1 / 25

Security Is Everyone’s Responsibility

Security Is Everyone’s Responsibility. October 22, 2014. Agenda. Introduction – Scott Douglass Legal Issues – Laure Ergin Risk & Challenges - Kirk Die What IT is Seeing & Doing – Jason Cash Unit & Employee Responsibilities – Karl Hassler Sensitive Data – Karl Hassler

Download Presentation

Security Is Everyone’s Responsibility

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Security Is Everyone’s Responsibility October 22,2014

  2. Agenda • Introduction – Scott Douglass • Legal Issues – Laure Ergin • Risk & Challenges - Kirk Die • What IT is Seeing & Doing – Jason Cash • Unit & Employee Responsibilities – Karl Hassler • Sensitive Data – Karl Hassler • Wrap Up / Discussion - Scott Douglass • Resources

  3. Introduction • Today’s Reality • More Organizations are revealing they’ve been breached • Public pressure • Disclosure laws • Why We’re Here • Begin a dialogue • Raise awareness • Educate • Provide resources

  4. Legal Issues • Which law applies depends on: • Location of institution • Type of information • Role of person storing the information • How the information was obtained? • Privacy / Security • Privacy – the freedom from having information from being disclosed without one’s consent • Security – the mechanism(s) in place to protect the privacy of information

  5. Applicable Laws • Family Educational Rights & Privacy Act (FERPA) – protects student educationalrecords • Gramm Leach Bliley Act (GLBA) – protects financial informationof customers • Health Insurance Portability & Accountability Act Of 1996 (HIPAA) – protects patient information • Payment Card Industry-Data Security Standard (PCI-DSS) – protects credit card information • Delaware Breach Notification Law - Del. Code, Title 6, Sec. 12B-101 et seq. – requires breach notification in the event of a data breach • The Jeanne Clery Disclosure of Campus Security Policy & Campus Crime Statistics Act (Clery Act) – requires reporting of crime statistics to general public and federal government • Computer Fraud & Abuse Act – crimializes hacking into computers and computer networks • Communications Decency Act – regulates obscenity in cyberspace • Children’s Online Privacy Protection Act (COPPA) – regulates commercial operators that are directing services to children under 13 • Communications Assistance for Law Enforcement Act (CALEA) – regulates assistance that must be provided to law enforcement for phone tapping purposes • Federal Information Security Management Act (FISMA) – regulates how federal information and computers and networks are secured through contracts and possibly soon grant documents.

  6. Types of Laws • Some laws are about what we can and can’t do with information we have – focus is protecting information. • Some laws are about information we have that we must share with individuals, our community and report to state and federal governments – focus is disclosure. • Some laws are about what you can and can’t do on your computer or on the internet – focus is on regulating conduct and behavior through or on the internet • Some laws go beyond securing information and want to make sure your information systems (computers and networks) are secure and protected.

  7. Potential Risks • Legal Compliance • Failure to comply with privacy laws and regulations can result in significant legal sanctions, liability, fines, and other unpleasant consequences. • Regulatory agencies are stepping up enforcement – meaning surveys are being sent out, questions are being posed, and ultimately on site audits are conducted. • State attorneys general have enforcement power for state privacy/security laws plus they can enforce certain federal laws, too (HIPAA, COPPA). Privacy and security laws are expanding in their coverage.

  8. Other Potential Risks • Reputational Injuries • Damage to Student Well-Being • Damage to Employee Well-Being • Soured Relationships • Financial Injuries • Time and Resources

  9. University Data Security Challenges • Open Environment – many have access to records, control their own data • Social Security number as a student identifier – resides on many systems • Data Retention – tend to archive vs. delete • Research – studies can use vast amounts of sensitive information • Sharing – culturally much data is shared among colleagues

  10. Target Rich Environment • In General – need to allow less access • Social Security number and other personal identifiers – retain in as few places as possible and only when needed • Data Retention – less is better • Research – separate initiative to secure research data • Sharing – be more careful on what we share and how

  11. What IT Is Seeing • 171 UDELNET accounts compromised • 20 machines disabled on average per week due to malware, etc.

  12. http://krebsonsecurity.com/2012/10/the-scrap-value-of-a-hacked-pc-revisited/http://krebsonsecurity.com/2012/10/the-scrap-value-of-a-hacked-pc-revisited/

  13. http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/

  14. What IT Is Doing • Created: • IT Security & Compliance Office (modernize policies) • Technical Security Group • Locate old data (SSNs) • Protect current data (more than SSNs!) • Detect intrusions • FireEye, snort, NGFW, etc.

  15. What does IT need? • Process PII/SSNs scan results. • Desktop and laptop PII scanning software coming soon. • More SSNs. No, really.

  16. Unit Responsibilities Some Action Items • Follow UD Policies • Develop Information Security Plan - Inventory data and devices (Know what you have) - Classify (Assess Sensitivity and Risk)- Establish protocols to Manage, Access and Use (Playbook) - Protect Data - Limit Use + Retention -Evaluate Processes (Where + How is data at risk?)

  17. Employee Responsibilities Some Action Items • Unit Administrators - Inventory - Classify - Protect - Communicate • Employees - Understand responsibilities and requirements - Ask questions!

  18. Employee ResponsibilitiesSome Action Items • Perform periodic reviews • Encrypt Sensitive Regulated data that must be retained • Purge or Archive unneeded data • Management standards followed? • New control gaps? • Report the loss or misuse of devices immediately

  19. Types of Sensitive Data (1) • Confidential PII (Personally Identifiable Information) • First Name or Initial and Last Name, along with: • Social Security Number; • Driver’s License Number or State-Issued ID Number; • Alien Registration or Government Passport Number; or • Financial Information: Account, credit or debit card number

  20. Types of Sensitive Data (2) • Student Data • Health Information • Financial Account Information, Credit Card #s • Certain Employment Data • Personally Identifiable Human Subject Research Data • UDelNet account passwords

  21. Discussion

  22. Resources & Tools • UD Policies • 1-15 - http://www.udel.edu/ExecVP/policies/administrative/1-15.html • 1-22 - http://www.udel.edu/ExecVP/policies/administrative/1-22.html • Privacy & Confidentiality -http://www.udel.edu/it/security/policies/employees/privacy.html • Security Reporting -http://www.udel.edu/it/security/secreporting.html

  23. Security Is Everyone’s Responsibility September 30, 2014

More Related