Information Security Services. Overview  Administrative Systems Security  Legislative Requirements  SUNet Security  Individual Security Awareness.

Presentation transcript:

Information Security Services

Overview
 Administrative Systems Security
 Legislative Requirements
 SUNet Security
 Individual Security Awareness
 What's Next

Improve Administrative Systems Security
 Joined the project and support teams
   Delphi, PeopleSoft
   System administration
 Security reviews
   PeopleSoft, Delphi, Authority Manager, WebAuth, VOIP, MyApps, Workflow, TMIS, Apply Yourself, CashNet, etc.
 Designed multi-tier firewall architecture
   Emphasizing industry best practices

Categories of Data

Criteria: Use these criteria to determine which data category is appropriate for a particular information or infrastructure system. A positive response to the highest category in any row is sufficient to place that system into that category.

| Criteria | Category A (highest, most sensitive) | Category B (moderate level of sensitivity) | Category C (very low, but still some sensitivity) |
|---|---|---|---|
| Legal requirements | Protection of data is required by law (see attached list for specific HIPAA and FERPA data elements) | Stanford has a contractual obligation to protect the data | |
| Reputation risk | High | Medium | Low |
| Other institutional risks | Information which provides access to resources, physical or virtual | Smaller subsets of Category A data from a school, large part of a school, or department | Data about very few people or other sensitive data assets |
| Examples | Medical; Students; Prospective Students; Personnel; Donor or prospect; Financial; Contracts; Physical plant detail; Credit card numbers; Certain management information; Information resources with access to Category-A data | Research detail or results that are not Category-A; Library transactions (e.g., catalog, circulation, acquisitions); Financial transactions which do not include Category-A data (e.g., telephone billing) | Very small subsets of Category A data |

Improve Administrative Systems Security
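The classification rule on this slide (a "yes" to the highest category in any row decides the category) written out as an added example; this is not Stanford's own tooling, and the row names, question wording and the two sample systems are my own constructions that paraphrase the table:

```python
from enum import IntEnum
from typing import Dict, Optional, Tuple

class Category(IntEnum):
    """Ordered so that the larger value is the more sensitive category."""
    C = 1  # very low, but still some sensitivity
    B = 2  # moderate level of sensitivity
    A = 3  # highest, most sensitive

# Criteria rows of the slide's table: each row maps a category to the
# question that, if answered "yes", places the system in that category.
# Row keys and question text are constructed paraphrases of the slide.
CRITERIA = {
    "legal": {
        Category.A: "protection of the data is required by law (HIPAA, FERPA)",
        Category.B: "Stanford has a contractual obligation to protect the data",
    },
    "reputation": {
        Category.A: "reputation risk is high",
        Category.B: "reputation risk is medium",
        Category.C: "reputation risk is low",
    },
    "institutional": {
        Category.A: "information provides access to resources, physical or virtual",
        Category.B: "smaller subset of Category A data (school or department)",
        Category.C: "data about very few people or other sensitive data assets",
    },
}

def classify(answers: Dict[str, Dict[Category, bool]]) -> Tuple[Optional[Category], Optional[str]]:
    """Return (category, reason) per the slide's rule; (None, None) if nothing was answered yes."""
    best: Optional[Category] = None
    reason: Optional[str] = None
    for row, questions in CRITERIA.items():
        for cat in sorted(questions, reverse=True):  # check the highest category first
            if answers.get(row, {}).get(cat, False):
                if best is None or cat > best:
                    best, reason = cat, f"{row}: {questions[cat]}"
                break  # only a row's highest positive answer matters
    return best, reason

# Constructed sample answer sets (not from the slide): a credit card system
# and a library catalog, matching the slide's Category A and C examples.
CREDIT_CARDS = {"legal": {Category.A: True}, "reputation": {Category.A: True}}
LIBRARY_CATALOG = {"reputation": {Category.C: True}, "institutional": {Category.C: True}}
```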

Firewall Architecture (conceptual)

Improve Administrative Systems Security

Legislation: Support Issues
 FERPA
   Protect private student information
 HIPAA
   Protect personal health information (PHI)
 GLBA
   Protect "banking" transaction information
 SEVIS
   Provide foreign student information
 DMCA
   Protect copyrighted information
 California Law
   May not use SSN as identifier
   Must disclose compromise of private information

Improve Administrative Systems Security

SUNet Security
 Filter high-risk traffic at the border
 Support distributed firewalls
   Vaden
   Controller's Office
 Sample all five Internet feeds
   2.2 Gb/sec
   Maintaining 5 GB of logs per day x 8 weeks for forensic purposes
   Previously sampling only two feeds
   Constraining traffic to 200 Mb/sec

Improve Overall SUNet Security

SUNet Security, cont.
 Scan entire network
   Looking for vulnerabilities only
 Started in residences with ResComp
   Of 4,000 machines, found 300 vulnerable
   All 300 repaired before break-ins
   Continuing to re-scan periodically
 Scanning all other network segments
   Working with local support groups

Improve Overall SUNet Security

Significant Security Payoff

Improve Overall SUNet Security

Campus-Wide Security Leaders Group
 Sub-group on Policy Development
   Improvements to Admin Guide
   Additional practices and procedures
 Sub-group on Security Awareness
   Create a security awareness and education program

Improve Individual Security Awareness

Awareness Campaign
 Launched on April 7
   Postcards sent to every employee
   Web site ready
   Self-check security tool
   Enter a drawing
 Student focus in Fall
   Approaching Stanford
   Packets on beds
   Residence hall contest
 Ongoing activities
   Stanford 101
   Communicating with returning students
   Technical security training
   Continuing to expand web site

Improve Individual Security Awareness

Other Awareness Activities
 Security alerts
   Highly focused alerts
   Stanford focused
   Alerts to broad distribution list
   Posted to web site
 Presentations
   Meet with groups to continue to educate

Improve Individual Security Awareness

Other Activities
 Incident response
   Continue to aim at reducing incidents
 Work with various Stanford offices
   Office of General Counsel
   Internal Audit
   Privacy Officer
   Judicial Affairs
   Residential Deans
   ResComp
   Med School, Hospital, and other security groups at Stanford
 Participating at the industry and national levels
   EDUCAUSE/Internet 2 Security Task Force
   USENIX
   SANS
   Networld + Interop

Beyond Today
 Continue to improve Stanford security
   Reach steady-state for administrative applications
   Improve network security
   Improve individual security
 Additional services
   Provide deeper and broader security training
 Work with faculty
   Better protection for intellectual capital
 Work with Networking
   Offer more and better security options through network architecture improvements

What's Next