Presentation is loading. Please wait.

Presentation is loading. Please wait.

Data Privacy and Security: Sort of Urgency Praveen Panchal, CIO.

Published byPearl Williams Modified over 9 years ago

Similar presentations

Presentation on theme: "Data Privacy and Security: Sort of Urgency Praveen Panchal, CIO."— Presentation transcript:

1 Data Privacy and Security: Sort of Urgency Praveen Panchal, CIO

2 Why?...Because Within little over one year there were 237 reported security breaches… Compromising more than 97 million records containing personal information 83 or 35% incidents involved High Ed institutions Source – Privacy Rights Clearinghouse

3 Early threats were targeted on servers and computers connected to network to destroy them or use them to launch subsequent attacks Now threats are no longer operating systems, networks, or control of machines but rather… Personal data about the users on these machines for profit Changing Nature of Threats “Attackers are increasingly seeking financial gain rather than mere notoriety. During the past year we have seen a significant decrease in the number of large scale global virus outbreaks and, instead, are observing that attackers are moving towards smaller, more focused attacks” Vincent Weafer – Senior Director at Symantec Corporation

4 Furious Constituents Negative Publicity Tarnished Reputation Public Embarrassment Investigations Lawsuits, Fines and Penalties Financial Losses Waste of Valuable Resources Implications

5 Implement Technological Solutions Adopt “Soft” IT Security Approaches Change the Campus Culture Combination of all the above What we can do? Note: All the points addressed here have been adopted as an activity in the CUNY Security Plan.

6 Perimeter and Interior Firewalls Virtual Private Network Intrusion Detection and Prevention System Enterprise Directory Filtering Technology Network Behavior Analysis Technological Solutions

7 Planning Develop w ell-thought-out comprehensive IT security plan, risk assessment and IT security implementation strategy which is standards-based, flexible, mission-driven, adaptable, simple and measurable Implementation Implement IT security plan and make it intrinsic part of day- to-day operations of the campus Auditing Periodically examine, assess and analyze security of central and local applications, networks, and data Policies and Procedures Develop policies and procedures for data backup, authentication and authorization, physical security, employee responsibilities, disaster recovery, formal incident-response procedures, etc. “Soft” IT Security Approach

8 Invigorate Senior Management Interest and Support in IT Security (“Buck Stops Here!”) Garner “political” support which is critical to provide credibility to IT security program implementation Define IT Security Functions (“Who Does What?”) Implement governance structure to institute CUNY mandated policies and procedures and empower Internet Security Officer (ISO) to implement these policies and procedures Training and Awareness (“Think IT Security First!”) Provide training on current techniques, security awareness programs, change in institutional culture to respect for private information of our constituents and restrict the distribution of sensitive data Maintain Assets Inventory (“What We Got?”) Identify and classify assets that require protection through classifications such as regulatory compliance, confidential, internal and public Change the Campus Culture

9 Security Communication and Training Seminars and Workshops - Wireless Technology, Intrusion Management, Vulnerability Management and Microsoft Security Security Policy, Advisement and Procedures Security alerts and advisories - Phishing, Email/Passwords, Private Information and Spam Email Security procedure authored and adopted for Breach Reporting Security policies (18) authored and adopted - Access to Sensitive or Non-Public University Data/Systems, Authentication, User IDs, Severance of Computer Accounts, Review of Computer Access, Student/Part-time Employees/Contractor User IDs, Passwords, Privileged Access, Mobile Devices, Incident Response and Reporting, Change of Data in Permanent Records, Centralized Data Management, Grade Changes, Changes in Information Systems, Vulnerability Assessments, Web Accessible Data, Management Responsibility, Information Security Policy Governance CUNY Security Initiatives

10 Security Incident Response Reporting and notification protocols and consistent follow through their execution Information Security Strategy University Security Plan oriented towards providing security services and increased capabilities to benefit the Colleges and the University while maintaining the collaborative approach with CUNY constituents E-Signature Initiative Initiative to gather input from University and College constituents to assess and recommend e-Signature opportunities for consideration during ERP implementation CUNY Security Initiatives

11 Data Warehouse Formal review and approval process for vetting all requests to access the data warehouse (forms are published at security.cuny.edu) security.cuny.edu Security Technology Selection Intrusion Management Program - Network behavior analysis appliances from Mazu Networks and signature-based intrusion detection appliances from Symantec Assessments CIS Portal Vulnerability Assessment, University Web Services Assessment and external vendor (Liveperson.com)Liveperson.com Security Integration – CIS Projects EDS Credit Card Processing/PCI Compliance, Enterprise Directory, Crystal Developer/Enterprise, CO LAN, Portal Authentication/Identity conflicts, Wireless Network Architecture, email Architecture, and VPN/firewall port requests (approver) CUNY Security Initiatives

12 Family Educational Rights and Privacy Act (FERPA) Gramm-Leach-Bliley Act (GLBA) Health Insurance Portability and Accountability Act (HIPAA) Communications Assistance for Law Enforcement Act (CALEA) Payment Card Industry Data Security Standard (PCIDSS) Federal Information Security Management Act (FISMA) Information Security Laws and Regulations

13 Conclusion Senior-Level Support and Involvement Enterprise view of Information Security rather than just specific department Alignment of Technologies, Processes and Campus Culture with Information Security Flexible Information Security efforts to more easily adapt to new threats as they emerge

14 Questions?

15 Thank You! Acknowledgement: This presentation was made possible with the help of Mr. Carl Cammarata, CUNY Chief Information Security Officer and selected articles from Educause Review, September/October 2006.

Download ppt "Data Privacy and Security: Sort of Urgency Praveen Panchal, CIO."

Similar presentations

HIPAA Security Presentation to The American Hospital Association Dianne Faup Office of HIPAA Standards November 5, 2003.

HIPAA Security Presentation to The American Hospital Association Dianne Faup Office of HIPAA Standards November 5, 2003.
IT Security Policy Framework

IT Security Policy Framework
Darton College Information Systems Use Policies. Introduction Dartons Information Systems are critical resources. The Information Systems Use Policies.

Darton College Information Systems Use Policies. Introduction Dartons Information Systems are critical resources. The Information Systems Use Policies.
CS898T Mobile and Wireless Network Handheld Device Security By Yuan Chen July 25 th, 2005.

CS898T Mobile and Wireless Network Handheld Device Security By Yuan Chen July 25 th, 2005.
HIPAA: FEDERAL REGULATIONS REGARDING PATIENT SECURITY.

HIPAA: FEDERAL REGULATIONS REGARDING PATIENT SECURITY.
CAMP Med Building a Health Information Infrastructure to Support HIPAA Rick Konopacki, MSBME HIPAA Security Coordinator University of Wisconsin-Madison.

CAMP Med Building a Health Information Infrastructure to Support HIPAA Rick Konopacki, MSBME HIPAA Security Coordinator University of Wisconsin-Madison.
Springfield Technical Community College Security Awareness Training.

Springfield Technical Community College Security Awareness Training.
Lynn Ray ISO Towson University Strategic Planning for IT Security Copyright Lynn Ray, 2007. This work is the intellectual property rights of the author.

Lynn Ray ISO Towson University Strategic Planning for IT Security Copyright Lynn Ray, This work is the intellectual property rights of the author.
Smart Grid - Cyber Security Small Rural Electric George Gamble Black & Veatch

Smart Grid - Cyber Security Small Rural Electric George Gamble Black & Veatch
Information & Communication Technologies 08 2014 NMSU All About Discovery! Risk-Based Information Security Program at NMSU presented by Norma Grijalva.

Information & Communication Technologies NMSU All About Discovery! Risk-Based Information Security Program at NMSU presented by Norma Grijalva.
Information Security Policies Larry Conrad September 29, 2009.

Information Security Policies Larry Conrad September 29, 2009.
Security Controls – What Works

Security Controls – What Works
Security+ Guide to Network Security Fundamentals

Security+ Guide to Network Security Fundamentals
WHY CHOOSE CEO-PE?  We employ International Association of Privacy Professionals (IAPP) Certified and Health Insurance Portability & Accountability Act.

WHY CHOOSE CEO-PE?  We employ International Association of Privacy Professionals (IAPP) Certified and Health Insurance Portability & Accountability Act.
Cybersecurity Summit 2004 Andrea Norris Deputy Chief Information Officer/ Director of Division of Information Systems.

Cybersecurity Summit 2004 Andrea Norris Deputy Chief Information Officer/ Director of Division of Information Systems.
Data Security At Cornell Steve Schuster. Questions I’d like to Answer ► Why do we care about data security? ► What are our biggest challenges at Cornell?

Data Security At Cornell Steve Schuster. Questions I’d like to Answer ► Why do we care about data security? ► What are our biggest challenges at Cornell?
University of Guelph IT Security Policy Doug Blain Manager, IT Security ISC, April 27th.

University of Guelph IT Security Policy Doug Blain Manager, IT Security ISC, April 27th.
ITS Offsite Workshop 2002 PolyU IT Security Policy PolyU IT/Computer Systems Security Policy (SSP) By Ken Chung Senior Computing Officer Information Technology.

ITS Offsite Workshop 2002 PolyU IT Security Policy PolyU IT/Computer Systems Security Policy (SSP) By Ken Chung Senior Computing Officer Information Technology.
Security Overview. 2 Objectives Understand network security Understand security threat trends and their ramifications Understand the goals of network.

Security Overview. 2 Objectives Understand network security Understand security threat trends and their ramifications Understand the goals of network.
IT Security Challenges In Higher Education Steve Schuster Cornell University.

IT Security Challenges In Higher Education Steve Schuster Cornell University.

Similar presentations

Ads by Google