Securing Your Campus: What Every CIO Should Be Doing - PowerPoint PPT Presentation

About This Presentation
Title:

Securing Your Campus: What Every CIO Should Be Doing

Description:

Securing Your Campus: What Every CIO Should Be Doing. Joy Hughes, CIO, George Mason University, jhughes_at_gmu.edu; Peter M. Siegel, CIO, University of California, Davis. PowerPoint PPT presentation.

Slides: 141
Provided by: vpietUcda
Learn more at: http://vpiet.ucdavis.edu
Transcript and Presenter's Notes



1
Securing Your Campus: What Every CIO Should Be Doing
  • Joy Hughes
  • CIO, George Mason University
  • jhughes_at_gmu.edu
  • Peter M. Siegel
  • CIO, University of California, Davis
  • pmsiegel_at_ucdavis.edu
  • Jack Suess
  • VP of IT, U of Maryland, Baltimore County
  • jack_at_umbc.edu

2
Seminar Logistics
  • Seminar 11A - Securing Your Campus: What Every
    CIO Should Be Doing
  • 8:30 to Noon
  • Please check your name off the list.
  • Break is at 10:00 - 10:15
  • Materials
  • Seminar booklet with slides
  • CD containing security resources

3
Securing Your Campus: What Every CIO Should Be Doing
  • This seminar will focus on the senior IT leader's
    role in securing the campus. It will leverage the
    work produced by the Security Task Force to help
    IT leaders understand current security issues and
    future trends. Special emphasis will be placed on
    using community resources to improve handling of
    sensitive data, preventing and responding to
    security incidents, and establishing security
    awareness programs on campus.

4
Basic Principles
  • Pete Siegel

5
Learning Objectives
  • Develop understanding of the importance of proper
    incident handling when a security incident occurs
  • Examine and discuss the ethical gray areas
    associated with security incidents.
  • Review the security resources available to help
    you at your campus.
  • Identify steps you can take now to improve
    security at your campus
  • Review the role of privacy in campus planning

6
What Is Information Security?
  • Programs, policies, and practices to maintain the
    Integrity, Availability and Confidentiality of
    Electronic Information

Robert Ono, UC Davis
7
Major Components of an Information Security
Program
Robert Ono, UC Davis
8
Security Checkpoint
  • How many of you in the past 18 months have
    completed
  • A risk assessment?
  • A comprehensive security plan?

9
ECAR Preliminary Results
  • In November 2005 ECAR replicated its study done
    in 2003. Some general findings:
  • Security technology is being deployed as quickly
    as funding permits
  • Staffing and funding for security has increased
  • Only 51% reported having done a risk assessment.
  • 11% report having a comprehensive security plan
  • With this increase in funding, why do things
    appear to be getting worse?
  • People and process issues are always the hardest!

10
Security Checkpoint
  • How many information security staff (in FTEs) do
    you have?
  • Has the number increased in the past 2 years?
  • Quip of the Day
  • If you have to think about whether they are
    doing I.T. security or not, then don't count
    them.
  • Paraphrase of George Strawn, NSF CIO,
    Cybersecurity Summit, Sep 2004

11
ECAR - Staffing complement and structure varies
significantly
  • 50% of respondents had at least one full time
    security staff member, with multi-person staffs
    most often reported at institutions with larger
    numbers of devices (10,000) on their networks
  • 66% of respondents indicated that they did not
    expect the size of their IT security staff to
    change in the next two years. 25% expected to
    add one staff member, and 9% expected to add two
    or more

12
Security Responsibility: ECAR 2003 Results
13
Where IT Security Officer Reports: ECAR 2003 Results
14
Major Components of an Information Security
Program
  • One way to think about it: [diagram not
    reproduced in transcript]

15
Major Components of an Information Security
Program
  • Metaphor of FIREFIGHTING
  • Prevention / Avoidance
    • Fire codes, building codes, research
  • Assurance
    • Building inspections, fire drills, assessment
  • Response
    • Fire detectors, pulling alarms, getting everyone
      out, warning neighbors
    • Actually putting out fires!
  • Recovery and Investigation
    • Cleanup, hotel stay, rebuilding according to
      code, code citations

Putting out fires
16
Actions We Recommend
  • By the end of the talk, you as
    • CIOs
    • I.T. unit directors and managers
  • will have a set of take-away action items
    identified as effective, community
    practices

17
Actions for CIOs
  • i. Designate an information security officer
    and organizationally place this position in an
    effective location.
  • ii. Review your institutional security policy.
    Does the policy define security governance? Is
    the policy clear with respect to requirements and
    responsibilities?
  • iii. Review the security model which underlies
    your institution's security program. Does the
    program address prevention, assurance, response
    and recovery? Do security program initiatives
    correspond to the identified system/network/data
    risks and regulatory controls?
  • iv. Review the process by which core
    institutional data is identified and protected.
  • v. Review your institutional strategic plan and
    information security long-term plans for
    congruence.

18
Actions for IT unit directors and Managers
  • i. Assign specific technical staff members
    to support your information security program.
    Ensure that staff members understand their
    responsibilities and are sufficiently trained to
    carry out these responsibilities.
  • ii. Conduct unit security awareness for
    non-technical staff. Effective security practices
    require the participation of everyone in the
    unit.
  • iii.     Conduct periodic risk assessments
    of your information systems and data using a team
    of administrators and technical staff. Verify
    that security work objectives will reduce
    vulnerabilities within high-risk security areas.
  • iv.     Adopt an organizational framework
    for security management. Review information
    security work objectives and progress on a
    regular basis. Focus measurement on reliable
    metrics wherever possible.
  • v.     Align unit security practices with
    institutional requirements. Review unit
    compliance to institutional security policies and
    regulations.

19
Information Security Challenges
  • The Challenges
  • Too few resources
  • Too much to do
  • We can't get everyone to buy in
  • It will take time
  • No, really, too few resources
  • Solution?

20
Challenges: Handling complexity by risk assessment
  • Solution
  • Share the risk (and responsibility)
  • View the issues as campus issues, not as I.T.
    issues
  • Carefully consider risks; address higher-risk
    issues first, then progressively more of the rest
  • Not everything can be accomplished in a single
    year
  • Estimate risk against cost (including effort,
    local expertise)

21
Information Security Challenges
Robert Ono, UC Davis
22
Information Security Challenges
Discussion
[Matrix: Low Effort / High Effort against High Risk /
Low Risk; figure not reproduced in transcript]
23
Data Breaches
24
A Sampling of Incidents
25
August 2007
26
July 2007
27
September 29, 2006
28
September 29, 2006
29
September 27, 2006
30
September 22, 2006
31
August 4, 2006
32
June 30, 2006
33
June 16, 2006
34
The Crisis in Confidential Data Disclosure on
Campus
  • To see just what the situation is:
    www.privacyrights.org/ar/ChronDataBreaches.htm
  • Some Facts -
  • January 2005 to August 2007:
    159,054,253 private records disclosed
  • This represents only the tip of the iceberg, and
    the problem is more substantial than these data
    indicate

35
Security Breaches are Increasing
  • More data available & at risk
  • Institutions providing 24x7 Internet access
  • Staff & faculty moving to laptops & wireless
  • Internet increasingly hostile
  • Botnets & home broadband: a bad combination
  • Organized crime now engaged - lucrative targets
  • HE gaps in policy, resources, expertise
  • Numerous breaches outside purview of central IT
  • Some believe campuses are being targeted
  • Governing boards, legislators, public upset

36
Funding Agencies becoming concerned
  • Granting agencies increasingly expect
    sophisticated security plans to be part of grants
  • NSF: Large Centers now, but likely to expand
  • NIH
  • Faculty need to be part of your campus plan, not
    (in general) create their own

37
Laws and Policy Privacy / Security
  • HIPAA Privacy Rule - Health Insurance Portability
    and Accountability Act
  • FERPA - Family Educational Rights and Privacy Act
  • California Information Practices Act
  • Notification - 1798 California Civil Code
  • PCI - Payment Card Industry standards

Your state goes here!
38
Laws and Policies Privacy / Security
  • FISMA - Federal Information Security Management
    Act
  • On your campus
  • Privacy Standards / Policies
  • Communications Policies
  • Cyber-safety Policy and Security Standards

39
Data Breaches Good News
  • Academic institutions represent only about 2% of
    the records exposed during breaches in 2007
  • Academic institutions report the largest number
    of incidents (compared with business, medical,
    K-12)
  • Tradition of openness
  • Relatively sophisticated detection
  • Improving steadily
  • More work needs to be done

40
More States Require Notification
35 States as of Jan 2007
  • Courtesy of U. of Georgia

http://infosec.uga.edu/policymanagement/breachnotificationlaws.php
41
Notification: an Ethical Response
  • Fear of Identity Theft
  • Nearly 100m identities released in recent years!
  • Press is making this a big issue, because their
    readers are concerned
  • Companies see money to be made by protecting
    people from ID theft and hype threats
  • Privacy groups want to use this issue to change
    data practices in companies
  • Result - average person, our students, faculty,
    and staff are worried!

42
Identity Theft Is Big Business
Jan 22, 2007 14:23 ET: LifeLock Begins Working
With Rush Limbaugh
TEMPE, AZ -- (MARKET WIRE) -- January 22, 2007 --
LifeLock, the leader in ID Theft prevention,
today announced a new radio advertising campaign
with the nationally syndicated radio program,
"The Rush Limbaugh Show," that will communicate a
powerful, consistent message about preventing the
rapidly growing crime of identity theft.
(http://www.marketwire.com/mw/release.do?id=725647&sourceType=1)
43
Identity Theft is Big Business
44
Case Study
  • Jack Suess

45
A Case Study
  • Based on real incident at large public institution

46
2003 Incidents at UT
  • 2003: Central admin database system breached;
    45,000 names/SSNs exposed
  • The importance of this incident was that it was
    one of the first higher education data incidents
    to get national media coverage.
  • It is also one of the few (possibly the only one
    in higher ed) in which the person who did this was
    caught and successfully prosecuted.
  • Credit for these slides goes to our colleague
    Dan Updegrove, VP of IT at UT during this period.

47
2003 SSN Data Theft Chronology
  • Sun, Mar 2: initial observation of high-volume
    database access from off-campus
  • Mar 3: Law enforcement & ISPs contacted
  • Mar 4: Evidence points to UT undergrad student
  • Mar 5: 2 residences searched by U.S. Secret
    Service; press breaks story; UT datatheft
    website
  • Mar 14: Student arrested
  • Jun 10, 2005: Student convicted in Federal court
  • Sep 6, 2005: Student sentenced to 5 yrs community
    svc, $170K restitution; sentence under appeal

48
Case Study Overview
  • Why was UT vulnerable?
  • What did the attacker do?
  • How did UT respond?
  • Plea bargaining, trial, sentencing, (appeal?)
  • What was the cost to UT?
  • Lessons learned from this incident?

49
Why UT was vulnerable
  • Used SSN as a primary key in some of its legacy
    business systems that validated you had completed
    safety training.
  • To help another UT campus it created a backdoor
    whereby you could enter your SSN to view your
    safety training record.
  • As the application evolved from mainframe to web,
    the developers didn't recognize the risk inherent
    in this.
  • The irony is that one week later UT had
    planned to shut down this application!

50
Break-in Discovered on Sunday
  • Application malfunctioned last week of Feb
  • Errors attributed to recent software mods
  • Applications analyst, checking the system Sunday
    evening, March 2, observed thousands of
    incremental SSN inputs, all from same IP address,
    in Houston
  • Application shut down immediately

51
UT's Response - Sunday Night
  • Requested Houston ISP freeze logs
  • Contacted law enforcement
  • Reinstalled TXCLAS with dummy data
  • Analyzed prior weeks' logs, found similar
    enumeration attack from one Austin ISP
  • Analyzed other system logs, identified activity
    in authenticated systems from a UT student with
    home address in Houston

52
Law Enforcement Engages - Monday
  • Subpoena verifies IP addresses in Austin &
    Houston correspond to the student
  • UT provides technical report on nature, origins,
    and impact of attack: 2.5M inputs resulting in
    45K matches
  • Judge authorizes search warrants
  • Wed. evening both residences searched; desktop
    computer & related material seized; student
    confesses

53
Press Engages - Wednesday
  • Story leaked to Austin American-Statesman
  • Large breach, risk of ID theft to 45,000;
    reporter agrees to publish a UT URL
  • AA-S story hits wire services Wed evening
  • www.utexas.edu/datatheft/ launched
  • Press conference held Thursday, Mar 6
  • Suspect formally arrested Friday, Mar 14

54
Notifying the Victims
  • UT assigned highest priority to notifying all
    45,000 individuals via U.S. mail if possible
  • Lacked current addresses for many, so
  • Website requested current address information
  • 800 number setup 24x7 for several weeks
  • Key messages -- beyond "UT is sorry"
  • Data theft not necessarily identity theft
  • No-cost fraud alerts recommended

55
Notifying Victims - 2
  • Many letters returned for obsolete addresses
  • UT purchased addresses from com services
  • Some of these addresses bounced as well
  • Not all victims fluent in English
  • Website (English & Spanish) provided updates
  • Some victims reported credit irregularities, but
    none, to date, determined to be linked to SSNs

56
Additional Forensic Analysis
  • Rogue TXCLAS activity from Austin IP shown in
    daily logs back to Sept, 2002
  • Unusual patterns in weekly aggregate log records
    from spring, 2002
  • No TXCLAS breaches documented from other sources
  • No other systems breached from same IP
  • Same student had been cited three times for AUP
    violations in UT dorm, spring 2002

57
Matching the PC to the Logs
  • Secret Service analysis of the PC showed strong
    match to UT's system logs
  • Cracking program found
  • No evidence that vulnerability or data were
    shared nor data exploited
  • Evidence of other rogue activity
    • Cracking other computers, incl. businesses
    • Downloading Texas genealogy data

58
20 Months of Delay
  • Suspect completed spring semester at UT
  • Lead US Attorney replaced twice
  • Intermittent plea bargaining
  • Suspect withdrew from UT
  • Indictment finally issued Nov. 2004

59
4-Count Federal Indictment
  • accessed a protected computer without
    authorization and recklessly caused damage of at
    least $5,000 ($120,000 to UT)
  • with intent to defraud possessed 15 or more
    access devices (37,000 SSNs)
  • credit card, bank account, and/or SSNs not
    from UT
  • possessed 37,000 ID docs of U.S.

60
The Trial: June 6-10, 2005
  • Witnesses from UT
    • Applications Specialist who discovered break-in
    • Information Security Officer
    • Director of Systems
    • Deputy CIO who managed victim notification
    • CIO
  • Victims
    • A fellow UT student & parents of another student
    • Business manager from an El Paso jewelry store

61
Prosecution Arguments
  • Evidence from defendant's computer revealed years
    of rogue behavior, including 3 warnings from UT
    in 2002
  • UT break-in uncontested, and genealogy data that
    could have been matched to UT names & SSNs showed
    intent to defraud
  • Credit card data also showed fraud intent
  • Substantial harm to the community

62
Defense Arguments
  • Student loved computers & wanted trophies
  • SSN script well-crafted, not reckless
  • No evidence of intent to defraud
    • Data on hard drive for months/years
    • No communication with other crackers
    • Very simple life style
  • UT's TXCLAS system not secure
  • UT inflated damage claims (no overtime)

63
Measuring the Damages
  • Overloaded system crashed: $1,240
  • Staff time to conduct damage assessment (respond,
    inspect logs, search for other possible breaches,
    etc.): $109,000
  • Staff time & hard-dollar costs to notify victims
    (website, 800 number, help desk, printing,
    mailing): $61,000
  • Staff time to support Secret Service, US
    Attorney's Office: not counted

64
Damages Different Dimensions
  • Guilt or innocence on 1st count: greater than
    $5,000 in damages?
  • Federal sentencing guidelines: step function adds
    months in prison as damages increase
  • Restitution: UT was advised that costs to notify
    victims could be included
  • UT's reputation: priceless!

65
The Jury Decides
  • Guilty
    • accessed a protected computer and recklessly
      caused damage of at least $5,000 ($120,000 to UT)
    • possessed 37,000 ID docs of U.S., but
      subsequently dismissed as statute was not in
      force in early 2003!
  • Not guilty
    • with intent to defraud possessed 15 or more
      access devices (37,000 SSNs)
    • with intent to defraud possessed credit card,
      bank account, and/or SSNs not from UT

66
Sentencing
  • 5 years probation, with no "un-monitored"
    Internet access (how will this be enforced?)
  • 500 hours community service
  • No fine
  • Full restitution to UT, in the amount of
    $170,056
  • (US Attorney's Office had sought Federal prison
    time, and Judge stated that, under Federal
    sentencing guidelines, attacker could have been
    required to serve 15-21 months.)

67
Coda An Appeal?
  • "We will appeal the conviction on the grounds
    that he did not act recklessly, an adverb that
    has no federal criminal definition," said Austin
    lawyer, who now represents the student. He will,
    however, begin probation immediately. "He
    certainly didn't intend to cause the university
    any damage - I don't think there's any doubt
    about that," Kirk said. "If the judge had thought
    that, then he wouldn't have given probation."

68
What They Did Right
  • Maintained extensive logs
  • Contacted law enforcement quickly
  • Assembled response team
    • Central IT: ISO, Systems, Network, User Svcs
    • Human Resources & Student Info Systems
    • Legal Affairs
    • Public Affairs
  • Alerted President's Office

69
Did Right - 2
  • Focused on mitigating risk to victims
  • Key message to law enforcement & press
  • Committed to disclosure (w/in legal limits)
  • Created datatheft website asap
    • Platform for University's official statements
  • Advice to victims
  • Feedback channel from victims, potential victims
  • Data theft not necessarily identity theft

70
Did Right - 3
  • Strong commitment to communication
    • Link to email: over 2,000
    • Link to data form: over 6,500
    • Toll-free hotline: over 3,000
  • Two email msgs to these groups
  • U.S. mail to all with addresses
  • Monitored news media daily
  • Prepared graphics for testimony
  • Told the truth

71
Did Right - 4
  • Systematic logging of expenses & time
    • 2,400 hours conducting damage assessment
    • 1,500 hours responding to the offense
  • Thorough documentation at each step
  • Essential when staff called to testify 27 months
    after the offense
  • Needed to support three separate prosecutors,
    jury trial and possible appeal

72
Lessons Learned
  • SSNs as university IDs are a bad idea
  • Leads to SSN use in input, displays, reports
  • Exposure of U ID risks identity theft
  • 3 strikes, but student wasn't out: some
    breakdown between ISO & Student Judicial
    Services; should have required in-person meetings
    & escalation of sanctions

73
Lessons - 2
  • Software design/development/testing
  • Original application assumed trusted users
  • No checks for bad or repeated inputs
  • No logic checks when user base expanded
  • Unified database: 1.5M records exposed
  • Web/Internet-enablement adds risk
  • Lost mainframe/3270 security by obscurity
  • Anytime/anywhere presumed, even if unneeded

74
Lessons - 3
  • Remote university accommodated
  • Unwise to offer unauthenticated access
  • This access should have been restricted to:
    • IP address range corresponding to campus only
    • Time of day
  • Each incremental change reasonable
  • No one looked at the big picture
  • Internet risks not front of mind for programmers
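The detection that exposed the break-in (thousands of incremental inputs from one address, noticed only by an analyst reading logs) and the two lessons above (check for bad or repeated inputs; restrict unauthenticated access by campus IP range and time of day) can be made concrete in code. The following is an added example written for this transcript, not material from the seminar, from UT, or from the TXCLAS application; the log format, the addresses, the campus network range, the service-hours window and the thresholds are all constructed assumptions.

```python
"""Enumeration detection and access-restriction checks for a record lookup.

Added example, not from the seminar or the UT incident materials. The log
format, addresses, campus network range, service-hours window and the
thresholds below are constructed assumptions chosen to illustrate the
lessons: flag high-volume consecutive input from one source, and gate the
service by source address range, time of day and per-source rate.
"""
from collections import defaultdict
from datetime import datetime, time
import ipaddress

# Constructed sample log in a hypothetical "timestamp source_ip lookup_id result"
# format. The first source walks through consecutive identifiers (the pattern
# the UT analyst noticed); the other two are ordinary single lookups.
SAMPLE_LOG = """\
2003-03-02T21:00:01 192.0.2.10 450000001 miss
2003-03-02T21:00:01 192.0.2.10 450000002 miss
2003-03-02T21:00:02 192.0.2.10 450000003 hit
2003-03-02T21:00:02 192.0.2.10 450000004 miss
2003-03-02T21:00:03 192.0.2.10 450000005 miss
2003-03-02T21:00:03 192.0.2.10 450000006 miss
2003-03-02T10:15:44 198.51.100.7 312445678 hit
2003-03-03T09:02:10 198.51.100.9 555123987 miss
2003-03-03T09:03:12 198.51.100.9 555123987 hit
"""

# Assumed policy values (constructed for this example).
CAMPUS_NETWORK = ipaddress.ip_network("198.51.100.0/24")
SERVICE_HOURS = (time(7, 0), time(19, 0))


def parse_log(text):
    """Parse the constructed log into (timestamp, ip, lookup_id, result) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, lookup_id, result = line.split()
        records.append((datetime.fromisoformat(ts), ip, lookup_id, result))
    # Stable sort keeps same-second entries in their logged order.
    return sorted(records, key=lambda r: r[0])


def find_enumeration(records, min_attempts=5, min_sequential_fraction=0.8):
    """Flag sources whose inputs are numerous and mostly consecutive.

    A legitimate user looks up one identifier (perhaps with a retry); an
    enumeration walks through the identifier space, so a long run of
    consecutive values plus a high miss rate from one source is the signal.
    Returns {ip: {"attempts", "sequential_fraction", "miss_rate"}}.
    """
    by_ip = defaultdict(list)
    for _, ip, lookup_id, result in records:
        by_ip[ip].append((lookup_id, result))
    suspects = {}
    for ip, rows in by_ip.items():
        if len(rows) < min_attempts:
            continue
        ids = [int(lookup_id) for lookup_id, _ in rows]
        steps = sum(1 for a, b in zip(ids, ids[1:]) if b - a == 1)
        fraction = steps / (len(ids) - 1)
        if fraction >= min_sequential_fraction:
            misses = sum(1 for _, result in rows if result == "miss")
            suspects[ip] = {
                "attempts": len(rows),
                "sequential_fraction": fraction,
                "miss_rate": misses / len(rows),
            }
    return suspects


def access_allowed(ts_iso, ip, attempts_last_hour, max_attempts_per_hour=20):
    """Gate one lookup request by source range, time of day and per-source rate.

    ts_iso is the request time as an ISO 8601 string; attempts_last_hour is the
    caller's count of earlier requests from this source. Returns (allowed, reason).
    """
    ts = datetime.fromisoformat(ts_iso)
    if ipaddress.ip_address(ip) not in CAMPUS_NETWORK:
        return False, "source outside campus address range"
    if not SERVICE_HOURS[0] <= ts.time() <= SERVICE_HOURS[1]:
        return False, "outside service hours"
    if attempts_last_hour >= max_attempts_per_hour:
        return False, "per-source rate limit exceeded"
    return True, "ok"


if __name__ == "__main__":
    for ip, summary in find_enumeration(parse_log(SAMPLE_LOG)).items():
        print(f"suspected enumeration from {ip}: {summary}")
    print(access_allowed("2003-03-02T21:00:01", "192.0.2.10", 0))
    print(access_allowed("2003-03-03T09:02:10", "198.51.100.9", 0))
```

Run over the constructed log, the detector flags only the off-campus source with six consecutive identifiers and a five-in-six miss rate; the two campus lookups fall below the attempt threshold. The gate turns the same request away for two independent reasons (off-campus source, evening hours), which is the point of the lesson: each restriction alone would have been a reasonable incremental change, and together they close the unauthenticated path that the application left open.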

75
Lessons - 4
  • Unified databases create their own risks
  • Obscure app can expose the entire database
  • Apps programmers don't necessarily know the
    extent of database records & fields
  • Is it reasonable to keep retired records forever
    in the production database?
  • Intrusion Detection Systems in place now, but
    not then

76
Lessons - 5
  • Security breaches are very costly
  • Disruption of normal operations
    • Diversion of staff for 30 months in UT case
    • Direct costs of victim notification
    • Secondary diversion: additional audits, reports
  • Negative PR may be the biggest cost
    • Security breaches make news, especially ID theft
    • Direct impact on your key constituents
    • Your story can live for a very long time

77
Wrap-Up
  • UT was fortunate
    • Intruder acted alone & was local/identifiable
    • Full restitution has been ordered
  • Victims were fortunate, apparently
    • UT & law enforcement acted promptly
    • Victims provided with risk mitigation info
    • No evidence that data were exploited
  • Such orderly outcomes are very rare

78
References
  • UT Austin data theft website:
    www.utexas.edu/datatheft
  • Security Task Force: www.educause.edu/security/

79
Incident Response Planning
  • Jack Suess

80
Incident Response Planning
  • No university can be certain it is secure and
    immune from an incident.
  • As part of your security planning, you should
    take time when it is not a crisis to prepare your
    campus on how to respond.
  • Step 1: Incident response is a campus
    responsibility; involve the campus in the
    planning! Georgia Tech has a good collaborative
    approach

81
(No Transcript)
82
Incident Response Technical Resources
  • NIST publication 800-61, Incident Handling Guide
    is a good resource
  • SANS offers good technical courses on incident
    response for technical staff
  • Security professionals conference will have
    sessions on this
  • Take time to debrief staff on lessons learned
    when an incident occurs

83
Incident Handling: When Do You Notify?
  • CD contains resources on this from different
    groups. In some states there is little choice.
  • Better to err towards notification unless you can
    look into a camera and have a credible reason for
    why you didn't notify.
  • The key to not notifying is evidence that data
    was not accessed -- logging and forensics are
    essential to proving this.

84
Incident Notification - What to do When it
Happens!
  • On your CD: STF document on Data Notification
    Procedures
  • Generate a press release
  • Identify a spokesperson for the institution
  • Develop a notification letter to go out
  • Develop an incident-specific website to refer
    people to
  • Develop FAQ, resources for people to use
  • Cost is between $4 and $10 per SSN

85
Incident Handling: Dealing With the Stress
  • CIOs often are designated the point person for
    these events.
  • These are stressful events.
  • People on campus are upset and feel betrayed.
    Don't take it personally.
  • This has to be looked at as an institutional
    problem; the executive team must recognize this
    as a campus issue and provide support for
    increased funding, staffing, and policies. If
    not, update your resume and look elsewhere!

86
Shared Governance Is Key
  • On some campuses (e.g. UC Davis, UIUC)
  • The dean or vice chancellor of record (i.e. to
    which the unit with incident reports) is
    identified spokesperson
  • College (or responsible unit) pays mitigation
    costs
  • Campus safeguards (firewalls, incident response)
    not alternative to effective unit practices
  • Provides strong incentives for other deans
    (decimation principle of the Roman army)

87
  • BREAK
  • Return in 15 Minutes

88
Ethical Security Challenges
  • Many security incidents cross into an ethical
    gray area that can challenge CIOs
  • Was information really exposed?
  • If not, do you need to notify?
  • What about potential exposure?
  • What about outside pressure?
  • The scenario that follows will highlight these

89
Scenario for discussion
  • Location - a state without mandatory disclosure
    laws.
  • Background - Your campus is ready to announce
    its latest fundraising campaign at a gala event
    next month. The CIO discovers that the alumni
    development machine has been compromised.
  • Roles - CIO and VP of Advancement

90
Scenario - Discussion Points
  • Policy and procedures are important; from a
    legal standpoint it is critical to follow them.
  • A major security incident is not the time to
    begin building a relationship with other
    executives.
  • Think: can I defend my actions when the local TV
    news comes to interview me?
  • When in error, admit it, and take corrective
    action to address the root causes.
  • No job is worth violating your own ethical
    standards.

91
Using Community Resources
  • Joy Hughes

92
(No Transcript)
93
Using Community Resources: I. A Blueprint for
Handling Sensitive Data; II. Data Classification
Schemes
94
  • I. A BLUEPRINT FOR HANDLING SENSITIVE DATA

95
A Blueprint for Handling Sensitive Data
  • https://wiki.internet2.edu/confluence/display/secguide/ConfidentialDataHandlingBlueprint
    (see handout)
  • Step 1: Create a security risk-aware culture
    that includes an information security risk
    management program.
  • Sample Resource:
    https://wiki.internet2.edu/confluence/display/secguide/RiskAssessmentFramework

96
A Blueprint for Handling Sensitive Data
  • Step 2: Define institutional data types.
  • Sample Resource:
    http://connect.educause.edu/library/abstract/SensitiveDataProtect/45162

97
A Blueprint for Handling Sensitive Data
  • Step 3: Clarify responsibilities and
    accountability for safeguarding
    confidential/sensitive data.
  • Sample Resource:
    http://its.uncg.edu/Policy_Manual/Data/

98
A Blueprint for Handling Sensitive Data
  • Step 4: Reduce access to confidential/sensitive
    data not absolutely essential to institutional
    processes.
  • Sample Resource:
    http://connect.educause.edu/library/abstract/NoMoreSocialSecurity/38825

99
A Blueprint for Handling Sensitive Data
  • Step 5: Establish and implement stricter
    controls for safeguarding confidential/sensitive
    data.
  • Sample Resource:
    http://www.yale.edu/ppdev/Procedures/its/1607/1607PR.01EndorseEncrirption.pdf

100
A Blueprint for Handling Sensitive Data
  • Step 6: Provide awareness and training.
  • Sample Resource:
    http://www.educause.edu/content.asp?page_id=5746

101
A Blueprint for Handling Sensitive Data
  • Step 7: Verify compliance routinely with your
    policies and procedures.
  • Sample Resource:
    https://wiki.internet2.edu/confluence/display/secguide/DataIncidentNotificationToolkit

102
  • II. DATA CLASSIFICATION SCHEMES

103
Data Classification Schemes
  • First, work with legal counsel, data stewards and
    campus stakeholders to create a policy that
    provides the framework necessary to:
  • Identify and classify data in order to assess
    risk and implement an appropriate level of
    security protection based on categorization.
  • Comply with legislation, regulations, and
    internal policies that govern the protection of
    data.
  • Facilitate and make the incident response process
    more efficient: the level at which the data is
    classified determines the level of response.

104
Data Classification Schemes
Samples: George Washington University, Stanford
University, U. of Texas - Austin
105
Data Classification at GW
[Matrix: Privacy Levels (Confidential, Official,
Public; Highest Security to Lowest Security) against
Operations Levels (Enterprise System, Department
Server, Desktop/Laptop; Highest Operations to Lowest
Operations); cell values 1-4 not recoverable from
transcript]
Note, numbers in boxes suggest the priority
levels for mitigating risks.
106
Stanford Data Classification
107
U of Texas-Austin Data Categories
108
For more information
  • EDUCAUSE/Internet2 Security Task Force:
    www.educause.edu/security
  • EDUCAUSE Center for Applied Research:
    www.educause.edu/ECAR
  • Blueprint for Handling Sensitive Data:
    wiki.internet2.edu/confluence/display/secguide

109
Actions and Next Steps
  • Pete Siegel

110
Actions for CIOs - Strategic
  • Meet with your executive peers to educate them.
  • Create an executive incident advisory team.
  • Organize and educate YOUR staff around security
  • Educate other campus IT staff about security
  • Develop policies and guidelines on data
    classification
  • Perform a risk assessment across the institution
    focusing on machines with sensitive data on them
  • Reallocate resources to implement proactive and
    automated systems to protect machines

111
Actions for CIOs - Programmatic
  • i. Designate an information security officer
    and organizationally place this position in an
    effective location.
  • ii. Review your institutional security policy.
    Does the policy define security governance? Is
    the policy clear with respect to requirements and
    responsibilities?
  • iii. Review the security model which underlies
    your institution's security program. Does the
    program address prevention, assurance, response
    and recovery? Do security program initiatives
    correspond to the identified system/network/data
    risks and regulatory controls?
  • iv. Review the process by which core
    institutional data is identified and protected.
  • v. Review your institutional strategic plan and
    information security long-term plans for
    congruence.

Review Each and Every Year-- Change is Rapid
112
Actions for IT Unit Directors and Managers -
Strategic
  • Identify and prioritize security threats you see
    every day. Develop tracking statistics and
    metrics to quantify these threats and issues.
  • Embed security into every technical activity in
    your organization. Work with staff in other
    departments to train them on appropriate
    techniques and tools (CIS)
  • Review the effective practices guide and discuss
    with peers what steps others have found
    effective.
  • Create an incident response team (IRT) and
    develop plans and procedures for when an incident
    occurs

113
Actions for IT Unit Directors and Managers -
Programmatic
  • i. Assign specific technical staff members
    to support your information security program.
    Ensure that staff members understand their
    responsibilities and are sufficiently trained to
    carry out these responsibilities.
  • ii. Conduct unit security awareness for
    non-technical staff. Effective security practices
    require the participation of everyone in the
    unit.
  • iii.     Conduct periodic risk assessments
    of your information systems and data using a team
    of administrators and technical staff. Verify
    that security work objectives will reduce
    vulnerabilities within high-risk security areas.
  • iv.     Adopt an organizational framework
    for security management. Review information
    security work objectives and progress on a
    regular basis. Focus measurement on reliable
    metrics wherever possible.
  • v.     Align unit security practices with
    institutional requirements. Review unit
    compliance to institutional security policies and
    regulations.

114
Campus Focus: UC Davis - UC Data Security Policies
  • UC Information Security Policy
  • Test conditions for Restricted information
  • 1. Does the data include information that
    identifies or describes an individual?
  • 2. Would unauthorized access, modification or
    loss of the data seriously affect the University?
  • 3. Would unauthorized access, modification or
    loss of the data seriously affect a business
    partner of the University?
  • 4. Would unauthorized access, modification or
    loss of the data seriously affect the public?
  • 5. Has the Proprietor chosen to protect the data
    from general access or modification?

115
UC Data Security Policies
  • Security Provisions for UC System
  • Authentication and Authorization
  • Background Checks
  • Control Administrative Accounts
  • Data Backup/Retention/Storage and Transit
    Encryption
  • Disaster Recovery Plan
  • Incident Response/Notification Plan
  • Physical Security Controls, Media Controls

116
UC Davis Data Security Policy
  • Software Vulnerabilities
  • Virus Infections
  • Non-secure Computer Programs/Services
  • Authentication Measures
  • Insecure Personal Information
  • Firewall Services
  • Physical/Environment Controls
  • Spam Generation
  • Open Proxy
  • Audit Logs
  • Backup/Recovery
  • Security Training
  • Spyware Removal
  • Data Removal Prior to Hardware Retirement
  • Incident Response Plans -new
  • Web Application Security -new

117
Sample Data Security Requirements (UC Davis)
R = Required, A = Addressable, X = In Policy
118
Sample Data Security Requirements (UC Davis),
Continued
R = Required, A = Addressable, X = In Policy
119
Campus Focus: UC Davis to Date
  • Initiate Risk Assessment
  • Prioritize Security Areas Needing Attention:
    Pareto Principle (80/20)
  • Seek Input in Developing and Implementing a
    Campus Unit Security Plan
  • Implement Security Plan
  • Annually Review Security Plan
  • Keep Up to Date with Security News

120
Campus Focus: UC Davis, 2007-2008
  • Expand security survey required of all
    departments to next stage including lower risk
    items
  • Develop more sophisticated training and tools for
    web / database-related security gaps
  • Implement more self-service and unit IT tools for
    finding private data on web sites, in databases,
    etc.
  • Implement more tools to protect campus from
    itself
  • Intrusion detection systems
  • Continue departmental firewall investments
  • Implement full IT audit capability at college and
    departmental level (with campus auditors)
  • Improve dean-level oversight for college issues

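The "tools for finding private data on web sites, in databases, etc." item above is the one concrete technique on this slide, and it also serves the earlier call to focus the risk assessment on machines holding sensitive data and to prioritize with the 80/20 rule. The following scanner is an added example written for this page; it is not UC Davis's tooling and not code from the presentation. It assumes two data types (US SSNs and payment card numbers), uses a Luhn check to throw out random digit runs that merely look like card numbers, masks what it reports so the findings themselves do not become a second exposure, and ranks sources by hit count so remediation effort goes to the worst offenders first. The regexes, function names and the sample roster text are all constructed for the example.

```python
"""Find likely private data (SSNs, payment card numbers) in text.

Added example for this page; not UC Davis tooling. The regexes, names and
the sample text below are assumptions/constructed, not from the slides.
"""
from __future__ import annotations

import re
from pathlib import Path
from typing import Iterable

# US SSN: AAA-GG-SSSS; reject area 000, 666, 9xx and all-zero group/serial.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")

# 13-19 digits, optionally separated by single spaces or hyphens.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check; filters most random digit runs (order IDs, etc.)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(value: str) -> str:
    """Keep only the last four digits so findings can be logged safely."""
    return re.sub(r"\d(?=.*\d{4})", "*", value)


def find_private_data(text: str) -> list[tuple[str, int, str]]:
    """Return (kind, line_number, masked_value) for each hit in `text`."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in SSN_RE.finditer(line):
            findings.append(("ssn", lineno, mask(m.group())))
        for m in CARD_RE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group())
            if luhn_valid(digits):      # drop Luhn failures: not a card number
                findings.append(("card", lineno, mask(digits)))
    return findings


def rank_by_findings(sources: dict[str, str]) -> list[tuple[str, int]]:
    """Sort sources (host, file, table dump) by hit count, worst first,
    so remediation effort goes where most of the exposure is (80/20)."""
    counts = {name: len(find_private_data(text)) for name, text in sources.items()}
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


def scan_files(paths: Iterable[Path]) -> dict[str, str]:
    """Read text files for rank_by_findings; undecodable files are skipped."""
    sources = {}
    for p in paths:
        try:
            sources[str(p)] = p.read_text(encoding="utf-8", errors="strict")
        except (UnicodeDecodeError, OSError):
            continue
    return sources


# Constructed sample; the numbers are standard test values, not real data.
SAMPLE_TEXT = """\
Student roster export (constructed sample)
Name: A. Student   SSN: 123-45-6789   phone: 555-123-4567
Donor card on file: 4111 1111 1111 1111 exp 12/09
Order id 1234 5678 9012 3456 is not a card (fails Luhn)
Emergency contact ext. 8002
"""

if __name__ == "__main__":
    for kind, lineno, value in find_private_data(SAMPLE_TEXT):
        print(f"line {lineno}: {kind} {value}")
    print(rank_by_findings({"hr-db": SAMPLE_TEXT, "www": "nothing here"}))
```

Run it against a directory of web roots or database exports via `scan_files` and feed the result to `rank_by_findings`; the list that comes back is the prioritized work queue. Expect false positives from anything that looks like a card number and happens to pass Luhn (about one random 16-digit string in ten does), so treat hits as leads for the unit's technical staff to confirm, not as proof.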
121
Security Checkpoint: Your Next Steps
  • Identify five areas where you might plan
    additional security activities over the coming
    year
  • (training the community, database security,
    unit-level security practices, research data
    integrity, ...)
  • For the most important 2-3, what specific steps
    are you proposing?
  • Who are the 2-3 most important stakeholders in
    getting/making the commitment to move ahead?

122
Survey of Security Practices
  • Jack Suess

123
Review of Security Resources
  • Borrowing from David Letterman, here are my top
    ten resources that were developed by the Security
    Task Force that your institution can leverage for
    use at your own institution.

124
10. Internet2 Security Site
  • security.internet2.edu/
  • Internet2 has made security on research networks
    a priority. This site has an excellent collection
    of papers and presentations on security
    challenges for research networks. The netauth
    working group has excellent papers on
    implementing network access control.
  • To do - if you are an Internet2 member, have your
    security officer or network manager review SALSA
    Net-Auth archives consider joining the
    initiative.

125
9. Authentication Roadmap
  • www.nmi-edit.org/roadmap/draft-authn-roadmap-03/
  • The National Middleware Initiative consortium has
    developed an excellent document to use for
    planning an authentication and authorization
    strategy for your campus (on CD).
  • To do - Review this document with your staff
    responsible for authentication and authorization.
  • Consider sending some staff to the Campus
    Architecture and Middleware Planning (CAMP)
    workshops.
  • http://www.educause.edu/CampusArchitecturalMiddllewarePlanning(CAMP)Workshops/1607

126
8. Security Awareness Toolkit
  • www.educause.edu/SecurityAwarenessResourceLibrary/8762
  • This site contains planning documents, resources
    such as brochures, bookmarks, posters, sample web
    sites, and links to good resources developed by
    the government, industry and other higher
    education institutions.
  • October is Cyber Security Awareness Month!

127
8. Sample Student Video
  • Out in the Open
  • http://www.researchchannel.org/mov/educ_con_outopen_250k_qt.mov

128
7. Effective Practices Guide/Wiki
  • www.educause.edu/EffectivePracticesandSolutionsinSecurity/1246
  • Released in 2004, the effective practices guide
    has specific solutions to many of the technical
    challenges facing institutions. In addition to
    material on solutions the guide integrates 45
    case studies from institutions on how they have
    solved the problem. Coming soon, this will move
    to a wiki!
  • To do - make sure your technical team has seen
    this and is aware of it as a resource.

129
6. Risk Assessment Framework
  • www.educause.edu/LibraryDetailPage/666?IDCSD4380
  • The risk assessment framework provides a detailed
    overview of establishing a risk assessment
    process on your campus and breaks this down in
    phases and discrete steps
  • On your CD are risk guides from NIST, Microsoft,
    and the World Bank. Included is a tutorial on
    risk management done in 2004.
  • To do - When you return to campus review the ISG
    self-assessment tool with your direct reports.

130
5. Data Notification Toolkit
  • www.educause.edu/DataIncidentNotificationToolkit/9320
  • This contains legal requirements, sample policy
    and procedures, threshold advice for
    notification, sample templates and web sites, and
    additional resources.
  • Review this when you get back and run a
    simulation of performing a notification to make
    sure everyone understands their role

131
4. Executive Awareness Resources
  • http://www.educause.edu/executiveawareness
  • This site contains overview information on
    improving executive awareness across the campus.
    This resource has articles, presentations, and
    policies for supporting awareness. The executive
    awareness video (also on the CD) is included.
  • To do - use the executive awareness resources to
    meet with key executives.

132
4. Executive Awareness Video
133
3. Security Professionals Conference
  • http://www.educause.edu/sec07
  • Security Professionals Conference 2008, May 4-6,
    2008, Arlington, Virginia
  • This conference is focused specifically on
    security issues in higher education and is a
    great place for someone to meet and learn from
    other higher education security professionals.
  • To do - have someone submit a proposal to the
    conference (due ca. Jan 2008)

134
2. Security Discussion List
  • www.educause.edu/SecurityDiscussionGroup/979
  • The security discussion list has over 1800
    subscribers and is among the most active EDUCAUSE
    email discussion lists.
  • You can search this list by keyword for
    information on contacts.
  • To do - make sure your security team is
    subscribed to the list. This is a great way to
    leverage expertise

135
1. EDUCAUSE Security Task Force
  • www.educause.edu/security
  • Presently there are 60 people working on four
    major working groups - effective practices,
    security awareness, risk management, and policy
    and legal.
  • Co-chairs Pete Siegel (UC-Davis), Joy Hughes
    (GMU) and Mely Tynan (Tufts). Focus is on
  • Data privacy and classification
  • Incident detection, handling, and response.
  • To do - attend the open meeting of the task force
    here at Educause 2007 on Thursday

136
Funding and Staffing: Resources and Questions
  • Resources on CD
  • ECAR report on Optimal Security Staffing
  • Security 101 for CIOs from 2001
  • CISWG Security Metrics (under legal)

137
Policy and Legal: Resources
  • On the CD
  • UT-Austin Student privacy requirements by state
  • NIST 800-60 data classification procedures
  • ECAR Security Policy Keys to Success
  • Policy development primer
  • Security policies from GMU, UT-Austin, UMBC,
    UC-Berkeley, and Georgia Tech

138
Security Professionals Media - 1
  • Educause/Internet2 Security Task Force
    http://www.educause.edu/security
  • Internet2 Security Initiative
    http://security.internet2.edu/
  • SANS unisog security discussion list
    https://lists.sans.org/mailman/listinfo/unisog
  • REN-ISAC membership http://www.ren-isac.net/

139
Security Professionals Media - 2
  • Educause
  • Security Professionals Conference
  • May 4-6, 2008, Arlington, VA
  • http://www.educause.edu/securityconference
  • Security discussion list
  • http://www.educause.edu/groups/security
  • Incident notification toolkit
  • http://www.educause.edu/DataIncidentNotificationToolkit/9320
  • Risk assessment framework
  • http://connect.educause.edu/blog/vvogel/riskassessmentframew/1950
  • Cyber-security resources
  • http://connect.educause.edu/blog/vvogel/riskassessmentframew/1950
  • Effective security practices workgroup
  • http://www.educause.edu/Committees/959?CODESECURITY-EP

140
The McCumber Cube Video
  • http://www.educause.edu/7103