
End User Security Awareness Program

End User Security Awareness Program. University of Toledo Educational and Information Technology. Presented by: Interim Chief Information Officer, Joseph Sawasky; Communications Administrator, Melissa Crabtree. What’s in an end user security program for you?



Presentation Transcript


  1. End User Security Awareness Program
  University of Toledo, Educational and Information Technology
  Presented by: Interim Chief Information Officer, Joseph Sawasky; Communications Administrator, Melissa Crabtree

  2. What’s in an end user security program for you?
  • Despite IT’s best efforts (firewall, passwords, encryption, directory permissions, anti-virus, anti-spyware, facility controls, video surveillance, etc.), one careless or malicious end user can cause major problems for you – it will happen on your campus!
  • Ensures IT AND end user departments have shared “skin in the game”
  • Shows due diligence
  • Shows IT is proactively addressing an area of high potential security risk outside the data center
  • It’s relatively cheap
  • You’ll have ready answers when the local media visits and when angry students, parents, employees and bosses call
  • (and it reduces the chances that the previous bullet will occur!)
  • Steal with pride! That’s what OHECC is for!

  3. “It’s not if it will happen... it’s when!”
  • Stolen laptop at University of CA, Berkeley causes breach of 98,400 SSNs
  • Hacker compromises security at Boston College, breach of 120,000
  • Dishonest insider at University of Hawaii leaks 150,000 SSNs
  • Ohio Incidents – Closer to Home
    • University of Toledo
      • Faculty member posts grades and SSNs of 56 students
      • Faculty member posts grades and SSNs of 155 students
      • 4 stolen laptops breach approximately 2,200 SSNs
  • Rule of thumb – notification costs ~$2.00 per record compromised
  Data Source: Privacy Rights Clearinghouse - http://www.privacyrights.org/ar/ChronDataBreaches.htm

  4. What we’ll talk about today
  • The University of Toledo – Educational and Information Technology
  • End User Awareness Training and Best Practices “Recommendations”
  • Departmental Auditing Procedures
  • CyberAngel and PowerGREP
  • Looking to the future

  5. The University of Toledo
  • 20,000 Students
  • 2,200 Faculty and Staff
  • 10,000+ computers
  • Educational and Information Technology
    • 79 FTEs
    • 1 Full Time Network Security Analyst
    • Team created from existing employees for security awareness and audit procedure
    • Central Response Unit for security breaches
    • Provide University-wide information security best practices
    • Promote Security Awareness and Education of Employees

  6. Security Awareness and Training Program
  • Lunch and Learn Program
    • The Presentation
      • What is Sensitive Information?
      • Their role and responsibility
      • Three methods of security – Physical, Computer, and Procedural (Social Engineering)
    • Guidelines for Information Security for Faculty/Staff tri-fold
    • Video on Information Security

  7. Security Awareness and Training Program
  • Lunch and Learn Program Continued
    • Participant’s Next Steps
      • Personal Security Action Plan
        • Each user should go through their computers and verify that all “Sensitive Data” is secure using the PSAP
      • Computer Security Checklist
        • Prepares user for an Information Security Audit
      • Information Security Audit
        • Send follow-up email to Business Unit Manager and request audit of department

  8. Security Awareness and Training Program
  • Statistics on Lunch and Learn Program
    • Conducted six targeted programs since program inception (January 2006)
    • 3 future programs planned
    • Over 180 Faculty and Staff have gone through the program
    • Led to the audit of 5 major business units

  9. Information Security Audit Procedure
  • Announcement Letter or Web Audit Request
  • Preliminary Review
    • Date of Audit, Time, Mgr. uses checklist to choose what should be audited, and any special details
  • Audit
    • Audit team uses Security Checklist to complete the audit of the selected users
    • Remote audit of PCs and Servers conducted using PowerGREP
    • Audit results sent to Mgr. and CIO
      • Includes all supporting documentation
  • Follow-up Review
    • EIT conducts follow-up audit on any security issues found
    • Installation of CyberAngel for users that handle large amounts of sensitive data

  10. Information Security Audit Procedure
  • Sample Documentation
    • E-mail of Audit Results
    • Compiled Security Checklist
    • PowerGREP results

  11. Information Security Audit Procedure
  • Audit Statistics/Benefits
    • Audited 5 major business units (including Enrollment Services, EIT, and ERP, which include 65% of data owners)
    • Proactively found 108,000 SSNs in over 15,000 documents
    • Awareness is branching out to other departments
    • 4 audits in queue

  12. CyberAngel Security Software
  • Creates an encrypted drive – preventing unauthorized access to files if computer is stolen
    • 8 different available algorithms, including Rijndael-AES 256
    • If an incorrect or no password is given, users don’t see the drive or files stored there
  • HIPAA, GLB, FERPA, and new Sub HB 104 compliant
  • Offers Single or Two-Factor Authentication
  • Tracks, Locates and Recovers Lost or Stolen Computers
    • 92% return rate
    • CyberAngel Incident Report used to obtain search warrants and subpoenas

  13. CyberAngel Security Software
  • Provides “Real-Time” Security for Data and Information Protection
    • Prohibits Unauthorized VPN Access
    • Prevents Unauthorized Application Use
    • Locks Communication Ports
    • Sends Notification of Unauthorized Access

  14. CyberAngel Security Software
  • Simple and Customizable Login Screen
  • Encrypted “P:\Drive” works like a standard folder, making it easy for your Staff to use

  15. CyberAngel Security Software
  • 24-hour support hotline and theft reporting – IT involvement is not necessary
  • Customizable hotkey to disable and re-enable encrypted drive
  • CyberAngel Configuration Manager
    • Does not have to be installed on machine
    • Create a “Master” password for University
    • Assign a different drive letter
    • Change encrypted size of drive
    • Uninstall and reinstall software
    • User can change password

  16. CyberAngel Security Software
  • Statistics/Benefits
    • Already installed on 125 “data owner” machines
    • Purchases are being made by the departments
    • $62.50 for a 5-year license (when 100 – 500 are purchased)
    • Discount pricing for students – CyberAngel assumes all responsibility

  17. PowerGREP Software
  • A powerful Windows grep tool
  • Ability to extract statistics and knowledge from log files and large data sets
  • Find files and information anywhere on a PC or network
  • Simple user interface
  • Full-featured text and hex built-in editor

  18. PowerGREP Software
  • Unique Abilities
    • Search through specific file sections
    • Split files into records before searching
    • Post-process replacement text
    • Permanent Undo History
  • Compatibilities
    • Perl, Java and .Net compatible regular expressions
    • Extensive text encoding support
    • Search through zip archives

  19. PowerGREP Software

  20. PowerGREP Software

  21. PowerGREP Software
  • Statistics/Benefits
    • Proactively found 108,000 instances of SSNs in first round of audit
    • Easily identify file locations for users
    • Uses beyond just PC searches
    • 80-gig hard drive in just under an hour and a half (on the network!)
    • Only $149
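The remote audit step in slide 9 and the PowerGREP sweep in slides 17–21 both come down to one task: pattern-search a department’s files for Social Security Numbers and report where they live. The script below is an added illustration of that audit logic, not PowerGREP or anything from UT’s program; it applies a bounded SSN regex, drops values the SSA never issues to cut false positives, and reports only masked hits so the audit report is not itself sensitive data. The sample documents are constructed.

```python
import re
from pathlib import Path

# Candidate SSN: NNN-NN-NNNN (or space-separated), bounded by non-digits so it does
# not fire inside longer digit runs such as phone numbers or student ID numbers.
SSN_CANDIDATE = re.compile(r"(?<!\d)(\d{3})[- ](\d{2})[- ](\d{4})(?!\d)")

def is_plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Filter out values the SSA never issues (area 000/666/9xx, group 00, serial 0000)."""
    if area in ("000", "666") or area.startswith("9"):
        return False
    return group != "00" and serial != "0000"

def find_ssns(text: str) -> list:
    """Return every plausible SSN-formatted value in text, normalised to NNN-NN-NNNN."""
    return [f"{a}-{g}-{s}" for a, g, s in SSN_CANDIDATE.findall(text)
            if is_plausible_ssn(a, g, s)]

def mask(ssn: str) -> str:
    """Keep only the last four digits so the audit report does not re-create the exposure."""
    return "***-**-" + ssn[-4:]

def audit_documents(docs: dict) -> dict:
    """Map each document path to the masked SSNs it contains; clean files are omitted."""
    report = {}
    for path, text in docs.items():
        hits = find_ssns(text)
        if hits:
            report[path] = [mask(h) for h in hits]
    return report

def audit_directory(root: Path, suffixes=(".txt", ".csv")) -> dict:
    """Walk a share (the remote-audit case) and run audit_documents over its text files."""
    docs = {str(p): p.read_text(errors="replace")
            for p in root.rglob("*") if p.is_file() and p.suffix.lower() in suffixes}
    return audit_documents(docs)

# Constructed sample documents standing in for a departmental file share.
SAMPLE_DOCS = {
    "grades/fall_section1.csv": "Smith,J,123-45-6789,A\nDoe,R,234 56 7890,B\n",
    "grades/roster.txt": "Student ID R00123456, phone 419-530-1234, ext 555-1234\n",
    "forms/template.txt": "SSN: 000-12-3456  (example) 123-00-4567 123-45-0000\n",
    "memo.txt": "Enrollment Services will move to the new building in June.\n",
}

if __name__ == "__main__":
    for path, hits in audit_documents(SAMPLE_DOCS).items():
        print(f"{path}: {len(hits)} SSN(s) -> {', '.join(hits)}")
```

Only the grades file is reported; the roster’s phone number and student ID and the template’s placeholder values are rejected by the boundary and plausibility checks, which is the difference between an audit hit list a manager can act on and one buried in noise.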

  22. Looking to the Future
  • Likelihood of more rigorous external requirements and more severe penalties
  • Expanded audits
  • Increased faculty awareness
  • More automation in audit process
  • Challenge of providing information to decision-makers and providing more security

  23. Summary
  • Be proactive and provide leadership – create your own end user security program
  • Promote it across campus – market and communicate
  • You’ll be happy you did WHEN the next incident occurs
  • Reduce the MTBsF
  • Borrow anything you can from UT – we’re happy to help

  24. Any Questions?
  • Joseph Sawasky: jsawask@utnet.utoledo.edu
  • Melissa Crabtree: mcrabtr@utnet.utoledo.edu
  • “Motivational” backgrounds
    • The Sourcefire Computer Security Calendar
  • Security Breaches - Privacy Rights Clearinghouse
    • http://www.privacyrights.org/ar/ChronDataBreaches.htm
  • The CyberAngel Inc
    • http://www.thecyberangel.com/
  • PowerGREP
    • http://www.powergrep.com/
  • UT - Educational and Information Technology
    • http://www.eit.utoledo.edu
    • http://www.eitnetwork.utoledo.edu/security.asp
