A Blueprint for Handling Sensitive Data: Security, Privacy, and Other Considerations - PowerPoint PPT Presentation

Description: original slides by Rodney Petersen, Krizi Travisti, and others (110 slides)

Transcript and Presenter's Notes

1
A Blueprint for Handling Sensitive Data
Security, Privacy, and Other Considerations
  • David Escalante
  • Director, Computer Policy & Security
  • Boston College
  • Monday, July 30, 2007, 8:30am-12:00pm
  • Campus Technology 2007
  • Washington, DC

2
Seminar Goals
  • At the end of this session
  • You should feel comfortable discussing common
    cybersecurity risks plaguing higher education and
    computer users in general.
  • You will have a list of key strategies to pursue
    for stopping the leakage of confidential/sensitive
    data.
  • You will be introduced to several security
    resources and best practices to help you apply
    the key strategies.

3
Agenda (1)
  • Overview and Introductions
  • Creating a Security Risk-Aware Culture
  • Defining Institutional Data Types
  • Clarifying Responsibility and Accountability
  • Reducing Access to Data Not Absolutely Essential

4
Agenda (2)
  • Establishing & Implementing Stricter Controls
  • Providing Awareness and Training
  • Managing Sensitive Data Outreach Programs
  • Verifying Compliance
  • Putting It All Together
  • Evaluation and Wrap-Up

5
Icebreaker
  • Human Scavenger Hunt
  • Instructions
  • Take a moment to read the entire list (front and
    back)
  • Obtain as many signatures as possible in the time
    allotted
  • An individual may sign your sheet only once
  • Fill in the blanks when space is provided

6
The Blueprint
  • Confidential Data Handling Blueprint
  • Purpose
  • To provide a list of key strategies to follow for
    stopping the leakage of confidential/sensitive
    data.
  • To provide a toolkit that collects resources
    pertaining to confidential/sensitive data
    handling.
  • https://wiki.internet2.edu/confluence/display/secguide/ConfidentialDataHandlingBlueprint

7
The Blueprint
  • Confidential Data Handling Blueprint
  • Introduction
  • Steps and ensuing sub-items are intended to
    provide a general roadmap
  • Institutions will be at varying stages of
    progress
  • Organized in a sequence that allows you to
    logically follow through each step
  • Each item is recommended as an effective
    practice; state/local legal requirements,
    institutional policy, or campus culture might
    lead each institution to approach it
    differently

8
Ingredients for Success
[Diagram: Policies linked to Process, Technology, and People]
  • Policies must be developed, communicated,
    maintained, and enforced
  • Process: processes must be developed that show
    how policies will be implemented
  • Technology: systems must be built and
    technologies deployed to adhere to policies
  • People: people must understand their roles and
    responsibilities according to policies
9
Step 1
  • Create a security risk-aware culture that
    includes an information security risk management
    program
  • Sub-steps
  • 1.1 Institution-wide security risk management
    program
  • 1.2 Roles and responsibilities defined for
    overall information security at the central and
    distributed level
  • 1.3 Executive leadership support in the form of
    policies and governance actions

11
Risk Management Framework
12
Risk Assessment Framework
  • Phase 0: Establish Risk Assessment Criteria for
    the Identification and Prioritization of Critical
    Assets
  • Phase 1: Develop Initial Security Strategies
  • Phase 2: Technological View - Identify
    Infrastructure Vulnerabilities
  • Phase 3: Develop Security Strategy and Plans

13
Risks Incurred
  Damage                                               Percent
  Business application, including e-mail, unavailable  33.7
  Network unavailable                                  29.4
  Information confidentiality compromised              26.0
  Damage to software                                   21.5
  Damage to data                                       12.5
  Negative publicity in the press                      10.0
  Identity theft                                        8.4
  Damage to hardware                                    7.4
  Financial losses                                      6.4
  • ECAR IT Security Study, 2006

14
Risk Assessments
  • 55 percent do some type of risk assessment
  • But less than 9 percent cover all institutional
    systems and data.
  • ECAR IT Security Study, 2006

16
Best Practices & Metrics
  • Information Security Program Elements
  • Governance: Boards/Senior Executives/Shared
    Governance
  • Management: Directors and Managers
  • Technical: Central and Distributed IT Support
    Staff
  • CISWG Final Report on Best Practices & Metrics

17
Governance
  • Oversee Risk Management and Compliance Programs
    Pertaining to Information Security (e.g.,
    Sarbanes-Oxley, HIPAA, Gramm-Leach-Bliley)
  • Approve and Adopt Broad Information Security
    Program Principles and Approve Assignment of Key
    Managers Responsible for Information Security
  • Strive to Protect the Interests of all
    Stakeholders Dependent on Information Security
  • Review Information Security Policies Regarding
    Strategic Partners and Other Third-parties
  • Strive to Ensure Business Continuity
  • Review Provisions for Internal and External
    Audits of the Information Security Program
  • Collaborate with Management to Specify the
    Information Security Metrics to be Reported to
    the Board
  • CISWG Final Report on Best Practices & Metrics

18
Management
  • Establish Information Security Management
    Policies and Controls and Monitor Compliance
  • Assign Information Security Roles,
    Responsibilities, Required Skills, and Enforce
    Role-based Information Access Privileges
  • Assess Information Risks, Establish Risk
    Thresholds and Actively Manage Risk Mitigation
  • Ensure Implementation of Information Security
    Requirements for Strategic Partners and Other
    Third-parties
  • Identify and Classify Information Assets
  • Implement and Test Business Continuity Plans
  • Approve Information Systems Architecture during
    Acquisition, Development, Operations, and
    Maintenance
  • Protect the Physical Environment
  • Ensure Internal and External Audits of the
    Information Security Program with Timely
    Follow-up
  • Collaborate with Security Staff to Specify the
    Information Security Metrics to be Reported to
    Management
  • CISWG Final Report on Best Practices & Metrics

19
Technical
  • User Identification and Authentication
  • User Account Management
  • User Privileges
  • Configuration Management
  • Event and Activity Logging and Monitoring
  • Communications, Email, and Remote Access Security
  • Malicious Code Protection, Including Viruses,
    Worms, and Trojans
  • Software Change Management, including Patching
  • Firewalls
  • Data Encryption
  • Backup and Recovery
  • Incident and Vulnerability Detection and Response
  • Collaborate with Management to Specify the
    Technical Metrics to be Reported to Management
  • CISWG Final Report on Best Practices & Metrics

20
Responsibility for IT Security
  • IT Security Officer (up to 35% from 22%)
  • CIO (up to 14% from 8%)
  • Other IT Directors (down to 50% from 67%)

21
IT Security Plan
  • 11.2 percent - a comprehensive IT security plan
    is in place
  • 66.6 percent - a partial plan is in place
  • 20.4 percent - no IT security plan is in place
  • ECAR IT Security Study, 2006

22
Characteristics of Successful IT Security Programs
  • Institutions with IT security plans in place
    characterize their IT security programs as more
    successful and feel more secure today.
  • The respondents who believe their institution
    provides necessary resources give higher ratings
    for IT security program success and their current
    sense of IT security.
  • The biggest barrier to IT security is lack of
    resources (64.4 percent) and especially at
    smaller institutions, followed by an academic
    culture of openness and autonomy (49.6 percent),
    and lack of awareness (36.4 percent).
  • ECAR IT Security Study, 2006

24
Information Security Governance
  • If businesses, educational institutions, and
    non-profit organizations are to make significant
    progress securing their information assets,
    executives must make information security an
    integral part of core business operations. There
    is no better way to accomplish this goal than to
    highlight it as part of the existing internal
    controls and policies that constitute corporate
    governance.
  • Information Security Governance Report
    Executive Summary

25
InfoSec Governance Self Assessment
  • Organizational Reliance on IT
  • E.g., What is the impact of major system downtime
    on operations?
  • Risk Management
  • E.g., Has your organization conducted a risk
    assessment and identified critical assets?
  • People
  • E.g., Is there a person or organization that has
    information security as their primary duty?
  • Processes
  • E.g., Do you have official written information
    security policies and procedures?
  • Technology
  • E.g., Is sensitive data encrypted?
  • Information Security Governance Assessment Tool
    for Higher Education

26
Policies in Place
  • Individual employee responsibilities for
    information security practices (73%)
  • Protection of organizational assets (73%)
  • Managing privacy issues, including breaches of
    personal information (72%)
  • Incident reporting and response (69%)
  • Disaster recovery contingency planning (68%)

27
Policies in Place
  • Investigation and correction of the causes of
    security failures (68%)
  • Notification of security events to individuals,
    the law, etc. (67%)
  • Sharing, storing, and transmitting data (51%)
  • Data classification, retention, and destruction
    (51%)
  • Identity Management (50%)

28
Step 2
  • Define institutional data types
  • Sub-steps
  • 2.1 Compliance with applicable federal and state
    laws and regulations - as well as contractual
    obligations - related to privacy and security of
    data held by the institution (also consider
    applicable international laws)
  • 2.2 Data classification schema developed with
    input from legal counsel and data stewards
  • 2.3 Data classification schema assigned to
    institutional data to the extent possible or
    necessary

30
All-In-One Compliance
  What         When                      Where       Why                           Wrath
  FERPA        1974, plus amendments     National    Protect student records       No federal funding
  GLBA         1999                      National    Protect financial records     Fines, up to 5 years in jail
  ECPA/CFAA    1984, '86, plus amendments National   Protect computers             Various
  SB1386       2003                      California  Disclose breaches             Cost to comply; civil suit
  PATRIOT Act  2001                      National    Allow law enforcement access  Generally increased other penalties
  HIPAA        1996 through 2003         National    Protect health records        Max $250,000 fine, 10 years in jail
  PCI          2004                      National    Protect credit cards          Restitution, fines
32
Data Classification Policy
  • Provides the framework necessary to
  • Identify and classify data in order to assess
    risk and implement an appropriate level of
    security protection based on categorization.
  • Comply with legislation, regulations, and
    internal policies that govern the protection of
    data.
  • Facilitate and make the Incident Response process
    more efficient. The level at which the data is
    classified determines the level of response.

33
NIST Security Categorization
Example: An Enterprise Information System
FIPS 199 impact levels. Each cell reads "The loss of
<objective> could be expected to have a <level> adverse
effect on organizational operations, organizational
assets, or individuals."
                   LOW       MODERATE   HIGH
  Confidentiality  limited   serious    severe or catastrophic
  Integrity        limited   serious    severe or catastrophic
  Availability     limited   serious    severe or catastrophic
Mapping Information Types to FIPS 199 Security
Categories
34
Data Classification at GW
[Figure: grid of Privacy Levels (Confidential = highest
security, Official, Public = lowest security) against
Operations Levels (Enterprise System = highest
operations, Department Server, Desktop/Laptop = lowest
operations), with a number from 1 to 4 in each box]
Note, numbers in boxes suggest the priority
levels for mitigating risks.
35
Stanford Data Classification
36
U of Texas-Austin Data Categories
37
Qualitative Risk Assessment Exercise
Rate each system for Confidentiality, Integrity, and
Availability (H, M, L), then total the scores
(H = 3, M = 2, L = 1):
  System                          C    I    A    Total
  Bookstore Cash Register System  __   __   __   __
  Blackboard/WebCT (CMS)          __   __   __   __
  Library Catalog                 __   __   __   __
  Admissions                      __   __   __   __
  Main web site                   __   __   __   __
  E-mail                          __   __   __   __
  Time Sheet Entry                __   __   __   __
38
  • BREAK

39
Step 3
  • Clarify responsibilities and accountability for
    safeguarding confidential/sensitive data
  • Sub-steps
  • 3.1 Data stewardship roles and responsibilities
  • 3.2 Legally binding third party agreements that
    assign responsibility for secure data handling

41
Example: University of North Carolina
  • Data Trustee: Data trustees are senior University
    officials (or their designees) who have planning
    and policy-level responsibility for data within
    their functional areas and management
    responsibilities for defined segments of
    institutional data. Responsibilities include
    assigning data stewards, participating in
    establishing policies, and promoting data
    resource management for the good of the entire
    University.
  • Data Steward: Data stewards are University
    officials having direct operational-level
    responsibility for information management,
    usually department directors. Data stewards are
    responsible for data access and policy
    implementation issues.
  • Data Custodian: Information Technology Services
    is the data custodian. The custodian is
    responsible for providing a secure infrastructure
    in support of the data, including, but not
    limited to, providing physical security, backup
    and recovery processes, granting access
    privileges to system users as authorized by data
    trustees or their designees (usually the data
    stewards), and implementing and administering
    controls over the information.
  • Data User: Data users are individuals who need
    and use University data as part of their assigned
    duties or in fulfillment of assigned roles or
    functions within the University community.
    Individuals who are given access to sensitive
    data have a position of special trust and as such
    are responsible for protecting the security and
    integrity of those data.
  • http://its.uncg.edu/Policy_Manual/Data/

43
Outsourced Data Handling
  • Some Drivers
  • Security of Commercial Software (addressed
    elsewhere, Step 7.4)
  • Incidents: mishandling by 3rd parties
  • GLB Act: oversight of service providers
  • PCI requirement
  • Federal contracts and grants
  • Sample Contract Language
  • E-mail instructor for a copy

44
Step 4
  • Reduce access to confidential/sensitive data not
    absolutely essential to institutional processes
  • Sub-steps
  • 4.1 Data collection processes (including forms)
    should request only the minimum necessary
    confidential/sensitive information
  • 4.2 Application outputs (e.g., queries, hard copy
    reports, etc.) should provide only the minimum
    necessary confidential/sensitive information
  • 4.3 Inventory and review access to existing
    confidential/sensitive data on servers,
    desktops, and mobile devices

45
Step 4 continued
  • Reduce access to confidential/sensitive data not
    absolutely essential to institutional processes
  • Sub-steps continued
  • 4.4 Eliminate unnecessary confidential/sensitive
    data on servers, desktops, and mobile devices
  • 4.5 Eliminate dependence on SSNs as primary
    identifiers and as a form of authentication
  • Note SSNs may need to be used for certain
    things (e.g., student employees, student
    financial aid, etc.) and we recommend that
    schools limit the use of SSNs to necessary
    processes only.

47
Fair Information Practices and Privacy
  • General Principles of Fair Information Practice
  • Openness
  • Individual Participation
  • Collection Limitation
  • Data Quality
  • Finality
  • Security
  • Accountability
  • Privacy Statements
  • Privacy Policies

51
Solutions
  • Safety Analyzer (George Washington University)
  • Sensitive Data Detection
  • SSNs with heuristics
  • Credit Card numbers with Luhn algorithm
    validation
  • Compromise Detection
  • Trojan file detection
  • Kernel-level rootkit detection
  • IR-related data harvesting
  • Spider (Cornell University)
  • SENF! (Sensitive Number Finder)(University of
    Texas at Austin)
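
How the "SSNs with heuristics" and "Luhn algorithm validation" items above work, as an added example: this is not code from Safety Analyzer, Spider, or SENF, and the text it scans is constructed. The heuristics cut false positives on SSN-shaped numbers (unissued area numbers, all-zero groups, the well-known advertising number 078-05-1120), the Luhn check digit rejects most digit runs that merely look like card numbers, and matches are reported masked so that the scan report is not itself sensitive data.

```python
import re

# Candidate patterns. SSN_RE captures area/group/serial so the heuristics can
# inspect each part; CARD_RE accepts 13-19 digit runs with optional spaces or
# hyphens, which is how card numbers usually appear in documents.
SSN_RE = re.compile(r"\b(\d{3})[- ]?(\d{2})[- ]?(\d{4})\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Structural heuristics: the SSA never issues area 000, 666 or 900-999,
    and never issues an all-zero group or serial. 078-05-1120 (the number
    printed on sample cards sold in wallets) is excluded explicitly."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    if int(group) == 0 or int(serial) == 0:
        return False
    return (area, group, serial) != ("078", "05", "1120")


def luhn_ok(digits: str) -> bool:
    """Luhn check digit: from the right, double every second digit, subtract 9
    from any doubled value above 9, and require the sum to be divisible by 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_sensitive(text: str) -> dict:
    """Return masked SSNs and card numbers found in text. Card numbers are
    located first and blanked out so the SSN pass cannot re-match a slice of
    a card number; only the last four digits of each hit are reported."""
    cards = []

    def take_card(match):
        digits = re.sub(r"[ -]", "", match.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            cards.append("*" * (len(digits) - 4) + digits[-4:])
            return " " * len(match.group(0))
        return match.group(0)

    remainder = CARD_RE.sub(take_card, text)
    ssns = [f"***-**-{s}" for a, g, s in SSN_RE.findall(remainder)
            if plausible_ssn(a, g, s)]
    return {"ssn": ssns, "card": cards}


# Constructed sample text (not real data). 4111 1111 1111 1111 is a published
# test card number; the second 16-digit run differs in its last digit and
# fails the Luhn check, so it is not reported.
SAMPLE = """Payroll note: employee SSN 123-45-6789 on file; 000-12-3456 is a placeholder.
Card on file: 4111 1111 1111 1111 (test number). Desk phone 617-555-0147.
Invoice ref 4111111111111112 is not a card number."""

if __name__ == "__main__":
    print(find_sensitive(SAMPLE))
```

Run it against a directory tree by feeding each file's text to find_sensitive; the masked output is what goes into the inventory required by sub-step 4.3, while the unmasked hit count per file tells the data steward where to start cleaning up.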

53
Elimination of SSNs
  • Federal and state law requires the collection of
    your Social Security number (SSN) for certain
    purposes (for example, IRS reporting forms).
    However, widespread use of an individual's SSN is
    a major privacy concern. With incidents of
    identity theft increasing, steps to secure an
    individual's SSN become more important.
  • A large number of colleges and universities use
    SSNs as primary identifiers for faculty, staff,
    and students, which exposes institutions to risk
    because of changing legal and security
    environments. Therefore, many institutions are
    planning for the migration away from SSN use as a
    primary identifier. Undertaking such a task
    raises issues, challenges, and opportunities for
    any institution.
  • EDUCAUSE has identified links concerning the
    elimination of SSNs as primary identifiers that
    may be useful to the higher education community.
  • http://www.educause.edu/Browse/645?PARENT_ID=701

54
Where to be with SSNs
Checklist for both university processes and the
systems supporting them:
  • SSNs requested only when essential
  • SSNs provided only when essential
  • SSN access authorized to the fewest people
    possible
  • SSNs stored only in highly secured devices and
    file cabinets
  • Clear SSN use policy exists
  • Responsibilities for SSN protection well
    communicated
  • Compliance verification processes in place
55
Step 5
  • Establish and implement stricter controls for
    safeguarding confidential/sensitive data
  • Sub-steps
  • 5.1 Inventory and review/remediate security of
    devices
  • 5.2 Configuration standards for applications,
    servers, desktops, and mobile devices
  • 5.3 Network level protections
  • 5.4 Encryption strategies for data in transit and
    at rest

56
Step 5 continued
  • Establish and implement stricter controls for
    safeguarding confidential/sensitive data
  • Sub-steps continued
  • 5.5 Policies regarding confidential/sensitive
    data on mobile devices and home computers and
    for data archival/storage
  • 5.6 Identity management and resource provisioning
    processes
  • 5.7 Secure disposal of equipment and data
  • 5.8 Consider background checks on individuals
    handling confidential/sensitive data

58
Inventory Devices
  • Network Registration (NetReg)
  • Commercial NAC solutions (Cisco, etc.)
  • Commercial desktop management products
  • Altiris, etc.
  • Manual inventories
  • Review Security of Devices
  • Network vulnerability scans
  • Local tools such as Microsoft's Baseline Security
    Analyzer (MBSA)
  • Manage your anti-virus for review/remediate

which ones???
60
Configuration Standards
  • There are recommendations available from various
    sources on the Internet
  • Vendors themselves
  • Center for Internet Security
    (http://www.cisecurity.org/)
  • NSA (http://www.nsa.gov/snac/)
  • How to implement at your institution
  • Use your own published procedures
  • Publish links to sources above
  • Create and use images
  • Don't forget applications
  • Web servers
  • Mail servers
  • FTP servers
  • Consider standards as part of the Software
    Development Life Cycle
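
A configuration standard is only useful if you can check hosts against it. The following is an added example, not from the slides, CIS, or NSA: it parses the global section of an sshd_config the way sshd reads it (the first occurrence of a keyword wins, everything after a Match line is conditional) and reports deviations from a small baseline. The baseline values and the defaults assumed for absent options are assumptions for illustration; take the real ones from your institution's published standard.

```python
# Assumed baseline (illustration only): option -> (required value, value sshd
# uses when the option is absent). Defaults vary by OpenSSH release; the ones
# here reflect the older releases current when this deck was written.
BASELINE = {
    "PermitRootLogin": ("no", "yes"),
    "PasswordAuthentication": ("no", "yes"),
    "PermitEmptyPasswords": ("no", "no"),
    "X11Forwarding": ("no", "no"),
    "Protocol": ("2", "2,1"),
}


def parse_sshd_config(text: str) -> dict:
    """Parse the global section of an sshd_config the way sshd does:
    '#' starts a comment, keywords are case-insensitive, 'keyword value' and
    'keyword=value' are both accepted, the FIRST occurrence of a keyword wins,
    and everything after the first 'Match' line applies conditionally, so it
    is left out of the global view."""
    options = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.replace("=", " ", 1).split(None, 1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            break
        options.setdefault(key, value)   # first occurrence wins
    return options


def check_against_baseline(text: str, baseline: dict = BASELINE) -> list:
    """Return (option, expected, effective) for every baseline option whose
    effective value differs from the standard."""
    cfg = parse_sshd_config(text)
    findings = []
    for option, (expected, default) in baseline.items():
        actual = cfg.get(option.lower(), default)
        if actual.lower() != expected.lower():
            findings.append((option, expected, actual))
    return findings


# Constructed sample, not from a real host. The "hardening" lines were appended
# at the bottom, a common mistake: the earlier 'PermitRootLogin yes' wins.
SAMPLE_CONFIG = """# sshd_config
Port 22
PermitRootLogin yes
Protocol 2
# "hardening" appended later:
PermitRootLogin no
PasswordAuthentication no
Match User backup
    PasswordAuthentication yes
"""

if __name__ == "__main__":
    for option, expected, actual in check_against_baseline(SAMPLE_CONFIG):
        print(f"{option}: standard says {expected}, effective value is {actual}")
```

The same shape (parse the file the way the daemon does, compare effective values rather than the presence of a line) carries over to the web, mail and FTP server configurations the slide says not to forget; the point of the Match handling is that a checker which just greps for the keyword would have passed this host.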

62
Network Level Protections
  • Intrusion Detection System
  • Snort, Dragon, NFR
  • Intrusion Prevention System
  • TippingPoint, IntruShield
  • Extrusion Prevention System (data leakage
    prevention)
  • Vontu, Reconnex, Fidelis
  • Database protection systems
  • Guardium, Tizor, etc.
  • Network Anomaly Detection (flow analysis)
  • Q1 Labs QRadar, Arbor, Mazu, etc.

64
Encryption: Data in Transit
  • Strategies for Data in Transit
  • Encrypt before sending (e.g., PGP)
  • Encrypt on the fly (e.g., SSL; this protects the
    connection only, so the client must verify the
    peer's certificate, and the data is in the clear
    at each endpoint)
  • Issues for Data in Transit
  • Key exchange
  • Performance
  • Choice of algorithm
  • Protocols
  • SSL
  • SSH
  • Proprietary (in which case check the algorithm)
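
"Encrypt on the fly" with SSL only protects data in transit when the client verifies who is on the other end. Added example, not from the slides: the weak client configuration beside the hardened one, using Python's ssl module; no network connection is opened, the contexts are only built and inspected.

```python
import ssl


def weak_client_context() -> ssl.SSLContext:
    """The 'make the certificate warning go away' configuration. With no peer
    certificate check and no hostname check, anyone who can redirect the
    traffic can terminate the session with their own key: the channel is
    encrypted, but to an unknown party."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False      # must be cleared before verify_mode can be relaxed
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_client_context(ca_bundle=None) -> ssl.SSLContext:
    """Verify the server's chain against the system CA store (or an
    institutional bundle passed as ca_bundle), verify the hostname, and
    refuse protocol versions older than TLS 1.2."""
    ctx = ssl.create_default_context(cafile=ca_bundle)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit(ctx: ssl.SSLContext) -> dict:
    """The properties to look at when reviewing a client's TLS settings."""
    return {
        "verifies_peer": ctx.verify_mode == ssl.CERT_REQUIRED,
        "checks_hostname": bool(ctx.check_hostname),
        "minimum_version": ctx.minimum_version.name,
    }


if __name__ == "__main__":
    print("weak:    ", audit(weak_client_context()))
    print("hardened:", audit(hardened_client_context()))
```

The slide's "key exchange" and "choice of algorithm" issues are what the hardened context delegates to the library: certificate verification is what makes the key exchange bind to the intended server, and the minimum version rules out the legacy cipher suites that older protocol versions allow.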

65
Encryption and Data at Rest
  • Problems with Data at Rest
  • Theft by a network intruder
  • Physical theft -- for example, a laptop
  • Data at Rest Strategies
  • Whole disk encryption (protects a powered-off or
    stolen device; once the machine is booted and
    unlocked, a network intruder sees the same
    cleartext the user does)
  • File encryption
  • Issues
  • Key escrow
  • Cost if not using the O/S vendor's file encryption
  • Very low adoption rate in the higher ed market

67
Data on Mobile Devices
  • Data has wings
  • PDAs and music players
  • USB memory fobs
  • Cyber-cafes
  • Home computers
  • Compensating Policy
  • Written mandates
  • Practical assistance
  • Enforcement or checking is exceedingly difficult
  • Which does not mean you should not do it, if
    nothing else it can be used to justify discipline

68
Protection of Mobile Data
  • OMB Memo: Protection of Sensitive Agency
    Information
    http://www.whitehouse.gov/omb/memoranda/fy2006/m06-16.pdf
  • NIST Checklist: Protection of Remote Information

70
ID Management
  • Access control lists (ACLs)
  • Account creation
  • Account deletion
  • Process issues
  • Fragmentation can be addressed
  • By process improvement
  • Via technology
  • Rich area of research & development
  • Also commercial solutions
  • Active Directory
  • LDAP solutions
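
Where "account deletion" and "fragmentation" actually bite is accounts that outlive their owner. Added example, not from the slides or from any Active Directory/LDAP tooling: reconcile a directory export against the HR roster to find enabled accounts with no current owner. The roster, the directory entries, the grace period and the privileged-group list are all constructed assumptions.

```python
from datetime import date

# Assumptions for illustration: how long after separation an enabled account
# is tolerated (so the normal deprovisioning process has time to run), and
# which groups make an orphaned account a high-severity finding.
GRACE_DAYS = 14
PRIVILEGED_GROUPS = {"payroll-admins", "sis-admins", "domain-admins"}
SEVERITY_RANK = {"high": 0, "medium": 1}


def orphaned_accounts(directory, roster, today, grace_days=GRACE_DAYS):
    """Compare enabled directory accounts against the HR roster.

    roster maps username -> separation date (None for current staff).
    Returns (username, reason, severity) tuples, most severe first.
    Disabled accounts are skipped; a separation inside the grace period is
    not reported."""
    findings = []
    for account in directory:
        if not account["enabled"]:
            continue
        uid = account["uid"]
        privileged = bool(PRIVILEGED_GROUPS & set(account["groups"]))
        severity = "high" if privileged else "medium"
        if uid not in roster:
            # Created outside the HR-driven process: nobody owns it.
            findings.append((uid, "no HR record", severity))
            continue
        separated = roster[uid]
        if separated is not None:
            age = (today - separated).days
            if age > grace_days:
                findings.append((uid, f"separated {age} days ago, still enabled", severity))
    findings.sort(key=lambda f: (SEVERITY_RANK[f[2]], f[0]))
    return findings


# Constructed sample data (no real people or systems). AS_OF is the seminar
# date, used as "today" for the constructed roster.
AS_OF = date(2007, 7, 30)
ROSTER = {
    "asmith": None,               # current employee
    "bjones": date(2007, 7, 1),   # left four weeks ago
    "cdoe": date(2007, 7, 25),    # left five days ago, inside the grace period
}
DIRECTORY = [
    {"uid": "asmith", "enabled": True, "groups": ["staff"]},
    {"uid": "bjones", "enabled": True, "groups": ["staff", "payroll-admins"]},
    {"uid": "cdoe", "enabled": True, "groups": ["staff"]},
    {"uid": "djohn", "enabled": True, "groups": ["staff"]},     # no HR record
    {"uid": "eold", "enabled": False, "groups": ["staff"]},     # already disabled
]

if __name__ == "__main__":
    for uid, reason, severity in orphaned_accounts(DIRECTORY, ROSTER, AS_OF):
        print(f"{severity:6} {uid:8} {reason}")
```

Run on a schedule, this is the "process improvement" half of the slide; the "via technology" half is wiring the same HR feed into the provisioning system so the report comes back empty.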

71
EDUCAUSE Identity Management Resources
  • Recent Library Submissions (3)
  • CIC Identity Management Conference Session:
    Federated Identity Management and Sharing
    Resources (2007) by Jim Phelps, IT Architect in
    Academia
  • Identity Management Conference Report (2007) by
    Committee on Institutional Cooperation
  • A Report on the Identity Management Summit (2007)
    by Norma Holland, Ann West and Steve Worona,
    EDUCAUSE
  • Most Popular Library Content (3)
  • Top-Ten IT Issues, 2006 (2006) by Barbara I.
    Dewey, Peter B. DeBlois, and the 2006 EDUCAUSE
    Current Issues Committee, EDUCAUSE
  • Safeguarding the Tower: IT Security in Higher
    Education 2006 (2006) by Robert B. Kvavik, with
    John Voloudakis, ECAR
  • Identity Management in Higher Education: A
    Baseline Study (2006) by Ronald Yanosky, with
    Gail Salaway, ECAR
  • http://www.educause.edu/Browse/645?PARENT_ID=679

73
Equipment and Data Disposal
  • Classic examples are lost backup tapes
  • Magnetic media destruction can be done
    physically (sledgehammer) or magnetically
    (degaussed or multi-pass formatted) or both
  • Do not ignore hard-copy data
  • Shredders
  • This step can be both expensive and inconvenient

74
Data Sanitization Guidelines
  • NIST Special Publication 800-88, Guidelines for
    Media Sanitization:
    http://csrc.nist.gov/publications/nistpubs/800-88/NISTSP800-88_rev1.pdf
  • EDUCAUSE/Internet2 Security Task Force, Practical
    Data Sanitization Guidelines for Higher
    Education:
    https://wiki.internet2.edu/confluence/display/secguide/GuidelinesforDataSanitization
  • Michigan State University, Best Practices in
    Disposal of Computers and Electronic Storage
    Media:
    http://computing.msu.edu/msd/documents/safecomputerdisposal.pdf

75
Step 5 continued
  • Establish and implement stricter controls for
    safeguarding confidential/sensitive data
  • Sub-steps continued
  • 5.5 Policies regarding confidential/sensitive
    data on mobile devices and home computers and for
    data archival/storage
  • 5.6 Identity management and resource provisioning
    processes
  • 5.7 Secure disposal of equipment and data
  • 5.8 Consider background checks on individuals
    handling confidential/sensitive data

76
Background Checks
  • Kinds of checks
  • Criminal
  • Credit
  • Resume
  • Education
  • Why?
  • How?
  • Do you save it once it's complete?
  • Do results stay in H/R or go to hiring manager?
  • If running criminal checks, how wide a net do you
    cast and how legitimate can you be?

77
Security Approaches in Place
  • Perimeter firewalls: 77%
  • Centralized backups: 77%
  • VPNs for remote access: 75%
  • Enterprise directory: 75%
  • Interior network firewalls: 65%
  • Intrusion detection: 62%
  • Active filtering: 59%
  • Intrusion prevention: 44% (up from 33%)
  • Security standards for applications: 32% (up from
    27%)
  • Source: ECAR IT Security Study, 2006

78
Step 6
  • Provide awareness and training
  • Sub-steps
  • 6.1 Make confidential/sensitive data handlers
    aware of privacy and security requirements
  • 6.2 Require acknowledgement by data users of
    their responsibility for safeguarding such data
  • 6.3 Enhance general privacy and security
    awareness programs to specifically address
    safeguarding confidential/sensitive data
  • 6.4 Collaboration mechanisms such as e-mail have
    strengths and limitations in terms of access
    control, which must be clearly communicated and
    understood so that the data will be safe-guarded

79
Awareness Training
  • Who needs awareness (consciousness-raising)?
    All Users!
  • Executives
  • Faculty
  • Staff
  • Students
  • Users of Sensitive Data
  • IT Staff
  • Training (skills development)
  • Especially for data stewards, IT staff, and
    information security team

80
Why? Who's the Threat?
81
Cybersecurity Awareness Resources CD
  • The Awareness and Training Working Group of the
    EDUCAUSE/Internet2 Security Task Force compiled
    cybersecurity awareness resources distributed on
    a CD which are now on the web site.
  • The resources were collected to showcase the
    variety of security awareness efforts underway at
    institutions of higher education and to provide
    resources for colleges and universities that are
    looking to jump-start a program for their
    organization.

82
Whats on the Web Site?
  • Pamphlets
  • Post Cards
  • Presentations
  • Security Awareness Documents
  • Security Cards
  • Security Tools
  • Security Quizzes
  • Surveys
  • Videos
  • Book Marks
  • Brochures
  • Checklists
  • Flyers
  • Games
  • Government Resources
  • Handouts
  • Industry Resources
  • Links to Schools Security Web Page(s)

83
Awareness Programs
  Awareness program in place   Students   Faculty   Staff
  2003                         39.2%      38.2%     42.2%
  2005                         62.3%      68.8%     69.1%
  Percent change               23.1       30.6      26.9
  • Source: ECAR IT Security Study, 2006

84
When I Go To U.Va.
http://www.itc.virginia.edu/pubs/docs/RespComp/videos/when-I-go-to-UVA-lg.mov
85
Security Awareness Exercise
  • Outline a Plan for a Security Awareness Campaign
    About Managing Sensitive Data
  • Who is your target audience?
  • How will you market it?
  • What are your key messages?
  • What method of delivery will you use?
  • How will you measure its effectiveness?

86
Step 7
  • Verify compliance routinely with your policies
    and procedures
  • Sub-steps
  • 7.1 Routinely test network-connected devices and
    services for weaknesses in operating systems,
    applications, and encryption
  • 7.2 Routinely scan servers, desktops, mobile
    devices, and networks containing
    confidential/sensitive data to verify compliance
  • 7.3 Routinely audit access privileges
  • 7.4 Procurement procedures and contract language
    to ensure proper data handling is maintained

87
Step 7 continued
  • Verify compliance routinely with your policies
    and procedures
  • Sub-steps continued
  • 7.5 System development methodologies that prevent
    new data handling problems from being introduced
    into the environment
  • 7.6 Utilize audit function within the institution
    to verify compliance
  • 7.7 Incident response policies and procedures
  • 7.8 Conduct regular meetings with stakeholders
    such as data stewards, legal counsel, compliance
    officers, public safety, public relations, and
    IT groups to review institutional risk and
    compliance and to revise existing policies and
    procedures as needed

88
Step 7
  • Verify compliance routinely with your policies
    and procedures
  • Sub-steps
  • 7.1 Routinely test network-connected devices and
    services for weaknesses in operating systems,
    applications, and encryption
  • 7.2 Routinely scan servers, desktops, mobile
    devices, and networks containing
    confidential/sensitive data to verify compliance
  • 7.3 Routinely audit access privileges
  • 7.4 Procurement procedures and contract language
    to ensure proper data handling is maintained

89
Routine Testing
  • Network Admission Control (NAC)
  • Test(s) at network registration
  • But not all weaknesses are caught by commercial
    testing programs (scanners)
  • Encryption can be tricky
  • Network sniffing
  • Examine configuration files
  • Applications can imply things like re-running
    regression testing after changes

90
Step 7
  • Verify compliance routinely with your policies
    and procedures
  • Sub-steps
  • 7.1 Routinely test network-connected devices and
    services for weaknesses in operating systems,
    applications, and encryption
  • 7.2 Routinely scan servers, desktops, mobile
    devices, and networks containing
    confidential/sensitive data to verify compliance
  • 7.3 Routinely audit access privileges
  • 7.4 Procurement procedures and contract language
    to ensure proper data handling is maintained

91
Routine Scanning
  • Vulnerability Scanners
  • Nessus
  • ISS
  • GFI LANGuard
  • eEye Retina
  • Local confidential data scanners
  • GW Safety Analyzer
  • Cornell Spider
  • U.Texas SENF (Sensitive Number Finder)
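The local confidential data scanners listed above (Cornell Spider, SENF and the like) work by finding digit runs that look like SSNs or card numbers and then discarding the ones that fail structural checks. The block below is an added, simplified illustration of that idea in Python; it is not the code of any of those tools, and the sample text is constructed, not real data.

```python
import re
from typing import List, Tuple

# Candidate patterns: SSN written ddd-dd-dddd; card number of 13-19 digits,
# optionally grouped with spaces or dashes.
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 checksum that payment card numbers must satisfy."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:            # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def ssn_plausible(area: str, group: str, serial: str) -> bool:
    """Reject values the SSA never issues: area 000, 666 or 900+, zero group/serial."""
    a = int(area)
    return a not in (0, 666) and a < 900 and int(group) != 0 and int(serial) != 0


def find_sensitive_numbers(text: str) -> List[Tuple[str, str]]:
    """Return (kind, matched text) for each plausible SSN or card number."""
    hits = []
    for m in SSN_RE.finditer(text):
        if ssn_plausible(*m.groups()):
            hits.append(("ssn", m.group(0)))
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):      # length 13-19 is guaranteed by the pattern
            hits.append(("card", m.group(0)))
    return hits


# Constructed sample text (hypothetical, not real data): one well-formed SSN,
# one Luhn-valid test card number, and two decoys that must not be reported.
SAMPLE = (
    "Student 123-45-6789 paid with 4111 1111 1111 1111 on 2007-07-30.\n"
    "Decoys: 000-12-3456 and 1234 5678 9012 3456 should not match.\n"
)

if __name__ == "__main__":
    for kind, value in find_sensitive_numbers(SAMPLE):
        print(kind, value)
```

Real scanners add more formats (unformatted SSNs, other national IDs) and tune these checks to keep false positives manageable across a whole file share.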

follow-up on 4.3
92
Step 7
  • Verify compliance routinely with your policies
    and procedures
  • Sub-steps
  • 7.1 Routinely test network-connected devices and
    services for weaknesses in operating systems,
    applications, and encryption
  • 7.2 Routinely scan servers, desktops, mobile
    devices, and networks containing
    confidential/sensitive data to verify compliance
  • 7.3 Routinely audit access privileges
  • 7.4 Procurement procedures and contract language
    to ensure proper data handling is maintained

93
Routine Audits
  • Copy your external auditors?
  • What persons, groups, or roles have access?
  • Should have access?
  • Check terminated employees against list
  • Transfers to new internal jobs as well
  • Unclear as to wisdom of letting them know you're
    coming
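The access audit above boils down to reconciling the access list against HR records: who has access, whether they are still employed, and whether they have transferred since the access was granted. The following is an added Python example of that reconciliation (not code from the presentation or any product); both CSV inputs are constructed sample data with hypothetical users and resources.

```python
import csv
import io
from typing import Dict, List

# Constructed HR roster (hypothetical): user, employment status, current department.
HR_ROSTER = """user,status,department
alice,active,registrar
bob,terminated,bursar
carol,active,library
dave,active,registrar
"""

# Constructed access list (hypothetical): user, resource, department the grant was made for.
ACCESS_LIST = """user,resource,granted_for
alice,student_records,registrar
bob,billing_db,bursar
carol,student_records,registrar
dave,student_records,registrar
erin,billing_db,bursar
"""


def load_roster(text: str) -> Dict[str, Dict[str, str]]:
    """Index HR rows by username."""
    return {row["user"]: row for row in csv.DictReader(io.StringIO(text))}


def audit_access(roster_csv: str, access_csv: str) -> List[Dict[str, str]]:
    """Return one finding per access entry that a reviewer should look at."""
    roster = load_roster(roster_csv)
    findings = []
    for row in csv.DictReader(io.StringIO(access_csv)):
        person = roster.get(row["user"])
        if person is None:
            reason = "no HR record"          # orphaned or external account
        elif person["status"] != "active":
            reason = "employee " + person["status"]
        elif person["department"] != row["granted_for"]:
            reason = "transferred from %s to %s" % (row["granted_for"], person["department"])
        else:
            continue                         # active, still in the granting department
        findings.append({"user": row["user"], "resource": row["resource"], "reason": reason})
    return findings


if __name__ == "__main__":
    for f in audit_access(HR_ROSTER, ACCESS_LIST):
        print(f["user"], f["resource"], f["reason"])
```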

94
Step 7
  • Verify compliance routinely with your policies
    and procedures
  • Sub-steps
  • 7.1 Routinely test network-connected devices and
    services for weaknesses in operating systems,
    applications, and encryption
  • 7.2 Routinely scan servers, desktops, mobile
    devices, and networks containing
    confidential/sensitive data to verify compliance
  • 7.3 Routinely audit access privileges
  • 7.4 Procurement procedures and contract language
    to ensure proper data handling is maintained

95
Procurement Practices
  • Contracts in the U.S. establish your rights --
    very few rights are guaranteed
  • Are any vendors subject to your policies, or to
    any other statute governing their handling of
    your data?
  • Does their contract acknowledge this?
  • How are the vendors liable?
  • Your judgment, theirs, or a courts?

96
Step 7 continued
  • Verify compliance routinely with your policies
    and procedures
  • Sub-steps continued
  • 7.5 System development methodologies that prevent
    new data handling problems from being introduced
    into the environment
  • 7.6 Utilize audit function within the institution
    to verify compliance
  • 7.7 Incident response policies and procedures
  • 7.8 Conduct regular meetings with stakeholders
    such as data stewards, legal counsel, compliance
    officers, public safety, public relations, and IT
    groups to review institutional risk and
    compliance and to revise existing policies and
    procedures as needed

97
System Development
  • Add security to your software development life
    cycle
  • When
  • Requirements
  • Vendor analysis or architecture development
  • Test
  • Turnover
  • Consider canned methodologies only if they
    incorporate security

98
Step 7 continued
  • Verify compliance routinely with your policies
    and procedures
  • Sub-steps continued
  • 7.5 System development methodologies that prevent
    new data handling problems from being introduced
    into the environment
  • 7.6 Utilize audit function within the institution
    to verify compliance
  • 7.7 Incident response policies and procedures
  • 7.8 Conduct regular meetings with stakeholders
    such as data stewards, legal counsel, compliance
    officers, public safety, public relations, and IT
    groups to review institutional risk and
    compliance and to revise existing policies and
    procedures as needed

99
Audit Function
  • Auditor -- friend or enemy?
  • Audit reports generally go higher in the
    organization than security memos
  • Audit staff has some skills at compliance and
    testing against a process or procedure
  • Use them to double-check yourself and to check
    things that you can't due to time or political
    constraints

100
Step 7 continued
  • Verify compliance routinely with your policies
    and procedures
  • Sub-steps continued
  • 7.5 System development methodologies that prevent
    new data handling problems from being introduced
    into the environment
  • 7.6 Utilize audit function within the institution
    to verify compliance
  • 7.7 Incident response policies and procedures
  • 7.8 Conduct regular meetings with stakeholders
    such as data stewards, legal counsel, compliance
    officers, public safety, public relations, and IT
    groups to review institutional risk and
    compliance and to revise existing policies and
    procedures as needed

101
Incident Response
  • An incident response structure is a necessity
  • Rich vein of material on this -- blueprint has
    links
  • Cut down time data is exposed

102
Step 7 continued
  • Verify compliance routinely with your policies
    and procedures
  • Sub-steps continued
  • 7.5 System development methodologies that prevent
    new data handling problems from being introduced
    into the environment
  • 7.6 Utilize audit function within the institution
    to verify compliance
  • 7.7 Incident response policies and procedures
  • 7.8 Conduct regular meetings with stakeholders
    such as data stewards, legal counsel, compliance
    officers, public safety, public relations, and
    IT groups to review institutional risk and
    compliance and to revise existing policies and
    procedures as needed

103
Continuous Improvement
  • Keep it current
  • Keep them current
  • Keep within the law
  • Keep exploiting new technology

104
FTC Guide Protecting Personal Information
  • Take stock. Know what personal information you
    have in your files and on your computers.
  • Scale down. Keep only what you need for your
    business.
  • Lock it. Protect the information that you keep.
  • Pitch it. Properly dispose of what you no
    longer need.
  • Plan ahead. Create a plan to respond to
    security incidents.

105
Putting it All Together
  • Moving from Planning to Action!

106
The Blueprint
  • Discussion
  • How will you use the blueprint?
  • Do you have suggestions to improve it?
  • Do you have resources or effective practices to
    submit?

107
Wrap-Up
  • Question & Answer
  • Seminar Evaluation & Feedback
  • Program ends at 12:00pm

108
For more information
  • David Escalante, Email: david.escalante_at_bc.edu,
    Phone: 617-552-6060
  • EDUCAUSE/Internet2 Security Task Force:
    www.educause.edu/security
  • EDUCAUSE Center for Applied Research:
    www.educause.edu/ECAR
  • Blueprint for Handling Sensitive Data:
    wiki.internet2.edu/confluence/display/secguide

109
Case Study
  • Group Discussion
  • Who do you need to include (or other consult) as
    part of the emergency meeting?
  • What core messages will you plan to deliver at
    the press conference?
  • What kinds of questions should you anticipate
    from reporters or potential victims?