Managing risk to the University's information

This section is intended for all individuals who have access to University information to describe how the University determines the sensitivity of information, and how that determination should affect our handling of the information we use.

Information everywhere is at risk

Over the past few years, many commercial organizations and academic institutions have had sensitive information captured by individuals who can use this information for financial gain through identity theft, sale of institutional information and research, and many other malicious acts. 

According to the ID Theft Resource Center statistics collected between 2006 and 2011, nearly 600 educational institutions experienced a data breach that potentially exposed information that could be used for identity theft purposes affecting over 9,400,000 individuals.

Recent studies attribute as much as eighty percent of these data breaches not to the failure of technology systems but to human error. Often, such errors are the result of individuals who handle information not fully understanding the sensitivity of the information to which they have access, the legal requirements that apply to it, or the threats to it.

With the growing identity theft risk, governmental agencies at both the federal and local levels have enacted numerous pieces of privacy legislation describing the level of protection that is required of all organizations that process information that could be used for identity theft purposes.

The primary causes

Over 80% of organizations that experienced a data breach did so not because of technology inadequacy or failure, but because of human errors, such as...

  • Not following procedures for protecting logical keys (i.e., passwords) and physical keys,
  • Not knowing enough about the information (e.g., What pieces of information are sensitive? For what purposes may specific pieces of information be used? With whom may the information be shared? How must the information be protected?),
  • Not being aware of security risks and countermeasures,
  • Losing laptops and removable media, such as USB keys, CDs, DVDs, etc.

Our most important defense is awareness of the importance of our information, the threats to that information, and measures we can take to protect it.  That's what our information security policy is all about.

What makes securing information so complex?

The risks to information are similar to those of any tangible object (e.g., a car, jewelry). Primarily, the owner is concerned about the risks of theft and destruction. And, if the owner entrusts another individual with a tangible object or a piece of information, the owner must communicate how he or she expects it to be protected.

However, a number of factors make protecting information a far more complex task:

  • Information can be in many places at any given time: on a computer hard drive, travelling over a network, on a diskette, on a printed page, in someone's memory, etc.
  • Additional copies can be freely made.
  • Each copy of a piece of information carries the same value as the original.

This implies that there are many information "borrowers" who need to know what level of protection is necessary, lest a piece of critical information be compromised by an intruder who finds a weak link.

Information is only as secure as its least secure location. Thus, effective communication between individuals who "own" the information and those who handle it is essential.

Securing information begins with knowing who "owns" it

When considering ways to reduce risk for a tangible object, such as an automobile, the person making decisions on how to protect the automobile would probably be the automobile's "owner" - the person who holds title to the automobile. But who is responsible for making such calls when we are attempting to reduce risk for a piece of information? Unfortunately, it is not uncommon for individuals in an organization to assume that "someone" is making these decisions. But often, that "someone" is "no one" or is an individual who does not have the appropriate knowledge or authority to make risk management decisions. It is in those environments where information is most at risk.

The most appropriate "owners" are those individuals who best understand the information's value and threats, and have the authority to balance risk against cost. Usually, the owners of specific pieces of information are the managers of the areas that are most associated with the information, e.g., the Vice President of Human Resources would "own" University personnel information, the Dean of Undergraduate Students would "own" undergraduate student information, an Academic Department Chair would "own" information associated with a specific academic department, and so on.  At Princeton University, we refer to these owners as "Information Guardians."

Clearly, it would be unreasonable to expect the heads of University departments to personally perform the task of assessing the security-related needs of each piece of information owned by their departments. For this reason, it is far more common for each Information Guardian to designate appropriate individuals on staff to make security-related assessments for specific subsets of the department's information. However, regardless of the number of designates assigned, it is critical that the Information Guardian be aware of and support the decisions made by these designated individuals, especially in cases where certain pieces of information are protected by legislation.

Owners or "Guardians" decide the level of security needed

Each "owner" or Information Guardian, as it is referred to in the University's Information Security Policy, is responsible for assessing to what extent each piece of information that he or she "owns" must be protected. 

When deciding how to protect a tangible object, such as a car, jewelry, collectables, etc., against theft or destruction, we would probably assess the value of the object and risk that such a loss would occur. When assessing risk, we would consider the likelihood that someone would attempt to steal or destroy the object, and the opportunity that an individual might have to complete the task.  Then, we would most likely attempt to come up with a cost-effective way to protect the object and ourselves.

What if an individual borrows a tangible object? The owner of the object would normally expect the object to be protected in a satisfactory manner. For example, the owner of a $30,000 car would certainly be entitled to expect that an individual borrowing the car would engage the anti-theft device. How does the borrower know what is expected? Communication with the owner.

With information, things are a little more complicated in that information can be "borrowed" by many people all at the same time.  Thus, communication is even more critical between the owner and the "borrower."  The situation is even more complex in that there are an enormous number of pieces of information we collect.  With this in mind, our policy defines simple ways that information can be categorized and its sensitivity conveyed to anyone authorized to use it.

Due to the enormous number of data elements that we collect, it would be extremely impractical to assess information on an element-by-element basis. Rather, it is common practice for organizations to group logically-related data elements into groups called "information resources" and then to assess the security-related needs of each information resource as a single entity.

For example, the Human Resources Department collects a variety of information for each employee. Some pieces of that information could be considered public in nature (e.g., name, title, office address) while other pieces are meant to be private (e.g., salary information, birth date, SSN). In a simple scenario, we might choose to refer to all public pieces of information about our employees as the "public HR information" and the remaining information as the "private HR Information." Then, we would only need to perform two assessments.

How security requirements are assessed

Once the information has been categorized into manageable information resources, the Information Guardian, working with the University IT Security Officer, begins the task of assessing the security-related needs of those resources. The evaluation focuses on the following three areas:

  • Confidentiality:  the need for information to be protected against being viewed by unauthorized individuals,
  • Integrity:  the need for information to be protected against being altered in any unauthorized manner, and
  • Availability:  the need for information to be available during specific time periods.

Some sample assessment questions an Information Guardian might use are listed below:

  • Who should be able to view the information:
    • anyone from anywhere?
    • only members of the University community?
    • only members of specific department(s)?
    • only individuals serving in specific functions?
    • only a limited number of named individuals?
  • Who should be able to alter the information:
    • anyone from anywhere?
    • only members of the University community?
    • only members of specific department(s)?
    • only individuals serving in specific functions?
    • only a limited number of named individuals?
  • How high is the risk to the University's assets and/or reputation if the information is viewed by unauthorized individuals?
    • high
    • medium
    • low
  • Is it important to know when the information is altered and by whom? (Yes/No)
  • Is it important to know when the information is viewed and by whom? (Yes/No)
  • When does the information need to be available?
    • during normal business hours?
    • 24 hours a day, 7 days a week?
    • non-standard time frame specified by the owner?
  • How long can the information be unavailable when needed without causing significant difficulty? (minutes, hours, days)
  • How high is the University's risk if the information is not available when needed?
    • high
    • medium
    • low

Departmental procedures must satisfy security requirements

Once the security-related needs for an information resource have been determined, it is the responsibility of the managers of the departments that use, store, transmit or process the information to determine the most effective ways to satisfy the needs defined by the Information Guardian or designate. However, this division of duties does not free the Information Guardian or designate from participation in the "solution process". The Information Guardian or designate must review the proposed solutions and approve the options that he or she believes satisfy the security requirements.

In cases where access to an information resource is controlled, Information Guardians and designates also are responsible for "authorizing" access to their resources, i.e., determining on an ongoing basis who should have access to the resource and conveying this information to appropriate administrators. This does not necessarily imply that each Information Guardian or designate needs to approve access on a person-by-person basis. In many cases, the Information Guardian or designate may only need to convey which departments and/or job functions would be permitted to access the resource and in what manner.

The benefit of this role-based approach is that, as each individual takes on a specific role and is identified to our systems as being a member of that group, he or she would be able to automatically obtain access to appropriate resources without having to go through an authorization process for each individual resource. Similarly, when an individual leaves a specific role and is removed from the appropriate group, he or she would relinquish all access associated with that role.
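The role-based arrangement described in the two paragraphs above, as an added worked example (this is illustrative code written for this page, not the University's own access-control system; the group names, resource names, users and the policy table are all constructed for the demonstration). The Guardian's decision is written down once per information resource as "which roles may act, and in what manner"; the directory records who currently holds which role; access follows from the two automatically, is denied by default, lapses as soon as the role is removed, and every attempt is recorded so that "who altered or viewed what, and when" can be answered:

```python
"""Role-based authorization driven by group membership.

Illustrative example only: the policy table, group names, resources and
users below are constructed, not taken from any real system.
"""
from dataclasses import dataclass
from typing import Dict, List, Set

READ = "read"
WRITE = "write"

# The Information Guardian's authorization decision, stated per resource
# and per role rather than per person (constructed sample policy).
# Any resource or role not listed here is denied by default.
RESOURCE_POLICY: Dict[str, Dict[str, Set[str]]] = {
    "public-hr-info": {
        "hr-staff": {READ, WRITE},
        "university-member": {READ},
    },
    "private-hr-info": {
        "hr-staff": {READ, WRITE},
        "payroll-staff": {READ},
    },
}


@dataclass
class AuditEntry:
    """One record of who attempted what on which resource, and the outcome."""
    user: str
    resource: str
    mode: str
    granted: bool


class Directory:
    """Stand-in for the campus group directory (e.g. LDAP/AD groups)."""

    def __init__(self) -> None:
        self._groups: Dict[str, Set[str]] = {}

    def add(self, user: str, group: str) -> None:
        self._groups.setdefault(user, set()).add(group)

    def remove(self, user: str, group: str) -> None:
        self._groups.get(user, set()).discard(group)

    def groups_of(self, user: str) -> Set[str]:
        return set(self._groups.get(user, set()))


class AccessControl:
    def __init__(self, directory: Directory,
                 policy: Dict[str, Dict[str, Set[str]]]) -> None:
        self.directory = directory
        self.policy = policy
        self.audit: List[AuditEntry] = []

    def permitted_modes(self, user: str, resource: str) -> Set[str]:
        """Union of the modes granted to every role the user currently holds."""
        per_role = self.policy.get(resource, {})
        modes: Set[str] = set()
        for role in self.directory.groups_of(user):
            modes |= per_role.get(role, set())
        return modes

    def authorize(self, user: str, resource: str, mode: str) -> bool:
        """Deny-by-default decision; every attempt is logged, granted or not."""
        granted = mode in self.permitted_modes(user, resource)
        self.audit.append(AuditEntry(user, resource, mode, granted))
        return granted


def demo() -> List[AuditEntry]:
    """Walk through the take-on-a-role / leave-the-role lifecycle."""
    directory = Directory()
    ac = AccessControl(directory, RESOURCE_POLICY)
    directory.add("alice", "hr-staff")            # alice takes on the HR role
    directory.add("bob", "university-member")
    ac.authorize("alice", "private-hr-info", WRITE)   # granted: True
    ac.authorize("bob", "public-hr-info", READ)       # granted: True
    ac.authorize("bob", "private-hr-info", READ)      # granted: False
    directory.remove("alice", "hr-staff")         # alice leaves the role ...
    ac.authorize("alice", "private-hr-info", READ)    # ... access lapses: False
    return ac.audit


if __name__ == "__main__":
    for entry in demo():
        print(entry)
```

No per-person decision is ever recorded: adding a person to a group is the only provisioning step, and removing them from the group is the only deprovisioning step, which is exactly why the Guardian can reason about "departments and job functions" instead of individuals. The audit list is what answers the integrity questions in the assessment above ("is it important to know when the information is altered and by whom?").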

Our responsibilities in protecting information

With over 80% of all information breaches being associated with human error, often related to individuals being tricked into giving out information inappropriately, it is critical that we each have a solid understanding of what protection we must afford the information that has been placed in our care.

We all are responsible for protecting every piece of information to which we have access in a manner that is consistent with the requirements defined by its Information Guardian. 

This implies that we know:

  • what department "owns" that information,
  • for what purposes the information can be used,
  • with whom the information can be shared,
  • what level of protection is required,
  • what departmental procedures are in place to protect that information;

and that we diligently prevent unauthorized individuals from gaining access to information by:

  • maintaining strong passwords,
  • being discerning when sharing information,
  • following safe computing practices to protect our systems against malicious activity.