A Blueprint for Handling Sensitive Data: Security, Privacy, and Other Considerations

About This Presentation

Title:

A Blueprint for Handling Sensitive Data: Security, Privacy, and Other Considerations

Description:

Title: Slide 1 Author: Rodney Petersen Last modified by: Valerie Vogel Created Date: 6/24/2005 3:39:49 PM Document presentation format: Letter Paper (8.5x11 in) – PowerPoint PPT presentation

Number of Views:445

Avg rating:3.0/5.0

Slides: 79

Provided by: rodneyp3

Learn more at: https://www.educause.edu

Category:

more less

Transcript and Presenter's Notes

Title: A Blueprint for Handling Sensitive Data: Security, Privacy, and Other Considerations

1
A Blueprint for Handling Sensitive Data
Security, Privacy, and Other Considerations

H. Morrow Long Krizi Trivisani
Director, Information Security Chief Security
Officer
Yale University The George Washington
University
EDUCAUSE Seminar Series
Los Angeles, California

2
Introductions

Ice-breaker BINGO!!
5 minutes
First 10 people to get BINGO win a prize!
Introductions
Name
Title or Functional Description of Duties
Organizational Affiliation
What do you want to get out of this session?

3
Overview to Seminar

Information security risks at colleges and
universities present challenging legal, policy,
technical, and operational issues.
Security incidents have resulted in compromises
of personal information which have led to bad
publicity and the potential for identity theft.
Risks to information security at colleges and
universities continue to persist and necessitate
that individuals at all levels of the institution
become engaged to prevent further data breaches
from occurring.
This seminar will outline a blueprint for
protecting sensitive data according to the
EDUCAUSE/Internet2 Security Task Force.

4
Seminar Goals

At the end of this session
You should feel comfortable discussing common
cybersecurity threats plaguing higher education
and computer users in general.
You will have a list of key strategies to follow
for stopping the leakage of confidential/sensitive
data.
You will be introduced to several security
resources and best practices to help you apply
the key strategies.

5
Todays Roadmap

Foundations of Cybersecurity in Higher Ed
The Blueprint
Creating a Security Risk-Aware Culture
Defining Institutional Data Types
Clarify Responsibilities and Accountability
Reducing Access to Data Not Absolutely Essential
Establishing and Implementing Stricter Controls
Providing Awareness and Training
Verifying Compliance
Putting it All Together Moving from Planning to
Action

6
Higher Ed IT Environments

Technology Environment
Distributed computing and wide range of hardware
and software from outdated to state-of-the-art
Increasing demands for distributed computing,
distance learning and mobile/wireless
capabilities which create unique security
challenges
Leadership Environment
Reactive rather than proactive
Lack of clearly defined goals (what do we need to
protect and why)
Academic Culture
Persistent belief that security academic
freedom are antithetical
Tolerance, experimentation, and anonymity highly
valued

7
Higher Ed IT Environments

Current Status The information security
environment has become increasingly more
dangerous. News accounts have reported Higher
Education institutions involved in dozens of
incidents of compromised confidential information
over the past year. The cost of notifying and
offering assistance to those individuals who have
had their privacy information compromised can run
into the hundreds of thousands of dollars for
each incident. Increased regulatory requirements
also make it imperative that the University be
able to show a level of due diligence in the
protection of its systems and confidential data.
Why is this in quotes?

8
Goals of Cybersecurity

Confidentiality - information requires protection
from unauthorized use or disclosure.
Integrity - information must be protected from
unauthorized, unanticipated, or unintentional
modification.
Availability - computers, systems, networks, and
information must be available on a timely basis
to meet mission requirements or to avoid
substantial losses.

9
Security Processes

Deter
Prevent
Detect
React
Adapt
Burton Group A Systematic, Comprehensive
Approach to Information Security (Feb. 2005)

10
Security ImplementationRelies On
Systems must be built to technically adhere to
policy
Policies must be developed, communicated,
maintained and enforced
Process
Technology
People
Processes must be developed that show how
policies will be implemented
People must understand their responsibilities
regarding policy
11
Framing the Problem

Discussion Breaches in Higher Education
How did they occur?
Who was impacted?
How much did it cost?
Are there themes?
Whats changed?

12
The Blueprint

Confidential Data Handling Blueprint
Purpose
To provide a list of key strategies to follow for
stopping the leakage of confidential/sensitive
data.
To provide a toolkit that constructs resources
pertaining to confidential/sensitive data
handling.
https//wiki.internet2.edu/confluence/display/secg
uide/ConfidentialDataHandlingBlueprint

13
The Blueprint

Confidential Data Handling Blueprint
Introduction
Steps and ensuing sub-items are intended to
provide a general roadmap
Institutions will be at varying stages of
progress
Organized in a sequence that allows you to
logically follow through each step
Each item is recommended as an effective
practice state/local legal requirements,
institutional policy, or campus culture might
leave each institution approaching this
differently

14
Step 1

Create a security risk-aware culture that
includes an information security risk management
program
Sub-steps
1.1 Institution-wide security risk management
program
1.2 Roles and responsibilities defined for
overall information security at the central and
distributed level
1.3 Executive leadership support in the form of
policies and governance actions

15
Why Do We Care?

HIPAA
FERPA
GLBA
Sarbanes Oxley Act
Grant requirements
Compliance
Other local state and federal regulations

16
Risk Management

Risk Threats x Vulnerabilities x Impact

17
Threat

An adversary that is motivated to exploit a
system vulnerability and is capable of doing so
National Research Council CSTB Report
Cybersecurity Today and Tomorrow Pay Now or Pay
Later (2002)

18
Examples of Threats

Hackers
Insiders
Script Kiddies
Criminal Organizations
Terrorists
Enemy Nation States

19
Vulnerability

An error or a weaknessin the design,
implementation, or operation of a system.
National Research Council CSTB Report
Cybersecurity Today and Tomorrow Pay Now or
Pay Later (2002)

20
Examples of Vulnerabilities

Networks wired and wireless
Operating Systems especially Windows
Hosts and Systems
Malicious Code and Viruses
People
Processes
Physical Environments

21
Impact

Refers to the likelihood that a vulnerability
will be exploited or that a threat may become
harmful.
National Research Council CSTB Report
Cybersecurity Today and Tomorrow Pay Now or Pay
Later (2002)

22
Examples of Impact

Strategic Consequences
Financial Consequences
Legal Consequences
Operational Consequences
Reputational Consequences
Qayoumi, Mohammad H. Mission Continuity
Planning Strategically Assessing and Planning
for Threats to Operations, NACUBO (2002).

23
Risk Management

Risk Threats x Vulnerabilities x Impact

24
Handling Risks

Risk Assumption
Risk Control
Risk Mitigation
Risk Avoidance
Qayoumi, Mohammad H. Mission Continuity
Planning Strategically Assessing and Planning
for Threats to Operations, NACUBO (2002).

25
What Defines Culture?

Strategic Planning and Decision-Making
Examples
Top-down
Bottom-up
Consensus-based
Institutional Values
Examples
Student honor code
Strong faculty influence
Emphasis on accountability at all levels of
institution
High bond rating

26
What Defines Culture?

Control of Operational Functions
Examples
Centralized
Decentralized
Long-term Institutional Priorities
Examples
Increase research
Increase community outreach
Other influences on culture?

27
Ideas For Using Culture
Decentralized Control Over Computing
Formalize and leverage network of departmental
system administrators
How? Some Examples University of Virginia LSP
Program http//www.itc.virginia.edu/dcs/lsp Georg
e Mason University SALT Group http//itu.gmu.edu/
security/sysadmin/salt-description.html
28
Ideas For Using Culture
Increasing Emphasis on Compliance
Spotlight Federal Regulations Related to Security
Privacy
How? Some Examples IT Security for Higher
Education A Legal Perspective http//www.educaus
e.edu/ir/library/pdf/csd2746.pdf Family
Educational Rights Privacy Act http//www.ed.gov
/policy/gen/guid/fpcp/ferpa/index.html Gramm
Leach Bliley Act http//www.ftc.gov/privacy/glbact
/index.html Health Insurance Portability
Accountability Act http//www.hhs.gov/ocr.hipaa
29
Ideas For Using Culture
Strong Leadership at the Top
Make Executive-level Awareness a Top Priority
How? ACE Letter to Presidents Regarding
Cybersecurity http//www.acenet.edu/washington/let
ters/2003/03march/cyber.cfm Information Security
A Difficult Balance http//www.educause.edu/pub/er
/erm04/erm0456.asp Gaining the Presidents
Support for IT Initiatives at Small
Colleges http//www.educause.edu/apps/eq/eqm04/eqm
0417.asp Presidential Leadership for Information
Technology http//www.educause.edu/ir/library/pdf/
erm0332.pdf
30
Morning Break

Break 1015 AM
Return 1030 AM

31
Step 2

Define institutional data types
Sub-steps
2.1 Compliance with applicable federal and state
laws and regulations - as well as contractual
obligations - related to privacy and security of
data held by the institution (also consider
applicable international laws)
2.2 Data classification schema developed with
input from legal counsel and data stewards
2.3 Data classification schema assigned to
institutional data to the extent possible or
necessary

32
Institutional Data Types

Discussion
Do you have a data classification schema?
Do you have a policy?
Why is this step important?

33
Data Classification Policy

Provides the framework necessary to identify and
classify data in order to assess risk and
implement an appropriate level of security
protection based on categorization.
Provides the framework necessary to comply with
legislation, regulations, and internal policies
that govern the protection of data
Provides the framework necessary to facilitate
and make the Incident Response process more
efficient. The level in which the data is
classified determines the level of response.

34
Data Classification Policy Objectives

Communicates data categories to the University
community and provides examples of how data
should be classified
Communications the high level requirements
necessary to protect data based on category
Communicates the roles and responsibilities of
various members of the University community and
external associates as it relates to GW owned
data

35
Data Classification at GW
Privacy Levels
Operations Levels
Confidential
Official
Public
Highest Security Highest Operations
Enterprise System
2
2
1
1
Department Server
3
2
Lowest Security Lowest Operations
2
Desktop/ Laptop
3
4
Note, numbers in boxes suggest the priority
levels for mitigating risks.
36
Step 3

Clarify responsibilities and accountability for
safeguarding confidential/sensitive data
Sub-steps
3.1 Data stewardship roles and responsibilities
3.2 Legally binding third party agreements that
assign responsibility for secure data handling

37
Example University of North Carolina

Data Trustee Data trustees are senior University
officials (or their designees) who have planning
and policy-level responsibility for data within
their functional areas and management
responsibilities for defined segments of
institutional data. Responsibilities include
assigning data stewards, participating in
establishing policies, and promoting data
resource management for the good of the entire
University.
Data Steward Data stewards are University
officials having direct operational-level
responsibility for information management
usually department directors. Data stewards are
responsible for data access and policy
implementation issues.
Data Custodian Information Technology Services
is the data custodian. The custodian is
responsible for providing a secure infrastructure
in support of the data, including, but not
limited to, providing physical security, backup
and recovery processes, granting access
privileges to system users as authorized by data
trustees or their designees (usually the data
stewards), and implementing and administering
controls over the information.
Data User Data users are individuals who need
and use University data as part of their assigned
duties or in fulfillment of assigned roles or
functions within the University community.
Individuals who are given access to sensitive
data have a position of special trust and as such
are responsible for protecting the security and
integrity of those data.
http//its.uncg.edu/Policy_Manual/Data/

38
Step 4

Reduce access to confidential/sensitive data not
absolutely essential to institutional processes
Sub-steps
4.1 Data collection processes (including forms)
should request only the minimum necessary
confidential/sensitive information
4.2 Application outputs (e.g., queries, hard copy
reports, etc.) should provide only the minimum
necessary confidential/sensitive information
4.3 Inventory and review access to existing
confidential/sensitive data on servers, desktops,
and mobile devices

39
Step 4 continued

Reduce access to confidential/sensitive data not
absolutely essential to institutional processes
Sub-steps continued
4.4 Eliminate unnecessary confidential/sensitive
data on servers, desktops, and mobile devices
4.5 Eliminate dependence on SSNs as primary
identifiers and as a form of authentication
Note SSNs may need to be used for certain
things (e.g., student employees, student
financial aid, etc.) and we recommend that
schools limit the use of SSNs to necessary
processes only.

40
Elimination of SSNs

Federal and state law requires the collection of
your Social Security number (SSN) for certain
purposes (for example, IRS reporting forms).
However, widespread use of an individual's SSN is
a major privacy concern. With incidents of
identity theft increasing, steps to secure an
individual's SSN become more important.
A large number of colleges and universities use
SSNs as primary identifiers for faculty, staff,
and students, which exposes institutions to risk
because of changing legal and security
environments. Therefore, many institutions are
planning for the migration away from SSN use as a
primary identifier. Undertaking such a task
raises issues, challenges, and opportunities for
any institution.
EDUCAUSE has identified links concerning the
elimination of SSNs as primary identifiers that
may be useful to the higher education community.
http//www.educause.edu/Browse/645?PARENT_ID701

41
Lunch

Break 12PM
Return 1PM

42
Step 5

Establish and implement stricter controls for
safeguarding confidential/sensitive data
Sub-steps
5.1 Inventory and review/remediate security of
devices
5.2 Configuration standards for applications,
servers, desktops, and mobile devices
5.3 Network level protections
5.4 Encryption strategies for data in transit and
at rest

43
Step 5 continued

Establish and implement stricter controls for
safeguarding confidential/sensitive data
Sub-steps continued
5.5 Policies regarding confidential/sensitive
data on mobile devices and home computers and for
data archival/storage
5.6 Identity management and resource provisioning
processes
5.7 Secure disposal of equipment and data
5.8 Consider background checks on individuals
handling confidential/sensitive data

44
EncryptionCollaboration

Call for help what are other universities
doing?
Privacy Committee, Compliance Committee, LSPs
Key Stakeholders
Project management
Information Security Office Technology Services
Technology Engineering OneTeam

45
GW Scoring Criteria/Selection Rationale
Vendors were evaluated on RFP requirements that
covered Whole Disk and Nice to Have
requirements
Vendor 1 Utimaco Vendor 3
Whole Disk - Authentication 38 37 35
Whole Disk - General 127 126 126
Whole Disk - Integration 58 58 54
Whole Disk - Management 44 44 44
Nice to Have 5 9 5
Total 272 274 264
Product
Evaluation Category
Recommended? X - No v
- Yes X - No
Out of a possible total weighted score of 285,
Utimaco scored the highest based on the
requirements defined in the RFP, had the lowest
price and was the only product fully compatible
with VMWare
Note Vendors were asked to respond to File and
Folder Encryption Requirements but were not
scored on them
46
GWs Encryption Pilot

Planning
Technical set-up
Central IT Group 50, Departments 50
Communicate, communicate, communicate
Pilot results
Party!

47
GW Enterprise Rollout 50,000 Foot View
Rollout Phase Description - Device Type Est Users Est Machines Estimated Timeframe
A Administrative Laptops and some Academic Dept Laptops used for Admin Purposes 1700 400 Laptops Dec 06 Feb 07
B Faculty Machines (Laptops and Desktops) FWI self-identify case by case 300 Machines1(Laptops and Desktops) 300 Machines1(Laptops and Desktops) May 07 May 10 (3 year FWI attrition cycle)
C Administrative Desktops some Academic Dept Desktops used for Admin Purposes TBD TBD June 07 Dec 07
D Other Devices (External Hard Drives, Thumb Drives, etc) TBD TBD TBD
1 Note This assumes a 3 year plan FWI machine
replacement plan for most faculty, except those
that self identify to adopt Safeguard Easy on an
existing machine
48
Encryption Lessons Learned?

References provided invaluable advice
Project management support crucial
Flexibility required
Know your culture
Integrate with security philosophy and
architecture
Establish generic policy and add
guidelines/procedures as process matures
Communication and partnerships were critical
success factors

49
Step 5 continued

Establish and implement stricter controls for
safeguarding confidential/sensitive data
Sub-steps continued
5.5 Policies regarding confidential/sensitive
data on mobile devices and home computers and for
data archival/storage
5.6 Identity management and resource provisioning
processes
5.7 Secure disposal of equipment and data
5.8 Consider background checks on individuals
handling confidential/sensitive data

50
EDUCAUSE Identity Management Resources

Recent Library Submissions (3)
CIC Identity Management Conference Session
Federated Identity Management and Sharing
Resources (2007) by Jim Phelps, IT Architect in
Academia
Identity Management Conference Report (2007)by
Committee on Institutional Cooperation
A Report on the Identity Management Summit (2007)
by Norma Holland, Ann West and Steve Worona,
EDUCAUSE
Most Popular Library Content (3)
Top-Ten IT Issues, 2006 (2006) by Barbara I.
Dewey, Peter B. DeBlois, and the 2006 EDUCAUSE
Current Issues Committee, EDUCAUSE
Safeguarding the Tower IT Security in Higher
Education 2006 (2006) by Robert B. Kvavik, with
John Voloudakis, ECAR
Identity Management in Higher Education A
Baseline Study (2006) by Ronald Yanosky, with
Gail Salaway, ECAR
http//www.educause.edu/Browse/645?PARENT_ID679

51
Step 6

Provide awareness and training
Sub-steps
6.1 Make confidential/sensitive data handlers
aware of privacy and security requirements
6.2 Require acknowledgement by data users of
their responsibility for safeguarding such data
6.3 Enhance general privacy and security
awareness programs to specifically address
safeguarding confidential/sensitive data
6.4 Collaboration mechanisms such as e-mail have
strengths and limitations in terms of access
control, which must be clearly communicated and
understood so that the data will be safe-guarded

52
Awareness and Training

Goal
To increase the awareness of the associated
risks of computer and network use and the
corresponding responsibilities of higher
education executives and end-users of technology
(faculty, staff, and students), and to further
the professional development of information
technology staff.
Programs
Outreach to Higher Ed Associations and Beyond
Annual Security Professionals Conference
Education Awareness Working Group
Initiatives
Leadership Book on Computer Network Security
for Higher Ed
National Cyber Security Awareness Month
Cybersecurity Awareness Resources
Executive Awareness, Student Awareness,
Training of IT Staff

53
What is Security Awareness?
Security awareness is knowledge of potential
threats. It is the advantage of knowing what
types of security issues and incidents members of
our organization may face in the day-to-day
routine of their University functions.
Technology alone cannot provide adequate
information security. People, awareness and
personal responsibility are critical to the
success of any information security program.
54
Why is Awareness Important?

55
When I Go To U.Va.
http//www.itc.virginia.edu/pubs/docs/RespComp/vid
eos/when-I-go-to-UVA-lg.mov
56
Who is your Audience?

Faculty
Staff
Students
Parents
Contractors
Visitors
Community/industry partners - outreach

57
Step 7

Verify compliance routinely with your policies
and procedures
Sub-steps
7.1 Routinely test network-connected devices and
services for weaknesses in operating systems,
applications, and encryption
7.2 Routinely scan servers, desktops, mobile
devices, and networks containing
confidential/sensitive data to verify compliance
7.3 Routinely audit access privileges
7.4 Procurement procedures and contract language
to ensure proper data handling is maintained

58
Step 7 continued

Verify compliance routinely with your policies
and procedures
Sub-steps continued
7.5 System development methodologies that prevent
new data handling problems from being introduced
into the environment
7.6 Utilize audit function within the institution
to verify compliance
7.7 Incident response policies and procedures
7.8 Conduct regular meetings with stakeholders
such as data stewards, legal counsel, compliance
officers, public safety, public relations, and IT
groups to review institutional risk and
compliance and to revise existing policies and
procedures as needed

59
GW Security Tool Kit

To provide departments managing systems outside
of the GW Data Center with standard guidelines
and procedures
Policies
Systems Checklist - Departmental Servers and
Enterprise Systems - an inventory of the systems,
functionality, system administration and security
settings
Best Practices for Department Server and
Enterprise System Checklist - these are the
specific security categories that were assessed
during the PWC Audit.
Server Management Best Practices - from the
Center for Internet Security There are currently
minimum security configurations for 14 types of
systems

60
GW Security Tool Kitcontinued

To provide departments managing systems outside
of the GW Data Center with standard guidelines
and procedures
Security Controls Matrix for Data Classification
- to determine security controls based on the
type of information on the system (Public,
Official Use, Confidential) and the type of
system itself (Desktop, Departmental Server,
Enterprise System).
Information Security Training and Awareness -
information about online training available to
all employees.
Resources encryption, incident response,
presentations, etc.

61
Compliance Scenario

GW conducted an audit project of 236
departmentally controlled servers for security
and PII (aka Server Information Security
Project, or SISP)
Project commissioned by EVPT and CIO
Audited configuration of computers and detection
of SSNs

62
Compliance Scenario

PII on almost 50 of servers admins thought is
was NOT on
About 75 of computers that were compromised had
completely up-to-date antivirus and/or firewalls
Security efforts focused mostly on protecting
servers as opposed to data

63
Compliance Scenario

Address problems in first pass
Include all computers with access to sensitive
data, not only known storage
Contrast locations of PII to current security
architecture
Desktops versus servers...
Integration with patch management systems?
Secure reporting
Log parsing by junior-level security staff

64
Safety Analyzer

Free tool for higher education
Sensitive Data Detection
SSNs with heuristics
Credit Card numbers with Luhn algorithm
validation
Compromise Detection
Trojan file detection
Kernel-level rootkit detection
IR-related data harvesting

65
The Blueprint

Discussion
Will you use the blueprint?
Do you have suggestions to improve it?
Do you have resources to submit?

66
Afternoon Break

Break 245 PM
Return 300 PM

67
Putting it All Together

Moving from Planning to Action!

68
Information Security Governance

If businesses, educational institutions, and
non-profit organizations are to make significant
progress securing their information assets,
executives must make information security an
integral part of core business operations. There
is no better way to accomplish this goal than to
highlight it as part of the existing internal
controls and policies that constitute corporate
governance.
Information Security Governance Report
Executive Summary

69
InfoSec Governance Self Assessment

Organizational Reliance on IT
E.g., What is the impact of major system downtime
on operations?
Risk Management
E.g., Has your organization conducted a risk
assessment and identified critical assets?
People
E.g., Is there a person or organization that has
information security as their primary duty?
Processes
E.g., Do you have official written information
security policies and procedures?
Technology
E.g., Is sensitive data encrypted?
Information Security Governance Assessment Tool
for Higher Education

70
Best Practices Metrics

Information Security Program Elements
Governance
Boards/Senior Executives/Shared Governance
Management
Directors and Managers
Technical
Central and Distributed IT Support Staff
CISWG Final Report on Best Practices Metrics

71
Governance

Oversee Risk Management and Compliance Programs
Pertaining to Information Security (e.g.,
Sarbanes-Oxley, HIPAA, Gramm-Leach-Bliley)
Approve and Adopt Broad Information Security
Program Principles and Approve Assignment of Key
Managers Responsible for Information Security
Strive to Protect the Interests of all
Stakeholders Dependent on Information Security
Review Information Security Policies Regarding
Strategic Partners and Other Third-parties
Strive to Ensure Business Continuity
Review Provisions for Internal and External
Audits of the Information Security Program
Collaborate with Management to Specify the
Information Security Metrics to be Reported to
the Board

72
Management

Establish Information Security Management
Policies and Controls and Monitor Compliance
Assign Information Security Roles,
Responsibilities, Required Skills, and Enforce
Role-based Information Access Privileges
Assess Information Risks, Establish Risk
Thresholds and Actively Manage Risk Mitigation
Ensure Implementation of Information Security
Requirements for Strategic Partners and Other
Third-parties
Identify and Classify Information Assets
Implement and Test Business Continuity Plans
Approve Information Systems Architecture during
Acquisition, Development, Operations, and
Maintenance
Protect the Physical Environment
Ensure Internal and External Audits of the
Information Security Program with Timely
Follow-up
Collaborate with Security Staff to Specify the
Information Security Metrics to be Reported to
Management

73
Technical

User Identification and Authentication
User Account Management
User Privileges
Configuration Management
Event and Activity Logging and Monitoring
Communications, Email, and Remote Access Security
Malicious Code Protection, Including Viruses,
Worms, and Trojans
Software Change Management, including Patching
Firewalls
Data Encryption
Backup and Recovery
Incident and Vulnerability Detection and Response
Collaborate with Management to Specify the
Technical Metrics to be Reported to Management