Uncovering Hidden Risks 1.11.23
Ep 5 | 1.11.23

Tips for Internal Investigations While Maintaining Privacy

Transcript

Erica Toelle: Hello, and welcome to "Uncovering Hidden Risks," a new podcast from Microsoft where we explore how organizations can take a holistic approach to data protection and reduce their overall risk. I'm your host, Erica Toelle, senior product marketing manager on the Microsoft Purview team. And now let's get into this week's episode.

Erica Toelle: Welcome to another episode of the "Uncovering Hidden Risks" podcast. In today's episode, we will discuss how organizations approach internal investigations for a variety of purposes. The reasons for an internal investigation can vary depending on an organization's industry, the regulations they must follow, and their policies. But when we look at the process for an internal investigation, most share a few common requirements. For example, it's important to protect end user privacy. To explore this topic further, today's episode will explore a specific internal investigation case study from Prince William County Public Schools, located in the state of Virginia in the United States. 

Erica Toelle: But first, let's introduce today's guest host, who will join us for the discussion. Christophe is a product manager in the Microsoft security division, focused on our insider risk solutions and specifically communication compliance. He's passionate about helping customers with their digital transformation. Christophe's worked in technical, marketing and engineering roles in the U.S. and Europe. Welcome, Christophe. 

Christophe Fiessinger: Thank you, Erica. I'm glad to be here. This is definitely a topic dear to my heart, having three kids myself and trying to see how technology can make a difference. 

Erica Toelle: Perfect. Now let's introduce today's guest. Randy Newman is the CISO for Prince William County Schools and oversees the planning, operation and management of information security for the school divisions' network infrastructure, data and student information systems. He provides planning of information technology initiatives including enhancement of current infrastructure, integration of systems, risk exposure and mitigation, and regulatory compliance. Randy, thank you so much for joining us today. 

Randy Newman: Thank you so much for having me. Glad to be here. 

Erica Toelle: Now let's jump right into the episode topic. 

Christophe Fiessinger: Great. So to start, can you tell us more about Prince William's (ph) County Public Schools, Randy? 

Randy Newman: Be happy to. Prince William County is located in Virginia. We're very near Washington, D.C. We have approximately 101 schools, nearly 96,000 students. We're the second-largest school population school district in the state of Virginia and the 34th largest in the country. As everyone's gone through the pandemic, we've rolled out our 1-to-1 devices out to all our students to be able to bring them a better learning experience. And that, by itself, also adds on some complexities. But we're a rather large school system facing some of the same issues and problems that other school systems around the country are facing. 

Christophe Fiessinger: Thank you, Randy. So you recently completed an initiative involving internal investigations. Can you tell us more about that? 

Randy Newman: We have to have FERPA and CIPA compliance. We also have FOIA requests and internal requests and legal holds that go on, that we have to be able to account for the information - the communications back and forth between staff and students, students going outside of PWCS, also among board members in higher ed city council. We're on the hook to be able to provide that in a meaningful manner. 

Randy Newman: But one of the investigations that we continuously go through and do is also keeping our students safe. What that means is students are always interacting with the communications, particularly the Prince William County email system. They'll send out emails. They'll talk to their - other students. And sometimes, those emails can be disturbing and, in fact, that they could lead to some additional issues and problems. For instance, if a child is - suicidal thoughts, who wants to hurt themselves or hurt others or those kinds of thing (ph), the emotional well-being, we have to get involved with that. So that means we have to build a monitor to those types of conversations for the safety and well-being of those students. So a couple investigations we'll talk about today - or just one that we'll talk about is to go through what the day in the life on that looks like and kind of the burdens and what we have. Also, to couple that, being a school system, we're not deep-benched. And so we're asked to do a lot of things in many different ways. And so that's part of the challenge that we face as a public K-12 system. 

Erica Toelle: Randy, when we were preparing for the podcast, you mentioned to us how important it is to maintain privacy for students and for faculty during these types of investigations. So I'm wondering what principles guided this initiative to ensure user privacy. 

Randy Newman: First off, we all have a lot of rules and regulations for data privacy. As I mentioned earlier, the Fourth Amendment right to privacy, search and seizure - those things we have to be very careful of. We have to weigh those. So we've created robust policies and SOPs when it comes to looking at these types of things. So we only open up to a very select few individuals that have the authority based on legal, Prince William County legal, and also risk to be able to pull back these conversations, to look at these types of things. It has to be directed, where you can't go out and go rogue and do it on your own. You have to be told by the individuals in legal that they're sanctioned and only particular left and right parameters of what you can search for and the dates and times and those types of things to be able to bring that information back. And it's kept close hold. We file additional NDAs amongst the individuals who look at this data, and we bring them back into a secured environment so only the individuals can see. That data is audited and tagged. Anybody's looking at that that shouldn't be looking at that, we tip off. So we try to keep those things very close hold for - not only for the safety of the students as well as the privacy, but also the reputation of Prince William County. 

Christophe Fiessinger: Thanks, Randy, for the clarification on the process that you follow - the thorough process to respect individuals' privacy. I assume this is the same process you have for not just students, but for staff as well? 

Randy Newman: Yes, that's absolutely correct. The processes are the same for both of those. The individuals - you may have an access to it, but you don't have a need to know. That has to come with from legal, position of authority. And we tag that into any searches or any information we pull back, and it's highly audited and locked down. And we're audited yearly on that to make sure that we're compliant not only with our internal policies, but any internal policies, procedures and regulations outside of Prince William County. 

Erica Toelle: Thanks for giving us that overview of the business processes, how you approached privacy and how you approached the business requirements. Curious, how did you design the technical solution to meet those requirements? 

Randy Newman: That's been an ongoing - it's adapting and changing based on what legal has interpreted in Prince William County. We also based that, of course, on local and Virginia state law, as well as federal regulations, to adhere to those guidelines to make sure that we are doing due diligence to not only investigate the issues and problems, but protect those individuals that we're collecting information that we currently have in Prince William County. So it has been something that we are always working on strive to do better, but we, as individuals here, try to adhere to that. 

Randy Newman: We don't try to do anything we're not supposed to do, where, again, things are on a routine basis. Those audit logs are in a place that legal has access to, and they can randomly pull information out. And then individuals who are doing these are held accountable to a higher standard to understand what they're doing and why you're doing it. And that's the kind of thing, I think, that they - basically holding us to - our feet to the fire to make sure we are - and doing this with honesty and integrity. 

Erica Toelle: So I think we've gotten a pretty good overview of the solution that you built and how you went about it. Curious, what outcomes did you achieve with this type of solution? Do you have any examples of how this really helped a student? 

Randy Newman: Yes. I can talk about one just recently in broad terms. As I mentioned earlier, we have responsibility to keep staff and students safe. And that's not only from outside organizations coming in or somebody trying to solicit - or adult graphic images or graphic content, those types of things, but, also, we have to be able to look at the social well-being, mental well-being of our students to make sure that there's no issues and problems. And part of that is to monitor email communications for certain words that may stand out that could cause them harm, or they could basically be asking for help or having some issues. 

Randy Newman: One of the recent cases we had now, just recently, a student was contemplating a suicide. And because of the processes that we had in place to monitor that, we were able to pick it up early. We were able to set some rules around it. We were able to set alerts. Those alerts, we were able to activate, automate to get to individuals that needed to be seen at the schools as well as risk, the 24-hour dispatch at Prince William County - received the alert. They developed their SOP to reach out to local law enforcements to do a well check at this particular residence to make sure the child was safe. All that stuff is documented and then put back. And legal was able to - next day to go in and look at how that process was followed. But the important thing was the services that the student needed, that child needed at the time was given to them, and then appropriate organizations were notified, and those counselors take the actions they need to - for the health and well-being of that student. 

Randy Newman: Basically, the system worked. We protected the integrity of the data. We protected the information. The information given out was only what they needed to do their job. The data was anonymized, so it wouldn't track back to a particular user. That way - that those individuals who took the steps, both law enforcement, but also our counselors, staff and medical personnel that may have had to been involved - that's all isolated. In the end, it's all documented. And then that way it's traceable - and that basically in the end, the most important thing is that the student was able to receive the health and safety and interventions they needed. 

Christophe Fiessinger: Thank you, Randy. That's a pretty touchy example, and we appreciate the transparency on the process that you were able to have at PWCS. Any learnings out of that incident, what could be done better in the future? 

Randy Newman: Yes. Having - living in the IT world, we think IT. We have to realize that people outside of our organization, like risk, and then we look at - counselors don't necessarily speak IT. As an IT person, I don't speak counselor; I don't speak risk. Words have meanings. But we find out that that word has different meanings to different people. And we realized that it's just - we have to reach out to those individuals that are going to be affected, like risk and accountability and student services. What we learned out of all this is opening up a dialogue, breaking down those barriers so we'll now be able to go horizontally across, understanding what they need, how we can help them, how they can help us, understanding that flow process. So we give them the alert, we understand what the next steps are going to be and how we help them along. So it's not just us versus them. We realize it's a Prince William County problem, not an IT problem, not a counselor problem. So being able to develop those clear lines of communications, understanding what's going to be done with the data, how it's going to be used so there's no confusion and then being able to exercise those from the initial understanding where we've got the alert to initial end and then back through a whole 360 picture. So breaking down those barriers, realizing who else you have to deal with within Prince William County and also outside of Prince William County as well and how do you engage those stakeholders in the end, those are some of the lessons that we learned. And we're working on those and fold those back into our guidance and standard operating procedures and basically having better communication plans amongst our peers, even in Prince William County school system, to be able to help that process be smoother and timelier. 

Erica Toelle: I think you mentioned earlier sometimes IT departments are having to work with very limited resources and a small staff to set up this type of a solution. I'm just curious, having gone through it, what other tips and advice do you have for an organization that's maybe just starting on this journey or had a false start? 

Randy Newman: Don't be afraid. Pause. Take a deep breath, realizing a little bit of progress adds up each day. Kind of basically when you look at it, it is very daunting. The analogy is you can't eat the whole elephant in one bite. You have to work on small pieces of it, or else you become overwhelmed, and you can never get to where you need to go. But don't be afraid to ask for help. Reach out to your neighboring school systems. Get involved with those school systems. And in the end, you may not have to reinvent the wheel. We did just that. We reached out to other school systems here and around the country. And what are you doing? What are your SOPs? What other kinds of things are you seeing, you know, technology you're using? How deep is your bench? What kind of things you can do? So we're kind of looking at maybe crowdsourcing this out, helping other organizations, especially K-12, to say, hey, we're Prince William County, this is how we do it, but, again, not one size fits all - kind of give you the help when you reach out. We can help you and hopefully we can find organizations to help us as well, trying to go through and streamline those processes that may work for those individual institutions. 

Randy Newman: I think the hardest thing is just where to start and asking for help. That would have been something that'd been nice if we had someplace to go to to be able to say, here's other organizations in your area that are doing this now, and here's what they're doing. Here's those contacts to be able to reach out and be able to start that process. Because the technical aspect is one piece of it, but it's - also the policy is the bigger piece and why you're doing what you're doing and then having that policy to back you up so you're not going out there (inaudible) things you shouldn't and giving (inaudible) that policy piece of it. Again, reaching out to those who've already done it so you don't have to reinvent the wheel, and that's also a way to help start so at least you're not starting from ground zero. 

Christophe Fiessinger: Thanks, Randy. Hopefully with this podcast and the recent case study, we can get others to start, to your point, that the hardest part was just to get started. I also really like your point of starting small because I don't think doing nothing is acceptable, yet iterating and learning along the way. So I think that's a great takeaway for all the listener that you don't have to, as you point out, go after the entire elephant, but you can start small and get allies across the districts and learn on the way and expand that program. So great insights on best practices for others to learn from. 

Randy Newman: Thank you. 

Erica Toelle: I'm curious if you have any other lessons learned to share about how to work kind of with the other people at the organization. I think one of the things IT always struggles with is working with the business side. Do you have any lessons learned in that area? 

Randy Newman: I think that's the key. You have to realize it is the human side. You're dealing with a real, live person. We sort of in the IT world think of everything as zeros and ones going through wires in the network. Realizes somebody and that - that affects these individuals and people, especially the students. We have to be very aware of what they're going through and those types of things and reaching out to the business of Prince William County. And that's education, providing what we can for our students, the best services possible, providing a safe learning environment. And this is just part of the environment; understanding walking a day in the shoes of instructional staff, the counselors, understanding what they're kind of going through and realizing, as I mentioned earlier, words have meaning, different meanings to different organizations, understanding what those words mean to them and how they relate, how to communicate with them. Even when we're speaking the same language, sometimes we don't quite communicate the same way; understanding those types of things. 

Randy Newman: And one of the other lessons learned I like to touch on, if I could circle back on, is everyone has their culture. Everybody has their language they speak. But within that, you have subcultures, and they come in and play. Basically, how kids talk today is very different than kids talked years ago. And a lot of times, as an adult, I don't understand a lot of that. There's a lot of slang. There's a lot of emojis going out there. Understanding what those are, that's kind of daunting, and getting help with that and using resources, that can kind of help you with that, basically, through, like, artificial intelligence or things that can help you say, this is what this really means, explain this - to regular language that you're using, whether it be Arabic or Spanish or Russian, which we have a lot of in our system. What's that mean? A certain phrase or term in one language being said doesn't mean a whole lot, but somebody else reading it could be offended by it. And what makes it particularly difficult in adding to that, you have no context around it because you're working and using words. You don't have the person's visual cueing behind it when they say something, and so it makes it difficult to be able to add that context to it. And you have to be able to take that sentiment analysis in those words and how they're being used to kind of have some kind of idea of what they mean by it. So there are some lessons learned that we've looked at. We're still trying to look at ways of trying to make that better for us, and I think it's a continuous, ongoing problem that we're always going to have. And I think that if we can share our experience with others and learn from other individuals, I think that might make that process a little easier. 

Christophe Fiessinger: Thank you, Randy. I think that's a great point around language. And by nature, it keeps evolving based on trends, pop culture and other influence. It's not so much about always being on top of what can be said that could be offensive, but just basically staying not too far behind whatever is being said in the schoolyard or elsewhere. It's a great point about trying to stay not too far behind humans' creativity to use potential risky language. 

Randy Newman: And then, Christophe, getting back to your point there, you're spot on as far as it's a constant, evolving situation. You can't play one-on-one. You have to play zone. We don't have a deep bench because things are constantly changing, and we have a vast demographics and diversity in our student population that also adds additional hindrance and stuff we have to be able to get around, whether it be their language or what they say and how they say it, what they're not saying and things like that. It's very daunting for any organization, especially a K-12 that doesn't have those deep bench, to be able to try to get their hands around this. And some individuals will say, well, if I don't look at it, I don't see it, it's not there. That's not the right answer. We have to be proactive, and we sometimes have to do things not because they're easy but because they're hard. Have to be done in the best interest of the students and doing what you can for them. 

Christophe Fiessinger: Yeah, definitely a lot of empathy because, I think, to make this even more challenging, the way kids communicate in 2022 is very different than how some of us communicated back then when we were in school. And, you know, for instance, the use of images and GIPHYs and videos, that's things we didn't have back then when, you know, phones were not prevalent or didn't exist. And yet that's a new medium that's not necessarily tech space but could have - could be as impactful in a negative way as a sentence. 

Randy Newman: Yes. Yes, it can, especially if you use a lot of slang, like, you know, like BFF. They're using a lot of these things now, and it's hard to figure out what those are. You almost have to have a little scorecard. What's that mean? What's this mean? So it makes it harder to be able to look at that - for instance, just in here, in the United States, if you just go different places, some people for - a sub is a sub. Some people know it a hoagie. Some people know it as a hero. Some people know it as a grinder, you know, and stuff like - or a wedge. And that's just even in our country in different parts of the north, south and west. It's just - so if we're having those issues, imagine what diverse population coming in is going to have, and we're going to see that in some of the kind of microcosms we see here in Prince William County Schools. And I'm sure that other school systems are feeling the same issues and trying to get their hands around this. It's kind of like a pretzel. It twists your mind up to try to get around it. But again, that's the challenge, and that's the kind of thing that keeps you, like, wanting to come back. But at the end of the day, what bothers me is not what we're finding; it's what we're not finding that keeps me awake at night. 

Erica Toelle: Well, I feel like we could talk about this all day, but I think we're about out of time for this episode, unfortunately. So to close the podcast, we have a tradition of asking our guests a question. So, Randy, what are some words of wisdom or words that you live by that you'd like to leave us with? 

Randy Newman: I think, basically, being a jack of all trades and master of some serves you well. I think humble yourself. If you don't know, it means you don't know. Ask for help, and realize that help can be given, and just realize you're not going in alone. Again, just breathe, be calm, step back, and the storm will pass, and things will get better. But always remember, there's always somebody out there to help. You're not alone. 

Erica Toelle: That's great advice. Thank you so much, Randy from Prince William County Public Schools, for joining us today on the "Uncovering Hidden Risks" podcast. 

Randy Newman: Erica, thank you very much for having me. I appreciate it. It was an honor to be here today. Thank you. 

Erica Toelle: And thank you so much to Christophe for joining us as the guest host. 

Christophe Fiessinger: Thank you, Erica, for inviting me. And thank you, Randy, for your sheer knowledge. 

Randy Newman: Christopher, thank you, too. 

Erica Toelle: We had a great time uncovering hidden risks with you today. Keep an eye out for our next episode. And don't forget to tweet us at @msftsecurity or email us at uhr@microsoft.com. We want to know the topics you'd like to hear on a future episode. Be sure to subscribe to "Uncovering Hidden Risks" on your favorite podcast platform. And you can catch up on past episodes on our website - uncoveringhiddenrisks.com. Until then, remember that opportunity and risk come in pairs, and it's up to you where to focus.