Presentation is loading. Please wait.

Presentation is loading. Please wait.

Director, Computer Policy & Security

Published byHadi Santoso Modified over 6 years ago

Similar presentations

Presentation on theme: "Director, Computer Policy & Security"— Presentation transcript:

1 Director, Computer Policy & Security
A Blueprint for Handling Sensitive Data: Security, Privacy, and Other Considerations David Escalante Director, Computer Policy & Security Boston College Monday, July 30, 2007, 8:30am-12:00pm Campus Technology 2007 Washington, DC 8:00 a.m. Registration 8:30 a.m. Introduction and Overview to Seminar 9:00 a.m. Creating a Security Risk-Aware Culture 9:30 a.m. Defining Institutional Data Types 10:15 a.m. Break 10:30 a.m. Reducing Access to Data Not Absolutely Essential Noon Lunch 1:00 p.m. Establishing and Implementing Stricter Controls 2:00 p.m. Providing Awareness and Training 2:30 p.m. Verifying Compliance 2:45 p.m. Break 3:00 p.m. Putting it All Together:  Moving from Planning to Action 4:00 p.m. Wrap-Up 4:30 p.m. Adjourn

2 Seminar Goals At the end of this session:
You should feel comfortable discussing common cybersecurity risks plaguing higher education and computer users in general. You will have a list of key strategies to pursue for stopping the leakage of confidential/sensitive data. You will be introduced to several security resources and best practices to help you apply the key strategies.

3 Agenda (1) Overview and Introductions
Creating a Security Risk-Aware Culture Defining Institutional Data Types Clarifying Responsibility and Accountability Reducing Access to Data Not Absolutely Essential

4 Agenda (2) Establishing & Implementing Stricter Controls
Providing Awareness and Training Managing Sensitive Data Outreach Programs Verifying Compliance Putting It All Together Evaluation and Wrap-Up

5 Icebreaker Human Scavenger Hunt Instructions:
Take a moment to read entire list (front and back) Obtain as many signatures as possible in the time allotted An individual may sign your sheet only once Fill in the blanks when space is provided

6 The Blueprint Confidential Data Handling Blueprint Purpose
To provide a list of key strategies to follow for stopping the leakage of confidential/sensitive data. To provide a toolkit that constructs resources pertaining to confidential/sensitive data handling.  secguide/Confidential+Data+Handling+Blueprint Many of the EDUCAUSE/Internet2 Security Task Force working groups are working on components of the toolkit, but a consolidation of resources would anchor the overarching themes related to information protection.

7 The Blueprint Confidential Data Handling Blueprint Introduction
Steps and ensuing sub-items are intended to provide a general roadmap Institutions will be at varying stages of progress Organized in a sequence that allows you to logically follow through each step Each item is recommended as an effective practice; state/local legal requirements, institutional policy, or campus culture might leave each institution approaching this differently Some will start with the need to establish actions in the areas of policies, processes, or technology.  Some will be ready to implement, and some will be able to revise and fine-tune their processes.

8 Ingredients for Success
Systems must be built and technologies deployed to adhere to policies Policies must be developed, communicated, maintained, and enforced Process Technology People Processes must be developed that show how policies will be implemented People must understand their roles and responsibilities according to policies Policy implementation depends on processes being in place, technology being utilized to enforce policy, and users understanding the policy and how it relates to them (their responsibilities) We must set the policy, ensure compliance, enforce when out of compliance conditions are found, and utilize technology where ever possible to reduce reliance and burden on people Example of model – Policy on passwords, process on how to reset passwords, system developed to ensure passwords are 8 characters, users understand that they can not share their passwords

9 Step 1 Create a security risk-aware culture that includes an information security risk management program Sub-steps 1.1 Institution-wide security risk management program 1.2 Roles and responsibilities defined for overall information security at the central and distributed level 1.3 Executive leadership support in the form of policies and governance actions

10 Step 1 Create a security risk-aware culture that includes an information security risk management program Sub-steps 1.1 Institution-wide security risk management program 1.2Roles and responsibilities defined for overall information security at the central and distributed level 1.3 Executive leadership support in the form of policies and governance actions

11 Risk Management Framework

12 Risk Assessment Framework
Phase 0: Establish Risk Assessment Criteria for the Identification and Prioritization of Critical Assets Phase 1: Develop Initial Security Strategies Phase 2: Technological View – Identify Infrastructure Vulnerabilities Phase 3: Develop Security Strategy and Plans

13 Risks Incurred ECAR IT Security Study, 2006 Damage Percent
Business application, including , unavailable 33.7% Network unavailable 29.4% Information confidentiality compromised 26.0% Damage to software 21.5% Damage to data 12.5% Negative publicity in the press 10.0% Identity theft 8.4% Damage to hardware 7.4% Financial losses 6.4% ECAR IT Security Study, 2006

14 Risk Assessments 55 percent do some type of risk assessment
But less than 9 percent cover all institutional systems and data. ECAR IT Security Study, 2006

15 Step 1 Create a security risk-aware culture that includes an information security risk management program Sub-steps 1.1 Institution-wide security risk management program 1.2 Roles and responsibilities defined for overall information security at the central and distributed level 1.3 Executive leadership support in the form of policies and governance actions

16 Best Practices & Metrics
Information Security Program Elements: Governance Boards/Senior Executives/Shared Governance Management Directors and Managers Technical Central and Distributed IT Support Staff CISWG Final Report on Best Practices & Metrics

17 Governance Oversee Risk Management and Compliance Programs Pertaining to Information Security (e.g., Sarbanes-Oxley, HIPAA, Gramm-Leach-Bliley) Approve and Adopt Broad Information Security Program Principles and Approve Assignment of Key Managers Responsible for Information Security Strive to Protect the Interests of all Stakeholders Dependent on Information Security Review Information Security Policies Regarding Strategic Partners and Other Third-parties Strive to Ensure Business Continuity Review Provisions for Internal and External Audits of the Information Security Program Collaborate with Management to Specify the Information Security Metrics to be Reported to the Board CISWG Final Report on Best Practices & Metrics

18 Management Establish Information Security Management Policies and Controls and Monitor Compliance Assign Information Security Roles, Responsibilities, Required Skills, and Enforce Role-based Information Access Privileges Assess Information Risks, Establish Risk Thresholds and Actively Manage Risk Mitigation Ensure Implementation of Information Security Requirements for Strategic Partners and Other Third-parties Identify and Classify Information Assets Implement and Test Business Continuity Plans Approve Information Systems Architecture during Acquisition, Development, Operations, and Maintenance Protect the Physical Environment Ensure Internal and External Audits of the Information Security Program with Timely Follow-up Collaborate with Security Staff to Specify the Information Security Metrics to be Reported to Management CISWG Final Report on Best Practices & Metrics

19 Technical User Identification and Authentication
User Account Management User Privileges Configuration Management Event and Activity Logging and Monitoring Communications, , and Remote Access Security Malicious Code Protection, Including Viruses, Worms, and Trojans Software Change Management, including Patching Firewalls Data Encryption Backup and Recovery Incident and Vulnerability Detection and Response Collaborate with Management to Specify the Technical Metrics to be Reported to Management CISWG Final Report on Best Practices & Metrics

20 Responsibility for IT Security
IT Security Officer (up to 35% from 22%) CIO (up to 14% from 8%) Other IT Directors (down to 50% from 67%)

21 IT Security Plan 11.2 percent - a comprehensive IT security plan is in place 66.6 percent - a partial plan is in place 20.4 percent - no IT security plan is in place ECAR IT Security Study, 2006

22 Characteristics of Successful IT Security Programs
Institutions with IT security plans in place characterize their IT security programs as more successful and feel more secure today. The respondents who believe their institution provides necessary resources give higher ratings for IT security program success and their current sense of IT security. The biggest barrier to IT security is lack of resources (64.4 percent) and especially at smaller institutions, followed by an academic culture of openness and autonomy (49.6 percent), and lack of awareness (36.4 percent). ECAR IT Security Study, 2006

23 Step 1 Create a security risk-aware culture that includes an information security risk management program Sub-steps 1.1 Institution-wide security risk management program 1.2 Roles and responsibilities defined for overall information security at the central and distributed level 1.3 Executive leadership support in the form of policies and governance actions

24 Information Security Governance
If businesses, educational institutions, and non-profit organizations are to make significant progress securing their information assets, executives must make information security an integral part of core business operations. There is no better way to accomplish this goal than to highlight it as part of the existing internal controls and policies that constitute corporate governance. Information Security Governance Report: Executive Summary

25 InfoSec Governance Self Assessment
Organizational Reliance on IT E.g., What is the impact of major system downtime on operations? Risk Management E.g., Has your organization conducted a risk assessment and identified critical assets? People E.g., Is there a person or organization that has information security as their primary duty? Processes E.g., Do you have official written information security policies and procedures? Technology E.g., Is sensitive data encrypted? Information Security Governance Assessment Tool for Higher Education

26 Policies in Place Individual employee responsibilities for information security practices (73%) Protection of organizational assets (73%) Managing privacy issues, including breaches of personal information (72%) Incident reporting and response (69%) Disaster recovery contingency planning (68%)

27 Policies in Place Investigation and correction of the causes of security failures (68%) Notification of security events to: individuals, the law, etc. (67%) Sharing, storing, and transmitting data (51%) Data classification, retention, and destruction (51%) Identity Management (50%)

28 Step 2 Define institutional data types Sub-steps
2.1 Compliance with applicable federal and state laws and regulations - as well as contractual obligations - related to privacy and security of data held by the institution (also consider applicable international laws) 2.2 Data classification schema developed with input from legal counsel and data stewards 2.3 Data classification schema assigned to institutional data to the extent possible or necessary

29 Step 2 Define institutional data types Sub-steps
2.1 Compliance with applicable federal and state laws and regulations - as well as contractual obligations - related to privacy and security of data held by the institution (also consider applicable international laws) 2.2 Data classification schema developed with input from legal counsel and data stewards 2.3 Data classification schema assigned to institutional data to the extent possible or necessary

30 All-In-One Compliance
What When Where Why Wrath FERPA amendments National Protect student records No federal funding GLBA 1999 Protect financial records Fines, up to 5 years in jail ECPA/CFAA 1984, ‘86 + amendments Protect computers various SB1386 2003 California Disclose breaches Cost to comply + civil suit PATRIOT Act 2001 Allow law enforcement access Generally increased other penalties HIPAA 1996 thru 2003 Protect health records max $250, years in jail PCI 2004 Protect credit cards Restitution + fines = $$$

31 Step 2 Define institutional data types Sub-steps
2.1 Compliance with applicable federal and state laws and regulations - as well as contractual obligations - related to privacy and security of data held by the institution (also consider applicable international laws) 2.2 Data classification schema developed with input from legal counsel and data stewards 2.3 Data classification schema assigned to institutional data to the extent possible or necessary

32 Data Classification Policy
Provides the framework necessary to: Identify and classify data in order to assess risk and implement an appropriate level of security protection based on categorization. Comply with legislation, regulations, and internal policies that govern the protection of data. Facilitate and make the Incident Response process more efficient. The level in which the data is classified determines the level of response. Legislation and Regulatory Requirements The Gramm Leach and Bliley Act (GLBA) The Health Insurance Portability & Accountability Act (HIPPA) Family Educational Rights and Privacy Act (FERPA) Internal University Policies

33 NIST Security Categorization
Example: An Enterprise Information System FIPS 199 LOW MODERATE HIGH Confidentiality The loss of confidentiality could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals. The loss of confidentiality could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals. The loss of confidentiality could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals. Integrity The loss of integrity could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals. The loss of integrity could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals. The loss of integrity could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals. Availability The loss of availability could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals. The loss of availability could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals. The loss of availability could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals. Mapping Information Types to FIPS 199 Security Categories SP

34 Data Classification at GW
Privacy Levels Operations Levels Public Official Confidential Highest Security Highest Operations Enterprise System 2 2 1 1 Department Server 3 2 Lowest Security Lowest Operations Desktop/ Laptop 2 3 4 Note, numbers in boxes suggest the priority levels for mitigating risks.

35 Stanford Data Classification

36 U of Texas-Austin Data Categories

37 Qualitative Risk Assessment Exercise
Confidentiality (H, M, L) Integrity Availability Total (H=3, L=1) Bookstore Cash Register System Blackboard/ WebCT (CMS) Library Catalog Admissions Main web site Time Sheet Entry

38 BREAK

39 Step 3 Clarify responsibilities and accountability for safeguarding confidential/sensitive data Sub-steps 3.1Data stewardship roles and responsibilities 3.2Legally binding third party agreements that assign responsibility for secure data handling

40 Step 3 Clarify responsibilities and accountability for safeguarding confidential/sensitive data Sub-steps 3.1Data stewardship roles and responsibilities 3.2Legally binding third party agreements that assign responsibility for secure data handling

41 Example – University of North Carolina
Data Trustee: Data trustees are senior University officials (or their designees) who have planning and policy-level responsibility for data within their functional areas and management responsibilities for defined segments of institutional data. Responsibilities include assigning data stewards, participating in establishing policies, and promoting data resource management for the good of the entire University. Data Steward: Data stewards are University officials having direct operational-level responsibility for information management – usually department directors. Data stewards are responsible for data access and policy implementation issues. Data Custodian: Information Technology Services is the data custodian. The custodian is responsible for providing a secure infrastructure in support of the data, including, but not limited to, providing physical security, backup and recovery processes, granting access privileges to system users as authorized by data trustees or their designees (usually the data stewards), and implementing and administering controls over the information. Data User: Data users are individuals who need and use University data as part of their assigned duties or in fulfillment of assigned roles or functions within the University community. Individuals who are given access to sensitive data have a position of special trust and as such are responsible for protecting the security and integrity of those data.

42 Step 3 Clarify responsibilities and accountability for safeguarding confidential/sensitive data Sub-steps 3.1Data stewardship roles and responsibilities 3.2Legally binding third party agreements that assign responsibility for secure data handling

43 Outsourced Data Handling
Some Drivers Security of Commercial Software – addressed elsewhere (Step 7.4) Incidents: Mishandling by 3rd Parties GLB Act: Oversight of Service Providers PCI requirement Federal Contracts and Grant Sample Contract Language instructor for a copy

44 Step 4 Reduce access to confidential/sensitive data not absolutely essential to institutional processes Sub-steps 4.1 Data collection processes (including forms) should request only the minimum necessary confidential/sensitive information 4.2 Application outputs (e.g., queries, hard copy reports, etc.) should provide only the minimum necessary confidential/sensitive information 4.3 Inventory and review access to existing confidential/sensitive data on servers, desktops, and mobile devices

45 Step 4 continued… Reduce access to confidential/sensitive data not absolutely essential to institutional processes Sub-steps continued 4.4 Eliminate unnecessary confidential/sensitive data on servers, desktops, and mobile devices 4.5 Eliminate dependence on SSNs as primary identifiers and as a form of authentication* *Note: SSNs may need to be used for certain things (e.g., student employees, student financial aid, etc.) and we recommend that schools limit the use of SSNs to necessary processes only.

46 Step 4 Reduce access to confidential/sensitive data not absolutely essential to institutional processes Sub-steps 4.1 Data collection processes (including forms) should request only the minimum necessary confidential/sensitive information 4.2 Application outputs (e.g., queries, hard copy reports, etc.) should provide only the minimum necessary confidential/sensitive information 4.3 Inventory and review access to existing confidential/sensitive data on servers, desktops, and mobile devices

47 Fair Information Practices and Privacy
General Principles of Fair Information Practice: Openness Individual Participation Collection Limitation Data Quality Finality Security Accountability Privacy Statements Privacy Policies

48 Step 4 Reduce access to confidential/sensitive data not absolutely essential to institutional processes Sub-steps 4.1 Data collection processes (including forms) should request only the minimum necessary confidential/sensitive information 4.2 Application outputs (e.g., queries, hard copy reports, etc.) should provide only the minimum necessary confidential/sensitive information 4.3 Inventory and review access to existing confidential/sensitive data on servers, desktops, and mobile devices

49 Step 4 Reduce access to confidential/sensitive data not absolutely essential to institutional processes Sub-steps 4.1 Data collection processes (including forms) should request only the minimum necessary confidential/sensitive information 4.2 Application outputs (e.g., queries, hard copy reports, etc.) should provide only the minimum necessary confidential/sensitive information 4.3 Inventory and review access to existing confidential/sensitive data on servers, desktops, and mobile devices

50 Step 4 continued… Reduce access to confidential/sensitive data not absolutely essential to institutional processes Sub-steps continued 4.4 Eliminate unnecessary confidential/sensitive data on servers, desktops, and mobile devices 4.5 Eliminate dependence on SSNs as primary identifiers and as a form of authentication* *Note: SSNs may need to be used for certain things (e.g., student employees, student financial aid, etc.) and we recommend that schools limit the use of SSNs to necessary processes only.

51 Solutions Safety Analyzer (George Washington University)
Sensitive Data Detection SSNs with heuristics Credit Card numbers with Luhn algorithm validation Compromise Detection Trojan file detection Kernel-level rootkit detection IR-related data harvesting Spider (Cornell University) SENF! (Sensitive Number Finder) (University of Texas at Austin)

52 Step 4 continued… Reduce access to confidential/sensitive data not absolutely essential to institutional processes Sub-steps continued 4.4 Eliminate unnecessary confidential/sensitive data on servers, desktops, and mobile devices 4.5 Eliminate dependence on SSNs as primary identifiers and as a form of authentication* *Note: SSNs may need to be used for certain things (e.g., student employees, student financial aid, etc.) and we recommend that schools limit the use of SSNs to necessary processes only.

53 Elimination of SSNs Federal and state law requires the collection of your Social Security number (SSN) for certain purposes (for example, IRS reporting forms). However, widespread use of an individual's SSN is a major privacy concern. With incidents of identity theft increasing, steps to secure an individual's SSN become more important. A large number of colleges and universities use SSNs as primary identifiers for faculty, staff, and students, which exposes institutions to risk because of changing legal and security environments. Therefore, many institutions are planning for the migration away from SSN use as a primary identifier. Undertaking such a task raises issues, challenges, and opportunities for any institution. EDUCAUSE has identified links concerning the elimination of SSNs as primary identifiers that may be useful to the higher education community.

54 Where to be with SSNs University Processes & Supporting Systems
SSNs requested only when essential SSNs provided only when essential SSN access authorized to least # of people Clear SSN use policy exists SSNs stored only in highly secured devices and file cabinets Responsibilities for SSN protection well communicated Compliance verification processes in place

55 Step 5 Establish and implement stricter controls for safeguarding confidential/sensitive data Sub-steps 5.1 Inventory and review/remediate security of devices 5.2 Configuration standards for applications, servers, desktops, and mobile devices 5.3 Network level protections 5.4 Encryption strategies for data in transit and at rest

56 Step 5 continued… Establish and implement stricter controls for safeguarding confidential/sensitive data Sub-steps continued 5.5 Policies regarding confidential/sensitive data on mobile devices and home computers and for data archival/storage 5.6 Identity management and resource provisioning processes 5.7 Secure disposal of equipment and data 5.8 Consider background checks on individuals handling confidential/sensitive data

57 Step 5 Establish and implement stricter controls for safeguarding confidential/sensitive data Sub-steps 5.1 Inventory and review/remediate security of devices 5.2 Configuration standards for applications, servers, desktops, and mobile devices 5.3 Network level protections 5.4 Encryption strategies for data in transit and at rest

58 Inventory Devices Network Registration (NetReg)
Commercial NAC solutions (Cisco, etc) Commercial desktop management products Altiris, etc. Manual Inventories Review Security of Devices* Network vulnerability scans Local tools such as Microsoft’s Baseline Security Analyzer (MBSA) Manage your anti-virus for review/remediate Trick here is that there are multiple ways of handling inventory: Network inventory Using a commercial product with an agent Just doing it the old-fashioned manual way In any case, you can’t forget printers and other non-”computer” devices that might hold data or be used as attack points in your inventory. In the security review of devices, there’s just too much to do on a typical campus; this is why we pose the question “which devices?” The answer is that you should have figured out which ones are the highest priority in either 1.1, the risk management program, or sections 2-3 when you did data classification. If you have not done these steps yet and you’re working on this one, it’s going to be a very imposing task. *which ones???

59 Step 5 Establish and implement stricter controls for safeguarding confidential/sensitive data Sub-steps 5.1 Inventory and review/remediate security of devices 5.2 Configuration standards for applications, servers, desktops, and mobile devices 5.3 Network level protections 5.4 Encryption strategies for data in transit and at rest

60 Configuration Standards
There are recommendations available from various sources on the Internet Vendors themselves Center for Internet Security ( NSA ( How to Implement at your institution Use your own published procedures Publish links to sources above Create and use “Images” Don’t Forget Applications Web servers Mail servers FTP servers Consider standards as part of the Software Development Life Cycle Configuration Standards Microsoft, Apple have them

61 Step 5 Establish and implement stricter controls for safeguarding confidential/sensitive data Sub-steps 5.1 Inventory and review/remediate security of devices 5.2 Configuration standards for applications, servers, desktops, and mobile devices 5.3 Network level protections 5.4 Encryption strategies for data in transit and at rest

62 Network Level Protections
Intrusion Detection System Snort, Dragon, NFR Intrusion Prevention System Tipping Point, Intrushield Extrusion Prevention System Vontu, Reconnecx, Fidelis Database protection systems Guardium, Tizor, etc. Network Anomaly Detection Q1 Radar, Arbor, Mazu,etc. (flow analysis)

63 Step 5 Establish and implement stricter controls for safeguarding confidential/sensitive data Sub-steps 5.1 Inventory and review/remediate security of devices 5.2 Configuration standards for applications, servers, desktops, and mobile devices 5.3 Network level protections 5.4 Encryption strategies for data in transit and at rest

64 Encryption & Data in Transit
Strategies for Data in Transit Encrypt before sending(e.g. PGP) Encrypt on the fly (e.g. SSL) Issues for Data in Transit Key exchange Performance Choice of algorithm Protocols SSL SSH Proprietary (in which case check the algorithm)

65 Encryption and Data at Rest
Problems with Data at Rest Theft by a network intruder Physical theft -- for example, a laptop Data at Rest Strategies Whole disk encryption File encryption Issues Key escrow Cost if not using O/S vendor’s file encryption Very low adoption rate in higher ed market

66 Step 5 continued… Establish and implement stricter controls for safeguarding confidential/sensitive data Sub-steps continued 5.5 Policies regarding confidential/sensitive data on mobile devices and home computers and for data archival/storage 5.6 Identity management and resource provisioning processes 5.7 Secure disposal of equipment and data 5.8 Consider background checks on individuals handling confidential/sensitive data

67 Data on Mobile Devices Data has wings Compensating Policy
PDAs and music players USB memory fobs Cyber-cafes Home computers Compensating Policy Written mandates Practical assistance Enforcement or checking is exceedingly difficult Which does not mean you should not do it, if nothing else it can be used to justify discipline

68 Protection of Mobile Data
OMB Memo: Protection of Sensitive Agency Information NIST Checklist: Protection of Remote Information

69 Step 5 continued… Establish and implement stricter controls for safeguarding confidential/sensitive data Sub-steps continued 5.5 Policies regarding confidential/sensitive data on mobile devices and home computers and for data archival/storage 5.6 Identity management and resource provisioning processes 5.7 Secure disposal of equipment and data 5.8 Consider background checks on individuals handling confidential/sensitive data

70 ID Management Access control lists (ACLs) Account creation
Account deletion Process issues Fragmentation can be addressed By process improvement Via technology Rich area of research & development Also commercial solutions Active Directory LDAP solutions

71 EDUCAUSE Identity Management Resources
Recent Library Submissions (3) CIC Identity Management Conference Session: Federated Identity Management and Sharing Resources (2007) by Jim Phelps, IT Architect in Academia Identity Management Conference Report (2007)by Committee on Institutional Cooperation A Report on the Identity Management Summit (2007) by Norma Holland, Ann West and Steve Worona, EDUCAUSE Most Popular Library Content (3) Top-Ten IT Issues, 2006 (2006) by Barbara I. Dewey, Peter B. DeBlois, and the 2006 EDUCAUSE Current Issues Committee, EDUCAUSE Safeguarding the Tower: IT Security in Higher Education 2006 (2006) by Robert B. Kvavik, with John Voloudakis, ECAR Identity Management in Higher Education: A Baseline Study (2006) by Ronald Yanosky, with Gail Salaway, ECAR

72 Step 5 continued… Establish and implement stricter controls for safeguarding confidential/sensitive data Sub-steps continued 5.5 Policies regarding confidential/sensitive data on mobile devices and home computers and for data archival/storage 5.6 Identity management and resource provisioning processes 5.7 Secure disposal of equipment and data 5.8 Consider background checks on individuals handling confidential/sensitive data

73 Equipment and Data Disposal
Classic examples are lost backup tapes Magnetic media destruction can be done physically (sledgehammer) or magnetically (degaussed or multi-pass formatted) or both Do not ignore hard-copy data Shredders This step can be both expensive and inconvenient

74 Data Sanitization Guidelines
NIST Special Publication Guidelines for Media Sanitization EDUCAUSE/Internet2 Security Task Force Practical Data Sanitization Guidelines for Higher Education Michigan State University Best Practices in Disposal of Computers and Electronic Storage Media

75 Step 5 continued… Establish and implement stricter controls for safeguarding confidential/sensitive data Sub-steps continued 5.5 Policies regarding confidential/sensitive data on mobile devices and home computers and for data archival/storage 5.6 Identity management and resource provisioning processes 5.7 Secure disposal of equipment and data 5.8 Consider background checks on individuals handling confidential/sensitive data

76 Background Checks Kinds of checks Why? How? Criminal Credit Resume
Education Why? How? Do you save it once it’s complete? Do results stay in H/R or go to hiring manager? If running criminal checks, how wide a net do you cast and how legitimate can you be?

77 Security Approaches in Place
Perimeter firewalls 77% Centralized backups 77% VPNs for remote access 75% Enterprise directory 75% Interior network firewalls 65% Intrusion detection 62% Active filtering 59% Intrusion prevention 44% (up from 33%) Security Standards for Applications 32% (up from 27%) ECAR IT Security Study, 2006

78 Step 6 Provide awareness and training Sub-steps
6.1 Make confidential/sensitive data handlers aware of privacy and security requirements 6.2 Require acknowledgement by data users of their responsibility for safeguarding such data 6.3 Enhance general privacy and security awareness programs to specifically address safeguarding confidential/sensitive data 6.4 Collaboration mechanisms such as have strengths and limitations in terms of access control, which must be clearly communicated and understood so that the data will be safe-guarded

79 Awareness & Training Who needs “awareness” (consciousness-raising)? All Users! Executives Faculty Staff Students Users of Sensitive Data IT Staff Training (skills development) Especially for data stewards, IT staff, and information security team

80 Why? Who’s the Threat?

81 Cybersecurity Awareness Resources CD
The Awareness and Training Working Group of the EDUCAUSE/Internet2 Security Task Force compiled cybersecurity awareness resources distributed on a CD which are now on the web site. The resources were collected to showcase the variety of security awareness efforts underway at institutions of higher education and to provide resources for colleges and universities that are looking to jump-start a program for their organization.  Rodney, do you still have CDs? enough to distribute? I borrowed this slide and the next slide from the Campus and National Approaches to Improving Cyber Security Awareness presentation on October 6, 2004 More than 175 materials from 34 Universities Thank and acknowledge the National Cyber Security Alliance for its financial support of this effort.

82 What’s on the Web Site? Book Marks Brochures Checklists Flyers Games
Government Resources Handouts Industry Resources Links to School’s Security Web Page(s) Pamphlets Post Cards Presentations Security Awareness Documents Security Cards Security Tools Security Quizzes Surveys Videos Every attendee at the EDUCAUSE Annual Conference that will be held October 19 – 22 in Denver, Colorado will receive

83 Awareness Programs Students Faculty Staff Program 2003 39.2% 38.2%
42.2% Program 2005 62.3% 68.8% 69.1% Percent change 23.1% 30.6% 26.9% ECAR IT Security Study, 2006

84 When I Go To U.Va…. Collaborators: Concept and story board – IT Publications staff Video production – School of Continuing & Professional Studies Actors: children of IT staff Closed captioning – local commercial firm Cost was less that $3,000

85 Security Awareness Exercise
Outline a Plan for a Security Awareness Campaign About Managing Sensitive Data Who is your target audience? How will you market it? What are your key messages? What method of delivery will you use? How will you measure its effectiveness?

86 Step 7 Verify compliance routinely with your policies and procedures
Sub-steps 7.1 Routinely test network-connected devices and services for weaknesses in operating systems, applications, and encryption 7.2 Routinely scan servers, desktops, mobile devices, and networks containing confidential/sensitive data to verify compliance 7.3 Routinely audit access privileges 7.4 Procurement procedures and contract language to ensure proper data handling is maintained

87 Step 7 continued… Verify compliance routinely with your policies and procedures Sub-steps continued 7.5 System development methodologies that prevent new data handling problems from being introduced into the environment 7.6 Utilize audit function within the institution to verify compliance 7.7 Incident response policies and procedures 7.8 Conduct regular meetings with stakeholders such as data stewards, legal counsel, compliance officers, public safety, public relations, and IT groups to review institutional risk and compliance and to revise existing policies and procedures as needed

88 Step 7 Verify compliance routinely with your policies and procedures
Sub-steps 7.1 Routinely test network-connected devices and services for weaknesses in operating systems, applications, and encryption 7.2 Routinely scan servers, desktops, mobile devices, and networks containing confidential/sensitive data to verify compliance 7.3 Routinely audit access privileges 7.4 Procurement procedures and contract language to ensure proper data handling is maintained

89 Routine Testing Network Admission Control (NAC)
Test(s) at network registration But not all weaknesses are caught by commercial testing programs (scanners) Encryption can be tricky Network sniffing Examine configuration files Applications can imply things like re-running regression testing after changes

90 Step 7 Verify compliance routinely with your policies and procedures
Sub-steps 7.1 Routinely test network-connected devices and services for weaknesses in operating systems, applications, and encryption 7.2 Routinely scan servers, desktops, mobile devices, and networks containing confidential/sensitive data to verify compliance 7.3 Routinely audit access privileges 7.4 Procurement procedures and contract language to ensure proper data handling is maintained

91 Routine Scanning Vulnerability Scanners
Nessus ISS GFI LANGuard eEye Retina Local confidential data scanners* GW Safety Analyzer Cornell Spider U.Texas SENF (Sensitive Number Finder) *follow-up on 4.3

92 Step 7 Verify compliance routinely with your policies and procedures
Sub-steps 7.1 Routinely test network-connected devices and services for weaknesses in operating systems, applications, and encryption 7.2 Routinely scan servers, desktops, mobile devices, and networks containing confidential/sensitive data to verify compliance 7.3 Routinely audit access privileges 7.4 Procurement procedures and contract language to ensure proper data handling is maintained

93 Routine Audits Copy your external auditors 
What persons, groups, or roles have access? Should have access? Check terminated employees against list Transfers to new internal jobs as well Unclear as to wisdom of letting them know you’re coming

94 Step 7 Verify compliance routinely with your policies and procedures
Sub-steps 7.1 Routinely test network-connected devices and services for weaknesses in operating systems, applications, and encryption 7.2 Routinely scan servers, desktops, mobile devices, and networks containing confidential/sensitive data to verify compliance 7.3 Routinely audit access privileges 7.4 Procurement procedures and contract language to ensure proper data handling is maintained

95 Procurement Practices
Contracts in the U.S. establish your rights -- very few rights are guaranteed Are any vendors subject to your policies, or to any other statute governing their handling of your data? Does their contract acknowledge this? How are the vendors liable? Your judgment, theirs, or a court’s?

96 Step 7 continued… Verify compliance routinely with your policies and procedures Sub-steps continued 7.5 System development methodologies that prevent new data handling problems from being introduced into the environment 7.6 Utilize audit function within the institution to verify compliance 7.7 Incident response policies and procedures 7.8 Conduct regular meetings with stakeholders such as data stewards, legal counsel, compliance officers, public safety, public relations, and IT groups to review institutional risk and compliance and to revise existing policies and procedures as needed

97 System Development Add security to your software development life cycle When Requirements Vendor analysis or architecture development Test Turnover Consider canned methodologies only if they incorporate security

98 Step 7 continued… Verify compliance routinely with your policies and procedures Sub-steps continued 7.5 System development methodologies that prevent new data handling problems from being introduced into the environment 7.6 Utilize audit function within the institution to verify compliance 7.7 Incident response policies and procedures 7.8 Conduct regular meetings with stakeholders such as data stewards, legal counsel, compliance officers, public safety, public relations, and IT groups to review institutional risk and compliance and to revise existing policies and procedures as needed

99 Audit Function Auditor -- friend or enemy?
Audit reports generally go higher in the organization than security memos Audit staff has some skills at compliance and testing against a process or procedure Use them to double-check yourself and to check things that you can’t due to time or political constraints

100 Step 7 continued… Verify compliance routinely with your policies and procedures Sub-steps continued 7.5 System development methodologies that prevent new data handling problems from being introduced into the environment 7.6 Utilize audit function within the institution to verify compliance 7.7 Incident response policies and procedures 7.8 Conduct regular meetings with stakeholders such as data stewards, legal counsel, compliance officers, public safety, public relations, and IT groups to review institutional risk and compliance and to revise existing policies and procedures as needed

101 Incident Response An incident response structure is a necessity
Rich vein of material on this -- blueprint has links Cut down time data is exposed

102 Step 7 continued… Verify compliance routinely with your policies and procedures Sub-steps continued 7.5 System development methodologies that prevent new data handling problems from being introduced into the environment 7.6 Utilize audit function within the institution to verify compliance 7.7 Incident response policies and procedures 7.8 Conduct regular meetings with stakeholders such as data stewards, legal counsel, compliance officers, public safety, public relations, and IT groups to review institutional risk and compliance and to revise existing policies and procedures as needed

103 Continuous Improvement
Keep it current Keep them current Keep within the law Keep exploiting new technology

104 FTC Guide: Protecting Personal Information
Take stock. Know what personal information you have in your files and on your computers. Scale down. Keep only what you need for your business. Lock it. Protect the information that you keep. Pitch it. Properly dispose of what you no longer need. Plan ahead. Create a plan to respond to security incidents.

105 Putting it All Together
Moving from Planning to Action! 8:00 a.m. Registration 8:30 a.m. Introduction and Overview to Seminar 9:00 a.m. Creating a Security Risk-Aware Culture 9:30 a.m. Defining Institutional Data Types 10:15 a.m. Break 10:30 a.m. Reducing Access to Data Not Absolutely Essential Noon Lunch 1:00 p.m. Establishing and Implementing Stricter Controls 2:00 p.m. Providing Awareness and Training 2:30 p.m. Verifying Compliance 2:45 p.m. Break 3:00 p.m. Putting it All Together:  Moving from Planning to Action 4:00 p.m. Wrap-Up 4:30 p.m. Adjourn

106 The Blueprint Discussion How will you use the blueprint?
Do you have suggestions to improve it? Do you have resources or effective practices to submit?

107 Wrap-Up Question & Answer Seminar Evaluation & Feedback
Program ends at 12:00pm

108 For more information David Escalante Phone: EDUCAUSE/Internet2 Security Task Force EDUCAUSE Center for Applied Research Blueprint for Handling Sensitive Data wiki.internet2.edu/confluence/display/secguide

109 Case Study Group Discussion:
Who do you need to include (or other consult) as part of the emergency meeting? What core messages will you plan to deliver at the press conference? What kinds of questions should you anticipate from reporters or potential victims?

Download ppt "Director, Computer Policy & Security"

Similar presentations

IT Security Policy Framework

IT Security Policy Framework
What is GARP®? GARP® is an Acronym for Generally Accepted Recordkeeping Principles ARMA understands that records must be.

What is GARP®? GARP® is an Acronym for Generally Accepted Recordkeeping Principles ARMA understands that records must be.
HIPAA: FEDERAL REGULATIONS REGARDING PATIENT SECURITY.

HIPAA: FEDERAL REGULATIONS REGARDING PATIENT SECURITY.
HIPAA Security Rule Overview and Compliance Program Presented by: Lennox Ramkissoon, CISSP The People’s Hospital HIPAA Security Manager The Hospital June.

HIPAA Security Rule Overview and Compliance Program Presented by: Lennox Ramkissoon, CISSP The People’s Hospital HIPAA Security Manager The Hospital June.
Guide to Massachusetts Data Privacy Laws & Steps you can take towards Compliance.

Guide to Massachusetts Data Privacy Laws & Steps you can take towards Compliance.
Information Security Policies Larry Conrad September 29, 2009.

Information Security Policies Larry Conrad September 29, 2009.
Security Controls – What Works

Security Controls – What Works
Information Security Policies and Standards

Information Security Policies and Standards
Insights on the Legal Landscape for Data Privacy in Higher Education Rodney Petersen, J.D. Government Relations Officer and Security Task Force Coordinator.

Insights on the Legal Landscape for Data Privacy in Higher Education Rodney Petersen, J.D. Government Relations Officer and Security Task Force Coordinator.
Developing a Records & Information Retention & Disposition Program:

Developing a Records & Information Retention & Disposition Program:
Lesson 9-Securing a Network. Overview Identifying threats to the network security. Planning a secure network.

Lesson 9-Securing a Network. Overview Identifying threats to the network security. Planning a secure network.
Session 3 – Information Security Policies

Session 3 – Information Security Policies
Risk Assessment 101 Kelley Bradder VP and CIO Simpson College.

Risk Assessment 101 Kelley Bradder VP and CIO Simpson College.
Network security policy: best practices

Network security policy: best practices
© 2003, EDUCAUSE/Internet2 Computer and Network Security Task Force Computer Access, Privacy and Security: Legal Obligations and Liabilities Rodney J.

© 2003, EDUCAUSE/Internet2 Computer and Network Security Task Force Computer Access, Privacy and Security: Legal Obligations and Liabilities Rodney J.
Enterprise Security. Mark Bruhn, Assoc. VP, Indiana University Jack Suess, VP of IT, UMBC.

Enterprise Security. Mark Bruhn, Assoc. VP, Indiana University Jack Suess, VP of IT, UMBC.
Information Asset Classification

Information Asset Classification
SEC835 Database and Web application security Information Security Architecture.

SEC835 Database and Web application security Information Security Architecture.
Lesson 8-Information Security Process. Overview Introducing information security process. Conducting an assessment. Developing a policy. Implementing.

Lesson 8-Information Security Process. Overview Introducing information security process. Conducting an assessment. Developing a policy. Implementing.
Rodney Petersen Security Task Force Coordinator EDUCAUSE

Rodney Petersen Security Task Force Coordinator EDUCAUSE

Similar presentations

Ads by Google