Information Security Policy
Anyone who's ever filled out paperwork on campus -- or even grabbed lunch with a Mastercard at the union -- has benefited from Joanna Grama's work to protect personal data. As Purdue's information security policy and compliance director, Grama is responsible for writing the policies and guidance documents that ensure that the wealth of information the University collects is safeguarded properly.
A former local lawyer, Grama broadened her horizons last year. In May, she was appointed to the 20-member Data Privacy and Integrity Advisory Committee of the U.S. Department of Homeland Security.
What are you responsibilities in your job at Purdue? What is a typical day like?
No one day is ever the same. On a typical day, I might answer questions about the guidance documents we've put out. I'll help other people in our department read and review laws and determine what we need to implement as far as security goes with some of the systems here at Purdue.
I have two employees, and each one is a subject matter expert in a particular law or regulation that has many security ramifications. They work with external departments and units here at the University to make sure they are in compliance with those laws.
Which laws most directly affect data security here at Purdue?
There are quite a few, actually. One set of regulations deals with how credit card information is used. It's called PCI, or the Payment Card Industry standards. At Purdue, we spend a lot of time making sure the way we accept and take credit card payments complies with PCI.
We also deal with HIPAA, or the Health Insurance Portability and Accountability Act, which is the law that protects health information. You probably see that with your doctors -- they'll ask you to sign a HIPAA form each year and give you a notice of their privacy practices. That's the very visible part of that law, but that law also has a portion called the security rule, which talks about how institutions secure the medical data they have. We deal a lot with that.
Which projects are you working on now, and how will they help improve information security at Purdue?
This summer, I will be working on a project to help reliably measure Purdue's information security posture. We are going to look at creating metrics for our information security program, and we will use those metrics to determine if our activities are reducing the University's information security risk. It is a really neat project. I'm excited to learn where we are best protecting the University and its data -- and where we can do an even better job.
How did you come to be appointed to the Homeland Security committee?
Back in 2009, there was an advertisement in the Federal Register, which is the daily news service for the federal government. They were seeking members for this advisory committee. I had actually given it to my boss initially and said, "You should apply for this." And then he said, "No, why don't you?"
It ended up taking two years to go through the appointment and vetting process before I was actually officially appointed to the committee.
What are the committee's responsibilities?
Well, the chief privacy officer of the DHS requests advice from this committee on certain initiatives that office wants to undertake. The appointments are for three years, and we're serving in our capacity as citizens.
If, for example, they're considering a new information system, they might ask this committee to give its opinion on the privacy implications of the new system. They might ask, "What should we be worried about from a privacy perspective?" So our focus is really on individually identifiable information -- and then how that data is kept private, and how its integrity is maintained, which means that the data is correct and continues to be correct.
What's at stake when you do your job here at Purdue?
There are really high stakes for the University. All of the laws we mentioned have provisions in them where, if the University were to improperly disclose data, we'd have to report that to a regulatory authority. The University could have to pay fines if we handle data improperly, and those fines could be quite substantial.
It also hurts the University's reputation if we have a data breach, so we're helping protect that, as well.
There's a lot that's rewarding about this job. I like the knowledge that comes with encountering a problem and managing to solve it in a way that protects the security of the information but still allows business to continue relatively unimpeded. Fixing problems -- that's a really good feeling.