Handling Sensitive Data: Security, Privacy, and Other Considerations
Rodney Petersen
Government Relations Officer
Security Task Force Coordinator
EDUCAUSE


Security Task Force

Goals:
- Education and Awareness
- Standards, Policies, and Procedures
- Security Architecture and Tools
- Organization and Information Sharing

Working Groups:
- Awareness and Training
- Policies and Legal Issues
- Risk Assessment
- Effective Practices and Solutions

Annual Security Professionals Conference

Security Goals: C-I-A
- Availability - computers, systems and networks must be available on a timely basis to meet mission requirements or to avoid substantial losses.
- Integrity - computers, systems, and networks that contain information must be protected from unauthorized, unanticipated, or unintentional modification.
- Confidentiality - computers, systems, and networks that contain information require protection from unauthorized use or disclosure.

Security Approaches
- People – awareness, training, policies, roles and responsibilities, staffing, etc.
- Process – procedures, work flows, systems, physical security, compliance, etc.
- Technology – layered security, vulnerability scanning, access controls, o/s and s/w updates, etc.

ECAR IT Security Study

The Headlines You Won’t Read in the Chronicle of Higher Ed or New York Times:
- The respondents feel more secure today than two years ago despite being in a perceived riskier environment.
- Respondents feel that the academic community has become more sensitive to security and privacy in the last two years.

ECAR IT Security Study, 2006

IT Security Incidents
- Ten percent of the respondents in our survey indicated that they had an IT security incident in the last twelve months, which had been reported to the press (down from 19 percent in 2003).
- A majority of institutions (74.2 percent) report that the number of incidents is about the same or less in the past twelve months as compared with the year before.
- The primary perceived risks are viruses (72.6 percent), theft of personal financial information (64.8 percent), and spoofing and spyware (55.3 percent).

ECAR IT Security Study, 2006

Data Security Incidents
- Stolen Laptops
- Missing Media
- Unauthorized access to systems
- Incident response teams
- Notification to affected individuals
- Identity theft and other types of fraud
- Data Incident Notification Toolkit

Blueprint for Handling Data
Step 1: Create a security risk-aware culture that includes an information security risk management program
Step 2: Define institutional data types
Step 3: Clarify responsibilities and accountability for safeguarding confidential/sensitive data
Step 4: Reduce access to confidential/sensitive data not absolutely essential to institutional processes
Step 5: Establish and implement stricter controls for safeguarding confidential/sensitive data
Step 6: Provide awareness and training
Step 7: Verify compliance routinely with your policies and procedures

Step 1: Risk Aware Culture
1.1 Institution-wide security risk management program
1.2 Roles and responsibilities defined for overall information security at the central and distributed level
1.3 Executive leadership support in the form of policies and governance actions

Risk Management Framework

Risks Incurred

Damage | Percent
Business application, including , unavailable | 33.7%
Network unavailable | 29.4%
Information confidentiality compromised | 26.0%
Damage to software | 21.5%
Damage to data | 12.5%
Negative publicity in the press | 10.0%
Identity theft | 8.4%
Damage to hardware | 7.4%
Financial losses | 6.4%

ECAR IT Security Study, 2006

Risk Assessments
- 55 percent do some type of risk assessment
- But less than 9 percent cover all institutional systems and data.

ECAR IT Security Study, 2006

Responsibility for IT Security
- IT Security Officer (up to 35% from 22%)
- CIO (up to 14% from 8%)
- Other IT Directors (down to 50% from 67%)

IT Security Plan
- 11.2 percent - a comprehensive IT security plan is in place
- 66.6 percent - a partial plan is in place
- percent - no IT security plan is in place

ECAR IT Security Study, 2006

Policies in Place
- Individual employee responsibilities for information security practices (73%)
- Protection of organizational assets (73%)
- Managing privacy issues, including breaches of personal information (72%)
- Incident reporting and response (69%)
- Disaster recovery contingency planning (68%)

Policies in Place
- Investigation and correction of the causes of security failures (68%)
- Notification of security events to: individuals, the law, etc. (67%)
- Sharing, storing, and transmitting data (51%)
- Data classification, retention, and destruction (51%)
- Identity Management (50%)


Step 2: Define Data Types
2.1 Compliance with applicable federal and state laws and regulations - as well as contractual obligations - related to privacy and security of data held by the institution (also consider applicable international laws)
2.2 Data classification schema developed with input from legal counsel and data stewards
2.3 Data classification schema assigned to institutional data to the extent possible or necessary

Step 3: Clarify Responsibilities
3.1 Data stewardship roles and responsibilities
3.2 Legally binding third party agreements that assign responsibility for secure data handling

Step 4: Reduce Access to Data
4.1 Data collection processes (including forms) should request only the minimum necessary confidential/sensitive information
4.2 Application outputs (e.g., queries, hard copy reports, etc.) should provide only the minimum necessary confidential/sensitive information
4.3 Inventory and review access to existing confidential/sensitive data on servers, desktops, and mobile devices
4.4 Eliminate unnecessary confidential/sensitive data on servers, desktops, and mobile devices
4.5 Eliminate dependence on SSNs as primary identifiers and as a form of authentication

Step 5: Controls
5.1 Inventory and review/remediate security of devices
5.2 Configuration standards for applications, servers, desktops, and mobile devices
5.3 Network level protections
5.4 Encryption strategies for data in transit and at rest
5.5 Policies regarding confidential/sensitive data on mobile devices and home computers and for data archival/storage
5.6 Identity management and resource provisioning processes
5.7 Secure disposal of equipment and data
5.8 Consider background checks on individuals handling confidential/sensitive data

Security Approaches in Place
- Perimeter firewalls: 77%
- Centralized backups: 77%
- VPNs for remote access: 75%
- Enterprise directory: 75%
- Interior network firewalls: 65%
- Intrusion detection: 62%
- Active filtering: 59%
- Intrusion prevention: 44% (up from 33%)
- Security Standards for Applications: 32% (up from 27%)

ECAR IT Security Study, 2006

Step 6: Awareness and Training
6.1 Make confidential/sensitive data handlers aware of privacy and security requirements
6.2 Require acknowledgment by data users of their responsibility for safeguarding such data
6.3 Enhance general privacy and security awareness programs to specifically address safeguarding confidential/sensitive data
6.4 Clearly communicate how to safeguard data so that collaboration mechanisms such as have strengths and limitations in terms of access control

Awareness Programs

 | Students | Faculty | Staff
Program | % | 38.2% | 42.2%
Program | % | 68.8% | 69.1%
Percent change | 23.1% | 30.6% | 26.9%

ECAR IT Security Study, 2006

Step 7: Verify Compliance
7.1 Routinely test network-connected devices and services for weaknesses in operating systems, applications, and encryption
7.2 Routinely scan servers, desktops, mobile devices, and networks containing confidential/sensitive data to verify compliance
7.3 Routinely audit access privileges
7.4 Procurement procedures and contract language to ensure proper data handling is maintained
7.5 System development methodologies that prevent new data handling problems from being introduced into the environment
7.6 Utilize audit function within the institution to verify compliance
7.7 Incident response policies and procedures
7.8 Conduct regular meetings with stakeholders such as data stewards, legal counsel, compliance officers, public safety, public relations, and IT groups to review institutional risk and compliance and to revise existing policies and procedures as needed

FTC Guide: Protecting Personal Information
- Take stock. Know what personal information you have in your files and on your computers.
- Scale down. Keep only what you need for your business.
- Lock it. Protect the information that you keep.
- Pitch it. Properly dispose of what you no longer need.
- Plan ahead. Create a plan to respond to security incidents.

Characteristics of Successful IT Security Programs
- Institutions with IT security plans in place characterize their IT security programs as more successful and feel more secure today.
- The respondents who believe their institution provides necessary resources give higher ratings for IT security program success and their current sense of IT security.
- The biggest barrier to IT security is lack of resources (64.4 percent), especially at smaller institutions, followed by an academic culture of openness and autonomy (49.6 percent), and lack of awareness (36.4 percent).

ECAR IT Security Study, 2006

For more information

Rodney Petersen
Phone:

EDUCAUSE/Internet2 Security Task Force
EDUCAUSE Center for Applied Research
Blueprint for Handling Sensitive Data
wiki.internet2.edu/confluence/display/secguide