Information & Communication Technologies, NMSU (All About Discovery!): Risk-Based Information Security Program at NMSU, presented by Norma Grijalva

Risk-Based Information Security Program at NMSU
Norma Grijalva, NMSU Chief Information Officer
John Roberts, NMSU Chief Information Security Officer
October 2, 2014

Data Privacy Laws/Regulations
– FERPA – Family Educational Rights and Privacy Act
– HIPAA – Health Insurance Portability and Accountability Act
– GLBA – Gramm-Leach-Bliley Act
– RFR – Red Flags Rule of the Federal Trade Commission
– FISMA – Federal Information Security Management Act
– PCI DSS – Payment Card Industry Data Security Standard
Others exist, but the above are the primary ones.

General Institutional Requirements
FERPA, HIPAA, GLBA, RFR, FISMA, and PCI DSS all require the following:
– Designated information security responsibility
– A risk-based information security program
– Data security policies and procedures
– Monitoring and incident handling/compliance
– Data security training and awareness

Consequences of Noncompliance
– FERPA – Loss of federal funding to the institution
– HIPAA – Monetary penalties of up to $6M per year
– GLBA – Fines and imprisonment
– RFR – Federal fines
– FISMA – Loss of research and contract funding
– PCI DSS – Fines, and removal of the institution's ability to accept credit card payments

Recent Higher Ed Data Breaches
– Butler University, June 2014 – 163,000 records taken
– Iowa State University (NMSU peer), April 2014 – 48,729 records taken
– North Dakota University System, March 2014 – 291,465 records taken
– Indiana University, February 2014 – 146,000 records taken
– University of Maryland, February 2014 – 309,079 records taken

Hard Costs Related to Breaches
– Maricopa County Community College District: costs of last year's data breach are approaching $20 million
– University of Maryland: paying $2.6M just for credit monitoring of breach victims; other costs TBD
– Target: estimates data breach costs at nearly $150 million, and its shares are down
These are just a few examples.

NMSU's Risk
If hackers compromised Banner, how many unique Social Security numbers would they have access to?
A. 10,000
B. 25,000
C. 50,000
D. I already have enough trouble sleeping at night

Answer: ~500,000 (including the SSNs of the people sitting to your right and left)

NMSU's Risk (continued)
– In addition to Social Security numbers and other Personally Identifiable Information (PII), NMSU's systems contain other regulated data
– Not all regulated data resides centrally: desktop/shadow systems and departmental servers may also hold regulated data
– We still get reports of PII being transmitted "in the clear" (unencrypted) despite NMSU data security policy

Estimated Cost of a Data Breach
Based on the 2013 study by the Ponemon Institute & Symantec:
– $111 per record at US universities and colleges
– $136 per record across all industries
Estimated cost of a breach at NMSU:
– $55,500,000, based on the loss of 500,000 records at $111 per record
– Includes costs associated with loss of public confidence, reputation, etc.

Breaches Bring Greater Focus
Higher education institutions are reacting to data breaches by committing to improved data security:
– University of Maryland created a President's Task Force on Cybersecurity, added more staff, and purchased expensive security tools
– Iowa State University is creating policies, deploying security tools, etc.

NMSU Is Being Proactive
– Enhancing security practices within the technology: network, servers, software
– Implementing new security tools
– Beefing up training, awareness, and compliance across the institution
– Working to establish a risk-based information security program
– Doing what we can with available resources, but more is needed

Changing IT Landscape
Factors that are now shaping IT:
– Greater and very real threats to institutional data
– Integration of information technology into all areas of NMSU's business, requiring a strategic rather than strictly operational perspective on IT
– Growing competition for IT resources, requiring better planning, resource allocation, and sharing
A move to IT governance is key!

Information Technology Governance
Just what is IT governance?
– The processes that ensure the effective and efficient use of IT in enabling an organization to achieve its goals. (Gartner)
What does IT governance do for NMSU?
– Ensures the effective evaluation, selection, prioritization, and funding of competing IT investments
– Optimizes resources
– Lowers risk
– Enhances measurement of institutional IT performance

IT Governance, Then Data Governance
Data governance is born of IT governance: once IT governance is established, data governance follows.

Governance Leads to Security
IT and data governance are the foundation of data security, culminating in protection that is based on identified risk.
– Awareness is the first step
– Information security is everyone's responsibility
Appropriate governance ensures that the university is in compliance with data security laws and NMSU policies.

To successfully protect our data, we need your support!

How Do We Do This?
1) Safe computing practices
– Password protection on your computer (lock the computer when you walk away)
– Anti-virus / anti-malware software
– Firewall
– Automatic updates

How Do We Do This? (continued)
2) Data protection
– All mobile storage devices need to be encrypted: jump drives, laptops, external storage devices
– All devices where regulated data is stored need to be encrypted
– Options:
  File encryption (if you inadvertently send a file to the wrong person, it is still protected)
  Device encryption

File Encryption (demonstration slide)

How Do We Do This? (continued)
3) Data discovery
– Identity Finder: a tool to assist in locating regulated data on desktops, shares, and departmental servers
– End-user policing: do we have a bad practice running somewhere?
4) Password strength
– Develop a passphrase
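The data-discovery step above, and the earlier point that regulated data also sits on desktop/shadow systems and departmental servers, is what a tool such as Identity Finder automates. The following is an added example and is not code from the presentation or from Identity Finder: a small Python scanner that walks a directory tree and reports Social Security numbers and payment card numbers. Pattern matching alone produces many false positives, so each candidate is validated (SSA structural rules for SSNs, the Luhn checksum for card numbers). It assumes plain-text files (real discovery tools also open Office and PDF containers), and the departmental share it scans is constructed inline, not real NMSU data.

```python
"""Added example: find SSNs and payment card numbers in a directory tree.

Not from the NMSU presentation and not Identity Finder's code. Assumes plain-text
files (real discovery tools also open Office/PDF containers) and uses a
constructed sample tree, not real NMSU data.
"""
import re
import tempfile
from pathlib import Path

# Loose patterns; the validators below reject most look-alike numbers.
# \2 forces the same separator (or none) in both positions, so a 9-digit
# run inside a spaced card number does not also register as an SSN.
SSN_RE = re.compile(r"\b(\d{3})([- ]?)(\d{2})\2(\d{4})\b")
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")  # 13 to 19 digits


def valid_ssn(area, group, serial):
    """Structural rules the SSA uses: area never 000, 666 or 900-999,
    group never 00, serial never 0000."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return group != "00" and serial != "0000"


def luhn_ok(digits):
    """Luhn checksum used by payment card numbers: double every second digit
    from the right, subtract 9 if the doubled value exceeds 9, sum mod 10 == 0."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_identifiers(text):
    """Return [(kind, matched_text), ...] for validated SSNs and card numbers."""
    hits = []
    for m in SSN_RE.finditer(text):
        area, _sep, group, serial = m.groups()
        if valid_ssn(area, group, serial):
            hits.append(("ssn", m.group(0)))
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            hits.append(("card", m.group(0)))
    return hits


def scan_tree(root):
    """Map relative file path -> identifier hits, for every readable file under root."""
    root = Path(root)
    findings = {}
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        try:
            text = path.read_text(errors="ignore")
        except OSError:
            continue
        hits = find_identifiers(text)
        if hits:
            findings[path.relative_to(root).as_posix()] = hits
    return findings


def demo():
    """Build a constructed departmental share (sample data, not real) and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "dept").mkdir()
        # One valid SSN and one with an impossible area number (000).
        (root / "dept" / "roster.csv").write_text(
            "name,id\nA. Student,123-45-6789\nB. Student,000-12-3456\n")
        # A Luhn-valid test card number next to one that fails the checksum.
        (root / "dept" / "payments.txt").write_text(
            "card 4111 1111 1111 1111 approved; card 4111 1111 1111 1112 declined\n")
        # Phone numbers and extensions must not be reported.
        (root / "notes.txt").write_text("call 575-646-1234 ext 4444\n")
        return scan_tree(root)


if __name__ == "__main__":
    for path, hits in sorted(demo().items()):
        print(path, hits)
```

Run as a script it prints only the two files that hold a validated identifier; the invalid SSN, the card number with a bad checksum, and the phone number are all dropped by the validators rather than by the regexes, which is the part worth copying when building an internal sweep.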

How Do We Do This? Phishing
– How can I tell? What should I do?
– Don't click links and don't open attachments
– Targeted phishing & social engineering assessments (NMSU-generated spam)
Etiquette
– Be aware of the To and CC fields, especially when sending to a list
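"How can I tell?" has concrete answers: a display name that claims the university while the address is elsewhere, a Reply-To pointing at a third domain, a link whose visible text shows one host while the href goes to another, a look-alike host built around the university's name, and pressure language. As an added example, not from the presentation and not NMSU's mail filtering, the Python below checks a raw message for those indicators using only the standard library. Both messages, and every sender and link domain in them, are constructed for the example.

```python
"""Added example: flag common phishing indicators in a raw e-mail message.

Not from the NMSU presentation and not NMSU's filtering. The messages below
are constructed samples; the sender and link domains in them are made up.
"""
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlparse

URGENCY = ("verify your account", "within 24 hours", "suspended", "password will expire")


def host_of(url):
    return (urlparse(url).hostname or "").lower()


def domain_of(addr):
    return addr.rpartition("@")[2].lower()


def phishing_indicators(raw_message, trusted_domain="nmsu.edu"):
    """Return a list of human-readable warnings; an empty list means nothing obvious."""
    msg = message_from_string(raw_message, policy=policy.default)
    org = trusted_domain.split(".")[0]          # "nmsu"
    flags = []

    # 1. Display name claims the organisation but the address is elsewhere.
    name, from_addr = parseaddr(str(msg.get("From", "")))
    from_dom = domain_of(from_addr)
    if org in name.lower() and from_dom != trusted_domain:
        flags.append(f"sender name mentions {org} but address is @{from_dom}")

    # 2. Replies are routed to a different domain than the sender's.
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    if reply_addr and domain_of(reply_addr) != from_dom:
        flags.append(f"Reply-To domain {domain_of(reply_addr)} differs from {from_dom}")

    # 3. Links whose visible text shows one host while the href goes elsewhere,
    #    and look-alike hosts that contain the org name but are not under it.
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    for href, shown in re.findall(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', text, re.I | re.S):
        real_host = host_of(href)
        shown_host = host_of(shown.strip()) if "://" in shown else ""
        if shown_host and shown_host != real_host:
            flags.append(f"link text shows {shown_host} but points to {real_host}")
        under_trusted = real_host == trusted_domain or real_host.endswith("." + trusted_domain)
        if real_host and org in real_host and not under_trusted:
            flags.append(f"look-alike host {real_host}")

    # 4. Pressure language typical of credential-harvesting mail.
    lowered = text.lower()
    flags.extend(f"urgency phrase: {p!r}" for p in URGENCY if p in lowered)
    return flags


# Constructed sample: every domain here is invented for the example.
PHISH = """\
From: NMSU IT Help Desk <helpdesk@nmsu-support.com>
Reply-To: recover@mail-verify.net
To: student@nmsu.edu
Subject: Action required
Content-Type: text/html; charset="utf-8"

<p>Your mailbox will be suspended within 24 hours.</p>
<p>Please visit <a href="http://nmsu-edu.login-verify.net/auth">https://my.nmsu.edu/</a>
to verify your account.</p>
"""

# Constructed benign sample for contrast.
LEGIT = """\
From: NMSU IT Help Desk <help@nmsu.edu>
To: student@nmsu.edu
Subject: Maintenance window
Content-Type: text/html; charset="utf-8"

<p>E-mail will be unavailable Saturday 02:00-04:00. Status:
<a href="https://my.nmsu.edu/status">https://my.nmsu.edu/status</a></p>
"""


if __name__ == "__main__":
    for label, raw in (("phish", PHISH), ("legit", LEGIT)):
        print(label, phishing_indicators(raw))
```

None of these checks is proof on its own (a legitimate vendor can use a separate Reply-To), but a message that trips several of them is exactly the one the slide says not to click; the same checks are a reasonable starting point for scoring the NMSU-generated assessment mail.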

How Do We Do This? The VPN
What is a Virtual Private Network (VPN)?
– Your own end-to-end encrypted network path
How do I get it and use it?
– Go to vpn.nmsu.edu and enter your credentials: auto install / manual install
– Use it everywhere, including Aggie Air, until 2015
– Types: Full tunnel (NMSU-Full) vs. "not so full" (NMSU)
– What's coming next?

Risk-Based Information Security Program at NMSU
Questions? Thanks!
Norma Grijalva, John Roberts
