State Privacy Law, IT Security, and Technology Data Privacy Advisory Committee (TDPAC) Update April 6, 2017


Post on 27-May-2020




Agenda

• 2016 State Privacy Law & Jeffco’s Progress
• Information Security Update
• Data Governance Update
• TDPAC Update
• Questions - Wrap Up


2016 State Privacy Law - Privacy Law Expectations (C.R.S. 22-16-101)


2016 State Privacy Law - Progress Update

The District’s focus on protecting student data privacy is our culture

• Information privacy policies
• Software review/transparency
• Work with state/local districts
• Data Governance work


Information Security Infrastructure Update


Security Awareness Update: Staff Training


Security Basics Course Topics

• Common threats to Jeffco
• Keeping your computer physically safe
• Password best practices
• Keeping your system up to date
• Online safety
• Data storage best practices
• Incident response


Jeffco’s 2016 State Privacy Law Progress Update

• Data Governance is one of the key mechanisms we use to continuously improve Jeffco’s stance on data privacy.

• To that end, we have built an operating model and maturity plan for engaging all the necessary parts of the business to ensure data privacy laws and best practices are met or exceeded.

• One of the critical outcomes of the work is to improve our understanding of precisely where student data resides within Jeffco, where it flows across systems and out of Jeffco, and what the acceptable usage rules are for each piece of student data.


Jeffco’s 2016 State Privacy Law - Our Data Governance Approach

• Jeffco’s Data Governance Committee (DGC) has representation from all core departments and meets regularly to coordinate organization-wide DG/DQ efforts, many of which directly impact Data Privacy.

• Jeffco has adopted the Data Management Maturity (DMM) model to identify, prioritize, and measure progress.

• Our DMM focus areas are maturing our operating model and governance policies, expanding our business glossary, and improving data quality within critical business applications.


Jeffco’s 2016 State Privacy Law - Recent Examples of Outcomes

• Jeffco’s Data Quality Office partners with application owners to identify critical data areas that are candidates for data quality improvements.

• The Data Quality Office utilizes a DQ scorecard (Certify™) which validates data against business rules and alerts users to errors on a daily basis with guidance for fixing the issue.

• Business Glossary: The Data Quality Office is building a system and processes to collect data definitions, usage rules, lineage, and more so we have consistency, transparency, and an understanding of exactly where data flows within and out of Jeffco.

• With the DQ Scorecard and the Business Glossary, we will have cleaner data and a better understanding of its flow and usage.

• Sped: $1.1M additional funding over 2 years
• Other potential opportunities in CTE, Medicaid - should look at all sources of district reimbursements/funding

• Immunizations: 800 hrs/yr est. reduction in work effort for ?who???
• Sped: Reduced low value (correcting state submissions) work and increased high value (managing providers for students) work.

• Sped: Documented providers for each student
• Immunizations: Automatic generation of unimmunized/under immunized students real-time (for outbreaks)


Jeffco’s 2016 State Privacy Law Progress Update

Transparency Website

• Clear information, understandable to layperson on the student Personally Identifiable Information (PII) collected and maintained

• Link to data inventory and dictionary or CDE index of data elements

• List of school service contract providers, service on-demand providers


Information Security - Moving Forward

Controls

1. Inventory, Devices
2. Inventory, Software
3. Secure Configurations
4. Continuous Vulnerability Assessment & Remediation
5. Controlled Use of Admin Privileges
6. Audit Logs
7. Email and Web Browser Protections
8. Malware Defenses
9. Control of Network Services
10. Data Recovery Capability
11. Secure Configurations for Network Devices
12. Boundary Defense
13. Data Protection
14. Controlled Access
15. Wireless Access Control
16. Account Monitoring and Control
17. Security Skills Assessment and Appropriate Training
18. Application Software Security
19. Incident Response and Management
20. Penetration Tests


TDPAC Update - 2016/17

• September - New members introduced, charter review, roles expectations
• October - Colorado Data Privacy Law introduction/discussion
• November - Cancelled
• December - 2020 vision presentation, tech plan introduction
• February - Reviewed data privacy practices & standards
• April/May - Data Governance update/progress


Questions from the BOE