A Blueprint for Handling Sensitive Data: Security, Privacy, and Other Considerations

David Escalante

Director, Computer Policy & Security

Boston College

Monday, July 30, 2007, 8:30am-12:00pm

Campus Technology 2007

Washington, DC

Seminar Goals

At the end of this session:

  • You should feel comfortable discussing common cybersecurity risks plaguing higher education and computer users in general.
  • You will have a list of key strategies to pursue for stopping the leakage of confidential/sensitive data.
  • You will be introduced to several security resources and best practices to help you apply the key strategies.
Agenda (1)
  • Overview and Introductions
  • Creating a Security Risk-Aware Culture
  • Defining Institutional Data Types
  • Clarifying Responsibility and Accountability
  • Reducing Access to Data Not Absolutely Essential
Agenda (2)
  • Establishing & Implementing Stricter Controls
  • Providing Awareness and Training
  • Managing Sensitive Data Outreach Programs
  • Verifying Compliance
  • Putting It All Together
  • Evaluation and Wrap-Up
Icebreaker
  • Human Scavenger Hunt
  • Instructions:
    • Take a moment to read entire list (front and back)
    • Obtain as many signatures as possible in the time allotted
    • An individual may sign your sheet only once
    • Fill in the blanks when space is provided
The Blueprint

Confidential Data Handling Blueprint

Purpose

  • To provide a list of key strategies to follow for stopping the leakage of confidential/sensitive data.
  • To provide a toolkit of resources pertaining to confidential/sensitive data handling.

https://wiki.internet2.edu/confluence/display/secguide/Confidential+Data+Handling+Blueprint

The Blueprint

Confidential Data Handling Blueprint

Introduction

  • Steps and ensuing sub-items are intended to provide a general roadmap
  • Institutions will be at varying stages of progress
  • Organized in a sequence that allows you to logically follow through each step
  • Each item is recommended as an effective practice; state/local legal requirements, institutional policy, or campus culture might leave each institution approaching this differently
Ingredients for Success

People, process, and technology all have to line up with policy:

  • Policies must be developed, communicated, maintained, and enforced
  • Processes must be developed that show how policies will be implemented
  • Systems must be built and technologies deployed to adhere to policies
  • People must understand their roles and responsibilities according to policies

Step 1
  • Create a security risk-aware culture that includes an information security risk management program
  • Sub-steps

1.1 Institution-wide security risk management program

1.2 Roles and responsibilities defined for overall information security at the central and distributed level

1.3 Executive leadership support in the form of policies and governance actions

Risk Assessment Framework
  • Phase 0: Establish Risk Assessment Criteria for the Identification and Prioritization of Critical Assets
  • Phase 1: Develop Initial Security Strategies
  • Phase 2: Technological View – Identify Infrastructure Vulnerabilities
  • Phase 3: Develop Security Strategy and Plans
Risks Incurred

ECAR IT Security Study, 2006

Risk Assessments
  • 55 percent do some type of risk assessment
  • But less than 9 percent cover all institutional systems and data.

ECAR IT Security Study, 2006

Best Practices & Metrics

Information Security Program Elements:

  • Governance
    • Boards/Senior Executives/Shared Governance
  • Management
    • Directors and Managers
  • Technical
    • Central and Distributed IT Support Staff

CISWG Final Report on Best Practices & Metrics

Governance
  • Oversee Risk Management and Compliance Programs Pertaining to Information Security (e.g., Sarbanes-Oxley, HIPAA, Gramm-Leach-Bliley)
  • Approve and Adopt Broad Information Security Program Principles and Approve Assignment of Key Managers Responsible for Information Security
  • Strive to Protect the Interests of all Stakeholders Dependent on Information Security
  • Review Information Security Policies Regarding Strategic Partners and Other Third-parties
  • Strive to Ensure Business Continuity
  • Review Provisions for Internal and External Audits of the Information Security Program
  • Collaborate with Management to Specify the Information Security Metrics to be Reported to the Board

CISWG Final Report on Best Practices & Metrics

Management
  • Establish Information Security Management Policies and Controls and Monitor Compliance
  • Assign Information Security Roles, Responsibilities, Required Skills, and Enforce Role-based Information Access Privileges
  • Assess Information Risks, Establish Risk Thresholds and Actively Manage Risk Mitigation
  • Ensure Implementation of Information Security Requirements for Strategic Partners and Other Third-parties
  • Identify and Classify Information Assets
  • Implement and Test Business Continuity Plans
  • Approve Information Systems Architecture during Acquisition, Development, Operations, and Maintenance
  • Protect the Physical Environment
  • Ensure Internal and External Audits of the Information Security Program with Timely Follow-up
  • Collaborate with Security Staff to Specify the Information Security Metrics to be Reported to Management

CISWG Final Report on Best Practices & Metrics

Technical
  • User Identification and Authentication
  • User Account Management
  • User Privileges
  • Configuration Management
  • Event and Activity Logging and Monitoring
  • Communications, Email, and Remote Access Security
  • Malicious Code Protection, Including Viruses, Worms, and Trojans
  • Software Change Management, including Patching
  • Firewalls
  • Data Encryption
  • Backup and Recovery
  • Incident and Vulnerability Detection and Response
  • Collaborate with Management to Specify the Technical Metrics to be Reported to Management

CISWG Final Report on Best Practices & Metrics

Responsibility for IT Security
  • IT Security Officer (up to 35% from 22%)
  • CIO (up to 14% from 8%)
  • Other IT Directors (down to 50% from 67%)
IT Security Plan
  • 11.2 percent - a comprehensive IT security plan is in place
  • 66.6 percent - a partial plan is in place
  • 20.4 percent - no IT security plan is in place

ECAR IT Security Study, 2006

Characteristics of Successful IT Security Programs
  • Institutions with IT security plans in place characterize their IT security programs as more successful and feel more secure today.
  • The respondents who believe their institution provides necessary resources give higher ratings for IT security program success and their current sense of IT security.
  • The biggest barrier to IT security is lack of resources (64.4 percent) and especially at smaller institutions, followed by an academic culture of openness and autonomy (49.6 percent), and lack of awareness (36.4 percent).

ECAR IT Security Study, 2006

Information Security Governance

If businesses, educational institutions, and non-profit organizations are to make significant progress securing their information assets, executives must make information security an integral part of core business operations. There is no better way to accomplish this goal than to highlight it as part of the existing internal controls and policies that constitute corporate governance.

Information Security Governance Report: Executive Summary

InfoSec Governance Self Assessment
  • Organizational Reliance on IT
    • E.g., What is the impact of major system downtime on operations?
  • Risk Management
    • E.g., Has your organization conducted a risk assessment and identified critical assets?
  • People
    • E.g., Is there a person or organization that has information security as their primary duty?
  • Processes
    • E.g., Do you have official written information security policies and procedures?
  • Technology
    • E.g., Is sensitive data encrypted?

Information Security Governance Assessment Tool for Higher Education

Policies in Place
  • Individual employee responsibilities for information security practices (73%)
  • Protection of organizational assets (73%)
  • Managing privacy issues, including breaches of personal information (72%)
  • Incident reporting and response (69%)
  • Disaster recovery contingency planning (68%)
  • Investigation and correction of the causes of security failures (68%)
  • Notification of security events to: individuals, the law, etc. (67%)
  • Sharing, storing, and transmitting data (51%)
  • Data classification, retention, and destruction (51%)
  • Identity Management (50%)
Step 2
  • Define institutional data types
  • Sub-steps

2.1 Compliance with applicable federal and state laws and regulations - as well as contractual obligations - related to privacy and security of data held by the institution (also consider applicable international laws)

2.2 Data classification schema developed with input from legal counsel and data stewards

2.3 Data classification schema assigned to institutional data to the extent possible or necessary

Data Classification Policy

Provides the framework necessary to:

  • Identify and classify data in order to assess risk and implement an appropriate level of security protection based on categorization.
  • Comply with legislation, regulations, and internal policies that govern the protection of data.
  • Facilitate the incident response process and make it more efficient: the level at which the data is classified determines the level of response.
NIST Security Categorization (SP 800-60)

Figure: Example: An Enterprise Information System; Mapping Information Types to FIPS 199 Security Categories

Data Classification at GW

Matrix (figure): columns are the privacy levels Public, Official, and Confidential, running from lowest to highest security; rows are the operations levels Enterprise System, Department Server, and Desktop/Laptop, running from highest to lowest operations. Each cell holds a number from 1 to 4.

Note, numbers in boxes suggest the priority levels for mitigating risks.

Step 3
  • Clarify responsibilities and accountability for safeguarding confidential/sensitive data
  • Sub-steps

3.1 Data stewardship roles and responsibilities

3.2 Legally binding third party agreements that assign responsibility for secure data handling

Example – University of North Carolina
  • Data Trustee: Data trustees are senior University officials (or their designees) who have planning and policy-level responsibility for data within their functional areas and management responsibilities for defined segments of institutional data. Responsibilities include assigning data stewards, participating in establishing policies, and promoting data resource management for the good of the entire University.
  • Data Steward: Data stewards are University officials having direct operational-level responsibility for information management – usually department directors. Data stewards are responsible for data access and policy implementation issues.
  • Data Custodian: Information Technology Services is the data custodian. The custodian is responsible for providing a secure infrastructure in support of the data, including, but not limited to, providing physical security, backup and recovery processes, granting access privileges to system users as authorized by data trustees or their designees (usually the data stewards), and implementing and administering controls over the information.
  • Data User: Data users are individuals who need and use University data as part of their assigned duties or in fulfillment of assigned roles or functions within the University community. Individuals who are given access to sensitive data have a position of special trust and as such are responsible for protecting the security and integrity of those data.

http://its.uncg.edu/Policy_Manual/Data/

Outsourced Data Handling
  • Some Drivers
    • Security of Commercial Software – addressed elsewhere (Step 7.4)
    • Incidents: Mishandling by 3rd Parties
    • GLB Act: Oversight of Service Providers
    • PCI requirement
    • Federal Contracts and Grants
  • Sample Contract Language
    • E-mail instructor for a copy
Step 4
  • Reduce access to confidential/sensitive data not absolutely essential to institutional processes
  • Sub-steps

4.1 Data collection processes (including forms) should request only the minimum necessary confidential/sensitive information

4.2 Application outputs (e.g., queries, hard copy reports, etc.) should provide only the minimum necessary confidential/sensitive information

4.3 Inventory and review access to existing confidential/sensitive data on servers, desktops, and mobile devices

Step 4 continued…
  • Reduce access to confidential/sensitive data not absolutely essential to institutional processes
  • Sub-steps continued

4.4 Eliminate unnecessary confidential/sensitive data on servers, desktops, and mobile devices

4.5 Eliminate dependence on SSNs as primary identifiers and as a form of authentication*

*Note: SSNs may need to be used for certain things (e.g., student employees, student financial aid, etc.) and we recommend that schools limit the use of SSNs to necessary processes only.

Fair Information Practices and Privacy
  • General Principles of Fair Information Practice:
    • Openness
    • Individual Participation
    • Collection Limitation
    • Data Quality
    • Finality
    • Security
    • Accountability
  • Privacy Statements
  • Privacy Policies
Solutions
  • Safety Analyzer (George Washington University)
    • Sensitive Data Detection
      • SSNs with heuristics
      • Credit Card numbers with Luhn algorithm validation
    • Compromise Detection
      • Trojan file detection
      • Kernel-level rootkit detection
      • IR-related data harvesting
  • Spider (Cornell University)
  • SENF! (Sensitive Number Finder) (University of Texas at Austin)
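As an added illustration of the detection approach listed above (SSN heuristics plus Luhn validation of card numbers), here is a small Python scanner run over constructed sample text; it is not code from Safety Analyzer, Spider or SENF. The structural SSN rules (area not 000, 666 or 900 and above; group not 00; serial not 0000) and the two never-issued example numbers come from the SSA; the "high"/"low" confidence labels are this example's own convention.

```python
"""Added example: SSN heuristics plus Luhn-validated card numbers over text.

Constructed for this page; not the Safety Analyzer, Spider or SENF code.
"""
import re
from typing import List, NamedTuple


class Finding(NamedTuple):
    kind: str        # "ssn" or "card"
    value: str       # matched text as it appeared in the input
    line_no: int     # 1-based line in the scanned text
    confidence: str  # "high" or "low" (this example's own convention)


# Candidate SSN: AAA GG SSSS with one consistent separator (dash, space, or none)
# and no digit directly before or after, so it is not a slice of a longer number.
SSN_RE = re.compile(r"(?<!\d)(\d{3})([- ]?)(\d{2})\2(\d{4})(?!\d)")
# Candidate card number: 13 to 19 digits, optionally one dash/space between digits.
CARD_RE = re.compile(r"(?<![\d-])(?:\d[ -]?){12,18}\d(?![\d-])")

# Never-issued numbers the SSA has publicised after they were misused as examples.
KNOWN_BOGUS_SSNS = {"078051120", "219099999"}


def ssn_plausible(area: str, group: str, serial: str) -> bool:
    """Structural SSN rules: area is not 000, 666 or 900-999; group is not 00;
    serial is not 0000; and the number is not a published never-issued example."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    if int(group) == 0 or int(serial) == 0:
        return False
    return area + group + serial not in KNOWN_BOGUS_SSNS


def luhn_valid(digits: str) -> bool:
    """Luhn checksum: from the right, double every second digit (subtracting 9
    if the result exceeds 9) and require the digit sum to be a multiple of 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def scan_text(text: str) -> List[Finding]:
    """Return every plausible SSN and every Luhn-valid card number in the text."""
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        masked = line
        for m in CARD_RE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group(0))
            if luhn_valid(digits):
                findings.append(Finding("card", m.group(0), line_no, "high"))
                # Blank the span so the SSN pass cannot match a slice of this card number.
                masked = masked[:m.start()] + "#" * len(m.group(0)) + masked[m.end():]
        for m in SSN_RE.finditer(masked):
            area, sep, group, serial = m.groups()
            if ssn_plausible(area, group, serial):
                # A bare 9-digit run is weaker evidence than a separated one.
                findings.append(Finding("ssn", m.group(0), line_no, "high" if sep else "low"))
    return findings


# Constructed sample text; the SSN and card values are well-known test/example values.
SAMPLE = """\
student record: ssn 123-45-6789
rejected: area 666-12-3456, group 123-00-4567, area 987-65-4321
bare nine digits 123456789 are reported at low confidence
visa test card 4111 1111 1111 1111 passes Luhn
4111-1111-1111-1112 fails Luhn; 555-123-4567 is just a phone number
"""


def count_findings(text: str = SAMPLE) -> dict:
    """Tally findings by kind; the sample yields {'ssn': 2, 'card': 1}."""
    counts = {"ssn": 0, "card": 0}
    for f in scan_text(text):
        counts[f.kind] += 1
    return counts


if __name__ == "__main__":
    for f in scan_text(SAMPLE):
        print(f"line {f.line_no}: {f.kind} {f.value} ({f.confidence})")
```

A real deployment would also need a file walker and an allow-list for known false positives (order numbers, test fixtures), which are left out here.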
Elimination of SSNs
  • Federal and state law requires the collection of your Social Security number (SSN) for certain purposes (for example, IRS reporting forms). However, widespread use of an individual's SSN is a major privacy concern. With incidents of identity theft increasing, steps to secure an individual's SSN become more important.
  • A large number of colleges and universities use SSNs as primary identifiers for faculty, staff, and students, which exposes institutions to risk because of changing legal and security environments. Therefore, many institutions are planning for the migration away from SSN use as a primary identifier. Undertaking such a task raises issues, challenges, and opportunities for any institution.
  • EDUCAUSE has identified links concerning the elimination of SSNs as primary identifiers that may be useful to the higher education community.
  • http://www.educause.edu/Browse/645?PARENT_ID=701
Where to be with SSNs

Around the university's processes and supporting systems:

  • SSNs requested only when essential
  • SSNs provided only when essential
  • SSN access authorized to least # of people
  • Clear SSN use policy exists
  • SSNs stored only in highly secured devices and file cabinets
  • Responsibilities for SSN protection well communicated
  • Compliance verification processes in place

Step 5
  • Establish and implement stricter controls for safeguarding confidential/sensitive data
  • Sub-steps

5.1 Inventory and review/remediate security of devices

5.2 Configuration standards for applications, servers, desktops, and mobile devices

5.3 Network level protections

5.4 Encryption strategies for data in transit and at rest

Step 5 continued…
  • Establish and implement stricter controls for safeguarding confidential/sensitive data
  • Sub-steps continued

5.5 Policies regarding confidential/sensitive data on mobile devices and home computers and for data archival/storage

5.6 Identity management and resource provisioning processes

5.7 Secure disposal of equipment and data

5.8 Consider background checks on individuals handling confidential/sensitive data

Inventory Devices
  • Network Registration (NetReg)
    • Commercial NAC solutions (Cisco, etc.)
  • Commercial desktop management products
    • Altiris, etc.
  • Manual Inventories
  • Review Security of Devices*
    • Network vulnerability scans
    • Local tools such as Microsoft’s Baseline Security Analyzer (MBSA)
    • Manage your anti-virus for review/remediate

*which ones???

Configuration Standards
  • There are recommendations available from various sources on the Internet
    • Vendors themselves
    • Center for Internet Security (http://www.cisecurity.org/)
    • NSA (http://www.nsa.gov/snac/)
  • How to Implement at your institution
    • Use your own published procedures
    • Publish links to sources above
    • Create and use “Images”
  • Don’t Forget Applications
    • Web servers
    • Mail servers
    • FTP servers
    • Consider standards as part of the Software Development Life Cycle
Network Level Protections
  • Intrusion Detection System
    • Snort, Dragon, NFR
  • Intrusion Prevention System
    • Tipping Point, Intrushield
  • Extrusion Prevention System
    • Vontu, Reconnex, Fidelis
  • Database protection systems
    • Guardium, Tizor, etc.
  • Network Anomaly Detection
    • Q1 Radar, Arbor, Mazu, etc. (flow analysis)
Encryption & Data in Transit
  • Strategies for Data in Transit
    • Encrypt before sending (e.g. PGP)
    • Encrypt on the fly (e.g. SSL)
  • Issues for Data in Transit
    • Key exchange
    • Performance
    • Choice of algorithm
  • Protocols
    • SSL
    • SSH
    • Proprietary (in which case check the algorithm)
Encryption and Data at Rest
  • Problems with Data at Rest
    • Theft by a network intruder
    • Physical theft -- for example, a laptop
  • Data at Rest Strategies
    • Whole disk encryption
    • File encryption
  • Issues
    • Key escrow
    • Cost if not using O/S vendor’s file encryption
    • Very low adoption rate in higher ed market
Data on Mobile Devices
  • Data has wings
    • PDAs and music players
    • USB memory fobs
    • Cyber-cafes
    • Home computers
  • Compensating Policy
    • Written mandates
    • Practical assistance
  • Enforcement or checking is exceedingly difficult
    • Which does not mean you should not do it; if nothing else, it can be used to justify discipline
Protection of Mobile Data
  • OMB Memo: Protection of Sensitive Agency Information, http://www.whitehouse.gov/omb/memoranda/fy2006/m06-16.pdf
  • NIST Checklist: Protection of Remote Information
ID Management
  • Access control lists (ACLs)
  • Account creation
  • Account deletion
  • Process issues
  • Fragmentation can be addressed
    • By process improvement
    • Via technology
  • Rich area of research & development
  • Also commercial solutions
    • Active Directory
    • LDAP solutions
EDUCAUSE Identity Management Resources

Recent Library Submissions (3)

  • CIC Identity Management Conference Session: Federated Identity Management and Sharing Resources (2007) by Jim Phelps, IT Architect in Academia
  • Identity Management Conference Report (2007) by Committee on Institutional Cooperation
  • A Report on the Identity Management Summit (2007) by Norma Holland, Ann West and Steve Worona, EDUCAUSE

Most Popular Library Content (3)

  • Top-Ten IT Issues, 2006 (2006) by Barbara I. Dewey, Peter B. DeBlois, and the 2006 EDUCAUSE Current Issues Committee, EDUCAUSE
  • Safeguarding the Tower: IT Security in Higher Education 2006 (2006) by Robert B. Kvavik, with John Voloudakis, ECAR
  • Identity Management in Higher Education: A Baseline Study (2006) by Ronald Yanosky, with Gail Salaway, ECAR
  • http://www.educause.edu/Browse/645?PARENT_ID=679
Equipment and Data Disposal
  • Classic examples are lost backup tapes
  • Magnetic media destruction can be done physically (sledgehammer) or magnetically (degaussed or multi-pass formatted) or both
  • Do not ignore hard-copy data
    • Shredders
  • This step can be both expensive and inconvenient
Data Sanitization Guidelines
  • NIST Special Publication 800-88, Guidelines for Media Sanitization, http://csrc.nist.gov/publications/nistpubs/800-88/NISTSP800-88_rev1.pdf
  • EDUCAUSE/Internet2 Security Task Force, Practical Data Sanitization Guidelines for Higher Education, https://wiki.internet2.edu/confluence/display/secguide/Guidelines+for+Data+Sanitization
  • Michigan State University, Best Practices in Disposal of Computers and Electronic Storage Media, http://computing.msu.edu/msd/documents/safecomputerdisposal.pdf
Background Checks
  • Kinds of checks
    • Criminal
    • Credit
    • Resume
    • Education
  • Why?
  • How?
    • Do you save it once it’s complete?
    • Do results stay in H/R or go to hiring manager?
    • If running criminal checks, how wide a net do you cast and how legitimate can you be?
Security Approaches in Place
  • Perimeter firewalls 77%
  • Centralized backups 77%
  • VPNs for remote access 75%
  • Enterprise directory 75%
  • Interior network firewalls 65%
  • Intrusion detection 62%
  • Active filtering 59%
  • Intrusion prevention 44% (up from 33%)
  • Security Standards for Applications 32% (up from 27%)

ECAR IT Security Study, 2006

Step 6
  • Provide awareness and training
  • Sub-steps

6.1 Make confidential/sensitive data handlers aware of privacy and security requirements

6.2 Require acknowledgement by data users of their responsibility for safeguarding such data

6.3 Enhance general privacy and security awareness programs to specifically address safeguarding confidential/sensitive data

6.4 Collaboration mechanisms such as e-mail have strengths and limitations in terms of access control, which must be clearly communicated and understood so that the data will be safeguarded

Awareness & Training
  • Who needs “awareness” (consciousness-raising)? All Users!
    • Executives
    • Faculty
    • Staff
    • Students
    • Users of Sensitive Data
    • IT Staff
  • Training (skills development)
    • Especially for data stewards, IT staff, and information security team
Cybersecurity Awareness Resources CD
  • The Awareness and Training Working Group of the EDUCAUSE/Internet2 Security Task Force compiled cybersecurity awareness resources, originally distributed on a CD, which are now on the web site.
  • The resources were collected to showcase the variety of security awareness efforts underway at institutions of higher education and to provide resources for colleges and universities that are looking to jump-start a program for their organization.
What’s on the Web Site?
  • Book Marks
  • Brochures
  • Checklists
  • Flyers
  • Games
  • Government Resources
  • Handouts
  • Industry Resources
  • Links to Schools’ Security Web Page(s)
  • Pamphlets
  • Post Cards
  • Presentations
  • Security Awareness Documents
  • Security Cards
  • Security Tools
  • Security Quizzes
  • Surveys
  • Videos
Awareness Programs

ECAR IT Security Study, 2006

When I Go To U.Va….

http://www.itc.virginia.edu/pubs/docs/RespComp/videos/when-I-go-to-UVA-lg.mov

Security Awareness Exercise

Outline a Plan for a Security Awareness Campaign About Managing Sensitive Data

  • Who is your target audience?
  • How will you market it?
  • What are your key messages?
  • What method of delivery will you use?
  • How will you measure its effectiveness?
Step 7
  • Verify compliance routinely with your policies and procedures
  • Sub-steps

7.1 Routinely test network-connected devices and services for weaknesses in operating systems, applications, and encryption

7.2 Routinely scan servers, desktops, mobile devices, and networks containing confidential/sensitive data to verify compliance

7.3 Routinely audit access privileges

7.4 Procurement procedures and contract language to ensure proper data handling is maintained

Step 7 continued…
  • Verify compliance routinely with your policies and procedures
  • Sub-steps continued

7.5 System development methodologies that prevent new data handling problems from being introduced into the environment

7.6 Utilize audit function within the institution to verify compliance

7.7 Incident response policies and procedures

7.8 Conduct regular meetings with stakeholders such as data stewards, legal counsel, compliance officers, public safety, public relations, and IT groups to review institutional risk and compliance and to revise existing policies and procedures as needed

Routine Testing
  • Network Admission Control (NAC)
  • Test(s) at network registration
  • But not all weaknesses are caught by commercial testing programs (scanners)
  • Encryption can be tricky
    • Network sniffing
    • Examine configuration files
  • For applications, this can mean re-running regression tests after every change
Routine Scanning
  • Vulnerability Scanners
    • Nessus
    • ISS
    • GFI LANGuard
    • eEye Retina
  • Local confidential data scanners*
    • GW Safety Analyzer
    • Cornell Spider
    • U.Texas SENF (Sensitive Number Finder)

*follow-up on 4.3
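The local confidential-data scanners listed above search file systems for numbers that look like Social Security numbers or payment card numbers. As an added example, not code from Spider, SENF or the Safety Analyzer, here is the core of such a finder in Python: regular expressions pick out candidates, a Luhn check and the SSA's structural rules for SSNs cut down false positives, and results are masked so the report itself does not become another copy of the data. It goes slightly beyond the slide by showing the false-positive handling that makes these tools usable. The sample files are constructed.

```python
"""Sensitive-number finder: the core of a local confidential-data scanner.

Added example for the 'Routine Scanning' slide; not code from Spider, SENF or
the Safety Analyzer. SAMPLE_FILES is constructed content, not real data.
"""
import re

# Loose candidate patterns; the validation below removes most false positives.
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")   # 13 to 19 digits, optional separators


def luhn_ok(digits):
    """Mod-10 check that payment card numbers satisfy; most random digit runs fail it."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                       # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def ssn_plausible(area, group, serial):
    """Structural rules published by the SSA: no 000/666/9xx area, no 00 group, no 0000 serial."""
    a = int(area)
    return not (a == 0 or a == 666 or a >= 900 or int(group) == 0 or int(serial) == 0)


def mask(digits):
    """Keep only the last four digits so the findings report is safe to circulate."""
    return "*" * (len(digits) - 4) + digits[-4:]


def scan_text(name, text):
    """Return one finding dict per validated SSN or card number in `text`."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in SSN_RE.finditer(line):
            if ssn_plausible(*m.groups()):
                findings.append({"file": name, "line": lineno, "kind": "ssn",
                                 "value": mask("".join(m.groups()))})
        for m in CARD_RE.finditer(line):
            digits = re.sub(r"\D", "", m.group())
            if luhn_ok(digits):
                findings.append({"file": name, "line": lineno, "kind": "card",
                                 "value": mask(digits)})
    return findings


def scan_all(files):
    """Scan a mapping of path -> text (what a file-system walk would feed in)."""
    findings = []
    for name, text in files.items():
        findings.extend(scan_text(name, text))
    return findings


# Constructed sample files. The SSN-looking value is one reserved for examples,
# the card number is a well-known test number, and the rest are decoys that a
# naive pattern match would flag: an invalid SSN, a card with a typo, phone
# numbers and a long reference ID.
SAMPLE_FILES = {
    "registrar/export.csv": "id,name,ssn\n1001,A. Student,219-09-9999\n1002,B. Student,000-12-3456\n",
    "bursar/notes.txt": ("Paid with card 4111 1111 1111 1111 on 3/1.\n"
                         "Phone 617-555-0100, typo in card 4111-1111-1111-1112.\n"),
    "www/index.html": "<p>Call 1-800-555-0199 for help. Ref 12345678901234567890.</p>\n",
}

if __name__ == "__main__":
    for f in scan_all(SAMPLE_FILES):
        print(f)
```

Of the six number-like strings in the sample, only two survive validation, which is the point: a scanner that reports every nine- or sixteen-digit run trains its users to ignore it.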

Routine Audits
  • Copy your external auditors
  • What persons, groups, or roles have access?
    • Who should have access?
  • Check the access list against terminated employees
  • Check transfers to new internal jobs as well
  • It is unclear whether it is wise to let them know you’re coming
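One way to carry out the access audit this slide describes, as an added example (not the speaker's or any product's code): reconcile an exported access list against the HR roster, expanding directory groups so that group-granted access is attributed to the people in them, and flag terminated users who still have access, transferred users whose access no longer fits their current role, and accounts with no HR record at all. The roster, groups, resources and role entitlements are constructed.

```python
"""Access-privilege reconciliation against the HR roster.

Added example for the 'Routine Audits' slide; all data below is constructed.
"""

# What each role is supposed to hold (assumed entitlement model).
ROLE_ENTITLEMENTS = {
    "registrar-clerk": {"sis-student-records"},
    "bursar-analyst": {"sis-student-records", "bursar-payments"},
    "sysadmin": {"sis-admin", "sis-student-records", "bursar-payments"},
}

# HR roster export: (username, employment status, current role).
HR_ROSTER = [
    ("asmith", "active", "registrar-clerk"),
    ("bjones", "terminated", "registrar-clerk"),
    ("cwong", "active", "bursar-analyst"),   # transferred in from the registrar's office
    ("dlee", "active", "sysadmin"),
]

# Directory groups used to grant access.
GROUPS = {"sis-admins": {"dlee", "cwong", "svc_backup"}}

# Access export from the systems: (subject, resource); subjects may be groups.
ACCESS_LIST = [
    ("asmith", "sis-student-records"),
    ("bjones", "sis-student-records"),
    ("cwong", "bursar-payments"),
    ("group:sis-admins", "sis-admin"),
]


def effective_access(access, groups):
    """Expand group grants into (user, resource, granted_via) so every entry names a person."""
    out = []
    for subject, resource in access:
        if subject.startswith("group:"):
            name = subject[len("group:"):]
            for member in sorted(groups.get(name, ())):
                out.append((member, resource, subject))
        else:
            out.append((subject, resource, "direct"))
    return out


def reconcile(roster, access, groups, entitlements):
    """Return (category, user, resource, granted_via) for each access that fails a check."""
    people = {user: (status, role) for user, status, role in roster}
    findings = []
    for user, resource, via in effective_access(access, groups):
        if user not in people:
            findings.append(("orphan-account", user, resource, via))   # nobody in HR owns it
            continue
        status, role = people[user]
        if status != "active":
            findings.append(("terminated-still-has-access", user, resource, via))
        elif resource not in entitlements.get(role, set()):
            findings.append(("access-outside-current-role", user, resource, via))
    return findings


def summarize(findings):
    """Counts per category, the figure an audit report usually leads with."""
    counts = {}
    for category, *_ in findings:
        counts[category] = counts.get(category, 0) + 1
    return counts


if __name__ == "__main__":
    for finding in reconcile(HR_ROSTER, ACCESS_LIST, GROUPS, ROLE_ENTITLEMENTS):
        print(finding)
```

The group expansion is what catches the transfer case: cwong's new role is correct in HR and her direct grants are fine, but the old group membership still carries administrative access, and a review that only looks at direct grants never sees it.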
Procurement Practices
  • Contracts in the U.S. establish your rights -- very few rights are guaranteed
  • Are any vendors subject to your policies, or to any other statute governing their handling of your data?
  • Does their contract acknowledge this?
  • How are the vendors liable?
    • Your judgment, theirs, or a court’s?
System Development
  • Add security to your software development life cycle
  • When
    • Requirements
    • Vendor analysis or architecture development
    • Test
    • Turnover
  • Consider canned methodologies only if they incorporate security
Audit Function
  • Auditor -- friend or enemy?
  • Audit reports generally go higher in the organization than security memos
  • Audit staff have some skill in compliance work and in testing against a process or procedure
  • Use them to double-check yourself and to check things that you can’t due to time or political constraints
Incident Response
  • An incident response structure is a necessity
  • Rich vein of material on this -- blueprint has links
  • Cut down time data is exposed
Continuous Improvement
  • Keep it current
  • Keep them current
  • Keep within the law
  • Keep exploiting new technology
FTC Guide: Protecting Personal Information
  • Take stock. Know what personal information you have in your files and on your computers.
  • Scale down. Keep only what you need for your business.
  • Lock it. Protect the information that you keep.
  • Pitch it. Properly dispose of what you no longer need.
  • Plan ahead. Create a plan to respond to security incidents.
Putting it All Together

Moving from Planning to Action!

The Blueprint
  • Discussion
    • How will you use the blueprint?
    • Do you have suggestions to improve it?
    • Do you have resources or effective practices to submit?
Wrap-Up
  • Question & Answer
  • Seminar Evaluation & Feedback
  • Program ends at 12:00pm
For more information
  • David Escalante, Email: david.escalante@bc.edu, Phone: 617-552-6060
  • EDUCAUSE/Internet2 Security Task Force: www.educause.edu/security
  • EDUCAUSE Center for Applied Research: www.educause.edu/ECAR
  • Blueprint for Handling Sensitive Data: wiki.internet2.edu/confluence/display/secguide
Case Study

Group Discussion:

  • Who do you need to include (or otherwise consult) as part of the emergency meeting?
  • What core messages will you plan to deliver at the press conference?
  • What kinds of questions should you anticipate from reporters or potential victims?