Stanford Information Security - PowerPoint PPT Presentation

About This Presentation
Title:

Stanford Information Security

Description:

The Tone at the Top. Stanford relies on its managers to carry out its policies ... System administrators need training and must implement industry best practices ... – PowerPoint PPT presentation

Slides: 22
Provided by: oraSta

Transcript and Presenter's Notes


1
Stanford Information Security
  • Managing at Stanford
  • July 14, 2005
  • Tina Darmohray
  • Stanford Information Security Officer
  • Eric Nakagawa
  • Information Systems Security Specialist

2
Stanford Diversity
  • Stanford's technical environments extend beyond
    the confines of a traditional business
    infrastructure
  • Student residences
  • Classrooms
  • Research labs
  • Professional schools
  • Business infrastructure
  • Faculty residences
  • Staff residences

3
Stanford Information Assets
  • Stanford's diversity results in many different
    types of information assets which the University
    wishes to protect
  • Legal requirements
  • Contractual obligations
  • Ethical considerations
  • Strategic or proprietary worth
  • Business continuity
  • Data integrity
  • Prudent stewardship

4
Why Information Security?
  • It's essential to protect Stanford's confidential
    information, no matter what medium it is stored
    in
  • Information that is stored and accessed
    electronically poses special risks
  • Large amounts of data
  • Widely accessible
  • Can transfer data rapidly
  • Doesn't require physical access
  • Penalties can be extreme and costly

5
The Cost of a Compromise
  • Campus-wide non-destructive infection:
    $1.6M
  • Credit card data: tenfold increase in fines and
    liability
  • Stolen laptop:
    reputation
  • Breached system with protected data:
    reputation
  • Student experience:
    priceless

6
What is the Risk?
  • Risk = Attractiveness × Vulnerability
  • Stanford's reputation makes it a highly
    attractive target
  • Stanford's network is attacked more than a
    million times a day
  • Vulnerable machines are compromised within hours
    of connecting to the network

7
The Tone at the Top
  • Stanford relies on its managers to carry out its
    policies
  • Managers make decisions which include
  • Data classification
  • Data stewardship
  • Appropriate risk

8
Stanford's Information Security Policy
  • Administrative Guide Memo 63, Information
    Security, lays the foundation for Stanford's
    information security
  • Defines
  • Data Classification Levels
  • Category A Data
  • Responsibilities

9
Category A Data
  • Use this common-sense rule of thumb:
    is it Stanford's or someone's private
    information?
  • Some examples
  • Credit card numbers
  • Bank account numbers
  • Student grades
  • Social security numbers
  • Health information
  • Personnel records
  • Donor information
  • securecomputing/dataclass.html
  • If there is any question, follow up

10
Stanford's FERPA Policies
  • Family Educational Rights and Privacy Act of 1974
  • Administrative Guide Memo 1, University Code of
    Conduct, establishes guidelines for the
    confidentiality and privacy of student records

11
Stanford's HIPAA Policies
  • Health Insurance Portability and Accountability
    Act of 1996
  • Privacy Regulations effective April 2003
  • Security Regulations effective April 2005
  • Administrative Guide Memo 23.10, Privacy and
    Security of Health Information, establishes HIPAA
    policies and guidelines at Stanford

12
Stanford's Electronic Commerce Policy
  • Administrative Guide Memo 64, Electronic
    Commerce, establishes guidelines for electronic
    commerce at Stanford
  • Payment Card Industry Customer Information
    Security Program (CISP)

13
Stanford Social Security Numbers
  • California Civil Code 1798.85 protects the
    confidentiality of Social Security Numbers for
    California residents
  • Stanford does not use SSNs for University
    identification purposes

14
Make It Happen
  • Desktop security
  • Management oversight of system security
  • Know your data
  • Weigh the risks
  • Take action!

15
Desktop Hygiene
  • Set passwords
  • Antivirus
  • Windows update
  • BigFix
  • Encrypt data
  • http://securecomputing.stanford.edu/pc_practices.html

16
System Best Practices
  • Set passwords and change default settings
  • Restrict access
  • Limit services
  • Encrypt data, and access
  • http://securecomputing.stanford.edu/guidelines.html
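The checklist above is easier to act on as a repeatable check. The following is an added example, not part of the Stanford deck or its guidelines page: a small POSIX shell audit that flags accounts with an empty password field ("set passwords"), extra UID 0 accounts ("change default settings"), and listening TCP ports outside an allowlist ("limit services"). The shadow, passwd and socket data it reads are constructed samples for hypothetical hosts; on a real system feed it /etc/shadow (root only), /etc/passwd and the output of `ss -Hltn`.

```shell
#!/bin/sh
# Added example for the "System Best Practices" checklist; not from the
# original presentation. All sample data below is constructed.

# --- constructed sample input (hypothetical hosts, not real systems) ---
SAMPLE_SHADOW='root:$6$abc:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
guest::19000:0:99999:7:::
oracle:!!:19000:0:99999:7:::'

SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/sh
toor:x:0:0:leftover:/root:/bin/sh
guest:x:1001:1001::/home/guest:/bin/sh'

# Same column layout as `ss -Hltn`: State Recv-Q Send-Q Local:Port Peer:Port
SAMPLE_LISTEN='LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 127.0.0.1:3306 0.0.0.0:*
LISTEN 0 128 0.0.0.0:23 0.0.0.0:*
LISTEN 0 5 0.0.0.0:5900 0.0.0.0:*'

# Accounts whose shadow password field is empty: login succeeds with no
# password at all. Locked ("*", "!!") and hashed fields are fine.
empty_password_accounts() {
    printf '%s\n' "$1" | awk -F: '$2 == "" { print $1 }'
}

# Accounts with UID 0 other than root: a second superuser is a classic
# leftover default (or a backdoor) and should be removed or renamed.
extra_uid0_accounts() {
    printf '%s\n' "$1" | awk -F: '$3 == 0 && $1 != "root" { print $1 }'
}

# Listening TCP ports not on the space-separated allowlist. The port is the
# text after the last ':' in the local address (field 4 of `ss -Hltn`).
unexpected_listeners() {
    printf '%s\n' "$1" | awk -v allow="$2" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        { port = $4; sub(/.*:/, "", port); if (!(port in ok)) print port }'
}

# Human-readable report over the three checks.
report() {
    echo "Accounts with empty password:"; empty_password_accounts "$1"
    echo "Extra UID 0 accounts:";         extra_uid0_accounts "$2"
    echo "Listening ports not allowed:";  unexpected_listeners "$3" "$4"
}

# Run against the constructed samples, allowing only SSH and local MySQL.
# On a real host: report "$(cat /etc/shadow)" "$(cat /etc/passwd)" "$(ss -Hltn)" "22 3306"
report "$SAMPLE_SHADOW" "$SAMPLE_PASSWD" "$SAMPLE_LISTEN" "22 3306"
```

With the sample data the report names `guest` (no password), `toor` (second UID 0) and ports 23 and 5900 (telnet and VNC listening on all interfaces but not on the allowlist). The checks are deliberately independent of any distribution's tooling so they run unchanged on the research-lab and residence machines the deck describes.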

17
Information Security Incident Response
  • In the event data has been compromised,
    Administrative Guide Memo 67, Information
    Security Incident Response, outlines Stanford's
    information security incident response
  • Employees should report information security
    incidents to the Information Security Office
  • The ISO performs an initial assessment and, if
    necessary, forms an incident response team

18
Case Studies
  • Stolen laptop
  • System breach
  • Inadequate system design
  • Change management and development environments

19
Awareness and Education
  • Every user needs the fundamentals
  • Managers need to understand the risks and their
    decision-making roles
  • Engineers and designers must take security into
    account
  • System administrators need training and must
    implement industry best practices

20
Information Security Components
21
Questions?
  • Tina Darmohray
  • Email tmd@stanford.edu
  • Vmail (650) 724-7661
  • Eric Nakagawa
  • Email eric.nakagawa@stanford.edu
  • Vmail (650) 736-2247