Ferst Center Incident Incident Identification – Border Intrusion Detection System Incident Response – Campus Executive Incident Response Team Incident.

Presentation transcript:

Ferst Center Incident
- Incident Identification – Border Intrusion Detection System
- Incident Response – Campus Executive Incident Response Team
- Incident Analysis – Patron Credit Card Information Disclosed
- Incident Communications Management – Publicize Service Restoration – Change Business Practices
- Incident Impact – Significant Image, Regulatory and Financial Issues
- Remedial Actions – Campus-Level Policy, Process and Architectural Reviews

“Federal and state laws relating to privacy and information technology security have become increasingly complex in nature, and the practical effect of these laws on colleges and universities is just beginning to unfold.”
– A Legal Perspective, prepared for the EDUCAUSE/Internet2 Computer and Network Security Task Force, 2003

Family Educational Rights and Privacy Act (FERPA) – 97
“FERPA generally imposes a cloak of confidentiality around student educational records, prohibiting institutions from disclosing ‘personally identifiable education information.’”

Health Insurance Portability and Accountability Act (HIPAA) – 5
“HIPAA generally requires covered entities to (i) adopt written privacy procedures that describe, among other things, who has access to protected information, how such information will be used, and when the information may be disclosed; (ii) require their business associates to protect the privacy of health information; (iii) train their employees in their privacy policies and procedures; (iv) take steps to protect against unauthorized disclosure of personal health records; and (v) designate an individual to be responsible for ensuring the procedures are followed.”

Gramm-Leach-Bliley Act (GLBA) – 106
“The GLBA includes requirements to take steps to ensure the security of personally identifying information of financial institution customers, such as names, addresses, account and credit information, and Social Security numbers.”

Cardholder Information Security Program (CISP) – 12
VISA compliance

220 sensitive data servers (97 + 5 + 106 + 12) scattered across 39 Academic, Research and Administrative units
- What steps should be taken to mitigate this risk? -

Layered Security Approach for Securing GT’s IT Infrastructure
Legend: FW = Firewall, IDS = Intrusion Detection System, VPN = Virtual Private Network

Non-Technical Measures
- Education, Awareness & Training – Students, Faculty, Staff, CSR/CSS
- Policy Development – finish unit-level policies; sensitive/unit server (create); wireless (create); data access (revise); data retention (create); backup and recovery (create)
- Risk Management – unit-level self assessment; business process review for all sensitive servers; system acquisition reviews / system connection; operations monitoring of IDS and firewalls 24x7; Internal Audit & OIT IS joint review of audit findings; centralized vulnerability assessment
- Architectural Reviews

Technical Measures
- Campus border filters
- Border IDS (I1, I2)
- Campus Vulnerability Scanning
- Network domains: Student Domain (ResNet/EastNet), Education Domain, Admin Domain, Private Services – each fronted by a router, with FW, VPN and IDS where the domain calls for them, and each carrying the same host-level layers: Education, Policy, Host-based Security, Secured Services

Unit Level Measures
- Buzzcard System
- Building Access Controls
- Environmental Controls
- Digital Signage
- Other Sensitive Systems – as required

Layered Security Issues
- Building CSR/CSS skill sets – commitment of training $
- Tool Repositories – for Solaris, Linux & Windows
- Supported OS builds (Solaris/Linux/Windows)
- System administration guidance – in addition to GT’s SANS guides
- Current patch lists (Solaris/Linux/Windows) – can we maintain this? Patch management
- Decision support guidelines – before you purchase or accept a donation
- Spam – costing us in system processing and human time
- Intrusion Prevention (opt in?) – we know who to block – how can we?
- Architectural options/decisions – separate admin/academic networks, firewall ResNet from other campus domains
- Campus information security advisory committee
- External information security advisory board