STANFORD UNIVERSITY RESEARCH COMPUTING Are we outliers? Institutional minimum security requirements RUTH MARINSHAW OCTOBER 14, 2015.

Stanford University Risk Classifications

Low Risk
Data and systems are classified as Low Risk if they are not considered to be Moderate or High Risk, and:
1. The data is intended for public disclosure, or
2. The loss of confidentiality, integrity, or availability of the data or system would have no adverse impact on our mission, safety, finances or reputation.

Moderate Risk
Data and systems are classified as Moderate Risk if they are not considered to be High Risk, and:
1. The data is not generally available to the public, or
2. The loss of confidentiality, integrity, or availability of the data or system could have a mildly adverse impact on our mission, safety, finances or reputation.

High Risk
Data and systems are classified as High Risk if:
1. Protection of the data is required by law/regulation,
2. Stanford is required to self-report to the government and/or provide notice to the individual if the data is inappropriately accessed, or
3. The loss of confidentiality, integrity, or availability of the data or system could have a significant adverse impact on our mission, safety, finances or reputation.

Examples

Low Risk
- Research data (at data owner's discretion)
- SUNet IDs
- Information authorized to be available on or through Stanford's website without SUNet ID authentication
- Policy & procedure manuals designated by the owner as public
- Job postings
- University contact information not designated by the individual as "private" in StanfordYou
- Information in the public domain
- Publicly available campus maps

Moderate Risk
- Unpublished research data (at data owner's discretion)
- Student records & admission applications
- Faculty/staff employment applications, personnel files, benefits, salary, birth date, personal contact information
- Non-public Stanford policies & policy manuals
- Non-public contracts
- Stanford internal memos & , non-public reports, budgets, plans, financial info
- University and employee ID numbers
- PTA numbers
- Engineering, design & operational information regarding Stanford infrastructure

High Risk
- Health Information, including Protected Health Information (PHI)
- Health Insurance Policy ID #s
- Social Security #s
- Credit card #s
- Financial account #s
- Export controlled information under US laws
- Driver's license, Passport & Visa #s
- Donor contact information & non-public gift information

Special note to Stanford researchers: Except for regulated data such as protected health information (PHI), Social Security Numbers, and financial account numbers, research data and systems predominately fall into the Low Risk classification.

Minimum Security Standards: Servers
(Standard: what to do. The original slide also marks, per standard, whether it applies to Low, Moderate and High risk systems; the asterisks are as on the slide.)

- Patching*: Based on NVD, patch high severity within 7 days, medium severity within 14, low within 28; supported OS
- Inventory*: Review/update NetDB & SUSI quarterly
- Firewall: Default deny, permit minimum necessary services
- Credentials & Access Control: Review accounts & privileges quarterly. Enforce password complexity. Recommend login via Kerberos.
- 2-step Authentication*: Require Duo for all interactive & administrator logins
- Centralized logging: Send logs to remote server; SU Splunk recommended
- Sysadmin training*: Attend 2 days of SU Info Sec Academy annually
- Vulnerability Management*: Monthly Qualys scans. Remediate severity 5 within 7 days, severity 4 within 14, severity 3 within 28 days
- Malware Protection*: Deploy Bit9 in high enforcement mode
- Intrusion Detection*: Bit9 on supported platforms, else OSSEC or Tripwire
- Physical Protection: Place system hardware in a data center
- Dedicated Admin Workstation: Admin accounts accessed only from an approved Personal Bastion Host
- Security, Privacy & Legal Review*: Request review & implement recommendations before deployment
- Regulated Data Security Controls: Implement PCI DSS, HIPAA or export controls as applicable
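The patching and vulnerability-management rows above are the two standards with hard numeric deadlines, and in practice a research-computing group has to show, per host, which findings are inside their window. The following is an added example (not code from the presentation or from Stanford) of how to turn those two rows into a compliance check. Assumptions, labelled in the code: the NVD severity bands are the CVSS v2 ones (Low 0-3.9, Medium 4.0-6.9, High 7.0-10.0), since the slide names only high/medium/low; the clock starts on the day the fix or finding was published; the hosts and vulnerability identifiers in the sample inventory are constructed, not real CVEs.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Remediation windows from the server standard: NVD severity band for
# OS/application patching, Qualys severity level for scan findings.
PATCH_WINDOW_DAYS = {"HIGH": 7, "MEDIUM": 14, "LOW": 28}
QUALYS_WINDOW_DAYS = {5: 7, 4: 14, 3: 28}  # severity 1-2 carry no deadline on the slide


def nvd_severity(cvss_base: float) -> str:
    """Map a CVSS base score to the NVD severity band used by the standard.
    Assumption: CVSS v2 bands (Low 0-3.9, Medium 4.0-6.9, High 7.0-10.0).
    The slide names only high/medium/low, so a v3 'Critical' score is HIGH here."""
    if not 0.0 <= cvss_base <= 10.0:
        raise ValueError(f"CVSS base score out of range: {cvss_base}")
    if cvss_base >= 7.0:
        return "HIGH"
    if cvss_base >= 4.0:
        return "MEDIUM"
    return "LOW"


@dataclass
class Finding:
    host: str
    vuln_id: str              # constructed identifiers, not real CVEs
    cvss_base: float
    published: date           # assumption: the window starts when the fix is published
    patched: Optional[date] = None


def patch_due_date(f: Finding) -> date:
    """Last day on which patching still meets the standard."""
    return f.published + timedelta(days=PATCH_WINDOW_DAYS[nvd_severity(f.cvss_base)])


def qualys_due_date(severity: int, scan_date: date) -> Optional[date]:
    """Deadline for a Qualys finding, or None when the standard sets no window."""
    days = QUALYS_WINDOW_DAYS.get(severity)
    return None if days is None else scan_date + timedelta(days=days)


def finding_status(f: Finding, today: date) -> str:
    """ok: patched inside the window; late: patched after the deadline;
    open: unpatched but still inside the window; overdue: unpatched and past it."""
    due = patch_due_date(f)
    if f.patched is not None:
        return "ok" if f.patched <= due else "late"
    return "overdue" if today > due else "open"


def sla_report(findings: List[Finding], today: date) -> Dict[str, List[str]]:
    """Group findings by SLA state; 'overdue' is the list to escalate."""
    report: Dict[str, List[str]] = {"ok": [], "late": [], "open": [], "overdue": []}
    for f in findings:
        report[finding_status(f, today)].append(f"{f.host} {f.vuln_id}")
    return report


# Constructed sample inventory for one cluster (hosts and ids are made up).
SAMPLE = [
    Finding("hpc-login1", "VULN-1", 9.3, date(2015, 10, 1), patched=date(2015, 10, 6)),
    Finding("hpc-login2", "VULN-1", 9.3, date(2015, 10, 1)),
    Finding("hpc-sched", "VULN-2", 5.0, date(2015, 10, 5)),
    Finding("hpc-web", "VULN-3", 2.1, date(2015, 9, 10), patched=date(2015, 10, 12)),
]

if __name__ == "__main__":
    for state, items in sla_report(SAMPLE, date(2015, 10, 14)).items():
        print(f"{state:8s} {items}")
```

Run against the sample on 14 October 2015, the high-severity finding patched on day 5 is ok, the same finding still open on the second login node is overdue (deadline was 8 October), the medium finding is open until 19 October, and the low-severity finding patched on day 32 is late. Feeding real scan exports into `Finding` is the only change needed to use it for a quarterly review; note that the two deadline tables are kept separate because the standard measures patching by NVD severity but scan findings by Qualys severity, and the two scales do not map one-to-one.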

Questions and Discussion