Bridging the gap to Fusion through our PeopleSoft Solutions Extenders
Grey Sparling PeopleSoft Expert's Corner

Tuesday, April 15, 2008

Strengthening Data Privacy in PeopleSoft

Session 2886 in the OAUG section.

Monica Nelmes Elliott
PeopleSoft Product Marketing
Approva

Dr Marilyn Prosch, Ph.D., CIPP
Department of Accounting
Arizona State University

Monica is beginning the session by talking about when she was victimized by identity theft a few years back. Someone at a Fortune 100 company using PeopleSoft accessed her account and opened up several lines of credit. Big nightmare. So she's very passionate about this issue now.

Prior to bringing Dr. Prosch up, she takes a few questions. One was about being able to monitor specific users in PeopleSoft (maybe some new call center employees that you're worried are trying to pull up too many accounts or something). She said that Approva announced a partnership at the conference with a company, Lumigent, that does database monitoring (here is the press release).
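The "new call center employee pulling up too many accounts" question is really a detection problem: count how many distinct accounts one operator views in a short window and flag the outliers. Here is a small added example of that logic, written for this post rather than taken from Approva, Lumigent or PeopleSoft; the log format, operator ids and account numbers are all constructed for the example.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample log (an assumed format, not a real PeopleSoft or
# Lumigent audit format): "<ISO timestamp> <operator id> VIEW_ACCOUNT <account id>".
# CSR0042 sweeps seven accounts in six minutes, CSR0017 works a few accounts
# at a normal pace, CSR0099 keeps re-opening the same account.
SAMPLE_LOG = """\
2008-04-15T09:00:00 CSR0042 VIEW_ACCOUNT ACCT-1001
2008-04-15T09:01:00 CSR0042 VIEW_ACCOUNT ACCT-1002
2008-04-15T09:02:00 CSR0042 VIEW_ACCOUNT ACCT-1003
2008-04-15T09:03:00 CSR0042 VIEW_ACCOUNT ACCT-1004
2008-04-15T09:04:00 CSR0042 VIEW_ACCOUNT ACCT-1005
2008-04-15T09:05:00 CSR0042 VIEW_ACCOUNT ACCT-1006
2008-04-15T09:06:00 CSR0042 VIEW_ACCOUNT ACCT-1007
2008-04-15T09:00:00 CSR0017 VIEW_ACCOUNT ACCT-2001
2008-04-15T09:05:00 CSR0017 VIEW_ACCOUNT ACCT-2001
2008-04-15T09:12:00 CSR0017 VIEW_ACCOUNT ACCT-2002
2008-04-15T09:30:00 CSR0017 VIEW_ACCOUNT ACCT-2003
2008-04-15T10:00:00 CSR0099 VIEW_ACCOUNT ACCT-3001
2008-04-15T10:01:00 CSR0099 VIEW_ACCOUNT ACCT-3001
2008-04-15T10:02:00 CSR0099 VIEW_ACCOUNT ACCT-3001
2008-04-15T10:03:00 CSR0099 VIEW_ACCOUNT ACCT-3001
"""


def parse_line(line):
    """Return (timestamp, operator, account), or None for blank or unrelated lines."""
    parts = line.split()
    if len(parts) != 4 or parts[2] != "VIEW_ACCOUNT":
        return None
    return datetime.fromisoformat(parts[0]), parts[1], parts[3]


def peak_distinct_accounts(events, window):
    """Largest number of distinct accounts seen in any span of length `window`.

    `events` is a list of (timestamp, account) for one operator. A sliding
    window over the sorted events keeps a count per account, so repeated
    views of the same account are counted once.
    """
    events = sorted(events)
    in_window = Counter()
    left = 0
    peak = 0
    for ts, account in events:
        in_window[account] += 1
        # Drop events that fell out of the window ending at `ts`.
        while ts - events[left][0] > window:
            old = events[left][1]
            in_window[old] -= 1
            if in_window[old] == 0:
                del in_window[old]
            left += 1
        peak = max(peak, len(in_window))
    return peak


def flag_excessive_lookups(lines, window=timedelta(minutes=10), max_distinct=5):
    """Return {operator: peak distinct accounts} for operators over the threshold."""
    per_operator = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            ts, operator, account = parsed
            per_operator[operator].append((ts, account))
    peaks = {op: peak_distinct_accounts(ev, window) for op, ev in per_operator.items()}
    return {op: peak for op, peak in peaks.items() if peak > max_distinct}


if __name__ == "__main__":
    for operator, peak in flag_excessive_lookups(SAMPLE_LOG.splitlines()).items():
        print(f"{operator}: {peak} distinct accounts inside one 10-minute window")
```

The threshold and window are the tuning knobs: a real call center has a known normal rate per role, and the point is to alert on the operator whose peak sits well above that rate, not on anyone who happens to be busy.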

Now Dr. Prosch is up. She's been in this area for about 7 years and came in from a systems background. She has several slides showing all of the different organizations that have had privacy breaches in 2007. She mentioned that Arizona (where she is from) is now ranked first in the U.S. for identity theft, and that the governor there has just appointed 2 new positions for this.

Dr. Prosch says that PeopleSoft is used in many of the organizations involved in these breaches. Most are not system hacks, but data downloads where the data or laptops get stolen, or backups that get lost or stolen.

39 states now have identity breach laws, but she does not believe that the federal government is going to do anything soon, so you're essentially required to know about the rules for all of the places that you do business (ed: of course, this is true globally as well).

Talking about the FTC being more likely to be lenient if you are at least showing that you are taking action.

The Federal Trade Commission is going after some big cases now. These can have a pretty significant financial impact on an organization. However, she believes that the FTC is more likely to show some leniency if you can show that you were taking action towards preventing breaches before the breach occurred.

The discussion then went into the concept of GAPP (Generally Accepted Privacy Principles). Much like GAAP (Generally Accepted Accounting Principles), the idea is to codify best practices for privacy. These are available to download for free and can be applied in your organization today. If you want someone to verify/audit your compliance with GAPP (maybe a business partner mandates this), then you can pay an auditor. The GAPP framework should address most major privacy legislation (domestic and international). It has 66 principles across 10 categories.

Dr. Prosch is now talking about the concept of Continuous Privacy Monitoring. She's showing a 5 stage "privacy lifecycle" chart. Stage 1 is ad-hoc efforts around privacy, stage 4 is being ready for a GAPP audit, and stage 5 is continuously monitoring privacy within your organization (ed: to continue the accounting analogy: being able to close the books at any time, instead of just at month's end).

Monica is back now, talking about defining security rules for roles and permission lists in spreadsheets. How many people can answer who has access to a given piece of data after PeopleSoft has been running for a while?

She's giving a list of example fields to monitor in different PeopleSoft products (the actual field names in PeopleSoft, not just what the fields are). Approva can monitor all uses of sensitive fields in PeopleSoft. Joel Hutchison is an ex-PeopleSoft person who is the main developer for this. He's sitting in the audience, but can take questions.
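The "who has access to this field?" question above is answerable from data PeopleSoft already holds, once you chain users to roles, roles to permission lists, permission lists to pages, and pages to the sensitive fields they show. The following is an added example of that join, written for this post and not Approva's or PeopleSoft's code; it is a simplified model of PeopleSoft's security objects (it ignores row-level security and display-only page fields), and every user, role, permission list, page and field name in it is constructed.

```python
from collections import defaultdict

# Constructed security data in PeopleSoft's shape: users hold roles, roles
# bundle permission lists, permission lists grant pages, pages expose fields.
# All names below are made up for this example.
USER_ROLES = {
    "jsmith": {"Payroll Admin", "Employee"},
    "mlee": {"Employee"},
    "akumar": {"Benefits Admin", "Employee"},
}
ROLE_PERMLISTS = {
    "Payroll Admin": {"PL_PAYROLL"},
    "Benefits Admin": {"PL_BENEFITS"},
    "Employee": {"PL_SELF_SERVICE"},
}
PERMLIST_PAGES = {
    "PL_PAYROLL": {"PAYROLL_DATA", "PERSONAL_INFO"},
    "PL_BENEFITS": {"BENEFITS_ENROLL"},
    "PL_SELF_SERVICE": {"PERSONAL_INFO"},
}
PAGE_FIELDS = {
    "PAYROLL_DATA": {"NATIONAL_ID", "BANK_ACCOUNT_NUMBER"},
    "BENEFITS_ENROLL": {"NATIONAL_ID", "BIRTHDATE"},
    "PERSONAL_INFO": {"BIRTHDATE"},
}


def users_with_access(field, user_roles=USER_ROLES, role_permlists=ROLE_PERMLISTS,
                      permlist_pages=PERMLIST_PAGES, page_fields=PAGE_FIELDS):
    """Return {user: {(role, permission list, page), ...}} for every path that
    lets the user open a page showing `field`. Users with no path are absent,
    so an empty dict means nobody can see the field."""
    exposing_pages = {page for page, fields in page_fields.items() if field in fields}
    paths = defaultdict(set)
    for user, roles in user_roles.items():
        for role in roles:
            for perm in role_permlists.get(role, set()):
                for page in set(permlist_pages.get(perm, set())) & exposing_pages:
                    paths[user].add((role, perm, page))
    return dict(paths)


def fields_for_user(user, user_roles=USER_ROLES, role_permlists=ROLE_PERMLISTS,
                    permlist_pages=PERMLIST_PAGES, page_fields=PAGE_FIELDS):
    """Every field the user can reach through any of their roles."""
    fields = set()
    for role in user_roles.get(user, set()):
        for perm in role_permlists.get(role, set()):
            for page in permlist_pages.get(perm, set()):
                fields |= page_fields.get(page, set())
    return fields


def exposure_report(fields, **security):
    """{field: number of users who can reach it}, the headcount an auditor asks for."""
    return {field: len(users_with_access(field, **security)) for field in fields}


if __name__ == "__main__":
    for user, paths in users_with_access("NATIONAL_ID").items():
        for role, perm, page in sorted(paths):
            print(f"{user} sees NATIONAL_ID via role {role} -> {perm} -> {page}")
    print(exposure_report(["NATIONAL_ID", "BANK_ACCOUNT_NUMBER", "BIRTHDATE"]))
```

Keeping the path (role, permission list, page) rather than just a yes/no is what makes the answer actionable: it tells you which role to trim when the headcount for a field is larger than it should be.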

It would have been nice to see a bit more detail about this or maybe a demo, but overall it was a very good session.
