1. Handling Sensitive Data: Security, Privacy, and Other Considerations Rodney Petersen Government Relations Officer Security Task Force Coordinator EDUCAUSE

2. Security Task Force Goals:  Education and Awareness  Standards, Policies, and Procedures  Security Architecture and Tools  Organization and Information Sharing Working Groups  Awareness and Training  Policies and Legal Issues  Risk Assessment  Effective Practices and Solutions Annual Security Professionals Conference

3. Security Goals: C-I-A Availability - computers, systems and networks must be available on a timely basis to meet mission requirements or to avoid substantial losses. Integrity - computers, systems, and networks that contain information must be protected from unauthorized, unanticipated, or unintentional modification. Confidentiality - computers, systems, and networks that contain information require protection from unauthorized use or disclosure.

4. Security Approaches People – awareness, training, policies, roles and responsibilities, staffing, etc. Process – procedures, work flows, systems, physical security, compliance, etc. Technology – layered security, vulnerability scanning, access controls, o/s and s/w updates, etc.

5. ECAR IT Security Study The Headlines You Won’t Read in the Chronicle of Higher Ed or New York Times: The respondents feel more secure today than two years ago despite being in a perceived riskier environment. Respondents feel that the academic community has become more sensitive to security and privacy in the last two years. ECAR IT Security Study, 2006

6. IT Security Incidents Ten percent of the respondents in our survey indicated that they had an IT security incident in the last twelve months, which had been reported to the press (down from 19 percent in 2003). A majority of institutions (74.2 percent) report that the number of incidents is about the same or less in the past twelve months as compared with the year before. The primary perceived risks are viruses (72.6 percent), theft of personal financial information (64.8 percent), and spoofing and spyware (55.3 percent). ECAR IT Security Study, 2006

7. Data Security Incidents Stolen Laptops Missing Media Unauthorized access to systems Incident response teams Notification to affected individuals Identity theft and other types of fraud Data Incident Notification Toolkit

8. Blueprint for Handling Data Step 1: Create a security risk-aware culture that includes an information security risk management program Step 2: Define institutional data types Step 3: Clarify responsibilities and accountability for safeguarding confidential/sensitive data Step 4: Reduce access to confidential/sensitive data not absolutely essential to institutional processes Step 5: Establish and implement stricter controls for safeguarding confidential/sensitive data Step 6: Provide awareness and training Step 7: Verify compliance routinely with your policies and procedures

9. Step 1: Risk Aware Culture 1.1 Institution-wide security risk management program 1.2 Roles and responsibilities defined for overall information security at the central and distributed level 1.3 Executive leadership support in the form of policies and governance actions

10. Risk Management Framework

11. Risks Incurred ECAR IT Security Study, 2006 DamagePercent Business application, including e-mail, unavailable33.7% Network unavailable29.4% Information confidentiality compromised26.0% Damage to software21.5% Damage to data12.5% Negative publicity in the press10.0% Identity theft8.4% Damage to hardware7.4% Financial losses6.4%

12. Risk Assessments 55 percent do some type of risk assessment But less than 9 percent cover all institutional systems and data. ECAR IT Security Study, 2006

13. Responsibility for IT Security IT Security Officer (up to 35% from 22%) CIO (up to 14% from 8%) Other IT Directors ( down to 50% from 67%)

14. IT Security Plan 11.2 percent - a comprehensive IT security plan is in place 66.6 percent - a partial plan is in place. 20.4 percent - no IT security plan is in place ECAR IT Security Study, 2006

15. Policies in Place Individual employee responsibilities for information security practices (73%) Protection of organizational assets (73%) Managing privacy issues, including breaches of personal information (72%) Incident reporting and response (69%) Disaster recovery contingency planning (68%)

16. Policies in Place Investigation and correction of the causes of security failures (68%) Notification of security events to: individuals, the law, etc. (67%) Sharing, storing, and transmitting data (51%) Data classification, retention, and destruction (51%) Identity Management (50%)

17. Step 1: Risk Aware Culture 1.1 Institution-wide security risk management program 1.2 Roles and responsibilities defined for overall information security at the central and distributed level 1.3 Executive leadership support in the form of policies and governance actions

18. Step 2: Define Data Types 2.1 Compliance with applicable federal and state laws and regulations - as well as contractual obligations - related to privacy and security of data held by the institution (also consider applicable international laws) 2.2 Data classification schema developed with input from legal counsel and data stewards 2.3 Data classification schema assigned to institutional data to the extent possible or necessary

19. Step 3: Clarify Responsibilities 3.1 Data stewardship roles and responsibilities 3.2 Legally binding third party agreements that assign responsibility for secure data handling

20. Step 4: Reduce Access to Data 4.1 Data collection processes (including forms) should request only the minimum necessary confidential/sensitive information 4.2 Application outputs (e.g., queries, hard copy reports, etc.) should provide only the minimum necessary confidential/sensitive information 4.3 Inventory and review access to existing confidential/sensitive data on servers, desktops, and mobile devices 4.4 Eliminate unnecessary confidential/sensitive data on servers, desktops, and mobile devices 4.5 Eliminate dependence on SSNs as primary identifiers and as a form of authentication

21. Step 5: Controls 5.1 Inventory and review/remediate security of devices 5.2 Configuration standards for applications, servers, desktops, and mobile devices 5.3 Network level protections 5.4 Encryption strategies for data in transit and at rest 5.5 Policies regarding confidential/sensitive data on mobile devices and home computers and for data archival/storage 5.6 Identity management and resource provisioning processes 5.7 Secure disposal of equipment and data 5.8 Consider background checks on individuals handling confidential/sensitive data

22. Security Approaches in Place Perimeter firewalls77% Centralized backups77% VPNs for remote access75% Enterprise directory75% Interior network firewalls65% Intrusion detection62% Active filtering59% Intrusion prevention 44% ( up from 33%) Security Standards for Applications 32% ( up from 27%) ECAR IT Security Study, 2006

23. Step 6: Awareness and Training 6.1 Make confidential/sensitive data handlers aware of privacy and security requirements 6.2 Require acknowledgment by data users of their responsibility for safeguarding such data 6.3 Enhance general privacy and security awareness programs to specifically address safeguarding confidential/sensitive data 6.4 Clearly communicate how to safeguard data so that collaboration mechanisms such as e-mail have strengths and limitations in terms of access control

24. Awareness Programs ECAR IT Security Study, 2006 StudentsFacultyStaff Program 200339.2%38.2%42.2% Program 200562.3%68.8%69.1% Percent change23.1%30.6%26.9%

25. Step 7: Verify Compliance 7.1 Routinely test network-connected devices and services for weaknesses in operating systems, applications, and encryption 7.2 Routinely scan servers, desktops, mobile devices, and networks containing confidential/sensitive data to verify compliance 7.3 Routinely audit access privileges 7.4 Procurement procedures and contract language to ensure proper data handling is maintained 7.5 System development methodologies that prevent new data handling problems from being introduced into the environment 7.6 Utilize audit function within the institution to verify compliance 7.7 Incident response policies and procedures 7.8 Conduct regular meetings with stakeholders such as data stewards, legal counsel, compliance officers, public safety, public relations, and IT groups to review institutional risk and compliance and to revise existing policies and procedures as needed

26. FTC Guide: Protecting Personal Information Take stock. Know what personal information you have in your files and on your computers. Scale down. Keep only what you need for your business. Lock it. Protect the information that you keep. Pitch it. Properly dispose of what you no longer need. Plan ahead. Create a plan to respond to security incidents.

27. Characteristics of Successful IT Security Programs Institutions with IT security plans in place characterize their IT security programs as more successful and feel more secure today. The respondents who believe their institution provides necessary resources give higher ratings for IT security program success and their current sense of IT security. The biggest barrier to IT security is lack of resources (64.4 percent) and especially at smaller institutions, followed by an academic culture of openness and autonomy (49.6 percent), and lack of awareness (36.4 percent). ECAR IT Security Study, 2006

28. For more information Rodney Petersen Email: rpetersen@educause.edu Phone: 202.331.5368 EDUCAUSE/Internet2 Security Task Force www.educause.edu/security EDUCAUSE Center for Applied Research www.educause.edu/ECAR Blueprint for Handling Sensitive Data wiki.internet2.edu/confluence/display/secguide