Handling Sensitive Data: Security, Privacy, and Other Considerations - PowerPoint PPT Presentation

1 / 28
About This Presentation
Title:

Handling Sensitive Data: Security, Privacy, and Other Considerations

Description:

Availability - computers, systems and networks must be available ... Blueprint for ... Blueprint for Handling Sensitive Data. wiki.internet2.edu/confluence ... – PowerPoint PPT presentation

Number of Views:413
Avg rating:3.0/5.0
Slides: 29
Provided by: rpe99
Learn more at: http://www.siguccs.org
Category:

less

Transcript and Presenter's Notes

Title: Handling Sensitive Data: Security, Privacy, and Other Considerations


1
Handling Sensitive DataSecurity, Privacy, and
Other Considerations
  • Rodney Petersen
  • Government Relations Officer
  • Security Task Force Coordinator
  • EDUCAUSE

2
Security Task Force
  • Goals
  • Education and Awareness
  • Standards, Policies, and Procedures
  • Security Architecture and Tools
  • Organization and Information Sharing
  • Working Groups
  • Awareness and Training
  • Policies and Legal Issues
  • Risk Assessment
  • Effective Practices and Solutions
  • Annual Security Professionals Conference

3
Security Goals C-I-A
  • Availability - computers, systems and networks
    must be available on a timely basis to meet
    mission requirements or to avoid substantial
    losses.
  • Integrity - computers, systems, and networks that
    contain information must be protected from
    unauthorized, unanticipated, or unintentional
    modification.
  • Confidentiality - computers, systems, and
    networks that contain information require
    protection from unauthorized use or disclosure.

4
Security Approaches
  • People awareness, training, policies, roles and
    responsibilities, staffing, etc.
  • Process procedures, work flows, systems,
    physical security, compliance, etc.
  • Technology layered security, vulnerability
    scanning, access controls, o/s and s/w updates,
    etc.

5
ECAR IT Security Study
  • The Headlines You Wont Read in the Chronicle
    of Higher Ed or New York Times
  • The respondents feel more secure today than two
    years ago despite being in a perceived riskier
    environment.
  • Respondents feel that the academic community has
    become more sensitive to security and privacy in
    the last two years.
  • ECAR IT Security Study, 2006

6
IT Security Incidents
  • Ten percent of the respondents in our survey
    indicated that they had an IT security incident
    in the last twelve months, which had been
    reported to the press (down from 19 percent in
    2003).
  • A majority of institutions (74.2 percent) report
    that the number of incidents is about the same or
    less in the past twelve months as compared with
    the year before.
  • The primary perceived risks are viruses (72.6
    percent), theft of personal financial information
    (64.8 percent), and spoofing and spyware (55.3
    percent).
  • ECAR IT Security Study, 2006

7
Data Security Incidents
  • Stolen Laptops
  • Missing Media
  • Unauthorized access to systems
  • Incident response teams
  • Notification to affected individuals
  • Identity theft and other types of fraud
  • Data Incident Notification Toolkit

8
Blueprint for Handling Data
  • Step 1 Create a security risk-aware culture that
    includes an information security risk management
    program
  • Step 2 Define institutional data types
  • Step 3 Clarify responsibilities and
    accountability for safeguarding
    confidential/sensitive data
  • Step 4 Reduce access to confidential/sensitive
    data not absolutely essential to institutional
    processes
  • Step 5 Establish and implement stricter controls
    for safeguarding confidential/sensitive data
  • Step 6 Provide awareness and training
  • Step 7 Verify compliance routinely with your
    policies and procedures

9
Step 1 Risk Aware Culture
  • 1.1 Institution-wide security risk management
    program
  • 1.2 Roles and responsibilities defined for
    overall information security at the central and
    distributed level
  • 1.3 Executive leadership support in the form of
    policies and governance actions

10
Risk Management Framework
11
Risks Incurred
  • ECAR IT Security Study, 2006

12
Risk Assessments
  • 55 percent do some type of risk assessment
  • But less than 9 percent cover all institutional
    systems and data.
  • ECAR IT Security Study, 2006

13
Responsibility for IT Security
  • IT Security Officer (up to 35 from 22)
  • CIO (up to 14 from 8)
  • Other IT Directors ( down to 50 from 67)

14
IT Security Plan
  • 11.2 percent - a comprehensive IT security plan
    is in place
  • 66.6 percent - a partial plan is in place.
  • 20.4 percent - no IT security plan is in place
  • ECAR IT Security Study, 2006

15
Policies in Place
  • Individual employee responsibilities for
    information security practices (73)
  • Protection of organizational assets (73)
  • Managing privacy issues, including breaches of
    personal information (72)
  • Incident reporting and response (69)
  • Disaster recovery contingency planning (68)

16
Policies in Place
  • Investigation and correction of the causes of
    security failures (68)
  • Notification of security events to individuals,
    the law, etc. (67)
  • Sharing, storing, and transmitting data (51)
  • Data classification, retention, and destruction
    (51)
  • Identity Management (50)

17
Step 1 Risk Aware Culture
  • 1.1 Institution-wide security risk management
    program
  • 1.2 Roles and responsibilities defined for
    overall information security at the central and
    distributed level
  • 1.3 Executive leadership support in the form of
    policies and governance actions

18
Step 2 Define Data Types
  • 2.1 Compliance with applicable federal and state
    laws and regulations - as well as contractual
    obligations - related to privacy and security of
    data held by the institution (also consider
    applicable international laws)
  • 2.2 Data classification schema developed with
    input from legal counsel and data stewards
  • 2.3 Data classification schema assigned to
    institutional data to the extent possible or
    necessary

19
Step 3 Clarify Responsibilities
  • 3.1 Data stewardship roles and responsibilities
  • 3.2 Legally binding third party agreements that
    assign responsibility for secure data handling

20
Step 4 Reduce Access to Data
  • 4.1 Data collection processes (including forms)
    should request only the minimum necessary
    confidential/sensitive information
  • 4.2 Application outputs (e.g., queries, hard copy
    reports, etc.) should provide only the minimum
    necessary confidential/sensitive information
  • 4.3 Inventory and review access to existing
    confidential/sensitive data on servers, desktops,
    and mobile devices
  • 4.4 Eliminate unnecessary confidential/sensitive
    data on servers, desktops, and mobile devices
  • 4.5 Eliminate dependence on SSNs as primary
    identifiers and as a form of authentication

21
Step 5 Controls
  • 5.1 Inventory and review/remediate security of
    devices
  • 5.2 Configuration standards for applications,
    servers, desktops, and mobile devices
  • 5.3 Network level protections
  • 5.4 Encryption strategies for data in transit and
    at rest
  • 5.5 Policies regarding confidential/sensitive
    data on mobile devices and home computers and for
    data archival/storage
  • 5.6 Identity management and resource provisioning
    processes
  • 5.7 Secure disposal of equipment and data
  • 5.8 Consider background checks on individuals
    handling confidential/sensitive data

22
Security Approaches in Place
  • Perimeter firewalls 77
  • Centralized backups 77
  • VPNs for remote access 75
  • Enterprise directory 75
  • Interior network firewalls 65
  • Intrusion detection 62
  • Active filtering 59
  • Intrusion prevention 44 (up from 33)
  • Security Standards for Applications 32 (up from
    27)
  • ECAR IT Security Study, 2006

23
Step 6 Awareness and Training
  • 6.1 Make confidential/sensitive data handlers
    aware of privacy and security requirements
  • 6.2 Require acknowledgment by data users of their
    responsibility for safeguarding such data
  • 6.3 Enhance general privacy and security
    awareness programs to specifically address
    safeguarding confidential/sensitive data
  • 6.4 Clearly communicate how to safeguard data so
    that collaboration mechanisms such as e-mail have
    strengths and limitations in terms of access
    control

24
Awareness Programs
  • ECAR IT Security Study, 2006

25
Step 7 Verify Compliance
  • 7.1 Routinely test network-connected devices and
    services for weaknesses in operating systems,
    applications, and encryption
  • 7.2 Routinely scan servers, desktops, mobile
    devices, and networks containing
    confidential/sensitive data to verify compliance
  • 7.3 Routinely audit access privileges
  • 7.4 Procurement procedures and contract language
    to ensure proper data handling is maintained
  • 7.5 System development methodologies that prevent
    new data handling problems from being introduced
    into the environment
  • 7.6 Utilize audit function within the institution
    to verify compliance
  • 7.7 Incident response policies and procedures
  • 7.8 Conduct regular meetings with stakeholders
    such as data stewards, legal counsel, compliance
    officers, public safety, public relations, and IT
    groups to review institutional risk and
    compliance and to revise existing policies and
    procedures as needed

26
FTC Guide Protecting Personal Information
  • Take stock.Know what personal information you
    have in your files and on your computers.
  • Scale down.Keep only what you need for your
    business.
  • Lock it.Protect the information that you keep.
  • Pitch it. Properly dispose of what you no
    longer need.
  • Plan ahead. Create a plan to respond to
    security incidents.

27
Characteristics of Successful IT Security Programs
  • Institutions with IT security plans in place
    characterize their IT security programs as more
    successful and feel more secure today.
  • The respondents who believe their institution
    provides necessary resources give higher ratings
    for IT security program success and their current
    sense of IT security.
  • The biggest barrier to IT security is lack of
    resources (64.4 percent) and especially at
    smaller institutions, followed by an academic
    culture of openness and autonomy (49.6 percent),
    and lack of awareness (36.4 percent).
  • ECAR IT Security Study, 2006

28
For more information
  • Rodney PetersenEmail rpetersen_at_educause.eduPho
    ne 202.331.5368
  • EDUCAUSE/Internet2 Security Task
    Forcewww.educause.edu/security
  • EDUCAUSE Center for Applied Researchwww.educause.
    edu/ECAR
  • Blueprint for Handling Sensitive
    Datawiki.internet2.edu/confluence/display/secguid
    e
Write a Comment
User Comments (0)
About PowerShow.com