Title: A Blueprint for Handling Sensitive Data: Security, Privacy, and Other Considerations
A Blueprint for Handling Sensitive Data
Security, Privacy, and Other Considerations
- David Escalante
- Director, Computer Policy & Security
- Boston College
- Monday, July 30, 2007, 8:30am-12:00pm
- Campus Technology 2007
- Washington, DC
Seminar Goals
- At the end of this session:
  - You should feel comfortable discussing common cybersecurity risks plaguing higher education and computer users in general.
  - You will have a list of key strategies to pursue for stopping the leakage of confidential/sensitive data.
  - You will be introduced to several security resources and best practices to help you apply the key strategies.
Agenda (1)
- Overview and Introductions
- Creating a Security Risk-Aware Culture
- Defining Institutional Data Types
- Clarifying Responsibility and Accountability
- Reducing Access to Data Not Absolutely Essential
Agenda (2)
- Establishing and Implementing Stricter Controls
- Providing Awareness and Training
- Managing Sensitive Data Outreach Programs
- Verifying Compliance
- Putting It All Together
- Evaluation and Wrap-Up
Icebreaker
- Human Scavenger Hunt
- Instructions
  - Take a moment to read the entire list (front and back)
  - Obtain as many signatures as possible in the time allotted
  - An individual may sign your sheet only once
  - Fill in the blanks when space is provided
The Blueprint
- Confidential Data Handling Blueprint
  - Purpose
    - To provide a list of key strategies to follow for stopping the leakage of confidential/sensitive data.
    - To provide a toolkit of resources pertaining to confidential/sensitive data handling.
  - https://wiki.internet2.edu/confluence/display/secguide/ConfidentialDataHandlingBlueprint
The Blueprint
- Confidential Data Handling Blueprint
  - Introduction
    - Steps and ensuing sub-items are intended to provide a general roadmap
    - Institutions will be at varying stages of progress
    - Organized in a sequence that allows you to logically follow through each step
    - Each item is recommended as an effective practice; state/local legal requirements, institutional policy, or campus culture might lead each institution to approach this differently
Ingredients for Success
- Policies must be developed, communicated, maintained, and enforced
- People: people must understand their roles and responsibilities according to policies
- Process: processes must be developed that show how policies will be implemented
- Technology: systems must be built and technologies deployed to adhere to policies
Step 1
- Create a security risk-aware culture that includes an information security risk management program
- Sub-steps
  - 1.1 Institution-wide security risk management program
  - 1.2 Roles and responsibilities defined for overall information security at the central and distributed level
  - 1.3 Executive leadership support in the form of policies and governance actions
Risk Management Framework
Risk Assessment Framework
- Phase 0: Establish Risk Assessment Criteria for the Identification and Prioritization of Critical Assets
- Phase 1: Develop Initial Security Strategies
- Phase 2: Technological View (Identify Infrastructure Vulnerabilities)
- Phase 3: Develop Security Strategy and Plans
Risks Incurred
| Damage | Percent |
| --- | --- |
| Business application, including e-mail, unavailable | 33.7 |
| Network unavailable | 29.4 |
| Information confidentiality compromised | 26.0 |
| Damage to software | 21.5 |
| Damage to data | 12.5 |
| Negative publicity in the press | 10.0 |
| Identity theft | 8.4 |
| Damage to hardware | 7.4 |
| Financial losses | 6.4 |
- ECAR IT Security Study, 2006
Risk Assessments
- 55 percent do some type of risk assessment
- But less than 9 percent cover all institutional systems and data.
- ECAR IT Security Study, 2006
Best Practices Metrics
- Information Security Program Elements
  - Governance
    - Boards/Senior Executives/Shared Governance
  - Management
    - Directors and Managers
  - Technical
    - Central and Distributed IT Support Staff
- CISWG Final Report on Best Practices Metrics
Governance
- Oversee Risk Management and Compliance Programs Pertaining to Information Security (e.g., Sarbanes-Oxley, HIPAA, Gramm-Leach-Bliley)
- Approve and Adopt Broad Information Security Program Principles and Approve Assignment of Key Managers Responsible for Information Security
- Strive to Protect the Interests of all Stakeholders Dependent on Information Security
- Review Information Security Policies Regarding Strategic Partners and Other Third-parties
- Strive to Ensure Business Continuity
- Review Provisions for Internal and External Audits of the Information Security Program
- Collaborate with Management to Specify the Information Security Metrics to be Reported to the Board
- CISWG Final Report on Best Practices Metrics
Management
- Establish Information Security Management Policies and Controls and Monitor Compliance
- Assign Information Security Roles, Responsibilities, Required Skills, and Enforce Role-based Information Access Privileges
- Assess Information Risks, Establish Risk Thresholds and Actively Manage Risk Mitigation
- Ensure Implementation of Information Security Requirements for Strategic Partners and Other Third-parties
- Identify and Classify Information Assets
- Implement and Test Business Continuity Plans
- Approve Information Systems Architecture during Acquisition, Development, Operations, and Maintenance
- Protect the Physical Environment
- Ensure Internal and External Audits of the Information Security Program with Timely Follow-up
- Collaborate with Security Staff to Specify the Information Security Metrics to be Reported to Management
- CISWG Final Report on Best Practices Metrics
Technical
- User Identification and Authentication
- User Account Management
- User Privileges
- Configuration Management
- Event and Activity Logging and Monitoring
- Communications, Email, and Remote Access Security
- Malicious Code Protection, Including Viruses, Worms, and Trojans
- Software Change Management, including Patching
- Firewalls
- Data Encryption
- Backup and Recovery
- Incident and Vulnerability Detection and Response
- Collaborate with Management to Specify the Technical Metrics to be Reported to Management
- CISWG Final Report on Best Practices Metrics
Responsibility for IT Security
- IT Security Officer: 35 percent (up from 22 percent)
- CIO: 14 percent (up from 8 percent)
- Other IT Directors: 50 percent (down from 67 percent)
IT Security Plan
- 11.2 percent: a comprehensive IT security plan is in place
- 66.6 percent: a partial plan is in place
- 20.4 percent: no IT security plan is in place
- ECAR IT Security Study, 2006
Characteristics of Successful IT Security Programs
- Institutions with IT security plans in place characterize their IT security programs as more successful and feel more secure today.
- The respondents who believe their institution provides necessary resources give higher ratings for IT security program success and their current sense of IT security.
- The biggest barrier to IT security is lack of resources (64.4 percent), especially at smaller institutions, followed by an academic culture of openness and autonomy (49.6 percent) and lack of awareness (36.4 percent).
- ECAR IT Security Study, 2006
Information Security Governance
- If businesses, educational institutions, and non-profit organizations are to make significant progress securing their information assets, executives must make information security an integral part of core business operations. There is no better way to accomplish this goal than to highlight it as part of the existing internal controls and policies that constitute corporate governance.
- Information Security Governance Report, Executive Summary
InfoSec Governance Self Assessment
- Organizational Reliance on IT
  - E.g., What is the impact of major system downtime on operations?
- Risk Management
  - E.g., Has your organization conducted a risk assessment and identified critical assets?
- People
  - E.g., Is there a person or organization that has information security as their primary duty?
- Processes
  - E.g., Do you have official written information security policies and procedures?
- Technology
  - E.g., Is sensitive data encrypted?
- Information Security Governance Assessment Tool for Higher Education
Policies in Place
- Individual employee responsibilities for information security practices (73 percent)
- Protection of organizational assets (73 percent)
- Managing privacy issues, including breaches of personal information (72 percent)
- Incident reporting and response (69 percent)
- Disaster recovery contingency planning (68 percent)
Policies in Place
- Investigation and correction of the causes of security failures (68 percent)
- Notification of security events to individuals, the law, etc. (67 percent)
- Sharing, storing, and transmitting data (51 percent)
- Data classification, retention, and destruction (51 percent)
- Identity Management (50 percent)
Step 2
- Define institutional data types
- Sub-steps
  - 2.1 Compliance with applicable federal and state laws and regulations, as well as contractual obligations, related to privacy and security of data held by the institution (also consider applicable international laws)
  - 2.2 Data classification schema developed with input from legal counsel and data stewards
  - 2.3 Data classification schema assigned to institutional data to the extent possible or necessary
All-In-One Compliance
| What | When | Where | Why | Wrath |
| --- | --- | --- | --- | --- |
| FERPA | 1974, amendments | National | Protect student records | No federal funding |
| GLBA | 1999 | National | Protect financial records | Fines, up to 5 years in jail |
| ECPA/CFAA | 1984, '86 amendments | National | Protect computers | Various |
| SB1386 | 2003 | California | Disclose breaches | Cost to comply, civil suit |
| PATRIOT Act | 2001 | National | Allow law enforcement access | Generally increased other penalties |
| HIPAA | 1996 thru 2003 | National | Protect health records | Max $250,000, 10 years in jail |
| PCI | 2004 | National | Protect credit cards | Restitution, fines |
Data Classification Policy
- Provides the framework necessary to:
  - Identify and classify data in order to assess risk and implement an appropriate level of security protection based on categorization.
  - Comply with legislation, regulations, and internal policies that govern the protection of data.
  - Facilitate and make the Incident Response process more efficient. The level at which the data is classified determines the level of response.
NIST Security Categorization
Example: An Enterprise Information System
| FIPS 199 | LOW | MODERATE | HIGH |
| --- | --- | --- | --- |
| Confidentiality | The loss of confidentiality could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals. | The loss of confidentiality could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals. | The loss of confidentiality could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals. |
| Integrity | The loss of integrity could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals. | The loss of integrity could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals. | The loss of integrity could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals. |
| Availability | The loss of availability could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals. | The loss of availability could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals. | The loss of availability could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals. |
Mapping Information Types to FIPS 199 Security Categories
Data Classification at GW
[Figure: a matrix of Privacy Levels (Confidential, Official, Public; highest to lowest security) against Operations Levels (Enterprise System, Department Server, Desktop/Laptop; highest to lowest operations), with a priority number from 1 to 4 in each box.]
Note: numbers in boxes suggest the priority levels for mitigating risks.
Stanford Data Classification
U of Texas-Austin Data Categories
Qualitative Risk Assessment Exercise
| System | Confidentiality (H, M, L) | Integrity (H, M, L) | Availability (H, M, L) | Total (H=3, L=1) |
| --- | --- | --- | --- | --- |
| Bookstore Cash Register System | | | | |
| Blackboard/WebCT (CMS) | | | | |
| Library Catalog | | | | |
| Admissions | | | | |
| Main web site | | | | |
| E-mail | | | | |
| Time Sheet Entry | | | | |
Step 3
- Clarify responsibilities and accountability for safeguarding confidential/sensitive data
- Sub-steps
  - 3.1 Data stewardship roles and responsibilities
  - 3.2 Legally binding third party agreements that assign responsibility for secure data handling
Example: University of North Carolina
- Data Trustee: Data trustees are senior University officials (or their designees) who have planning and policy-level responsibility for data within their functional areas and management responsibilities for defined segments of institutional data. Responsibilities include assigning data stewards, participating in establishing policies, and promoting data resource management for the good of the entire University.
- Data Steward: Data stewards are University officials having direct operational-level responsibility for information management, usually department directors. Data stewards are responsible for data access and policy implementation issues.
- Data Custodian: Information Technology Services is the data custodian. The custodian is responsible for providing a secure infrastructure in support of the data, including, but not limited to, providing physical security, backup and recovery processes, granting access privileges to system users as authorized by data trustees or their designees (usually the data stewards), and implementing and administering controls over the information.
- Data User: Data users are individuals who need and use University data as part of their assigned duties or in fulfillment of assigned roles or functions within the University community. Individuals who are given access to sensitive data have a position of special trust and as such are responsible for protecting the security and integrity of those data.
- http://its.uncg.edu/Policy_Manual/Data/
Outsourced Data Handling
- Some Drivers
  - Security of Commercial Software addressed elsewhere (Step 7.4)
  - Incidents: Mishandling by 3rd Parties
  - GLB Act: Oversight of Service Providers
  - PCI requirement
  - Federal Contracts and Grants
- Sample Contract Language
  - E-mail instructor for a copy
Step 4
- Reduce access to confidential/sensitive data not absolutely essential to institutional processes
- Sub-steps
  - 4.1 Data collection processes (including forms) should request only the minimum necessary confidential/sensitive information
  - 4.2 Application outputs (e.g., queries, hard copy reports, etc.) should provide only the minimum necessary confidential/sensitive information
  - 4.3 Inventory and review access to existing confidential/sensitive data on servers, desktops, and mobile devices
Step 4 continued
- Reduce access to confidential/sensitive data not absolutely essential to institutional processes
- Sub-steps continued
  - 4.4 Eliminate unnecessary confidential/sensitive data on servers, desktops, and mobile devices
  - 4.5 Eliminate dependence on SSNs as primary identifiers and as a form of authentication
    - Note: SSNs may need to be used for certain things (e.g., student employees, student financial aid, etc.) and we recommend that schools limit the use of SSNs to necessary processes only.
Fair Information Practices and Privacy
- General Principles of Fair Information Practice
  - Openness
  - Individual Participation
  - Collection Limitation
  - Data Quality
  - Finality
  - Security
  - Accountability
- Privacy Statements
- Privacy Policies
Solutions
- Safety Analyzer (George Washington University)
  - Sensitive Data Detection
    - SSNs with heuristics
    - Credit Card numbers with Luhn algorithm validation
  - Compromise Detection
    - Trojan file detection
    - Kernel-level rootkit detection
  - IR-related data harvesting
- Spider (Cornell University)
- SENF! (Sensitive Number Finder) (University of Texas at Austin)
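An added example, not code from the talk or from any of the tools it names, of the two detection techniques the slide attributes to Safety Analyzer: format and assignment-rule heuristics for candidate SSNs, a Luhn check for payment card numbers, and a masked report so the scan output does not itself become another copy of the data. The sample text is constructed, and the label-proximity heuristic (SSN_CONTEXT_RE, CONTEXT_WINDOW) is my own choice rather than anything the slide describes.

```python
"""Sensitive-number finder: SSN candidates are filtered by format and SSA
assignment rules, card candidates by the Luhn check, and every finding is
reported masked so the report is safe to keep."""
import re
from dataclasses import dataclass

# Hyphenated SSN (AAA-GG-SSSS). Requiring the hyphens keeps the scanner from
# flagging every bare 9-digit run such as student IDs or order numbers.
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
# 13 to 16 digits, optionally separated by single spaces or hyphens.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")
# Heuristic (assumed, not from the talk): a label shortly before a well-formed
# number raises confidence that it really is an SSN and not a look-alike.
SSN_CONTEXT_RE = re.compile(r"\b(ssn|social security)\b", re.IGNORECASE)
CONTEXT_WINDOW = 40  # characters of preceding text searched for a label

# Constructed sample input; none of these values belong to a real person.
SAMPLE = """\
Student record export (constructed sample):
name=Jane Doe, ssn=123-45-6789, id=900123456
vendor invoice card 4111 1111 1111 1111 exp 09/09
order ref 4111111111111112 (16 digits but fails Luhn, so not reported)
legacy id 000-12-3456 (area 000 never issued), phone 617-555-0100
emergency contact 234-56-7890
"""


@dataclass
class Finding:
    kind: str        # "SSN" or "CARD"
    line: int        # 1-based line number within the scanned text
    masked: str      # all but the last four digits replaced by '*'
    confidence: str  # "high" or "medium"


def plausible_ssn(area: str, group: str, serial: str) -> bool:
    """SSA assignment rules (pre-2011 randomization): area 000, 666 and
    900-999 were never issued; group 00 and serial 0000 are never valid."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return int(group) != 0 and int(serial) != 0


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check: starting from the rightmost digit, double every
    second digit, subtract 9 from doubled values above 9, sum, and require
    the total to be divisible by 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(digits: str) -> str:
    """Keep only the last four digits so the report can be stored and shared."""
    return "*" * (len(digits) - 4) + digits[-4:]


def scan_text(text: str) -> list[Finding]:
    """Return one Finding per plausible SSN or Luhn-valid card number."""
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in SSN_RE.finditer(line):
            if not plausible_ssn(*m.groups()):
                continue
            before = line[max(0, m.start() - CONTEXT_WINDOW):m.start()]
            confidence = "high" if SSN_CONTEXT_RE.search(before) else "medium"
            findings.append(Finding("SSN", line_no,
                                    mask(re.sub(r"\D", "", m.group())), confidence))
        for m in CARD_RE.finditer(line):
            digits = re.sub(r"\D", "", m.group())
            # A Luhn pass is necessary but not sufficient (about 1 in 10 random
            # digit runs pass), so CARD findings are candidates for review.
            if luhn_valid(digits):
                findings.append(Finding("CARD", line_no, mask(digits), "high"))
    return findings


if __name__ == "__main__":
    for f in scan_text(SAMPLE):
        print(f"line {f.line}: {f.kind} {f.masked} ({f.confidence} confidence)")
```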
Elimination of SSNs
- Federal and state law requires the collection of your Social Security number (SSN) for certain purposes (for example, IRS reporting forms). However, widespread use of an individual's SSN is a major privacy concern. With incidents of identity theft increasing, steps to secure an individual's SSN become more important.
- A large number of colleges and universities use SSNs as primary identifiers for faculty, staff, and students, which exposes institutions to risk because of changing legal and security environments. Therefore, many institutions are planning for the migration away from SSN use as a primary identifier. Undertaking such a task raises issues, challenges, and opportunities for any institution.
- EDUCAUSE has identified links concerning the elimination of SSNs as primary identifiers that may be useful to the higher education community.
- http://www.educause.edu/Browse/645?PARENT_ID=701
Where to be with SSNs
- Checklist for University Processes and Supporting Systems
  - SSNs requested only when essential
  - SSNs provided only when essential
  - SSN access authorized to the least number of people
  - SSNs stored only in highly secured devices and file cabinets
  - Clear SSN use policy exists
  - Responsibilities for SSN protection well communicated
  - Compliance verification processes in place
Step 5
- Establish and implement stricter controls for safeguarding confidential/sensitive data
- Sub-steps
  - 5.1 Inventory and review/remediate security of devices
  - 5.2 Configuration standards for applications, servers, desktops, and mobile devices
  - 5.3 Network level protections
  - 5.4 Encryption strategies for data in transit and at rest
Step 5 continued
- Establish and implement stricter controls for safeguarding confidential/sensitive data
- Sub-steps continued
  - 5.5 Policies regarding confidential/sensitive data on mobile devices and home computers and for data archival/storage
  - 5.6 Identity management and resource provisioning processes
  - 5.7 Secure disposal of equipment and data
  - 5.8 Consider background checks on individuals handling confidential/sensitive data
Inventory Devices
- Network Registration (NetReg)
- Commercial NAC solutions (Cisco, etc.)
- Commercial desktop management products
  - Altiris, etc.
- Manual Inventories
- Review Security of Devices
  - Network vulnerability scans
  - Local tools such as Microsoft's Baseline Security Analyzer (MBSA)
  - Manage your anti-virus for review/remediate (which ones???)
Configuration Standards
- There are recommendations available from various sources on the Internet
  - Vendors themselves
  - Center for Internet Security (http://www.cisecurity.org/)
  - NSA (http://www.nsa.gov/snac/)
- How to implement at your institution
  - Use your own published procedures
  - Publish links to the sources above
  - Create and use images
- Don't forget applications
  - Web servers
  - Mail servers
  - FTP servers
- Consider standards as part of the Software Development Life Cycle
Network Level Protections
- Intrusion Detection System
  - Snort, Dragon, NFR
- Intrusion Prevention System
  - TippingPoint, IntruShield
- Extrusion Prevention System
  - Vontu, Reconnex, Fidelis
- Database protection systems
  - Guardium, Tizor, etc.
- Network Anomaly Detection
  - Q1 Radar, Arbor, Mazu, etc. (flow analysis)
Encryption: Data in Transit
- Strategies for Data in Transit
  - Encrypt before sending (e.g. PGP)
  - Encrypt on the fly (e.g. SSL)
- Issues for Data in Transit
  - Key exchange
  - Performance
  - Choice of algorithm
- Protocols
  - SSL
  - SSH
  - Proprietary (in which case check the algorithm)
Encryption and Data at Rest
- Problems with Data at Rest
  - Theft by a network intruder
  - Physical theft (for example, a laptop)
- Data at Rest Strategies
  - Whole disk encryption
  - File encryption
- Issues
  - Key escrow
  - Cost if not using the O/S vendor's file encryption
  - Very low adoption rate in the higher ed market
Data on Mobile Devices
- Data has wings
  - PDAs and music players
  - USB memory fobs
  - Cyber-cafes
  - Home computers
- Compensating Policy
  - Written mandates
  - Practical assistance
  - Enforcement or checking is exceedingly difficult
    - Which does not mean you should not do it; if nothing else, it can be used to justify discipline
Protection of Mobile Data
- OMB Memo: Protection of Sensitive Agency Information, http://www.whitehouse.gov/omb/memoranda/fy2006/m06-16.pdf
- NIST Checklist: Protection of Remote Information
ID Management
- Access control lists (ACLs)
- Account creation
- Account deletion
- Process issues
  - Fragmentation can be addressed
    - By process improvement
    - Via technology
- Rich area of research and development
- Also commercial solutions
  - Active Directory
  - LDAP solutions
EDUCAUSE Identity Management Resources
- Recent Library Submissions (3)
  - CIC Identity Management Conference Session: Federated Identity Management and Sharing Resources (2007) by Jim Phelps, IT Architect in Academia
  - Identity Management Conference Report (2007) by Committee on Institutional Cooperation
  - A Report on the Identity Management Summit (2007) by Norma Holland, Ann West and Steve Worona, EDUCAUSE
- Most Popular Library Content (3)
  - Top-Ten IT Issues, 2006 (2006) by Barbara I. Dewey, Peter B. DeBlois, and the 2006 EDUCAUSE Current Issues Committee, EDUCAUSE
  - Safeguarding the Tower: IT Security in Higher Education 2006 (2006) by Robert B. Kvavik, with John Voloudakis, ECAR
  - Identity Management in Higher Education: A Baseline Study (2006) by Ronald Yanosky, with Gail Salaway, ECAR
- http://www.educause.edu/Browse/645?PARENT_ID=679
Equipment and Data Disposal
- Classic examples are lost backup tapes
- Magnetic media destruction can be done physically (sledgehammer) or magnetically (degaussed or multi-pass formatted) or both
- Do not ignore hard-copy data
  - Shredders
- This step can be both expensive and inconvenient
Data Sanitization Guidelines
- NIST Special Publication 800-88, Guidelines for Media Sanitization: http://csrc.nist.gov/publications/nistpubs/800-88/NISTSP800-88_rev1.pdf
- EDUCAUSE/Internet2 Security Task Force, Practical Data Sanitization Guidelines for Higher Education: https://wiki.internet2.edu/confluence/display/secguide/GuidelinesforDataSanitization
- Michigan State University, Best Practices in Disposal of Computers and Electronic Storage Media: http://computing.msu.edu/msd/documents/safecomputerdisposal.pdf
Background Checks
- Kinds of checks
  - Criminal
  - Credit
  - Resume
  - Education
- Why?
- How?
- Do you save it once it's complete?
- Do results stay in H/R or go to the hiring manager?
- If running criminal checks, how wide a net do you cast and how legitimate can you be?
Security Approaches in Place
- Perimeter firewalls: 77 percent
- Centralized backups: 77 percent
- VPNs for remote access: 75 percent
- Enterprise directory: 75 percent
- Interior network firewalls: 65 percent
- Intrusion detection: 62 percent
- Active filtering: 59 percent
- Intrusion prevention: 44 percent (up from 33 percent)
- Security Standards for Applications: 32 percent (up from 27 percent)
- ECAR IT Security Study, 2006
78Step 6
- Provide awareness and training
- Sub-steps
- 6.1 Make confidential/sensitive data handlers
aware of privacy and security requirements - 6.2 Require acknowledgement by data users of
their responsibility for safeguarding such data - 6.3 Enhance general privacy and security
awareness programs to specifically address
safeguarding confidential/sensitive data - 6.4 Collaboration mechanisms such as e-mail have
strengths and limitations in terms of access
control, which must be clearly communicated and
understood so that the data will be safe-guarded
79 Awareness Training
- Who needs awareness (consciousness-raising)? All Users!
- Executives
- Faculty
- Staff
- Students
- Users of Sensitive Data
- IT Staff
- Training (skills development)
- Especially for data stewards, IT staff, and the information security team
80 Why? Who's the Threat?
81 Cybersecurity Awareness Resources CD
- The Awareness and Training Working Group of the EDUCAUSE/Internet2 Security Task Force compiled cybersecurity awareness resources distributed on a CD, which are now on the web site.
- The resources were collected to showcase the variety of security awareness efforts underway at institutions of higher education and to provide resources for colleges and universities that are looking to jump-start a program for their organization.
82 What's on the Web Site?
- Pamphlets
- Post Cards
- Presentations
- Security Awareness Documents
- Security Cards
- Security Tools
- Security Quizzes
- Surveys
- Videos
- Book Marks
- Brochures
- Checklists
- Flyers
- Games
- Government Resources
- Handouts
- Industry Resources
- Links to Schools' Security Web Page(s)
83 Awareness Programs
                  Students   Faculty   Staff
Program 2003          39.2      38.2    42.2
Program 2005          62.3      68.8    69.1
Percent change        23.1      30.6    26.9
- ECAR IT Security Study, 2006
84 When I Go To U.Va.
http://www.itc.virginia.edu/pubs/docs/RespComp/videos/when-I-go-to-UVA-lg.mov
85 Security Awareness Exercise
- Outline a Plan for a Security Awareness Campaign About Managing Sensitive Data
- Who is your target audience?
- How will you market it?
- What are your key messages?
- What method of delivery will you use?
- How will you measure its effectiveness?
86 Step 7
- Verify compliance routinely with your policies and procedures
- Sub-steps
- 7.1 Routinely test network-connected devices and services for weaknesses in operating systems, applications, and encryption
- 7.2 Routinely scan servers, desktops, mobile devices, and networks containing confidential/sensitive data to verify compliance
- 7.3 Routinely audit access privileges
- 7.4 Procurement procedures and contract language to ensure proper data handling is maintained
87 Step 7 continued
- Verify compliance routinely with your policies and procedures
- Sub-steps continued
- 7.5 System development methodologies that prevent new data handling problems from being introduced into the environment
- 7.6 Utilize the audit function within the institution to verify compliance
- 7.7 Incident response policies and procedures
- 7.8 Conduct regular meetings with stakeholders such as data stewards, legal counsel, compliance officers, public safety, public relations, and IT groups to review institutional risk and compliance and to revise existing policies and procedures as needed
89 Routine Testing
- Network Admission Control (NAC)
- Test(s) at network registration
- But not all weaknesses are caught by commercial testing programs (scanners)
- Encryption can be tricky
- Network sniffing
- Examine configuration files
- For applications, this can mean re-running regression tests after changes
91 Routine Scanning
- Vulnerability Scanners
- Nessus
- ISS
- GFI LANGuard
- eEye Retina
- Local confidential data scanners
- GW Safety Analyzer
- Cornell Spider
- U.Texas SENF (Sensitive Number Finder)
- (follow-up on 4.3)
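As an added illustration (not code from the deck, nor from Spider, SENF or the GW tool), here is a small Python sensitive-number finder in the spirit of those local scanners: it looks for SSN and 16-digit card patterns, runs the Luhn checksum to discard most false card hits, and masks what it reports. The sample "files" and the numbers in them are constructed test values, not real records.

```python
import re

# Candidate patterns: 16 digits with optional space/dash separators (card numbers)
# and US Social Security Numbers written NNN-NN-NNNN, excluding never-issued areas.
CARD_RE = re.compile(r"\b(?:\d[ -]?){15}\d\b")
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; rejects most random 16-digit strings (tracking numbers, IDs)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        n = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            n = n * 2 - 9 if n * 2 > 9 else n * 2
        total += n
    return total % 10 == 0


def mask(value: str) -> str:
    """Keep only the last four digits so the scan report itself is not sensitive."""
    digits = re.sub(r"\D", "", value)
    return "*" * (len(digits) - 4) + digits[-4:]


def scan_text(name: str, text: str) -> list:
    """Return (file, line number, kind, masked value) tuples for each hit."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in CARD_RE.finditer(line):
            digits = re.sub(r"\D", "", m.group())
            if luhn_ok(digits):
                hits.append((name, lineno, "card", mask(digits)))
        for m in SSN_RE.finditer(line):
            hits.append((name, lineno, "ssn", mask(m.group())))
    return hits


# Constructed sample files: one well-known card test number, one number that
# looks like a card but fails Luhn, one SSN-shaped value and one invalid SSN.
SAMPLE_FILES = {
    "advising_notes.txt": "Student paid with card 4111 1111 1111 1111 on 3/2.\n"
                          "Order ref 1234 5678 9012 3456 is a tracking number.\n",
    "old_roster.csv": "name,ssn\nJane Doe,219-09-9999\nJohn Roe,000-12-3456\n",
}

if __name__ == "__main__":
    for fname, text in SAMPLE_FILES.items():
        for hit in scan_text(fname, text):
            print("%s:%d %s %s" % hit)
```

Run against a real file tree, the same `scan_text` would be applied to each file's contents; the Luhn filter and the SSN area/group exclusions are what keep the hit list reviewable.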
93 Routine Audits
- Copy your external auditors?
- What persons, groups, or roles have access?
- Should have access?
- Check terminated employees against the list
- Transfers to new internal jobs as well
- Unclear as to the wisdom of letting them know you're coming
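The terminated-employee and transfer checks above, as an added example (not from the deck or any institution's tooling): an HR roster is reconciled against a system's access grants, flagging grants held by separated staff, grants issued for a department the person has since left, and accounts with no HR record at all. Both data sets are constructed.

```python
from collections import namedtuple

# Constructed sample data: an HR roster and the access-control list for one system.
Employee = namedtuple("Employee", "emp_id name status dept")
Grant = namedtuple("Grant", "account emp_id resource granted_for_dept")

ROSTER = [
    Employee("1001", "A. Alvarez", "active", "Bursar"),
    Employee("1002", "B. Brown", "terminated", "Bursar"),
    Employee("1003", "C. Chen", "active", "Admissions"),   # transferred out of Bursar
    Employee("1004", "D. Diaz", "active", "Registrar"),
]
ACCESS = [
    Grant("aalvarez", "1001", "student_accounts_db", "Bursar"),
    Grant("bbrown", "1002", "student_accounts_db", "Bursar"),
    Grant("cchen", "1003", "student_accounts_db", "Bursar"),
    Grant("ddiaz", "1004", "registrar_db", "Registrar"),
    Grant("svc_legacy", "9999", "student_accounts_db", "Bursar"),  # nobody in HR
]


def audit_access(roster, access):
    """Compare grants against HR and return (account, finding) pairs.

    Findings: 'terminated' (grant still held by a separated employee),
    'transferred' (grant issued for a department the employee has left),
    'orphan' (no matching HR record, e.g. an old service or shared account).
    """
    by_id = {e.emp_id: e for e in roster}
    findings = []
    for g in access:
        emp = by_id.get(g.emp_id)
        if emp is None:
            findings.append((g.account, "orphan"))
        elif emp.status == "terminated":
            findings.append((g.account, "terminated"))
        elif emp.dept != g.granted_for_dept:
            findings.append((g.account, "transferred"))
    return findings


if __name__ == "__main__":
    for account, finding in audit_access(ROSTER, ACCESS):
        print("%-12s %s" % (account, finding))
```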
95 Procurement Practices
- Contracts in the U.S. establish your rights -- very few rights are guaranteed
- Are any vendors subject to your policies, or to any other statute governing their handling of your data?
- Does their contract acknowledge this?
- How are the vendors liable?
- Your judgment, theirs, or a court's?
96 Step 7 continued
- Verify compliance routinely with your policies and procedures
- Sub-steps continued
- 7.5 System development methodologies that prevent new data handling problems from being introduced into the environment
- 7.6 Utilize the audit function within the institution to verify compliance
- 7.7 Incident response policies and procedures
- 7.8 Conduct regular meetings with stakeholders such as data stewards, legal counsel, compliance officers, public safety, public relations, and IT groups to review institutional risk and compliance and to revise existing policies and procedures as needed
97 System Development
- Add security to your software development life cycle
- When
- Requirements
- Vendor analysis or architecture development
- Test
- Turnover
- Consider canned methodologies only if they incorporate security
99 Audit Function
- Auditor -- friend or enemy?
- Audit reports generally go higher in the organization than security memos
- Audit staff has some skills at compliance and testing against a process or procedure
- Use them to double-check yourself and to check things that you can't due to time or political constraints
101 Incident Response
- An incident response structure is a necessity
- Rich vein of material on this -- the blueprint has links
- Cut down the time data is exposed
103 Continuous Improvement
- Keep it current
- Keep them current
- Keep within the law
- Keep exploiting new technology
104 FTC Guide: Protecting Personal Information
- Take stock. Know what personal information you have in your files and on your computers.
- Scale down. Keep only what you need for your business.
- Lock it. Protect the information that you keep.
- Pitch it. Properly dispose of what you no longer need.
- Plan ahead. Create a plan to respond to security incidents.
105 Putting It All Together
- Moving from Planning to Action!
106 The Blueprint
- Discussion
- How will you use the blueprint?
- Do you have suggestions to improve it?
- Do you have resources or effective practices to
submit?
107 Wrap-Up
- Question & Answer
- Seminar Evaluation & Feedback
- Program ends at 12:00pm
108 For more information
- David Escalante, Email: david.escalante_at_bc.edu, Phone: 617-552-6060
- EDUCAUSE/Internet2 Security Task Force: www.educause.edu/security
- EDUCAUSE Center for Applied Research: www.educause.edu/ECAR
- Blueprint for Handling Sensitive Data: wiki.internet2.edu/confluence/display/secguide
109 Case Study
- Group Discussion
- Who do you need to include (or otherwise consult) as part of the emergency meeting?
- What core messages will you plan to deliver at the press conference?
- What kinds of questions should you anticipate from reporters or potential victims?