A Blueprint for Handling Sensitive Data: Security, Privacy, and Other Considerations - PowerPoint PPT Presentation

Loading...

PPT – A Blueprint for Handling Sensitive Data: Security, Privacy, and Other Considerations PowerPoint presentation | free to download - id: 46dcbe-MWI5Y



Loading


The Adobe Flash plugin is needed to view this content

Get the plugin now

View by Category
About This Presentation
Title:

A Blueprint for Handling Sensitive Data: Security, Privacy, and Other Considerations

Description:

original s by Rodney Petersen, Krizi Travisti, and others – PowerPoint PPT presentation

Number of Views:341
Avg rating:3.0/5.0
Slides: 110
Provided by: davides1
Learn more at: http://download.101com.com
Category:

less

Write a Comment
User Comments (0)
Transcript and Presenter's Notes

Title: A Blueprint for Handling Sensitive Data: Security, Privacy, and Other Considerations


1
A Blueprint for Handling Sensitive Data
Security, Privacy, and Other Considerations
  • David Escalante
  • Director, Computer Policy Security
  • Boston College
  • Monday, July 30, 2007, 830am-1200pm
  • Campus Technology 2007
  • Washington, DC

2
Seminar Goals
  • At the end of this session
  • You should feel comfortable discussing common
    cybersecurity risks plaguing higher education and
    computer users in general.
  • You will have a list of key strategies to pursue
    for stopping the leakage of confidential/sensitive
    data.
  • You will be introduced to several security
    resources and best practices to help you apply
    the key strategies.

3
Agenda (1)
  • Overview and Introductions
  • Creating a Security Risk-Aware Culture
  • Defining Institutional Data Types
  • Clarifying Responsibility and Accountability
  • Reducing Access to Data Not Absolutely Essential

4
Agenda (2)
  • Establishing Implementing Stricter Controls
  • Providing Awareness and Training
  • Managing Sensitive Data Outreach Programs
  • Verifying Compliance
  • Putting It All Together
  • Evaluation and Wrap-Up

5
Icebreaker
  • Human Scavenger Hunt
  • Instructions
  • Take a moment to read entire list (front and
    back)
  • Obtain as many signatures as possible in the time
    allotted
  • An individual may sign your sheet only once
  • Fill in the blanks when space is provided

6
The Blueprint
  • Confidential Data Handling Blueprint
  • Purpose
  • To provide a list of key strategies to follow for
    stopping the leakage of confidential/sensitive
    data.
  • To provide a toolkit that constructs resources
    pertaining to confidential/sensitive data
    handling. 
  • https//wiki.internet2.edu/confluence/display/se
    cguide/ConfidentialDataHandlingBlueprint

7
The Blueprint
  • Confidential Data Handling Blueprint
  • Introduction
  • Steps and ensuing sub-items are intended to
    provide a general roadmap
  • Institutions will be at varying stages of
    progress
  • Organized in a sequence that allows you to
    logically follow through each step
  • Each item is recommended as an effective
    practice state/local legal requirements,
    institutional policy, or campus culture might
    leave each institution approaching this
    differently

8
Ingredients for Success
Systems must be built and technologies deployed
to adhere to policies
Policies must be developed, communicated,
maintained, and enforced
Process
Technology
People
Processes must be developed that show how
policies will be implemented
People must understand their roles and
responsibilities according to policies
9
Step 1
  • Create a security risk-aware culture that
    includes an information security risk management
    program
  • Sub-steps
  • 1.1 Institution-wide security risk management
    program
  • 1.2 Roles and responsibilities defined for
    overall information security at the central and
    distributed level
  • 1.3 Executive leadership support in the form of
    policies and governance actions

10
Step 1
  • Create a security risk-aware culture that
    includes an information security risk management
    program
  • Sub-steps
  • 1.1 Institution-wide security risk management
    program
  • 1.2Roles and responsibilities defined for overall
    information security at the central and
    distributed level
  • 1.3 Executive leadership support in the form of
    policies and governance actions

11
Risk Management Framework
12
Risk Assessment Framework
  • Phase 0 Establish Risk Assessment Criteria for
    the Identification and Prioritization of Critical
    Assets
  • Phase 1 Develop Initial Security Strategies
  • Phase 2 Technological View Identify
    Infrastructure Vulnerabilities
  • Phase 3 Develop Security Strategy and Plans

13
Risks Incurred
Damage Percent
Business application, including e-mail, unavailable 33.7
Network unavailable 29.4
Information confidentiality compromised 26.0
Damage to software 21.5
Damage to data 12.5
Negative publicity in the press 10.0
Identity theft 8.4
Damage to hardware 7.4
Financial losses 6.4
  • ECAR IT Security Study, 2006

14
Risk Assessments
  • 55 percent do some type of risk assessment
  • But less than 9 percent cover all institutional
    systems and data.
  • ECAR IT Security Study, 2006

15
Step 1
  • Create a security risk-aware culture that
    includes an information security risk management
    program
  • Sub-steps
  • 1.1 Institution-wide security risk management
    program
  • 1.2 Roles and responsibilities defined for
    overall information security at the central and
    distributed level
  • 1.3 Executive leadership support in the form of
    policies and governance actions

16
Best Practices Metrics
  • Information Security Program Elements
  • Governance
  • Boards/Senior Executives/Shared Governance
  • Management
  • Directors and Managers
  • Technical
  • Central and Distributed IT Support Staff
  • CISWG Final Report on Best Practices Metrics

17
Governance
  • Oversee Risk Management and Compliance Programs
    Pertaining to Information Security (e.g.,
    Sarbanes-Oxley, HIPAA, Gramm-Leach-Bliley)
  • Approve and Adopt Broad Information Security
    Program Principles and Approve Assignment of Key
    Managers Responsible for Information Security
  • Strive to Protect the Interests of all
    Stakeholders Dependent on Information Security
  • Review Information Security Policies Regarding
    Strategic Partners and Other Third-parties
  • Strive to Ensure Business Continuity
  • Review Provisions for Internal and External
    Audits of the Information Security Program
  • Collaborate with Management to Specify the
    Information Security Metrics to be Reported to
    the Board
  • CISWG Final Report on Best Practices Metrics

18
Management
  • Establish Information Security Management
    Policies and Controls and Monitor Compliance
  • Assign Information Security Roles,
    Responsibilities, Required Skills, and Enforce
    Role-based Information Access Privileges
  • Assess Information Risks, Establish Risk
    Thresholds and Actively Manage Risk Mitigation
  • Ensure Implementation of Information Security
    Requirements for Strategic Partners and Other
    Third-parties
  • Identify and Classify Information Assets
  • Implement and Test Business Continuity Plans
  • Approve Information Systems Architecture during
    Acquisition, Development, Operations, and
    Maintenance
  • Protect the Physical Environment
  • Ensure Internal and External Audits of the
    Information Security Program with Timely
    Follow-up
  • Collaborate with Security Staff to Specify the
    Information Security Metrics to be Reported to
    Management
  • CISWG Final Report on Best Practices Metrics

19
Technical
  • User Identification and Authentication
  • User Account Management
  • User Privileges
  • Configuration Management
  • Event and Activity Logging and Monitoring
  • Communications, Email, and Remote Access Security
  • Malicious Code Protection, Including Viruses,
    Worms, and Trojans
  • Software Change Management, including Patching
  • Firewalls
  • Data Encryption
  • Backup and Recovery
  • Incident and Vulnerability Detection and Response
  • Collaborate with Management to Specify the
    Technical Metrics to be Reported to Management
  • CISWG Final Report on Best Practices Metrics

20
Responsibility for IT Security
  • IT Security Officer (up to 35 from 22)
  • CIO (up to 14 from 8)
  • Other IT Directors (down to 50 from 67)

21
IT Security Plan
  • 11.2 percent - a comprehensive IT security plan
    is in place
  • 66.6 percent - a partial plan is in place
  • 20.4 percent - no IT security plan is in place
  • ECAR IT Security Study, 2006

22
Characteristics of Successful IT Security Programs
  • Institutions with IT security plans in place
    characterize their IT security programs as more
    successful and feel more secure today.
  • The respondents who believe their institution
    provides necessary resources give higher ratings
    for IT security program success and their current
    sense of IT security.
  • The biggest barrier to IT security is lack of
    resources (64.4 percent) and especially at
    smaller institutions, followed by an academic
    culture of openness and autonomy (49.6 percent),
    and lack of awareness (36.4 percent).
  • ECAR IT Security Study, 2006

23
Step 1
  • Create a security risk-aware culture that
    includes an information security risk management
    program
  • Sub-steps
  • 1.1 Institution-wide security risk management
    program
  • 1.2 Roles and responsibilities defined for
    overall information security at the central and
    distributed level
  • 1.3 Executive leadership support in the form of
    policies and governance actions

24
Information Security Governance
  • If businesses, educational institutions, and
    non-profit organizations are to make significant
    progress securing their information assets,
    executives must make information security an
    integral part of core business operations. There
    is no better way to accomplish this goal than to
    highlight it as part of the existing internal
    controls and policies that constitute corporate
    governance.
  • Information Security Governance Report
    Executive Summary

25
InfoSec Governance Self Assessment
  • Organizational Reliance on IT
  • E.g., What is the impact of major system downtime
    on operations?
  • Risk Management
  • E.g., Has your organization conducted a risk
    assessment and identified critical assets?
  • People
  • E.g., Is there a person or organization that has
    information security as their primary duty?
  • Processes
  • E.g., Do you have official written information
    security policies and procedures?
  • Technology
  • E.g., Is sensitive data encrypted?
  • Information Security Governance Assessment Tool
    for Higher Education

26
Policies in Place
  • Individual employee responsibilities for
    information security practices (73)
  • Protection of organizational assets (73)
  • Managing privacy issues, including breaches of
    personal information (72)
  • Incident reporting and response (69)
  • Disaster recovery contingency planning (68)

27
Policies in Place
  • Investigation and correction of the causes of
    security failures (68)
  • Notification of security events to individuals,
    the law, etc. (67)
  • Sharing, storing, and transmitting data (51)
  • Data classification, retention, and destruction
    (51)
  • Identity Management (50)

28
Step 2
  • Define institutional data types
  • Sub-steps
  • 2.1 Compliance with applicable federal and state
    laws and regulations - as well as contractual
    obligations - related to privacy and security of
    data held by the institution (also consider
    applicable international laws)
  • 2.2 Data classification schema developed with
    input from legal counsel and data stewards
  • 2.3 Data classification schema assigned to
    institutional data to the extent possible or
    necessary

29
Step 2
  • Define institutional data types
  • Sub-steps
  • 2.1 Compliance with applicable federal and state
    laws and regulations - as well as contractual
    obligations - related to privacy and security of
    data held by the institution (also consider
    applicable international laws)
  • 2.2 Data classification schema developed with
    input from legal counsel and data stewards
  • 2.3 Data classification schema assigned to
    institutional data to the extent possible or
    necessary

30
All-In-One Compliance
What When Where Where Why Wrath
FERPA 1974 amendments National Protect student records Protect student records No federal funding
GLBA 1999 National Protect financial records Protect financial records Fines, up to 5 years in jail
ECPA/CFAA 1984, 86 amendments National Protect computers Protect computers various
SB1386 2003 California Disclose breaches Disclose breaches Cost to comply civil suit
PATRIOT Act 2001 National Allow law enforcement access Allow law enforcement access Generally increased other penalties
HIPAA 1996 thru 2003 National Protect health records Protect health records max 250,000 10 years in jail
PCI 2004 National Protect credit cards Protect credit cards Restitution fines
31
Step 2
  • Define institutional data types
  • Sub-steps
  • 2.1 Compliance with applicable federal and state
    laws and regulations - as well as contractual
    obligations - related to privacy and security of
    data held by the institution (also consider
    applicable international laws)
  • 2.2 Data classification schema developed with
    input from legal counsel and data stewards
  • 2.3 Data classification schema assigned to
    institutional data to the extent possible or
    necessary

32
Data Classification Policy
  • Provides the framework necessary to
  • Identify and classify data in order to assess
    risk and implement an appropriate level of
    security protection based on categorization.
  • Comply with legislation, regulations, and
    internal policies that govern the protection of
    data.
  • Facilitate and make the Incident Response process
    more efficient. The level in which the data is
    classified determines the level of response.

33
NIST Security Categorization
Example An Enterprise Information System
FIPS 199 LOW MODERATE HIGH
Confidentiality The loss of confidentiality could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals. The loss of confidentiality could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals. The loss of confidentiality could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals.
Integrity The loss of integrity could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals. The loss of integrity could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals. The loss of integrity could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals.
Availability The loss of availability could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals. The loss of availability could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals. The loss of availability could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals.
Mapping Information Types to FIPS 199 Security
Categories
34
Data Classification at GW
Privacy Levels
Operations Levels
Confidential
Official
Public
Highest Security Highest Operations
Enterprise System
2
2
1
1
Department Server
3
2
Lowest Security Lowest Operations
2
Desktop/ Laptop
3
4
Note, numbers in boxes suggest the priority
levels for mitigating risks.
35
Stanford Data Classification
36
U of Texas-Austin Data Categories
37
Qualitative Risk Assessment Exercise
Confidentiality (H, M, L) Integrity (H, M, L) Availability (H, M, L) Total (H3, L1)
Bookstore Cash Register System
Blackboard/ WebCT (CMS)
Library Catalog
Admissions
Main web site
E-mail
Time Sheet Entry
38
  • BREAK

39
Step 3
  • Clarify responsibilities and accountability for
    safeguarding confidential/sensitive data
  • Sub-steps
  • 3.1Data stewardship roles and responsibilities
  • 3.2Legally binding third party agreements that
    assign responsibility for secure data handling

40
Step 3
  • Clarify responsibilities and accountability for
    safeguarding confidential/sensitive data
  • Sub-steps
  • 3.1Data stewardship roles and responsibilities
  • 3.2Legally binding third party agreements that
    assign responsibility for secure data handling

41
Example University of North Carolina
  • Data Trustee Data trustees are senior University
    officials (or their designees) who have planning
    and policy-level responsibility for data within
    their functional areas and management
    responsibilities for defined segments of
    institutional data. Responsibilities include
    assigning data stewards, participating in
    establishing policies, and promoting data
    resource management for the good of the entire
    University.
  • Data Steward Data stewards are University
    officials having direct operational-level
    responsibility for information management
    usually department directors. Data stewards are
    responsible for data access and policy
    implementation issues.
  • Data Custodian Information Technology Services
    is the data custodian. The custodian is
    responsible for providing a secure infrastructure
    in support of the data, including, but not
    limited to, providing physical security, backup
    and recovery processes, granting access
    privileges to system users as authorized by data
    trustees or their designees (usually the data
    stewards), and implementing and administering
    controls over the information.
  • Data User Data users are individuals who need
    and use University data as part of their assigned
    duties or in fulfillment of assigned roles or
    functions within the University community.
    Individuals who are given access to sensitive
    data have a position of special trust and as such
    are responsible for protecting the security and
    integrity of those data.
  • http//its.uncg.edu/Policy_Manual/Data/

42
Step 3
  • Clarify responsibilities and accountability for
    safeguarding confidential/sensitive data
  • Sub-steps
  • 3.1Data stewardship roles and responsibilities
  • 3.2Legally binding third party agreements that
    assign responsibility for secure data handling

43
Outsourced Data Handling
  • Some Drivers
  • Security of Commercial Software addressed
    elsewhere (Step 7.4)
  • Incidents Mishandling by 3rd Parties
  • GLB Act Oversight of Service Providers
  • PCI requirement
  • Federal Contracts and Grant
  • Sample Contract Language
  • E-mail instructor for a copy

44
Step 4
  • Reduce access to confidential/sensitive data not
    absolutely essential to institutional processes
  • Sub-steps
  • 4.1 Data collection processes (including forms)
    should request only the minimum necessary
    confidential/sensitive information
  • 4.2 Application outputs (e.g., queries, hard copy
    reports, etc.) should provide only the minimum
    necessary confidential/sensitive information
  • 4.3 Inventory and review access to existing
    confidential/sensitive data on servers,
    desktops, and mobile devices

45
Step 4 continued
  • Reduce access to confidential/sensitive data not
    absolutely essential to institutional processes
  • Sub-steps continued
  • 4.4 Eliminate unnecessary confidential/sensitive
    data on servers, desktops, and mobile devices
  • 4.5 Eliminate dependence on SSNs as primary
    identifiers and as a form of authentication
  • Note SSNs may need to be used for certain
    things (e.g., student employees, student
    financial aid, etc.) and we recommend that
    schools limit the use of SSNs to necessary
    processes only.

46
Step 4
  • Reduce access to confidential/sensitive data not
    absolutely essential to institutional processes
  • Sub-steps
  • 4.1 Data collection processes (including forms)
    should request only the minimum necessary
    confidential/sensitive information
  • 4.2 Application outputs (e.g., queries, hard copy
    reports, etc.) should provide only the minimum
    necessary confidential/sensitive information
  • 4.3 Inventory and review access to existing
    confidential/sensitive data on servers,
    desktops, and mobile devices

47
Fair Information Practices and Privacy
  • General Principles of Fair Information Practice
  • Openness
  • Individual Participation
  • Collection Limitation
  • Data Quality
  • Finality
  • Security
  • Accountability
  • Privacy Statements
  • Privacy Policies

48
Step 4
  • Reduce access to confidential/sensitive data not
    absolutely essential to institutional processes
  • Sub-steps
  • 4.1 Data collection processes (including forms)
    should request only the minimum necessary
    confidential/sensitive information
  • 4.2 Application outputs (e.g., queries, hard copy
    reports, etc.) should provide only the minimum
    necessary confidential/sensitive information
  • 4.3 Inventory and review access to existing
    confidential/sensitive data on servers,
    desktops, and mobile devices

49
Step 4
  • Reduce access to confidential/sensitive data not
    absolutely essential to institutional processes
  • Sub-steps
  • 4.1 Data collection processes (including forms)
    should request only the minimum necessary
    confidential/sensitive information
  • 4.2 Application outputs (e.g., queries, hard copy
    reports, etc.) should provide only the minimum
    necessary confidential/sensitive information
  • 4.3 Inventory and review access to existing
    confidential/sensitive data on servers,
    desktops, and mobile devices

50
Step 4 continued
  • Reduce access to confidential/sensitive data not
    absolutely essential to institutional processes
  • Sub-steps continued
  • 4.4 Eliminate unnecessary confidential/sensitive
    data on servers, desktops, and mobile devices
  • 4.5 Eliminate dependence on SSNs as primary
    identifiers and as a form of authentication
  • Note SSNs may need to be used for certain
    things (e.g., student employees, student
    financial aid, etc.) and we recommend that
    schools limit the use of SSNs to necessary
    processes only.

51
Solutions
  • Safety Analyzer (George Washington University)
  • Sensitive Data Detection
  • SSNs with heuristics
  • Credit Card numbers with Luhn algorithm
    validation
  • Compromise Detection
  • Trojan file detection
  • Kernel-level rootkit detection
  • IR-related data harvesting
  • Spider(Cornell University)
  • SENF! (Sensitive Number Finder)(University of
    Texas at Austin)

52
Step 4 continued
  • Reduce access to confidential/sensitive data not
    absolutely essential to institutional processes
  • Sub-steps continued
  • 4.4 Eliminate unnecessary confidential/sensitive
    data on servers, desktops, and mobile devices
  • 4.5 Eliminate dependence on SSNs as primary
    identifiers and as a form of authentication
  • Note SSNs may need to be used for certain
    things (e.g., student employees, student
    financial aid, etc.) and we recommend that
    schools limit the use of SSNs to necessary
    processes only.

53
Elimination of SSNs
  • Federal and state law requires the collection of
    your Social Security number (SSN) for certain
    purposes (for example, IRS reporting forms).
    However, widespread use of an individual's SSN is
    a major privacy concern. With incidents of
    identity theft increasing, steps to secure an
    individual's SSN become more important.
  • A large number of colleges and universities use
    SSNs as primary identifiers for faculty, staff,
    and students, which exposes institutions to risk
    because of changing legal and security
    environments. Therefore, many institutions are
    planning for the migration away from SSN use as a
    primary identifier. Undertaking such a task
    raises issues, challenges, and opportunities for
    any institution.
  • EDUCAUSE has identified links concerning the
    elimination of SSNs as primary identifiers that
    may be useful to the higher education community.
  • http//www.educause.edu/Browse/645?PARENT_ID701

54
Where to be with SSNs
University Processes Supporting Systems
SSNs requested only when essential
SSNs provided only when essential
SSN access authorized to least of people
SSNs stored only in highly secured devices and
file cabinets
Clear SSN use policy exists
Responsibilities for SSN protection well
communicated
Compliance verification processes in place
55
Step 5
  • Establish and implement stricter controls for
    safeguarding confidential/sensitive data
  • Sub-steps
  • 5.1 Inventory and review/remediate security of
    devices
  • 5.2 Configuration standards for applications,
    servers, desktops, and mobile devices
  • 5.3 Network level protections
  • 5.4 Encryption strategies for data in transit and
    at rest

56
Step 5 continued
  • Establish and implement stricter controls for
    safeguarding confidential/sensitive data
  • Sub-steps continued
  • 5.5 Policies regarding confidential/sensitive
    data on mobile devices and home computers and
    for data archival/storage
  • 5.6 Identity management and resource provisioning
    processes
  • 5.7 Secure disposal of equipment and data
  • 5.8 Consider background checks on individuals
    handling confidential/sensitive data

57
Step 5
  • Establish and implement stricter controls for
    safeguarding confidential/sensitive data
  • Sub-steps
  • 5.1 Inventory and review/remediate security of
    devices
  • 5.2 Configuration standards for applications,
    servers, desktops, and mobile devices
  • 5.3 Network level protections
  • 5.4 Encryption strategies for data in transit and
    at rest

58
Inventory Devices
  • Network Registration (NetReg)
  • Commercial NAC solutions (Cisco, etc)
  • Commercial desktop management products
  • Altiris, etc.
  • Manual Inventories
  • Review Security of Devices
  • Network vulnerability scans
  • Local tools such as Microsofts Baseline Security
    Analyzer (MBSA)
  • Manage your anti-virus for review/remediate

which ones???
59
Step 5
  • Establish and implement stricter controls for
    safeguarding confidential/sensitive data
  • Sub-steps
  • 5.1 Inventory and review/remediate security of
    devices
  • 5.2 Configuration standards for applications,
    servers, desktops, and mobile devices
  • 5.3 Network level protections
  • 5.4 Encryption strategies for data in transit and
    at rest

60
Configuration Standards
  • There are recommendations available from various
    sources on the Internet
  • Vendors themselves
  • Center for Internet Security (http//www.cisecurit
    y.org/)
  • NSA (http//www.nsa.gov/snac/)
  • How to Implement at your institution
  • Use your own published procedures
  • Publish links to sources above
  • Create and use Images
  • Dont Forget Applications
  • Web servers
  • Mail servers
  • FTP servers
  • Consider standards as part of the Software
    Development Life Cycle

61
Step 5
  • Establish and implement stricter controls for
    safeguarding confidential/sensitive data
  • Sub-steps
  • 5.1 Inventory and review/remediate security of
    devices
  • 5.2 Configuration standards for applications,
    servers, desktops, and mobile devices
  • 5.3 Network level protections
  • 5.4 Encryption strategies for data in transit and
    at rest

62
Network Level Protections
  • Intrusion Detection System
  • Snort, Dragon, NFR
  • Intrusion Prevention System
  • Tipping Point, Intrushield
  • Extrusion Prevention System
  • Vontu, Reconnecx, Fidelis
  • Database protection systems
  • Guardium, Tizor, etc.
  • Network Anomaly Detection
  • Q1 Radar, Arbor, Mazu,etc. (flow analysis)

63
Step 5
  • Establish and implement stricter controls for
    safeguarding confidential/sensitive data
  • Sub-steps
  • 5.1 Inventory and review/remediate security of
    devices
  • 5.2 Configuration standards for applications,
    servers, desktops, and mobile devices
  • 5.3 Network level protections
  • 5.4 Encryption strategies for data in transit and
    at rest

64
Encryption Data in Transit
  • Strategies for Data in Transit
  • Encrypt before sending(e.g. PGP)
  • Encrypt on the fly (e.g. SSL)
  • Issues for Data in Transit
  • Key exchange
  • Performance
  • Choice of algorithm
  • Protocols
  • SSL
  • SSH
  • Proprietary (in which case check the algorithm)

65
Encryption and Data at Rest
  • Problems with Data at Rest
  • Theft by a network intruder
  • Physical theft -- for example, a laptop
  • Data at Rest Strategies
  • Whole disk encryption
  • File encryption
  • Issues
  • Key escrow
  • Cost if not using O/S vendors file encryption
  • Very low adoption rate in higher ed market

66
Step 5 continued
  • Establish and implement stricter controls for
    safeguarding confidential/sensitive data
  • Sub-steps continued
  • 5.5 Policies regarding confidential/sensitive
    data on mobile devices and home computers and
    for data archival/storage
  • 5.6 Identity management and resource provisioning
    processes
  • 5.7 Secure disposal of equipment and data
  • 5.8 Consider background checks on individuals
    handling confidential/sensitive data

67
Data on Mobile Devices
  • Data has wings
  • PDAs and music players
  • USB memory fobs
  • Cyber-cafes
  • Home computers
  • Compensating Policy
  • Written mandates
  • Practical assistance
  • Enforcement or checking is exceedingly difficult
  • Which does not mean you should not do it, if
    nothing else it can be used to justify discipline

68
Protection of Mobile Data
  • OMB Memo Protection of Sensitive Agency
    Informationhttp//www.whitehouse.gov/omb/memorand
    a/fy2006/m06-16.pdf
  • NIST ChecklistProtection of Remote Information

69
Step 5 continued
  • Establish and implement stricter controls for
    safeguarding confidential/sensitive data
  • Sub-steps continued
  • 5.5 Policies regarding confidential/sensitive
    data on mobile devices and home computers and for
    data archival/storage
  • 5.6 Identity management and resource provisioning
    processes
  • 5.7 Secure disposal of equipment and data
  • 5.8 Consider background checks on individuals
    handling confidential/sensitive data

70
ID Management
  • Access control lists (ACLs)
  • Account creation
  • Account deletion
  • Process issues
  • Fragmentation can be addressed
  • By process improvement
  • Via technology
  • Rich area of research development
  • Also commercial solutions
  • Active Directory
  • LDAP solutions

71
EDUCAUSE Identity Management Resources
  • Recent Library Submissions (3)
  • CIC Identity Management Conference Session
    Federated Identity Management and Sharing
    Resources (2007) by Jim Phelps, IT Architect in
    Academia
  • Identity Management Conference Report (2007)by
    Committee on Institutional Cooperation
  • A Report on the Identity Management Summit (2007)
    by Norma Holland, Ann West and Steve Worona,
    EDUCAUSE
  • Most Popular Library Content (3)
  • Top-Ten IT Issues, 2006 (2006) by Barbara I.
    Dewey, Peter B. DeBlois, and the 2006 EDUCAUSE
    Current Issues Committee, EDUCAUSE
  • Safeguarding the Tower IT Security in Higher
    Education 2006 (2006) by Robert B. Kvavik, with
    John Voloudakis, ECAR
  • Identity Management in Higher Education A
    Baseline Study (2006) by Ronald Yanosky, with
    Gail Salaway, ECAR
  • http//www.educause.edu/Browse/645?PARENT_ID679

72
Step 5 continued
  • Establish and implement stricter controls for
    safeguarding confidential/sensitive data
  • Sub-steps continued
  • 5.5 Policies regarding confidential/sensitive
    data on mobile devices and home computers and for
    data archival/storage
  • 5.6 Identity management and resource provisioning
    processes
  • 5.7 Secure disposal of equipment and data
  • 5.8 Consider background checks on individuals
    handling confidential/sensitive data

73
Equipment and Data Disposal
  • Classic examples are lost backup tapes
  • Magnetic media destruction can be done
    physically (sledgehammer) or magnetically
    (degaussed or multi-pass formatted) or both
  • Do not ignore hard-copy data
  • Shredders
  • This step can be both expensive and inconvenient

74
Data Sanitization Guidelines
  • NIST Special Publication 800-88 Guidelines for
    Media Sanitizationhttp//csrc.nist.gov/publicatio
    ns/nistpubs/800-88/NISTSP800-88_rev1.pdf
  • EDUCAUSE/Internet2 Security Task ForcePractical
    Data Sanitization Guidelines for Higher
    Educationhttps//wiki.internet2.edu/confluence/di
    splay/secguide/GuidelinesforDataSanitization
  • Michigan State University Best Practices in
    Disposal of Computers and Electronic Storage
    Media http//computing.msu.edu/msd/documents/safec
    omputerdisposal.pdf

75
Step 5 continued
  • Establish and implement stricter controls for
    safeguarding confidential/sensitive data
  • Sub-steps continued
  • 5.5 Policies regarding confidential/sensitive
    data on mobile devices and home computers and for
    data archival/storage
  • 5.6 Identity management and resource provisioning
    processes
  • 5.7 Secure disposal of equipment and data
  • 5.8 Consider background checks on individuals
    handling confidential/sensitive data

76
Background Checks
  • Kinds of checks
  • Criminal
  • Credit
  • Resume
  • Education
  • Why?
  • How?
  • Do you save it once its complete?
  • Do results stay in H/R or go to hiring manager?
  • If running criminal checks, how wide a net do you
    cast and how legitimate can you be?

77
Security Approaches in Place
  • Perimeter firewalls 77
  • Centralized backups 77
  • VPNs for remote access 75
  • Enterprise directory 75
  • Interior network firewalls 65
  • Intrusion detection 62
  • Active filtering 59
  • Intrusion prevention 44 (up from 33)
  • Security Standards for Applications 32 (up from
    27)
  • ECAR IT Security Study, 2006

78
Step 6
  • Provide awareness and training
  • Sub-steps
  • 6.1 Make confidential/sensitive data handlers
    aware of privacy and security requirements
  • 6.2 Require acknowledgement by data users of
    their responsibility for safeguarding such data
  • 6.3 Enhance general privacy and security
    awareness programs to specifically address
    safeguarding confidential/sensitive data
  • 6.4 Collaboration mechanisms such as e-mail have
    strengths and limitations in terms of access
    control, which must be clearly communicated and
    understood so that the data will be safe-guarded

79
Awareness Training
  • Who needs awareness (consciousness-raising)?
    All Users!
  • Executives
  • Faculty
  • Staff
  • Students
  • Users of Sensitive Data
  • IT Staff
  • Training (skills development)
  • Especially for data stewards, IT staff, and
    information security team

80
Why? Whos the Threat?
81
Cybersecurity Awareness Resources CD
  • The Awareness and Training Working Group of the
    EDUCAUSE/Internet2 Security Task Force compiled
    cybersecurity awareness resources distributed on
    a CD which are now on the web site.
  • The resources were collected to showcase the
    variety of security awareness efforts underway at
    institutions of higher education and to provide
    resources for colleges and universities that are
    looking to jump-start a program for their
    organization. 

82
Whats on the Web Site?
  • Pamphlets
  • Post Cards
  • Presentations
  • Security Awareness Documents
  • Security Cards
  • Security Tools
  • Security Quizzes
  • Surveys
  • Videos
  • Book Marks
  • Brochures
  • Checklists
  • Flyers
  • Games
  • Government Resources
  • Handouts
  • Industry Resources
  • Links to Schools Security Web Page(s)

83
Awareness Programs
Students Faculty Staff
Program 2003 39.2 38.2 42.2
Program 2005 62.3 68.8 69.1
Percent change 23.1 30.6 26.9
  • ECAR IT Security Study, 2006

84
When I Go To U.Va.
http//www.itc.virginia.edu/pubs/docs/RespComp/vid
eos/when-I-go-to-UVA-lg.mov
85
Security Awareness Exercise
  • Outline a Plan for a Security Awareness Campaign
    About Managing Sensitive Data
  • Who is your target audience?
  • How will you market it?
  • What are your key messages?
  • What method of delivery will you use?
  • How will you measure its effectiveness?

86
Step 7
  • Verify compliance routinely with your policies
    and procedures
  • Sub-steps
  • 7.1 Routinely test network-connected devices and
    services for weaknesses in operating systems,
    applications, and encryption
  • 7.2 Routinely scan servers, desktops, mobile
    devices, and networks containing
    confidential/sensitive data to verify compliance
  • 7.3 Routinely audit access privileges
  • 7.4 Procurement procedures and contract language
    to ensure proper data handling is maintained

87
Step 7 continued
  • Verify compliance routinely with your policies
    and procedures
  • Sub-steps continued
  • 7.5 System development methodologies that prevent
    new data handling problems from being introduced
    into the environment
  • 7.6 Utilize audit function within the institution
    to verify compliance
  • 7.7 Incident response policies and procedures
  • 7.8 Conduct regular meetings with stakeholders
    such as data stewards, legal counsel, compliance
    officers, public safety, public relations, and
    IT groups to review institutional risk and
    compliance and to revise existing policies and
    procedures as needed

88
Step 7
  • Verify compliance routinely with your policies
    and procedures
  • Sub-steps
  • 7.1 Routinely test network-connected devices and
    services for weaknesses in operating systems,
    applications, and encryption
  • 7.2 Routinely scan servers, desktops, mobile
    devices, and networks containing
    confidential/sensitive data to verify compliance
  • 7.3 Routinely audit access privileges
  • 7.4 Procurement procedures and contract language
    to ensure proper data handling is maintained

89
Routine Testing
  • Network Admission Control (NAC)
  • Test(s) at network registration
  • But not all weaknesses are caught by commercial
    testing programs (scanners)
  • Encryption can be tricky
  • Network sniffing
  • Examine configuration files
  • Applications can imply things like re-running
    regression testing after changes

90
Step 7
  • Verify compliance routinely with your policies
    and procedures
  • Sub-steps
  • 7.1 Routinely test network-connected devices and
    services for weaknesses in operating systems,
    applications, and encryption
  • 7.2 Routinely scan servers, desktops, mobile
    devices, and networks containing
    confidential/sensitive data to verify compliance
  • 7.3 Routinely audit access privileges
  • 7.4 Procurement procedures and contract language
    to ensure proper data handling is maintained

91
Routine Scanning
  • Vulnerability Scanners
  • Nessus
  • ISS
  • GFI LANGuard
  • eEye Retina
  • Local confidential data scanners
  • GW Safety Analyzer
  • Cornell Spider
  • U.Texas SENF (Sensitive Number Finder)

follow-up on 4.3
92
Step 7
  • Verify compliance routinely with your policies
    and procedures
  • Sub-steps
  • 7.1 Routinely test network-connected devices and
    services for weaknesses in operating systems,
    applications, and encryption
  • 7.2 Routinely scan servers, desktops, mobile
    devices, and networks containing
    confidential/sensitive data to verify compliance
  • 7.3 Routinely audit access privileges
  • 7.4 Procurement procedures and contract language
    to ensure proper data handling is maintained

93
Routine Audits
  • Copy your external auditors ?
  • What persons, groups, or roles have access?
  • Should have access?
  • Check terminated employees against list
  • Transfers to new internal jobs as well
  • Unclear as to wisdom of letting them know youre
    coming

94
Step 7
  • Verify compliance routinely with your policies
    and procedures
  • Sub-steps
  • 7.1 Routinely test network-connected devices and
    services for weaknesses in operating systems,
    applications, and encryption
  • 7.2 Routinely scan servers, desktops, mobile
    devices, and networks containing
    confidential/sensitive data to verify compliance
  • 7.3 Routinely audit access privileges
  • 7.4 Procurement procedures and contract language
    to ensure proper data handling is maintained

95
Procurement Practices
  • Contracts in the U.S. establish your rights --
    very few rights are guaranteed
  • Are any vendors subject to your policies, or to
    any other statute governing their handling of
    your data?
  • Does their contract acknowledge this?
  • How are the vendors liable?
  • Your judgment, theirs, or a courts?

96
Step 7 continued
  • Verify compliance routinely with your policies
    and procedures
  • Sub-steps continued
  • 7.5 System development methodologies that prevent
    new data handling problems from being introduced
    into the environment
  • 7.6 Utilize audit function within the institution
    to verify compliance
  • 7.7 Incident response policies and procedures
  • 7.8 Conduct regular meetings with stakeholders
    such as data stewards, legal counsel, compliance
    officers, public safety, public relations, and IT
    groups to review institutional risk and
    compliance and to revise existing policies and
    procedures as needed

97
System Development
  • Add security to your software development life
    cycle
  • When
  • Requirements
  • Vendor analysis or architecture development
  • Test
  • Turnover
  • Consider canned methodologies only if they
    incorporate security

98
Step 7 continued
  • Verify compliance routinely with your policies
    and procedures
  • Sub-steps continued
  • 7.5 System development methodologies that prevent
    new data handling problems from being introduced
    into the environment
  • 7.6 Utilize audit function within the institution
    to verify compliance
  • 7.7 Incident response policies and procedures
  • 7.8 Conduct regular meetings with stakeholders
    such as data stewards, legal counsel, compliance
    officers, public safety, public relations, and IT
    groups to review institutional risk and
    compliance and to revise existing policies and
    procedures as needed

99
Audit Function
  • Auditor -- friend or enemy?
  • Audit reports generally go higher in the
    organization than security memos
  • Audit staff has some skills at compliance and
    testing against a process or procedure
  • Use them to double-check yourself and to check
    things that you cant due to time or political
    constraints

100
Step 7 continued
  • Verify compliance routinely with your policies
    and procedures
  • Sub-steps continued
  • 7.5 System development methodologies that prevent
    new data handling problems from being introduced
    into the environment
  • 7.6 Utilize audit function within the institution
    to verify compliance
  • 7.7 Incident response policies and procedures
  • 7.8 Conduct regular meetings with stakeholders
    such as data stewards, legal counsel, compliance
    officers, public safety, public relations, and IT
    groups to review institutional risk and
    compliance and to revise existing policies and
    procedures as needed

101
Incident Response
  • An incident response structure is a necessity
  • Rich vein of material on this -- blueprint has
    links
  • Cut down time data is exposed

102
Step 7 continued
  • Verify compliance routinely with your policies
    and procedures
  • Sub-steps continued
  • 7.5 System development methodologies that prevent
    new data handling problems from being introduced
    into the environment
  • 7.6 Utilize audit function within the institution
    to verify compliance
  • 7.7 Incident response policies and procedures
  • 7.8 Conduct regular meetings with stakeholders
    such as data stewards, legal counsel, compliance
    officers, public safety, public relations, and
    IT groups to review institutional risk and
    compliance and to revise existing policies and
    procedures as needed

103
Continuous Improvement
  • Keep it current
  • Keep them current
  • Keep within the law
  • Keep exploiting new technology

104
FTC Guide Protecting Personal Information
  • Take stock.Know what personal information you
    have in your files and on your computers.
  • Scale down.Keep only what you need for your
    business.
  • Lock it.Protect the information that you keep.
  • Pitch it. Properly dispose of what you no
    longer need.
  • Plan ahead. Create a plan to respond to
    security incidents.

105
Putting it All Together
  • Moving from Planning to Action!

106
The Blueprint
  • Discussion
  • How will you use the blueprint?
  • Do you have suggestions to improve it?
  • Do you have resources or effective practices to
    submit?

107
Wrap-Up
  • Question Answer
  • Seminar Evaluation Feedback
  • Program ends at 1200pm

108
For more information
  • David EscalanteEmail david.escalante_at_bc.eduPho
    ne 617-552-6060
  • EDUCAUSE/Internet2 Security Task
    Forcewww.educause.edu/security
  • EDUCAUSE Center for Applied Researchwww.educause.
    edu/ECAR
  • Blueprint for Handling Sensitive
    Datawiki.internet2.edu/confluence/display/secguid
    e

109
Case Study
  • Group Discussion
  • Who do you need to include (or other consult) as
    part of the emergency meeting?
  • What core messages will you plan to deliver at
    the press conference?
  • What kinds of questions should you anticipate
    from reporters or potential victims?
About PowerShow.com