 Good morning. It's great to see you here. We appreciate you're coming to our session and we especially welcome those of you online to our session With as soon as we get it up on the screen here You'll see that we're talking about the game of risk. Are you guys familiar with that board game risk? I'm going to start by asking you a few questions If you had to describe risk in a word or a phrase that board game Give me some some thoughts. What what kind of things would you say about risk and for those of you online? type it in the chat and I have someone that will will read those off on the microphone for us Anybody have a comment about the game of risk? What comes to mind? Excellent complicated Anything else? Strategic aren't these great words? Yes And if anybody else is it intuitive? Would you say I mean if you just picked up the game would you need to read the rules? Would you need to know the rules to play it? You know, we're getting a lot of head shaking that it is not intuitive. It's not intuitive Okay, so so you kind of see where we're going with this concept of the game of risk as we compare it to information security Unfortunately about this time last year Lehigh realized or was told that we were I Think I have to stand back here Playing the wrong game and it gave my wow away. We were playing the wrong game. Let me give you some background on that Our problem started in about October 2012 When Zeus came to Lehigh, how many people remember Zeus? Well Zeus came in October and stayed through November December January when Isaacs was was sending us emails every day and It was just finding new places to crop up in January when it hit our advancement office And they lost of days worth of work It really came to a head At that time I wasn't part of information security. I was at Lehigh and identity and access management but I was Kind of drafted over to information security because obviously our security program was ineffective and Asked to try to make this whole thing go away and respond to our administration About what's happening and what we're doing to fix it I didn't have any security background. So it was quite a challenge for me. I felt quite overwhelmed and So I did what I knew how to do I pulled people together Experts together to help me figure out what we would do Called outside consultants and asked for their help. What do I do about Zeus? What does this, you know? What can we do? Pull together the experts at Lehigh in our IT. We we actually met for the whole semester Every two weeks with our networking guys System analysts our enterprise system programmers desktop support We even invited outside of IT Risk our risk people general counsel and internal audit. We were trying to cover everything I Also joined ren Isaac Great great thing. I highly recommend it Was a great help to us took advantage of that jacuzzi came to the conference last year had a mentor You know took advantages of the resources oh yes, and Unfortunately, I had to look for new Information security officer that in the long run. It was a great thing because we have Keith on board now and The fifth thing we did was we put an RFP out for a Penetration testing and vulnerability assessment So we did all this and then the CAO asked me to put together a report That would be shared with our administration, which was an incident response plus What are you doing that type of thing and the president asked us to then Take the report and meet with the audit committee of the board of trustees to go over this and To also create an executive summary that went to all the trustees So we had become a very high-profile area of the university in just a few months and So we went to the beating in May. It was very Intimidating much more people than are sitting here, believe it or not We have the interim the audit the audit committee of the board chairman of the board President provost by president of finance administration a lot of administrative people in the room and The CIO was to give the report. He barely got out one line until we were bombarded with questions about what are you doing? How are you handling this? You know, this is what we do in industry and so forth. It was quite Quite nerve-wracking to say the least and I think some of you probably saw This very brilliant member of the board said to us we we see you're very you're doing a lot of things It's great. We like that. However You're attacking information security like a whack-a-mole Wow Think of that here. I am thinking we're playing the game of risk. We're being strategic It you know, we have this complicated thing going and and all of a sudden he's telling me you're playing whack-a-mole Is that strategic is? Is it complicated? Do you need to know the rules? I think you just take a mallet and go for it, right? That's what I he was saying to us and I think he was right He asked us three questions How are you prioritizing your initiatives? What data are you looking at? What data are you going to protect? What what's what's your big concern and where are we at risk? Have you done an analysis? What are your strategies? Are you making the right strategies? Fortunately as I said Keith came on board July 1st and With our experts and with Keith and all the input we've had we put together An answer to those questions because believe it believe me we were asked to come back in October to address the questions and We started with a secure framework where we're using the sands 20 to critical controls ISO 2002 and Thirdly we've been very made ourselves very visible to the campus in outreach communication and of course user awareness The second question we addressed by really putting a bull's-eye on the data. We were most concerned about so we've We've identified that most restricted data and that's where we would put our priorities and Third was our risk on the quadrant of severity versus likelihood Unfortunately, we find ourselves in the top fourth quadrant Because we found we are collecting and storing data on a large number of people people that we don't need to be storing PII on anymore and We're we have it all over campus people are writing reports with PII in it there We're making clones of things and and storing it and so forth so of course our goal is to reduce the number of people for which we collect or store PII and also to reduce the number of locations isn't Necessary to store the the social security number that type of thing so that eventually we can move down here so Keith's going to Take over now to discuss how we're how we're trying to move ourselves from the fourth quadrant down to the first Excuse me. Thanks. Thanks Sarah Yeah, a bit of a complicated process when you're looking at the whole idea and the game of risk and and You know, we talked about it not being an intuitive game And some of the things that you need to gather up are the rules and in our case in the case of data reduction What we're looking to protect with the data? We're looking at gathering the laws regulations looking at our assets and doing some valuation of risk and I think the biggest thing that we found at Lehigh and I think the thing that we want to communicate to you folks is Knowing something about the players. I mean really pulling together the players It was interesting that in the keynote Was talked about information security existing in that space and and I would agree with that wholeheartedly We have kind of infused ourselves in different spaces. I think at Lehigh In places that we Information security did not exist before and I think I think it has added some value to the organization chance for some of the online folks and and for you folks to participate if you like Just a little quick poll I do ask the question, you know, since we talked about it a little bit what game What game is your organization playing? And some of the responses I have here are whack-a-mole it pops up We chase does anybody feel like they're in that mode in the audience? Okay, that's good War you get some cards dealt and you just kind of go with the flow shoots and ladders up days down days Kerplunk or Jenga everything's working fine as long as somebody doesn't pull out that one stick or block that causes a problem or Are you at you know playing risk or strategic strategic ego a more strategic game something where you know, you've you've got a handle on things and You know what is going on in your organization? And and I think those questions are questions that you know every organization should ask and You know this diagrams kind of kind of to show information security in the position of being the bridge in being in that place the location between what I call the governance side of the house Legal risk management and I and I put executives here although I would tell you that that's a whole host of Folks that might have demands for the data not necessarily your data stewards data users entry people But folks in executive management upper-level management, maybe even faculty Might be if you run a medical college It might be doctors or the medical staff That fit into that role and then the other side of things I've called them data users here because I think there's a transition from being a data user to being a good data Steward and we're going to talk about that here with respect to records and records redaction and The data custodians and I would also tell you that data custodians is a higher level You know you have system administrators network administrators. Do they make the transition to network? custodians and and I think it's our our job as information security folks to Bridge those those two sides of the house. I also think it's it's our responsibility to Make sure that folks are working within those. I hate to call them silos, but amongst those groups as well To give you just a couple quick examples We have information in information security have been infused in the process for reviewing purchasing Especially cloud service hosting purchasing agreements so legal risk management and Purchasing if you include purchasing in that group are asking us for input when we go and start put data Organizations look to put data out in the cloud and how it's protected over on the other side between the data custodians and the data users We as information security Sarah has been great about this have been calling the data steward meetings and Have been directing security initiatives through those meetings But also the data users are bringing up functionality issues with things like our banner installation and whatnot and and really it's not a game of One side versus the other that we're trying to be the the peacemaker between the two It's really a game of the risk where we're all trying to protect the same thing We're all trying to protect that chunk of data, you know The the the information that we house that is you know the sensitive critical information and The program that you know that we've been really pushing and taking out to our these groups and Communicating to these groups is this idea of risk reduction through remove redact and restrict and That's and that's really where we focus now I'll end up visiting this slide a couple times or a slide like it Because we really stress to those end user groups the idea of removing The three Rs has worked very very very good well with in our within our organization And again, I'll tell you that the object of the game is not One side versus the other it really ends up being can we convert the different groups? from data hoarders to data stewards The data users can we partner with all those groups and have data users that? You know respond with with properly with records retention policies and That become good data stewards in our organization, and it didn't play That's okay at the process that that we look at the process that I've looked at to get there is Simply rock, and I've asked folks, you know, do you want to rock in your organization and The acronym standing for recruit organize communicate and kickstart, and I'm going to really go through those phases as kind of a Cookbook if you will to get your users I think from from those data users to data stewards when all is said and done so the idea of Recruiting the appropriate team members again. That was something that was talked about in the keynote And I think it's very important and when I say organize organize assets. What's most important to your organization? Organize policies. What should you take out? To to communicate and then the possible solutions and then communicate those I Think doing some homework to end up with some quick wins is important as as well So in the game of risk we build armies We end up, you know coming with a strategy where we want to attack the problem and Again looking at the two sides The governance side and I'll say the data use or utilization protection, you know kind of the operations side of the house We as information security have gathered two teams The first team we call the governance Team the GRC team And the GRC team is made up of a representative from legal risk management, and we have some faculty staff representatives we have some executive representatives It's designed really to look at policy and direction and and compliance Issues and then to be able to carry that water and communicate over to the other side to the to the data users and and data Custodians and and communicate some of those policy issues So we meet we have a representative group we try to meet once a month and And you know raise some of those issues and then we have a data e-security Committee where we test out Some of the solutions that we're seeing To provide they might be technical solutions They might be you know with this policy work, and then we kind of carries those solutions To more of a broader audience when we move on to some of the other areas now I will tell you some of the attributes that come into play. I Like to ask the question, you know, and I have a poll after this But how many folks here have dedicated legal counsel on there at their university? Okay, we have about a show of about I'll say 30 40 percent of hands. How many folks have dedicated risk management? Okay, about the same loop maybe a slightly smaller group and we are fortunate in that we have both and both Continue to ask us from the information security side of things to Have input as I said in purchase purchasing decisions With the risk management folks, we do have cyber insurance. I'll ask that question How many colleges universities have cyber insurance that are here? Okay, that's also about the same about the same representation as amount of risk management Just know there's a lot of bang for the buck with the cyber insurance. I mentioned this in a couple of presentations yesterday our particular insurer Beasley we do get Access to things like posters policy templates. There's webinars. There's all kinds of great stuff, you know Similar to being involved in in ren Isaac If your institution's purchasing cyber insurance, there's a good chance that there's a lot of free resources Available through that so it's it's something worth taking advantage of And Again, you know for anyone who would if it eventually gets there. That's the fun of taking a chance with polling For anyone who would like to respond and I'll skip that I do do have an active poll With some of the questions I asked here to kind of get a distribution of folks who have Legal and risk management on their team The other thing I would tell you want to do organize Arm yourself with policies, especially the policies that are necessary to really make a difference to enact some some data Reduction in your organization to get away from the data hoarding So, you know the game again comes down to the data hoarders versus versus the data stewards and we want to get them to the data stewards and Sarah brought this up before I don't care how you've classified your data We can quibble all you want on this should be here or there The bottom line is communicate that data classification policy out to your membership Where can you store data and I'm going to talk about this a little bit later when in in the communicate the sea of the rock but but you Certainly want to be armed with your data classification and define data to the users. That's important You know, you want to you want to be armed with data classification and you want them to be familiar with it as well I usually start out those sessions by asking questions like You know, you tell me what kind of data is sensitive What kind of data is breach? Notifiable and and folks respond back. So I think they they get that Information and the second and I think the thing area. I'd like to focus is is data retention We found in particular at at Lehigh The our legal department had vetted the trustees had approved a data retention policy It was communicated out to the data stewards and and those data users and custodians and said Basically go to it. Here you go Remove the data Take care of it. You know not not a direction of The connection of how to and again, I think that's a bridge you can you can build But you definitely want to be armed with your data retention policy Now how many folks in the audience have data retention policies at their university? Okay, all right And I'll tell you if you don't Or if you're just constructing one there are some resources I have actually here in the in the links I'm going to just open a couple first off Edge cause That's why maybe so it's nice when you lose your connection and then I'll throw it up for everyone in the world to say Really? Yes and Here this way Edge cause does have some resources on on their site a Collection in a library for data retention policies It's always wonderful when things work great when you have them disconnected and there we go So there is a library of Data retention policies on the edge cause site if you do a search for them Those are kind of nice. I'm going to tell you that one of the things that I have in the PowerPoint presentation here is a link The American Institute of CPAs and this may take just a second to load In doing some research for data retention policies now Lehigh had one But again, how to best communicate that to the data stewards and the end users was was very important to me And when we're talking to finance and administration people finance administration people just love when you're talking About finance and administration bodies that have you know given some guidance to what they should do And this document in particular a practice aid for records records retention I absolutely love It's not super long. It's actually a pretty quick read and In particular, I think all I had to do and I'm not expecting you to read here Was really bring up two pages, which was pages five and six of this document. How is a record? retention strategy developed and some of the key components the wise and show that to them and then some elements of a good policy and I also like the section. How do I develop my records retention policy? and there is I'm going to tell you there is nothing here that I Would say is any different from a data retention policy versus, you know, the this is designed for information security by the American Institute of CPAs, so this is this is very well done and again Kind of gives you a little bit of a connection to street cred if you will to your your data users from finance and administration and last but not least I Will hyperlink here just quickly to our data retention policy You can look at other samples as well figure that throws ours up here One of the things I think that is very important with a good data retention or records retention policy And is done here is is kind of simple matrices for the departments To easily define what records that the particular department is responsible for and What the you know record retention amounts for that data are something that's very clearly defined and If you're meeting like I would I had met with athletics if you're meeting with finance and administration Take their sections and deliver them. Don't give them the whole document You know and say read or hey, this is important. Give them the sections that are important To them that match up with theirs Just to plug another Entity, I don't know if we have anybody from Cornell here in session But Cornell has a policy records retention policy that they have out on the web and it's structured very much the same way And I happen to like it a lot as well so we definitely want to You know be armed with our data retention policy some clear goals for retention Defined categories we we we saw that as as well and again, I'm going to go back to this idea of remove redact and restrict data And the sea of the rock process communicate so we went out communicating the three R's and Our first step when I say communicate and I mean it our first step is Removal Removal and I can't stress that enough Removal and I joke with our our folks in the administration and I you know of all Folks I quote Miyagi from the karate kid, you know best way to avoid punch. No be there Best way to avoid breach Data no be there Okay, do we need to collect it Do we have old data? Why are we keeping it? I mean really ask those questions and I'm gonna tell you those questions go a long way because the Administrative folks they they do ask that of themselves. They do say gee really, you know, we've had this information We've had this spreadsheet. We've had this report for you know It's sat sat in in a common drive for since 2006. Do we still need it? No get rid of it You know, it's ways to reduce You know that that risk and that's what we're looking for. Yes a question. I just want to second those remarks We just went through a similar process at our institution. We discovered that our You know our campus card database Was retaining information going back many many years And the earlier records were still based on no social security number and once we looked at that People realized that's not a good thing. They were very cooperative and removing it But had we not asked that question they wouldn't necessarily have known that it was there likewise our business intelligence warehouse Which is collecting data from repositories all all over the campus We recently got them to agree that well They really don't need the social security number included in that in the delivery of that information Yeah, and that's a that thank you That's a fantastic comment that you've had there too because do we even need to do we need to keep it? Do we need even need to collect it? Not too long ago at a discussion with our parking services and to pay fines They were going to allow outsiders to create an account to pay fines via credit card And process the credit card through a third party But the data they wanted to collect to create a unique user account was The driver's license and I said do we really do you really need to collect driver's license? And when I pointed out that first I said you're collecting a breach Notifiable item in the state of Pennsylvania. So so if they enter it great, but second We have no ties to the you know, Pennsylvania New Jersey Department of Motor Vehicles to validate whether that's a real number or Not so not only are we collecting data that's breach notifiable, but we have no way to validate whether it's correct or not So why bother? You know, what else can we do? Oh, well, we can set it up that you know They can use their email or a unique email address great that that is not something that we're gonna have to breach notify on so getting involved in the process to of of Early on of removing that information. I think I think is very very important and that's why I stress stress the remove It's interesting. I I Know a lot of folks and you know a lot of presentations and I'll be one here, too We we end up quoting to to our users because we're a university that you know talking about the University of Maryland breach And the fact that they went through a records reduction afterwards that that claimed to reduce records by 75% So we want to be proactive. I actually use a a much larger example I don't know folks are aware of the the South Carolina Department of Revenue breach But that that breach was somewhere around 3.3 to 3.6 million records most of which was supposed to be record due to records retention expunged from the system, so It's just you know want to get rid of it and the other thing that we tell the users, too Is that there's this fountain effect this kind of waterfall effect? If we can remove the data and lessen the risk, we don't have to come in with that last item perhaps as vigorously and restrict acts I say restrict access we still want to restrict access but a lot of times Information technology people want to apply technical solutions to restrict multi-factor authentication And you know let's let's use some of the tools and I'm not downplaying those in fact I'll talk about them later But but that should be our last line that should be you know Hey, the reason we end up talking about implementing greater restrictions and multi-factor authentication some of the reasons Yes, is the importance of the data and the importance of the asset But it's also the fact that you know that's that seems to be the option that information Technology has because we can't come to some agreement to remove and reduce the data and reduce the risk So I think that becomes extremely important. So again, I mentioned the the South Carolina Department of Revenue that that Little graphic actually hyperlinks to a description Some of the credit card information that was obtained in that breach was so old That the credit card companies didn't care It was it was the breach was 2013 the credit card information that was obtained was 2003 and prior so they actually had credit card information stored in excess of 10 years and You know, it just does not need to be there The other thing I would tell you with communications and and we ourselves are working on this I think I've seen a couple matrices of this. I could bring up Stanford's Where they map where data can be stored based on its classification with the storage technologies that they provide This is something that that we're also working on as well And that includes different onsite cloud services, etc I think if you come to your users with that because you're going to get asked a question Well, if I can't send it via or I can't keep it stored on a common drive or here. Where can I put it? You're going to get asked those questions and we certainly did So I will tell you be prepared to answer them The other thing I will tell you is again the two graphics on this page the cloud and the confidential We did develop a cloud storage policy and a cloud services guide for vetting vendors for for security for storage of data in the cloud and our purchasing and legal departments Use those guides and we try and put all purchasing agreements for Outsourcing through the review of legal purchasing information security and the cloud services guide You folks are, you know, certainly welcome to to access those. I'm not sure which one I have first I have the policy first and the guides kind of Say the guides is actually longer than the than our policy You know where we you know tell purchasing to our purchasing folks to take a look at some specifics of access privileges, etc When we're moving data out into the cloud So we take a look at that as well And and I'm going to say again, you know when we finally reach restrict We've probably reached the point of You know last resort kind of thing and that's where you know applying some of the technology solutions is a good thing The online trust alliance 76 percent of breaches Were the result of stolen account credentials and we try and communicate that to our users as well Again some of the rationale for protecting their account credentials We revisit fishing and the importance of that as well and protecting the data but again, that's all part of the communication process and I think I'd be remiss if I didn't have the you know, what does it mean on a per record basis? the thing that we did find very important in communicating with our membership with the $200 per record breach and and there's varying numbers on that the thing we did found very find very effective was our cyber insurer does have a deductible and Communicating that look based on that. We're responsible for the first X amount of records You know as a deductible so be aware. There's there's a cost to this. It's not oh insurer covers this Some of the ways that we do the outreach With our membership meeting with the data stewards users. We pitch the steps. You got to get out in front of folks What I say here at doing your homework for quick wins Is is is really kind of the next step and the next step of the rock process the K is the kickstart process Go for quick wins Again as the information security group if you will the information security professionals Making that bridge between compliance now now we need to talk to the data custodians We need to talk to the data users and we need to come up with some proposals And that's what we've done at our meetings come up with some proposals for some quick wins in data reduction We have X amount of records that we found that are Can we remove them and we basically put it up like it's like it's a proposal for a vote And and that's how we had to quick wins so along the way we proposed some key targets For data removal, and I think that's rather important Don't just again ask them to go back and and and you know pull their information out and do all the work Make some proposals Ask your stewards. Yes, ask them to identify You know one of the things we found in the very first meeting was yeah You're proposing that we remove these records that'll get you about you know a reduction of about 20,000 in places that You know you don't want it But gee we have these test instances where we've replicated data And we really aren't doing anything to protect that and that came you know from from one of our our DBA Folks and you know here's some things we can do wow all right So our quick win was trumped by your quick win and and I look at that as as Extremely successful communication when we go there. We thought this was a good way to go you thought differently. That's great and Then the thing you have to do and again I it's not that that I'm you know saying that You know our legal department did any in any way shape or form a bad job of communicating But you know somebody coming back and then seeing if it was complied if the project was completed if the data was successfully Removed monitoring and maintaining that and keeping momentum for other projects So that's another spot where I think information security and and the metrics and following up what dated Were we able to remove and and how did that go? So just a few quick wins stories I Actually don't have one of our initial quick wins stories was not a large amount of records. We we used a malware incident in the provost office to meet with the administrators of the provost office and report on what we found Had occurred and happened with with the malware incident. It was crypto locker And I think many of you're familiar with crypto locker and after we covered You know what we did forensically and discovered with you know what occurred with crypto locker, you know We start talking about you know their processes and simply ask the question, you know Here's the important data, you know We didn't have any issues with with this kind of sensitive data in this incident perhaps But you know what can you do to reduce remove and it was it was kind of a nice joint application Meeting I sat I've sat in many of them and this was rather nice because the users just all kicked around You know, yeah, we get applicants. We have social security numbers. We haven't stored here We don't need to send them though on we can redact the data we can and they and they solved You know some of our security issues By kicking that around and then reported back, you know that they had they had gone through that and done that with Some of the image scans and and some of the information that they had stored Which was an absolute win in in so many ways, you know, not just the the data reduction Which was not a tremendous amount of records, maybe 2000 3000 am I right on that Sarah it's that close But but just the fact that they were recognizing that that process could be changed was important We've met with our finance administration The leaders there actually had their folks go through and and look at records for records reduction they've come back to us now and and asked us can we run some of the technology scans run some identity finder scans or You know and and look and see if they've missed anything and and I again I consider that a huge victory because that's the data stewards themselves taking a look. We don't need this data Hey, can you give us some technology to take a look at what we missed and you know help us make decisions on that as well So so that that's that's kind of a nice Full circle as well We've had some PII in more globally viewable locations that I don't say globally viewable certainly to a greater audience of users that we've reduced and Again, the the wind of looking at Duplicated data in test instances, you know, what can we do with some of the test instances as well? And then as a I'll say a last resort kind of thing You know deploy the technology The interesting thing is versus telling users we're going to do it I thought the really cool thing with finance and administration was They were asking for it Can we go the next step? Can we do some scans? And I and again, I think that's that's a that's a big victory there because they're asking the process questions And then they're asking for the you know technological oversight for for some help And whatever the tools are that you use there were a bunch, you know a bunch of vendors here Some which are represented up there or Oracle presentation I sat in on if you know like us a Banner school Oracle back end data protection those, you know Some of the most critical assets, you know, can we deploy the technology now? And I could add an s to the rock to rocks and you know, the big thing is sustainability That again, we don't just drop this in the lap of the end users, but we're able to revisit it it create a repeatable process So tell me if I'm on time. That's always nice to know and then it won't shut up. That's even better There we go Finger doesn't work Review technology tools for automating the process Again, you know, what can we bring in to keep this this momentum rolling? Revisit timelines and record schedules You know see, you know, we had every year you've got new applicants So every year you're going to have data that actually can be expunged if you have a five-year six-year two-year applicant record retention policy That PI I can be reduced Absolutely, and and you know make sure you report on results I Tell Sarah all the time this will be you know an effort that goes unnoticed except when we write up a report and and submit it to You know Risk management so they can go get pricing on cyber insurance. What have you done the last year? I just wrote that That paper for them to go out and get cyber insurance pricing What types of things are? Programs or projects are you initiating and handed that off to them and hopefully next year We can give you know a little bit more of a detailed report and a report where you know Here's here's our records count this year. Here's where we've worked at at reducing records So I think I think that monitoring and feedback is important as well So I'll ask yet again another online poll if you care to participate but a poll in here Where would you say that you're your folks exist? How many how many schools think we've they've got data hoarders How many schools think they've got somewhere in between? We've got some data hoarders. We've got some Okay, and you know, I would tell you in those roles Identifying you know the those key areas sometimes it's it's gonna have some great importance If the data hoarding is occurring in your most prized asset and and the numbers are very high That might be extremely important Anybody here who's winning winning the game of rest how many data stewards we've got it covered Well, it's nice that you would attend Everyone thank you. Thank you Any questions comments Yes, I'll I'll say yes in the in the departments that we asked to do it, but I'm going to tell you that Here's where we probably had greater success with paper records and and doing the redaction then then we did with Our data records Again, that's that's another place where we're gonna. I think we're gonna end up having to go visit for a solution for those folks and Offer it up that they might use it Yeah, and I and I and I understand that you know again, it's a kind of an extra step in the process We had The provost office in particular They were talking about sending out to multiple copies and they were they actually Removed the data because the end users they were sending to might be interviewing a candidate They didn't need to know the candidates PII so so they they were not redacting. They were actually removing the information The question that he asked was about redaction and I think one of the problems we we found that was interesting is Is you know when? We were asked to remove social security numbers as our IDs. I'm sure all of you went through similar processes We did it centrally banner now, you know, we have a li high identification number and so forth But what happened is the department still kept the same business practices if they wanted that social security number in 2005 they were still keeping that on their reports But one of the things I think we're challenged with with redaction of course and and Oracle has a type of redaction is Redaction option in their security Options is that When we clone our test instances or our reporting instances of banner There needs to be some investment in doing that type of redaction where people can still run intelligent reports And that's quite a challenge and we're still Pushing to do that. So that has not been a win for us as far as the big most important data anyone else Any from our online audience? I'd like to thank you for coming. Please if there are any Individual questions we can answer. Please stop see us Contact information and be happy to give out cards and contact information Been a great group. Thanks for participating