Presentation is loading. Please wait.

Presentation is loading. Please wait.

+ Privacy, Security, and Identity Management for Research Environments Peter M. Siegel UC Davis Co-chair, Educause-I2 Security Task Force Chair, Internet2.

Published bySara Nelson Modified over 9 years ago

Similar presentations

Presentation on theme: "+ Privacy, Security, and Identity Management for Research Environments Peter M. Siegel UC Davis Co-chair, Educause-I2 Security Task Force Chair, Internet2."— Presentation transcript:

1 + Privacy, Security, and Identity Management for Research Environments Peter M. Siegel UC Davis Co-chair, Educause-I2 Security Task Force Chair, Internet2 Research Advisory Council

2 + Security Task Force Updates Effective IT Security Practices Guide Hosted on I2 wiki Categories will correspond with ISO27002 Standards for easy reference Will include conference presentations and seminars to help institutions take a “standards-based” approach to building their IT security programs ☞ Go to wiki.internet2.edu and select IT Security Guide 2

3 + Security Task Force Updates Contractual Themes for Outsourcing of Data Handling Toolkit documenting privacy and security issues critical to outsourcing services Where data will be held by third parties Includes model contract language Available as part of the Effective IT Security Practices Guide 3

4 + Security Task Force Updates Preparations for a National Cyber-security Awareness Campaign STF is developing a security awareness campaign To be unveiled in the summer of 2009 Assist institutions with observing October as National Cyber- security Awareness Month A cooperative agreement with the Department of Homeland Security and the National Cyber-security Alliance Coming Soon! 4

5 + Security Task Force Updates Educause-Internet2 Security Professionals Conference April 20-22, 2009 Atlanta, Georgia Send your campus ISO, security staff, or other IT staff (e.g. in administrative services!) Featured speakers/events: ISO from AT&T Chief of the California Office of Privacy Protection REN-ISAC face-to-face meeting Pre- and post-conference seminars April 20-22, 2009 5

6 + Security Task Force Updates Research and Education Networking Information Sharing and Analysis Center REN-ISAC The central resource for threat and warning information A trusted community of security professionals in higher education Modest membership fee effective July 2009 For more information: Go to www.ren-isac.netwww.ren-isac.net 6

7 + Cybersecurity – Campus View Common Elements - I Changing Threats, Changing Priorities Networks, administrative systems, wireless, PDAs, … Phishing not going away How to prove web site or email is legitimate? Security programs must be policy-based and clear Security funding often at risk, especially during fiscal crises Based on presentation by Bob Ono, UC Davis 7

8 + Cybersecurity – Campus View Common Elements - II Changing Threats, Changing Priorities- Research compliance is critical: Meeting institutional responsibilities Human subjects, IRB Financial, reporting, audit Data Access Expectations E.g. NIH/NSF Data Sharing Policy Integrity of researcher data, not just research administration Cloud computing, grids, shared resources Problems and opportunities Can we please address them together? Based on presentation by Bob Ono, UC Davis 8

9 + Cybersecurity – Campus View Common Elements - III Campus constituents need to participate Monitoring of compliance essential – IT Audits and other mechanisms Respond to gaps between reality and standards Communications and Marketing: Communicate, communicate, communicate! Everyone must participate, but focus on large risk areas But don’t forget individual PIs with large amounts of private data! Exceptions need to be formal and documented Based on presentation by Bob Ono, UC Davis 9

10 + Cybersecurity – Campus View Different Paths to Excellence Placing compliance responsibility at senior level vs. with each unit Exception approval within units vs. via CIO Central funding or subsidy vs. mandated unit-level solutions Ensuring compliance through formal annual plans vs. sanctions (disconnection, audit “findings”) Central security staff to oversee unit compliance vs. to provide security services to units Based on presentation by Bob Ono, UC Davis 10

11 + Cybersecurity Growing Threat – Mobile Devices Key Issues Often have access to all your email including attachments If stolen, may provide access to all your files Local data often poorly encrypted, if at all Disincentive for encryption, lacking decryption programs or features (e.g. Word, PDF, etc) Passwords may be weak (iPhone!) Most executives don’t use password feature consistently, if at all Spam and viruses can clog PDAs 11

12 + Cybersecurity Growing Threat – Mobile Devices Actions to consider Really, really encrypt confidential or sensitive files Your security policies may cover PDAs, but users may not be aware Issues: telco networks vs. campus wireless Create or reinforce security policies to cover mobile devices Password protect all devices Backup PDAs to PCs for recovery from viruses etc. Train your users, especially executives. They may not think they need it, but they do. Treat PDAs like laptops, only more likely to be lost or stolen Lobby mobile device companies to provide effective security tools 12

13 + Cybersecurity Growing Opportunity – IdM(*) Brilliant idea – documents and enforces key compliance issues in software as part of risk management Ties security to business needs including audit Identity Management Services are major tools in effective cybersafety and security Define roles, groups, and rules for access to information Can provide real-time mapping of individuals to roles, through well-established campus tools for HR, student enrollment, etc. Often those campus tools must be modernized first Can include not only “who”, but “when” and “where” Worth their sizeable investment! IdM: Identity Management, aka IAM, Identity & Access Mgmt 13

14 + Cybersecurity Growing Opportunity - IdM But IdM is not a panacea Cost is significant, but the IdM software is the easy part Vendor component can be small Cultural change is an issue, not just process re-engineering Each campus seems to be reinventing the wheel Burton / Gartner etc. being asked same basic questions… Kuali Identity Management provides a framework, but vendor or other community s/w needs to be assessed and integrated Internet SIGNET demonstrates the complexity //middleware.internet2.edu/signet/ Campus execs may not all see the value proposition, but risk-mgmt and audit seem to get it 14

15 + Cybersecurity Growing Opportunity - IdM Solution More of a common community requirements, best-practices, and software development approach? Avoid reinventing the wheel one consulting contract at a time Work towards more community-built tools, where feasible Vendor advocacy needs to be community driven, not ad hoc Continued / Growing leadership from Educause and Internet2 Increased recognition of role of IdM as a business solution for risk management Recognition of strong ties to campus risk / security strategies Create visibility within campus administrative leadership on the priority Encourage solutions that work in a federated world Join InCommon: www.incommonfederation.org National organizations need to “walk the walk” along with us 15

16 + Closing Observations Let’s invest now! Together! The Information Security Community is moving forward. Models from other campuses abound. Use them! Threats keep changing. Your work is never done. Identity Management and Access Services are critical to managing institutional risk Federated IdM-aware services now! Community source and advocacy with vendors essential Leadership from within academia is needed 16

Download ppt "+ Privacy, Security, and Identity Management for Research Environments Peter M. Siegel UC Davis Co-chair, Educause-I2 Security Task Force Chair, Internet2."

Similar presentations

Security Education and Awareness Workshop January 15-16, 2004 Baltimore, MD.

Security Education and Awareness Workshop January 15-16, 2004 Baltimore, MD.
Course: e-Governance Project Lifecycle Day 1

Course: e-Governance Project Lifecycle Day 1
Safeguarding Data to Ensure Effective Data Use Paige Kowalski |Director| State Policy & Advocacy July 2014.

Safeguarding Data to Ensure Effective Data Use Paige Kowalski |Director| State Policy & Advocacy July 2014.
Data Incident Notification Policies and Procedures Tracy Mitrano Steve Schuster.

Data Incident Notification Policies and Procedures Tracy Mitrano Steve Schuster.
Copyright 2004 Turning Point Solutions Establishing Lines Of Communication Before a Crisis.

Copyright 2004 Turning Point Solutions Establishing Lines Of Communication Before a Crisis.
Security Controls – What Works

Security Controls – What Works
Developing a Records & Information Retention & Disposition Program:

Developing a Records & Information Retention & Disposition Program:
August 9, 2005 UCCSC -- 2005 IT Security at the University of California A New Initiative Jacqueline Craig. Director of Policy Information Resources and.

August 9, 2005 UCCSC IT Security at the University of California A New Initiative Jacqueline Craig. Director of Policy Information Resources and.
Prepared: October, 2005 1 Ann Garrett, State Chief Information Security Officer Statewide Security Update October 25, 2005 Information Technology Advisory.

Prepared: October, Ann Garrett, State Chief Information Security Officer Statewide Security Update October 25, 2005 Information Technology Advisory.
Identity, Privacy, and Security: Higher Education Policy and Practice Rodney Petersen Government Relations Officer Director of Cybersecurity Initiative.

Identity, Privacy, and Security: Higher Education Policy and Practice Rodney Petersen Government Relations Officer Director of Cybersecurity Initiative.
Cybersecurity Summit 2004 Andrea Norris Deputy Chief Information Officer/ Director of Division of Information Systems.

Cybersecurity Summit 2004 Andrea Norris Deputy Chief Information Officer/ Director of Division of Information Systems.
University of California, Davis1 Draft Wireless Network Policy Administrative Computing Coordinating Council September 10, 2001.

University of California, Davis1 Draft Wireless Network Policy Administrative Computing Coordinating Council September 10, 2001.
Computer Security: Principles and Practice

Computer Security: Principles and Practice
Higher Education Cybersecurity Strategy, Programs, and Initiatives Rodney Petersen Policy Analyst & Security Task Force Coordinator EDUCAUSE.

Higher Education Cybersecurity Strategy, Programs, and Initiatives Rodney Petersen Policy Analyst & Security Task Force Coordinator EDUCAUSE.
Enterprise Security. Mark Bruhn, Assoc. VP, Indiana University Jack Suess, VP of IT, UMBC.

Enterprise Security. Mark Bruhn, Assoc. VP, Indiana University Jack Suess, VP of IT, UMBC.
Presented by Manager, MIS.  GRIDCo’s intentions for publishing an Acceptable Use Policy are not to impose restrictions that are contrary to GRIDCo’s.

Presented by Manager, MIS.  GRIDCo’s intentions for publishing an Acceptable Use Policy are not to impose restrictions that are contrary to GRIDCo’s.
1 EDUCAUSE Midwest Regional Conference Top Strategies for Working with Stakeholders: Synopses of Recommendations from the Identity Management Summit Mark.

1 EDUCAUSE Midwest Regional Conference Top Strategies for Working with Stakeholders: Synopses of Recommendations from the Identity Management Summit Mark.
Information Security Compliance System Owner Training Richard Gadsden Information Security Office Office of the CIO – Information Services Sharon Knowles.

Information Security Compliance System Owner Training Richard Gadsden Information Security Office Office of the CIO – Information Services Sharon Knowles.
1 Managed Security. 2 Managed Security provides a comprehensive suite of security services to manage and protect your network assets –Managed Firewall.

1 Managed Security. 2 Managed Security provides a comprehensive suite of security services to manage and protect your network assets –Managed Firewall.
Steering Committee CSRIC Working Group 2A Cyber Security Best Practices October 7, 2010.

Steering Committee CSRIC Working Group 2A Cyber Security Best Practices October 7, 2010.

Similar presentations

Ads by Google