies within Office365, will be completed Friday, Nov. 15. The project team is consulting with local experts and colleagues at other University System of Georgia institutions on DLP guidance and rapid implementation. 
A long-term DLP strategy with more effective controls will require a new institutional approach to identifying and monitoring sensitive data and classifications at their source.\u003C\/p\u003E\r\n\r\n\u003Cp\u003EQuestions and comments can be directed to \u003Ca href=\u0022mailto:datagovernance@gatech.edu\u0022\u003Edatagovernance@gatech.edu\u003C\/a\u003E.\u003C\/p\u003E\r\n\r\n\u003Cp\u003E_______________\u003C\/p\u003E\r\n\r\n\u003Cp\u003E\u003Cstrong\u003ENov. 12, 2019, update:\u003C\/strong\u003E The small group led by Professor Raheem Beyah to review campus policies and practices concerning the use and sharing of sensitive data has released a \u003Ca href=\u0022http:\/\/news.gatech.edu\/sites\/default\/files\/preliminary_data_guidance_for_campus.pdf\u0022\u003Epreliminary recommendation\u003C\/a\u003E as a first step toward reducing the risk of accidental exposure. The guideline recommends that the individual with permission to generate datasets containing sensitive data\u0026nbsp;should be separate from the individual who communicates with large constituencies.\u003C\/p\u003E\r\n\r\n\u003Cp\u003EAll users with access to sensitive databases are expected to comply with Institute policy, including the Data Access Policy:\u0026nbsp;\u003Ca href=\u0022http:\/\/policylibrary.gatech.edu\/information-technology\/data-access\u0022\u003Ehttp:\/\/policylibrary.gatech.edu\/information-technology\/data-access\u003C\/a\u003E.\u003C\/p\u003E\r\n\r\n\u003Cp\u003EQuestions and comments can be directed to \u003Ca href=\u0022mailto:datagovernance@gatech.edu\u0022\u003Edatagovernance@gatech.edu\u003C\/a\u003E.\u003C\/p\u003E\r\n\r\n\u003Cp\u003E_______________\u003C\/p\u003E\r\n\r\n\u003Cp\u003E\u003Cstrong\u003ENov. 
8, 2019, update: \u003C\/strong\u003EPresident \u0026Aacute;ngel Cabrera sent a message to campus earlier today announcing Electrical and Computer Engineering \u003Ca href=\u0022http:\/\/rbeyah.ece.gatech.edu\u0022\u003EProfessor Raheem Beyah\u003C\/a\u003E will lead a review to address \u0026quot;existing vulnerabilities in data access across the Institute and implement whatever changes are necessary to deal with the most critical of them.\u0026quot;\u0026nbsp;\u003C\/p\u003E\r\n\r\n\u003Cp\u003EProfessor Beyah, who is also vice president of Interdisciplinary Research for Georgia Tech,\u0026nbsp;will coordinate the work of the Office of Information Technology (OIT) and other administrative and academic units and will engage internal and external consultants as needed.\u0026nbsp;Didier Contis, director of Technology Services for the College of Engineering, will assist Beyah in leading the review.\u003C\/p\u003E\r\n\r\n\u003Cp\u003E_______________\u003C\/p\u003E\r\n\r\n\u003Cp\u003E\u003Cstrong\u003ENov. 7, 2019: \u003C\/strong\u003EGeorgia Tech is taking steps to correct its internal policies and protocols following an inadvertent disclosure of protected student information.\u003C\/p\u003E\r\n\r\n\u003Cp\u003EYesterday, a Georgia Tech staff member sent an email to approximately 1,100 students that erroneously included a file attachment with student names, ethnicity, Georgia Tech ID numbers, Georgia Tech e-mail addresses, and GPAs. The file did not include social security numbers or birthdates.\u003C\/p\u003E\r\n\r\n\u003Cp\u003ESince being notified of the incident, the Office of Information Technology has worked to recall as many of the emails as possible. Students affected by this mistake were notified last evening.\u003C\/p\u003E\r\n\r\n\u003Cp\u003EAn emergency response team has been convened. 
The team will work to implement immediate corrective action and enact comprehensive changes to Georgia Tech\u0026rsquo;s data governance enterprise.\u003C\/p\u003E\r\n\r\n\u003Cp\u003EInstitute leadership will provide further details in the coming days to keep the campus informed on how it plans to prevent future disclosures.\u003C\/p\u003E\r\n","summary":null,"format":"limited_html"}],"field_subtitle":"","field_summary":[{"value":"\u003Cp\u003EGeorgia Tech is taking steps to correct its internal policies and protocols following an inadvertent disclosure of protected student information.\u003C\/p\u003E\r\n","format":"limited_html"}],"field_summary_sentence":[{"value":"Georgia Tech is taking steps to correct its internal policies and protocols following an inadvertent disclosure of protected student information."}],"uid":"27299","created_gmt":"2019-11-07 16:09:20","changed_gmt":"2020-04-28 13:29:25","author":"Michael Hagearty","boilerplate_text":"","field_publication":"","field_article_url":"","dateline":{"date":"2020-04-28T00:00:00-04:00","iso_date":"2020-04-28T00:00:00-04:00","tz":"America\/New_York"},"extras":[],"hg_media":{"625904":{"id":"625904","type":"image","title":"Tech Tower","body":null,"created":"1568119621","gmt_created":"2019-09-10 12:47:01","changed":"1568119621","gmt_changed":"2019-09-10 12:47:01","alt":"photograph of Tech Tower","file":{"fid":"238292","name":"original.jpg","image_path":"\/sites\/default\/files\/images\/original_8.jpg","image_full_path":"http:\/\/hg.gatech.edu\/\/sites\/default\/files\/images\/original_8.jpg","mime":"image\/jpeg","size":859076,"path_740":"http:\/\/hg.gatech.edu\/sites\/default\/files\/styles\/740xx_scale\/public\/images\/original_8.jpg?itok=_22eBAH8"}}},"media_ids":["625904"],"related_links":[{"url":"https:\/\/security.gatech.edu\/","title":"Georgia Tech Cyber Security"}],"groups":[{"id":"1317","name":"News Briefs"}],"categories":[{"id":"129","name":"Institute and 
Campus"}],"keywords":[],"core_research_areas":[],"news_room_topics":[{"id":"71871","name":"Campus and Community"}],"event_categories":[],"invited_audience":[],"affiliations":[],"classification":[],"areas_of_expertise":[],"news_and_recent_appearances":[],"phone":[],"contact":[{"value":"\u003Cp\u003E\u003Ca href=\u0022mailto:denise.ward@comm.gatech.edu\u0022\u003EDenise Ward\u003C\/a\u003E\u003Cbr \/\u003E\r\nInstitute Communications\u003C\/p\u003E\r\n","format":"limited_html"}],"email":[],"slides":[],"orientation":[],"userdata":""}}}