Information Security for Educational Institutions. - PowerPoint PPT Presentation

1
Information Security for Educational
Institutions.
  • Mark Rasch
  • Mark.Rasch_at_FTIConsulting.com

2
Introduction
  • The threats are real
  • Malware (e.g. viruses, worms, Trojan Horses) are
    becoming more sophisticated
  • Security breaches and attacks are becoming more
    publicized
  • People are becoming more concerned with their
    online privacy
  • However, people still lack awareness on basic
    computer security issues

3
A Typical Higher Education Computing
Infrastructure
  • Traditionally open
  • Critical for researchers
  • Critical for students' learning
  • Higher education comprises 15% of the Internet
    address space
  • Wired campus (dorms to Greek housing) with
    usually no network authentication
  • Many institutions now offer campus-wide wireless
    access
  • Tech-savvy students

4
Threat Matrix
Internal Threats
  • Illness of personnel
  • Illness of multiple personnel
  • Loss of key personnel
  • Loss of network services
  • Disgruntled employees
  • Disgruntled consultants
  • Labor dispute / unrest
  • User misuse / theft of data and resources
  • Malware (viruses, worms, Trojan Horses, rootkits)
  • Software bugs and flaws
External Threats
  • Lightning
  • Short-term utility outage
  • Long-term utility outage
  • Flood
  • Fire
  • Theft of hardware / disks / tapes
  • Theft of personnel desktop
  • Theft of personnel laptop
  • Computer vendor / developer failure (e.g. bankruptcy)
  • Random hackers / crackers
  • Terrorism
5
Overlapping Security Issues in Industry and
Higher Education
  • Enormous disconnect between IT and general users
  • Lack of awareness of computer security
    fundamentals (poor practices)
  • Social engineering
  • Insider threat
  • Lack of low-tech and low-cost planning
  • Too much focus on products for implementing
    computer security
  • Lack of testing environments to understand
    threats and potential security breaches
  • Security is a reactive process

6
Risks in Higher Education
  • Openness is fertile ground for attacks and risks
  • Web hosting and file sharing
  • Decentralization
  • Lack of visibility for security and privacy
  • Security is looked at as a bad thing by
    professionals and students: a tough sell
  • Multiple roles of educational institutions:
    • Educational: provider of services
    • Educational: academic freedom
    • Financial
    • Health care
    • Government contractor
    • Real estate owner
    • Internet service provider
    • Law enforcement agency

7
Hotspots
  • Data security
  • Privacy
  • Next generation of malware
  • Poisoned Peer-to-Peer (P2P) networks and torrents
  • Compliance and auditing

8
Next Generation of Malware
  • Now spreading through instant messaging, P2P,
    social networking sites, cell phone and SMS and
    MMS
  • Malware hybrids fooling and cloaking malicious
    intent
  • Rootkit - Toolbox of tools for a cracker to keep
    root access. Also hides and secures a cracker's
    presence on a system.
  • Example: spyware that has a rootkit component
  • Can fool anti-virus or anti-spyware software

9
Next Generation of Malware (continued)
  • Kernel-based attack technique using hooks and
    layers
  • Kernel - Core of an operating system,
    Responsible for resource allocation, low-level
    hardware interfaces, security, etc.
  • Altering normal program control flow
  • The Microsoft Windows architecture makes this
    possible
  • Bottom line: malware is becoming more lethal and
    far more difficult to find!

10
Data Privacy
  • Mantras:
    • Provide prominent disclosure
    • Data minimization (collection, storage, and
      sharing)
    • Anonymity
    • Put users in charge of their data
  • Other components of a privacy framework:
    • Quality (accuracy and completeness)
    • Security
    • Monitoring and enforcement

11
WHAT IS FERPA?
  • The Family Educational Rights and Privacy Act of
    1974 protects the privacy of student educational
    records.
  • FERPA applies to any higher education
    institution receiving federal funds administered
    by the Department of Education.

12
FERPA
  • Family Educational Rights and Privacy Act
  • 20 U.S.C. 1232g
  • 34 CFR Part 99

13
WHO IS PROTECTED UNDER FERPA?
  • Students who are currently enrolled in higher
    education institutions or formerly enrolled,
    regardless of their age or status in regard to
    parental dependency. Students who have applied but
    have not attended an institution do not have rights
    under FERPA.
14
RIGHTS OF STUDENTS
  • Inspect and Review their Education Records
  • Exercise limited control over disclosure of
    Education Records information
  • Seek to correct their Education Records
  • Report violations of FERPA to the Department of
    Education
  • Be informed of their FERPA rights

15
EDUCATION RECORDS
  • Education Records generally include any
    records which contain information directly
    related to the student that is in the possession
    of the University. The records may be in printed
    form, handwritten, computer, magnetic tape,
    e-mail, film or some other medium.

16
WHAT IS NOT INCLUDED IN AN EDUCATION RECORD?
  • Records or notes in the sole possession of
    educational personnel and not accessible to other
    personnel (e.g. contained in a faculty member's
    notes)
  • Law enforcement or campus security records
    (University Police records)
  • Records relating to an individual's employment by
    the University (Work Study records ARE
    educational records)
  • Medical treatment records (made or maintained by
    a Physician, Psychiatrist, Psychologist or
    related paraprofessional)
  • Alumni records

17
LIMITATIONS ON STUDENTS' RIGHT TO INSPECT AND
REVIEW
  • Students may review their records by submitting a
    written request to the appropriate Record
    Custodian.
  • 1. The Student is not permitted to inspect and
    review financial records of his/her parents.
  • 2. The Student is not permitted to inspect and
    review confidential letters and recommendations
    in their education record (if the student signed
    a waiver).
  • The items listed above are to be removed from
    the file prior to the student's review of his/her
    education record.

18
LIMITATIONS ON STUDENTS' RIGHT TO INSPECT AND
REVIEW
  • 3. Copies are not required unless it is
    unreasonable for the student to come in and
    inspect his/her records.
  • 4. The University is responsible for providing the
    student's records for inspection no later than 45
    days after they are requested.

19
(No Transcript)
20
WRITTEN CONSENT OF STUDENT
  • Voluntary written consent of the Student to specific
    third parties. The document should be signed and
    dated by the Student and state the following:
  • --Specific records to disclose
  • --Purpose of disclosure
  • --Identity of party to whom disclosure is to be
    made
  • The consent will remain valid until the student
    requests that it be revoked.

21
(No Transcript)
22
(No Transcript)
23
WHAT IS DIRECTORY INFORMATION?
  • The University may disclose information about a
    student without violating FERPA through what is
    known as directory information.
  • Annually the University is required to notify
    students in attendance of what information
    constitutes directory information. This notice
    must also provide procedures for students to
    restrict the University from releasing his/her
    directory information. This notice is provided in
    the annual Student Code of Conduct, on the
    Registrar's website, in University Policy, and
    published in the student newspaper.

24
DIRECTORY INFORMATION
  • Student's name
  • Student's address
  • Telephone number
  • Major field of study
  • Degrees and awards received
  • Previous educational institutions
  • Participation in officially recognized sports and
    activities
  • Weight and height for athletes
  • Dates of attendance
  • Electronic mail address
  • Student's photograph

25
STUDENT'S REFUSAL TO PERMIT RELEASE OF DIRECTORY
INFORMATION
  • A student can refuse to permit release of
    directory information by completing the form in
    the student paper or on the Registrar's website,
    or by forwarding the following statement to the
    University Registrar's office at G-3 Thackeray
    Hall:
  • "I hereby request that no personal information
    included in my Directory Information be
    released." This request must be signed and dated
    by the student with his/her name, address and
    social security number.
  • Once this request is received at the Registrar's
    office, no future disclosures will be made
    without the student's written consent.
  • The refusal to permit release of Directory
    Information is permanent.
  • A student may rescind this action in-person or
    by submitting a notarized request in writing to
    the Office of the University Registrar.

26
RECORDKEEPING REQUIREMENT
  • The University is required to keep a record of
    each request for access and disclosure of
    personally identifiable information from the
    education record of each student.
  • This record must be maintained with the education
    record of each student as long as the education
    record is maintained.
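The three FERPA rules on slides 24 to 26 (a fixed list of directory-information fields, a refusal that blocks all future releases without written consent, and a log of every request kept with the education record) can be expressed as a small disclosure check. The code below is an added illustration, not part of the presentation; the field names, the `StudentRecord` shape, the `DisclosureDenied` exception and the sample record are all assumptions constructed for the example.

```python
"""Directory-information disclosure filter with opt-out and access log.

Added illustration (not from the presentation). The field names, the
record layout and the sample student are constructed for this example.
"""
from dataclasses import dataclass, field
from datetime import date

# Directory-information fields, following the slide "DIRECTORY INFORMATION".
DIRECTORY_FIELDS = frozenset({
    "name", "address", "telephone", "major", "degrees_awards",
    "previous_institutions", "activities", "athlete_weight_height",
    "dates_of_attendance", "email", "photograph",
})


@dataclass
class StudentRecord:
    student_id: str
    fields: dict                                  # the education record (constructed)
    directory_opt_out: bool = False               # student refused directory release
    consents: set = field(default_factory=set)    # parties with signed written consent
    access_log: list = field(default_factory=list)  # kept with the record (slide 26)


class DisclosureDenied(Exception):
    """Raised when a request may not be fulfilled without written consent."""


def disclose(record, requester, requested, *, today=None):
    """Return the subset of `requested` fields that may be released to `requester`.

    Rules applied, in order:
      1. A requester holding the student's written consent gets what the consent covers
         (here modelled as: everything requested).
      2. Otherwise only directory-information fields may be released.
      3. Otherwise, if the student opted out, nothing is released.
    Every request, granted or denied, is appended to the record's access log.
    """
    today = today or date.today()
    requested = set(requested)
    entry = {"date": today.isoformat(), "requester": requester,
             "requested": sorted(requested), "released": [], "denied_reason": None}
    try:
        if requester not in record.consents:
            non_directory = requested - DIRECTORY_FIELDS
            if non_directory:
                raise DisclosureDenied(f"consent required for {sorted(non_directory)}")
            if record.directory_opt_out:
                raise DisclosureDenied("student refused release of directory information")
        entry["released"] = sorted(requested)
        return {k: record.fields[k] for k in requested if k in record.fields}
    except DisclosureDenied as exc:
        entry["denied_reason"] = str(exc)
        raise
    finally:
        record.access_log.append(entry)   # recordkeeping requirement: log every request


def sample_student(opt_out=False):
    """Constructed sample record used for demonstration and tests."""
    return StudentRecord(
        "S-0001",
        {"name": "Sample Student", "major": "Biology", "gpa": 3.4,
         "grades": {"BIO101": "A"}},
        directory_opt_out=opt_out,
    )


if __name__ == "__main__":
    s = sample_student()
    print(disclose(s, "local newspaper", ["name", "major"]))
    try:
        disclose(s, "local newspaper", ["name", "gpa"])
    except DisclosureDenied as exc:
        print("denied:", exc)
    for entry in s.access_log:
        print(entry)
```

The log entry is written in a `finally` block so that a denied request is recorded just as a granted one is; a review of the access log then shows who asked for what, which is the point of the recordkeeping requirement on slide 26.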

27
FERPA AND INTERNATIONAL STUDENTS
  • International students have the same rights to
    inspect their records and request amendments.
  • International students consent to release of
    their records to certain governmental agencies on
    immigration forms.

28
CORRECTING EDUCATION RECORDS
  • Students are permitted to inspect and review
    their Education Records, and to seek to change
    any part that they believe is inaccurate,
    misleading, or in violation of their privacy
    rights.
  • a. If the requested change falls within the
    individual's Academic Integrity Guidelines, then
    the Academic Integrity Guidelines shall control the
    procedure to follow. FERPA gives the student the
    right to correct an inaccurately recorded grade,
    not to have the grade evaluated and changed.
  • b. If the requested change is not a violation
    of the Student or Faculty obligation, then the
    standard access and release of records procedure
    will be followed.

29
RIGHT TO REPORT VIOLATIONS TO THE U.S. DEPARTMENT
OF EDUCATION
  • Any complaint filed by a Student regarding a
    violation of their FERPA rights is investigated
    and processed by the Family Policy Compliance
    Office of the U.S. Department of Education. If a
    determination is made that the University is in
    violation, both the University and the Student
    will be advised and informed of the measures to
    be taken in order to come into compliance with
    the law.

30
STUDENTS' RIGHT TO BE INFORMED OF THEIR FERPA
RIGHTS
  • The University is required to annually inform
    students of their FERPA rights. The
    notification must also indicate the location of
    the student's records and the procedure to be
    followed to inspect and review their record.

31
DECEASED STUDENTS
  • The privacy rights of an individual expire upon
    that individual's death. FERPA does not apply,
    and it is at the University's discretion to disclose
    any information of the deceased student.

32
How Come So Many Data Privacy Problems Recently?
  • Heavy usage and dependency of Social Security
    Numbers and credit card numbers
  • Poor web security
  • Insider threats
  • Social engineering (scam artists, phishing)
  • Pharming
  • Third-party businesses
  • Linkability

33
Common Compliance and Legal Frameworks
  • Health Insurance Portability and Accountability
    Act (HIPAA)
  • Gramm-Leach-Bliley Act (GLBA)
  • Computer Fraud and Abuse Act (CFAA)
  • Sarbanes-Oxley Act
  • USA PATRIOT Act
  • Visa USA Cardholder Information Security Program
    (CISP) / MasterCard Site Data Protection Program
    / Payment Card Industry (PCI) Data Security
    Standard

34
Significance of the Compliance Frameworks
  • HIPAA security rule - Safeguarding of electronic
    protected health information
  • GLBA - Protects privacy of consumer information
    in the financial sector
  • Sarbanes-Oxley Act - Executives need to report
    quickly and accurately
  • USA PATRIOT Act - Provides law enforcement
    agencies with greater access to electronic
    communications
  • Colleges and universities have to comply with
    more regulations than businesses

35
Impact of Breaches
  • Heavy network consumption
  • Direct impact on leadership
  • Direct impact on students' learning
  • Wasted funding (private and public)
  • Legal consequences
  • Bad press
  • Loss of competitive edge
  • Long road to recovery

36
What You DON'T Want to Do
  • Pretend the problems will go away
  • Establish reactive and short-term fixes
  • Primarily rely on a firewall, or just software
    solutions, for security perimeter protection
  • Fail to understand the relationship of
    information security to the business problem
  • Assign untrained people to maintain security and
    compliance

37
Short-Term Awareness, Awareness, Awareness
  • Irony: provisions for education and training in
    SOX and the DMCA
  • Very little money is spent on computer security
    education for the public
  • Security is boring, difficult, and political
  • At fault: IT professionals, users, technology
  • Lack of ownership of security and privacy issues
    by companies
  • Emerging technologies pose a serious threat if
    deployed naively
  • Unfortunately, given the infrastructure and
    architecture of current computing systems, users
    do need to be informed

38
Short-Term Awareness (continued)
  • Provide an undergraduate course in computer
    security, privacy, and politics
  • Overlap of departments and groups in a University
    (e.g. Computer Science, Law School)
  • Investment for students, the University, and for
    the instructors of the course

39
Short-Term Low-Cost and Low-Tech Improvements
  • First things first: ask yourself, and management,
    the following (and revisit the questions):
  • What are your security goals?
  • What are you really protecting?
  • What are your priorities, especially in a product
    (e.g. interface, administration, prevention)?

40
Short-Term Low-Cost and Low-Tech Improvements
(continued)
  • Write documentation on what system support staff
    and users need to do with respect to network and
    information security
  • Establish baseline security configurations for
    all appropriate technology platforms (e.g. web
    browser)
  • Establish a vulnerability management process
  • Use vulnerability assessment tools to
    periodically conduct self-assessments
  • Monitor log files from critical systems on a
    daily basis
  • SANS has excellent policy templates
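"Monitor log files from critical systems on a daily basis" is easier to act on with a small, repeatable check than by reading raw logs. The script below is an added example, not part of the presentation or any tool it names: it parses syslog-style sshd authentication lines and flags two patterns a daily review should surface, a burst of failed logins from one source, and a successful login from a source that had just been failing. The log lines are constructed sample data (RFC 5737 documentation addresses); the line format, thresholds and finding names are assumptions made for the example.

```python
"""Daily review of sshd authentication logs (added example, not from the slides).

Flags two things a daily log review should surface:
  BRUTE_FORCE            - fail_threshold failed logins from one source within window_seconds
  SUCCESS_AFTER_FAILURES - an accepted login from a source that had recently been failing
The sample lines below are constructed; addresses are from RFC 5737 ranges.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log (syslog-style sshd lines plus one unrelated cron line).
SAMPLE_LOG = """\
Mar 10 02:14:01 webhost sshd[2210]: Failed password for invalid user admin from 203.0.113.5 port 51122 ssh2
Mar 10 02:14:03 webhost sshd[2211]: Failed password for root from 203.0.113.5 port 51130 ssh2
Mar 10 02:14:06 webhost sshd[2212]: Failed password for root from 203.0.113.5 port 51141 ssh2
Mar 10 02:14:09 webhost sshd[2213]: Failed password for invalid user test from 203.0.113.5 port 51150 ssh2
Mar 10 02:14:12 webhost sshd[2214]: Failed password for root from 203.0.113.5 port 51163 ssh2
Mar 10 02:14:20 webhost sshd[2215]: Accepted password for root from 203.0.113.5 port 51170 ssh2
Mar 10 08:30:11 webhost sshd[3001]: Failed password for alice from 198.51.100.7 port 40001 ssh2
Mar 10 08:30:40 webhost sshd[3002]: Accepted publickey for alice from 198.51.100.7 port 40002 ssh2
Mar 10 09:00:00 webhost cron[3100]: (root) CMD (run-parts /etc/cron.hourly)
"""

# Matches "Failed/Accepted <method> for [invalid user] <user> from <ip> port <n>".
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>[\d.]+) port \d+"
)


def parse(lines, year=2024):
    """Return (timestamp, host, result, user, source) tuples for sshd auth lines.

    Syslog timestamps carry no year, so the caller supplies one (assumption).
    Lines that are not sshd authentication events are skipped.
    """
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["host"], m["result"], m["user"], m["src"]))
    return events


def review(lines, fail_threshold=5, window_seconds=300, success_min_failures=3):
    """Walk the events in order and return a list of (finding, source, host, detail)."""
    findings = []
    recent_failures = defaultdict(list)   # source -> timestamps of failures in the window
    for ts, host, result, user, src in parse(lines):
        if result == "Failed":
            window = [t for t in recent_failures[src]
                      if (ts - t).total_seconds() <= window_seconds]
            window.append(ts)
            recent_failures[src] = window
            if len(window) == fail_threshold:   # report once, when the threshold is crossed
                findings.append(("BRUTE_FORCE", src, host,
                                 f"{fail_threshold} failures within {window_seconds}s"))
        elif len(recent_failures[src]) >= success_min_failures:
            findings.append(("SUCCESS_AFTER_FAILURES", src, host,
                             f"{user} accepted after {len(recent_failures[src])} failures"))
    return findings


if __name__ == "__main__":
    for finding in review(SAMPLE_LOG.splitlines()):
        print(*finding)
```

The `success_min_failures` floor keeps an ordinary user who mistyped a password once (alice in the sample) out of the report, while the five-failure burst followed by an accepted root login from the same source is exactly what a daily review should escalate. In practice the same routine would be run over the previous day's log file rather than the embedded sample.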

41
Long-Term Opportunity: Develop Visualization
Tools (continued)
  • Example projects/opportunities:
    • Security situation awareness
    • Profiling users and traffic
    • Linking relationships
    • Network traffic classification
    • Intrusion detection
    • Detecting abnormalities

42
For More Information
  • Mark D. Rasch
  • Managing Director, Technology
  • FTI Consulting
  • 1201 Eye Street, NW
  • Washington, D.C. 20005
  • (301) 547-6925 tel
  • (240) 209-5344 fax
  • Mark.Rasch_at_FTIConsulting.com