Title: A Blueprint for Handling Sensitive Data: Security, Privacy, and Other Considerations
1. A Blueprint for Handling Sensitive Data
Security, Privacy, and Other Considerations
- H. Morrow Long, Director, Information Security, Yale University
- Krizi Trivisani, Chief Security Officer, The George Washington University
- EDUCAUSE Seminar Series
- Los Angeles, California
2. Introductions
- Ice-breaker BINGO!!
- 5 minutes
- First 10 people to get BINGO win a prize!
- Introductions
- Name
- Title or Functional Description of Duties
- Organizational Affiliation
- What do you want to get out of this session?
3. Overview to Seminar
- Information security risks at colleges and universities present challenging legal, policy, technical, and operational issues.
- Security incidents have resulted in compromises of personal information which have led to bad publicity and the potential for identity theft.
- Risks to information security at colleges and universities continue to persist and necessitate that individuals at all levels of the institution become engaged to prevent further data breaches from occurring.
- This seminar will outline a blueprint for protecting sensitive data according to the EDUCAUSE/Internet2 Security Task Force.
4. Seminar Goals
- At the end of this session:
- You should feel comfortable discussing common cybersecurity threats plaguing higher education and computer users in general.
- You will have a list of key strategies to follow for stopping the leakage of confidential/sensitive data.
- You will be introduced to several security resources and best practices to help you apply the key strategies.
5. Today's Roadmap
- Foundations of Cybersecurity in Higher Ed
- The Blueprint
- Creating a Security Risk-Aware Culture
- Defining Institutional Data Types
- Clarify Responsibilities and Accountability
- Reducing Access to Data Not Absolutely Essential
- Establishing and Implementing Stricter Controls
- Providing Awareness and Training
- Verifying Compliance
- Putting it All Together: Moving from Planning to Action
6. Higher Ed IT Environments
- Technology Environment
- Distributed computing and wide range of hardware and software from outdated to state-of-the-art
- Increasing demands for distributed computing, distance learning and mobile/wireless capabilities which create unique security challenges
- Leadership Environment
- Reactive rather than proactive
- Lack of clearly defined goals (what do we need to protect and why)
- Academic Culture
- Persistent belief that security and academic freedom are antithetical
- Tolerance, experimentation, and anonymity highly valued
7. Higher Ed IT Environments
- Current Status: "The information security environment has become increasingly more dangerous. News accounts have reported Higher Education institutions involved in dozens of incidents of compromised confidential information over the past year. The cost of notifying and offering assistance to those individuals who have had their privacy information compromised can run into the hundreds of thousands of dollars for each incident. Increased regulatory requirements also make it imperative that the University be able to show a level of due diligence in the protection of its systems and confidential data."
- Why is this in quotes?
8. Goals of Cybersecurity
- Confidentiality - information requires protection from unauthorized use or disclosure.
- Integrity - information must be protected from unauthorized, unanticipated, or unintentional modification.
- Availability - computers, systems, networks, and information must be available on a timely basis to meet mission requirements or to avoid substantial losses.
9. Security Processes
- Deter
- Prevent
- Detect
- React
- Adapt
- Burton Group, A Systematic, Comprehensive Approach to Information Security (Feb. 2005)
10. Security Implementation Relies On
- Policies must be developed, communicated, maintained and enforced
- Process: Processes must be developed that show how policies will be implemented
- Technology: Systems must be built to technically adhere to policy
- People: People must understand their responsibilities regarding policy
11. Framing the Problem
- Discussion: Breaches in Higher Education
- How did they occur?
- Who was impacted?
- How much did it cost?
- Are there themes?
- What's changed?
12. The Blueprint
- Confidential Data Handling Blueprint
- Purpose
- To provide a list of key strategies to follow for stopping the leakage of confidential/sensitive data.
- To provide a toolkit that constructs resources pertaining to confidential/sensitive data handling.
- https://wiki.internet2.edu/confluence/display/secguide/ConfidentialDataHandlingBlueprint
13. The Blueprint
- Confidential Data Handling Blueprint
- Introduction
- Steps and ensuing sub-items are intended to provide a general roadmap
- Institutions will be at varying stages of progress
- Organized in a sequence that allows you to logically follow through each step
- Each item is recommended as an effective practice; state/local legal requirements, institutional policy, or campus culture might leave each institution approaching this differently
14. Step 1
- Create a security risk-aware culture that includes an information security risk management program
- Sub-steps
- 1.1 Institution-wide security risk management program
- 1.2 Roles and responsibilities defined for overall information security at the central and distributed level
- 1.3 Executive leadership support in the form of policies and governance actions
15. Why Do We Care?
- HIPAA
- FERPA
- GLBA
- Sarbanes Oxley Act
- Grant requirements
- Compliance
- Other local, state and federal regulations
16. Risk Management
- Risk = Threats x Vulnerabilities x Impact
17. Threat
- An adversary that is motivated to exploit a system vulnerability and is capable of doing so
- National Research Council CSTB Report: Cybersecurity Today and Tomorrow: Pay Now or Pay Later (2002)
18. Examples of Threats
- Hackers
- Insiders
- Script Kiddies
- Criminal Organizations
- Terrorists
- Enemy Nation States
19. Vulnerability
- An error or a weakness in the design, implementation, or operation of a system.
- National Research Council CSTB Report: Cybersecurity Today and Tomorrow: Pay Now or Pay Later (2002)
20. Examples of Vulnerabilities
- Networks, wired and wireless
- Operating Systems, especially Windows
- Hosts and Systems
- Malicious Code and Viruses
- People
- Processes
- Physical Environments
21. Impact
- Refers to the likelihood that a vulnerability will be exploited or that a threat may become harmful.
- National Research Council CSTB Report: Cybersecurity Today and Tomorrow: Pay Now or Pay Later (2002)
22. Examples of Impact
- Strategic Consequences
- Financial Consequences
- Legal Consequences
- Operational Consequences
- Reputational Consequences
- Qayoumi, Mohammad H. Mission Continuity Planning: Strategically Assessing and Planning for Threats to Operations, NACUBO (2002).
23. Risk Management
- Risk = Threats x Vulnerabilities x Impact
24. Handling Risks
- Risk Assumption
- Risk Control
- Risk Mitigation
- Risk Avoidance
- Qayoumi, Mohammad H. Mission Continuity Planning: Strategically Assessing and Planning for Threats to Operations, NACUBO (2002).
25. What Defines Culture?
- Strategic Planning and Decision-Making
- Examples
- Top-down
- Bottom-up
- Consensus-based
- Institutional Values
- Examples
- Student honor code
- Strong faculty influence
- Emphasis on accountability at all levels of institution
- High bond rating
26. What Defines Culture?
- Control of Operational Functions
- Examples
- Centralized
- Decentralized
- Long-term Institutional Priorities
- Examples
- Increase research
- Increase community outreach
- Other influences on culture?
27. Ideas For Using Culture
Decentralized Control Over Computing
Formalize and leverage network of departmental system administrators
How? Some Examples:
- University of Virginia LSP Program
- http://www.itc.virginia.edu/dcs/lsp
- George Mason University SALT Group
- http://itu.gmu.edu/security/sysadmin/salt-description.html
28. Ideas For Using Culture
Increasing Emphasis on Compliance
Spotlight Federal Regulations Related to Security and Privacy
How? Some Examples:
- IT Security for Higher Education: A Legal Perspective
- http://www.educause.edu/ir/library/pdf/csd2746.pdf
- Family Educational Rights and Privacy Act
- http://www.ed.gov/policy/gen/guid/fpcp/ferpa/index.html
- Gramm Leach Bliley Act
- http://www.ftc.gov/privacy/glbact/index.html
- Health Insurance Portability and Accountability Act
- http://www.hhs.gov/ocr.hipaa
29. Ideas For Using Culture
Strong Leadership at the Top
Make Executive-level Awareness a Top Priority
How?
- ACE Letter to Presidents Regarding Cybersecurity
- http://www.acenet.edu/washington/letters/2003/03march/cyber.cfm
- Information Security: A Difficult Balance
- http://www.educause.edu/pub/er/erm04/erm0456.asp
- Gaining the President's Support for IT Initiatives at Small Colleges
- http://www.educause.edu/apps/eq/eqm04/eqm0417.asp
- Presidential Leadership for Information Technology
- http://www.educause.edu/ir/library/pdf/erm0332.pdf
30. Morning Break
- Break: 10:15 AM
- Return: 10:30 AM
31. Step 2
- Define institutional data types
- Sub-steps
- 2.1 Compliance with applicable federal and state laws and regulations - as well as contractual obligations - related to privacy and security of data held by the institution (also consider applicable international laws)
- 2.2 Data classification schema developed with input from legal counsel and data stewards
- 2.3 Data classification schema assigned to institutional data to the extent possible or necessary
32. Institutional Data Types
- Discussion
- Do you have a data classification schema?
- Do you have a policy?
- Why is this step important?
33. Data Classification Policy
- Provides the framework necessary to identify and classify data in order to assess risk and implement an appropriate level of security protection based on categorization.
- Provides the framework necessary to comply with legislation, regulations, and internal policies that govern the protection of data
- Provides the framework necessary to facilitate and make the Incident Response process more efficient. The level in which the data is classified determines the level of response.
34. Data Classification Policy Objectives
- Communicates data categories to the University community and provides examples of how data should be classified
- Communicates the high level requirements necessary to protect data based on category
- Communicates the roles and responsibilities of various members of the University community and external associates as it relates to GW owned data
35. Data Classification at GW
[Figure: matrix of Privacy Levels (Confidential, Official, Public) against Operations Levels (Enterprise System, Department Server, Desktop/Laptop), running from Highest Security/Highest Operations to Lowest Security/Lowest Operations; each box holds a number from 1 to 4.]
Note: numbers in boxes suggest the priority levels for mitigating risks.
36. Step 3
- Clarify responsibilities and accountability for safeguarding confidential/sensitive data
- Sub-steps
- 3.1 Data stewardship roles and responsibilities
- 3.2 Legally binding third party agreements that assign responsibility for secure data handling
37. Example: University of North Carolina
- Data Trustee: Data trustees are senior University officials (or their designees) who have planning and policy-level responsibility for data within their functional areas and management responsibilities for defined segments of institutional data. Responsibilities include assigning data stewards, participating in establishing policies, and promoting data resource management for the good of the entire University.
- Data Steward: Data stewards are University officials having direct operational-level responsibility for information management, usually department directors. Data stewards are responsible for data access and policy implementation issues.
- Data Custodian: Information Technology Services is the data custodian. The custodian is responsible for providing a secure infrastructure in support of the data, including, but not limited to, providing physical security, backup and recovery processes, granting access privileges to system users as authorized by data trustees or their designees (usually the data stewards), and implementing and administering controls over the information.
- Data User: Data users are individuals who need and use University data as part of their assigned duties or in fulfillment of assigned roles or functions within the University community. Individuals who are given access to sensitive data have a position of special trust and as such are responsible for protecting the security and integrity of those data.
- http://its.uncg.edu/Policy_Manual/Data/
38. Step 4
- Reduce access to confidential/sensitive data not absolutely essential to institutional processes
- Sub-steps
- 4.1 Data collection processes (including forms) should request only the minimum necessary confidential/sensitive information
- 4.2 Application outputs (e.g., queries, hard copy reports, etc.) should provide only the minimum necessary confidential/sensitive information
- 4.3 Inventory and review access to existing confidential/sensitive data on servers, desktops, and mobile devices
39. Step 4 continued
- Reduce access to confidential/sensitive data not absolutely essential to institutional processes
- Sub-steps continued
- 4.4 Eliminate unnecessary confidential/sensitive data on servers, desktops, and mobile devices
- 4.5 Eliminate dependence on SSNs as primary identifiers and as a form of authentication
- Note: SSNs may need to be used for certain things (e.g., student employees, student financial aid, etc.) and we recommend that schools limit the use of SSNs to necessary processes only.
40. Elimination of SSNs
- Federal and state law requires the collection of your Social Security number (SSN) for certain purposes (for example, IRS reporting forms). However, widespread use of an individual's SSN is a major privacy concern. With incidents of identity theft increasing, steps to secure an individual's SSN become more important.
- A large number of colleges and universities use SSNs as primary identifiers for faculty, staff, and students, which exposes institutions to risk because of changing legal and security environments. Therefore, many institutions are planning for the migration away from SSN use as a primary identifier. Undertaking such a task raises issues, challenges, and opportunities for any institution.
- EDUCAUSE has identified links concerning the elimination of SSNs as primary identifiers that may be useful to the higher education community.
- http://www.educause.edu/Browse/645?PARENT_ID701
41. Lunch
42. Step 5
- Establish and implement stricter controls for safeguarding confidential/sensitive data
- Sub-steps
- 5.1 Inventory and review/remediate security of devices
- 5.2 Configuration standards for applications, servers, desktops, and mobile devices
- 5.3 Network level protections
- 5.4 Encryption strategies for data in transit and at rest
43. Step 5 continued
- Establish and implement stricter controls for safeguarding confidential/sensitive data
- Sub-steps continued
- 5.5 Policies regarding confidential/sensitive data on mobile devices and home computers and for data archival/storage
- 5.6 Identity management and resource provisioning processes
- 5.7 Secure disposal of equipment and data
- 5.8 Consider background checks on individuals handling confidential/sensitive data
44. Encryption Collaboration
- Call for help: what are other universities doing?
- Privacy Committee, Compliance Committee, LSPs
- Key Stakeholders
- Project management
- Information Security Office Technology Services
Technology Engineering OneTeam
45. GW Scoring Criteria/Selection Rationale
Vendors were evaluated on RFP requirements that covered Whole Disk and Nice to Have requirements
Evaluation Category / Product   Vendor 1   Utimaco   Vendor 3
Whole Disk - Authentication     38         37        35
Whole Disk - General            127        126       126
Whole Disk - Integration        58         58        54
Whole Disk - Management         44         44        44
Nice to Have                    5          9         5
Total                           272        274       264
Recommended?                    X - No     ✓ - Yes   X - No
Out of a possible total weighted score of 285, Utimaco scored the highest based on the requirements defined in the RFP, had the lowest price and was the only product fully compatible with VMWare
Note: Vendors were asked to respond to File and Folder Encryption Requirements but were not scored on them
46. GW's Encryption Pilot
- Planning
- Technical set-up
- Central IT Group 50, Departments 50
- Communicate, communicate, communicate
- Pilot results
- Party!
47. GW Enterprise Rollout: 50,000 Foot View
Rollout Phase | Description - Device Type | Est Users | Est Machines | Estimated Timeframe
A | Administrative Laptops and some Academic Dept Laptops used for Admin Purposes | 1700 | 400 Laptops | Dec 06 - Feb 07
B | Faculty Machines (Laptops and Desktops), FWI self-identify case by case | 300 Machines [1] (Laptops and Desktops) | 300 Machines [1] (Laptops and Desktops) | May 07 - May 10 (3 year FWI attrition cycle)
C | Administrative Desktops and some Academic Dept Desktops used for Admin Purposes | TBD | TBD | June 07 - Dec 07
D | Other Devices (External Hard Drives, Thumb Drives, etc) | TBD | TBD | TBD
[1] Note: This assumes a 3 year FWI machine replacement plan for most faculty, except those that self identify to adopt Safeguard Easy on an existing machine
48. Encryption Lessons Learned?
- References provided invaluable advice
- Project management support crucial
- Flexibility required
- Know your culture
- Integrate with security philosophy and architecture
- Establish generic policy and add guidelines/procedures as process matures
- Communication and partnerships were critical success factors
49. Step 5 continued
- Establish and implement stricter controls for safeguarding confidential/sensitive data
- Sub-steps continued
- 5.5 Policies regarding confidential/sensitive data on mobile devices and home computers and for data archival/storage
- 5.6 Identity management and resource provisioning processes
- 5.7 Secure disposal of equipment and data
- 5.8 Consider background checks on individuals handling confidential/sensitive data
50. EDUCAUSE Identity Management Resources
- Recent Library Submissions (3)
- CIC Identity Management Conference Session: Federated Identity Management and Sharing Resources (2007) by Jim Phelps, IT Architect in Academia
- Identity Management Conference Report (2007) by Committee on Institutional Cooperation
- A Report on the Identity Management Summit (2007) by Norma Holland, Ann West and Steve Worona, EDUCAUSE
- Most Popular Library Content (3)
- Top-Ten IT Issues, 2006 (2006) by Barbara I. Dewey, Peter B. DeBlois, and the 2006 EDUCAUSE Current Issues Committee, EDUCAUSE
- Safeguarding the Tower: IT Security in Higher Education 2006 (2006) by Robert B. Kvavik, with John Voloudakis, ECAR
- Identity Management in Higher Education: A Baseline Study (2006) by Ronald Yanosky, with Gail Salaway, ECAR
- http://www.educause.edu/Browse/645?PARENT_ID679
51. Step 6
- Provide awareness and training
- Sub-steps
- 6.1 Make confidential/sensitive data handlers aware of privacy and security requirements
- 6.2 Require acknowledgement by data users of their responsibility for safeguarding such data
- 6.3 Enhance general privacy and security awareness programs to specifically address safeguarding confidential/sensitive data
- 6.4 Collaboration mechanisms such as e-mail have strengths and limitations in terms of access control, which must be clearly communicated and understood so that the data will be safeguarded
52. Awareness and Training
- Goal
- To increase the awareness of the associated risks of computer and network use and the corresponding responsibilities of higher education executives and end-users of technology (faculty, staff, and students), and to further the professional development of information technology staff.
- Programs
- Outreach to Higher Ed Associations and Beyond
- Annual Security Professionals Conference
- Education and Awareness Working Group
- Initiatives
- Leadership Book on Computer and Network Security for Higher Ed
- National Cyber Security Awareness Month
- Cybersecurity Awareness Resources
- Executive Awareness, Student Awareness, Training of IT Staff
53. What is Security Awareness?
Security awareness is knowledge of potential
threats. It is the advantage of knowing what
types of security issues and incidents members of
our organization may face in the day-to-day
routine of their University functions.
Technology alone cannot provide adequate
information security. People, awareness and
personal responsibility are critical to the
success of any information security program.
54. Why is Awareness Important?
55. When I Go To U.Va.
http://www.itc.virginia.edu/pubs/docs/RespComp/videos/when-I-go-to-UVA-lg.mov
56. Who is your Audience?
- Faculty
- Staff
- Students
- Parents
- Contractors
- Visitors
- Community/industry partners - outreach
57. Step 7
- Verify compliance routinely with your policies and procedures
- Sub-steps
- 7.1 Routinely test network-connected devices and services for weaknesses in operating systems, applications, and encryption
- 7.2 Routinely scan servers, desktops, mobile devices, and networks containing confidential/sensitive data to verify compliance
- 7.3 Routinely audit access privileges
- 7.4 Procurement procedures and contract language to ensure proper data handling is maintained
58. Step 7 continued
- Verify compliance routinely with your policies and procedures
- Sub-steps continued
- 7.5 System development methodologies that prevent new data handling problems from being introduced into the environment
- 7.6 Utilize audit function within the institution to verify compliance
- 7.7 Incident response policies and procedures
- 7.8 Conduct regular meetings with stakeholders such as data stewards, legal counsel, compliance officers, public safety, public relations, and IT groups to review institutional risk and compliance and to revise existing policies and procedures as needed
59. GW Security Tool Kit
- To provide departments managing systems outside of the GW Data Center with standard guidelines and procedures
- Policies
- Systems Checklist - Departmental Servers and Enterprise Systems - an inventory of the systems, functionality, system administration and security settings
- Best Practices for Department Server and Enterprise System Checklist - these are the specific security categories that were assessed during the PWC Audit.
- Server Management Best Practices - from the Center for Internet Security. There are currently minimum security configurations for 14 types of systems
60. GW Security Tool Kit continued
- To provide departments managing systems outside of the GW Data Center with standard guidelines and procedures
- Security Controls Matrix for Data Classification - to determine security controls based on the type of information on the system (Public, Official Use, Confidential) and the type of system itself (Desktop, Departmental Server, Enterprise System).
- Information Security Training and Awareness - information about online training available to all employees.
- Resources: encryption, incident response, presentations, etc.
61. Compliance Scenario
- GW conducted an audit project of 236 departmentally controlled servers for security and PII (aka Server Information Security Project, or SISP)
- Project commissioned by EVPT and CIO
- Audited configuration of computers and detection of SSNs
62. Compliance Scenario
- PII on almost 50% of servers admins thought it was NOT on
- About 75% of computers that were compromised had completely up-to-date antivirus and/or firewalls
- Security efforts focused mostly on protecting servers as opposed to data
63. Compliance Scenario
- Address problems in first pass
- Include all computers with access to sensitive data, not only known storage
- Contrast locations of PII to current security architecture
- Desktops versus servers...
- Integration with patch management systems?
- Secure reporting
- Log parsing by junior-level security staff
64. Safety Analyzer
- Free tool for higher education
- Sensitive Data Detection
- SSNs with heuristics
- Credit Card numbers with Luhn algorithm validation
- Compromise Detection
- Trojan file detection
- Kernel-level rootkit detection
- IR-related data harvesting
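The two sensitive-data checks listed above (SSNs with heuristics, card numbers with Luhn validation), sketched as an added example; this is not Safety Analyzer's code, and the SSN rules, function names and sample rows are assumptions made here. Findings are reported masked so that the scan output does not itself become a store of PII.

```python
import re

# Candidate patterns; the look-arounds stop matches inside longer digit runs.
SSN_RE = re.compile(r"(?<![\d-])(\d{3})([- ]?)(\d{2})\2(\d{4})(?![\d-])")
CARD_RE = re.compile(r"(?<![\d-])\d(?:[ -]?\d){12,18}(?![\d-])")
SSN_CONTEXT_RE = re.compile(r"\b(?:ssn|social\s+security)\b", re.IGNORECASE)


def plausible_ssn(area, group, serial):
    """Structural heuristic (assumed rule set): reject never-issued ranges."""
    if area in ("000", "666") or area >= "900":
        return False
    return group != "00" and serial != "0000"


def luhn_ok(digits):
    """Luhn check: double every second digit from the right, sum, mod 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan_text(text):
    """Return (line_number, kind, masked_value) for each likely SSN or card."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        has_context = bool(SSN_CONTEXT_RE.search(line))
        for m in SSN_RE.finditer(line):
            area, sep, group, serial = m.groups()
            # A bare 9-digit run is too ambiguous (IDs, tracking numbers)
            # unless the same line mentions SSNs.
            if not sep and not has_context:
                continue
            if plausible_ssn(area, group, serial):
                findings.append((line_no, "ssn", "***-**-" + serial))
        for m in CARD_RE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group())
            # All-identical digits can pass Luhn (e.g. all zeros); skip them.
            if len(set(digits)) > 1 and luhn_ok(digits):
                masked = "*" * (len(digits) - 4) + digits[-4:]
                findings.append((line_no, "card", masked))
    return findings


# Constructed sample data: no row refers to a real person or account.
SAMPLE = """\
student_id,name,note
1001,A. Example,SSN 123-45-6789 on file
1002,B. Example,ssn: 078051120
1003,C. Example,phone 555-123-4567
1004,D. Example,ref 000-12-3456
1005,E. Example,card 4111 1111 1111 1111
1006,F. Example,card 4111 1111 1111 1112
1007,G. Example,tracking 456789012
"""

if __name__ == "__main__":
    for line_no, kind, masked in scan_text(SAMPLE):
        print(f"line {line_no}: {kind} {masked}")
```

Rows 1003, 1004, 1006 and 1007 are the false-positive cases: a phone number, an unissued SSN area, a card number that fails Luhn, and a bare 9-digit run with no SSN context.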
65. The Blueprint
- Discussion
- Will you use the blueprint?
- Do you have suggestions to improve it?
- Do you have resources to submit?
66. Afternoon Break
- Break: 2:45 PM
- Return: 3:00 PM
67. Putting it All Together
- Moving from Planning to Action!
68. Information Security Governance
- If businesses, educational institutions, and non-profit organizations are to make significant progress securing their information assets, executives must make information security an integral part of core business operations. There is no better way to accomplish this goal than to highlight it as part of the existing internal controls and policies that constitute corporate governance.
- Information Security Governance Report Executive Summary
69. InfoSec Governance Self Assessment
- Organizational Reliance on IT
- E.g., What is the impact of major system downtime on operations?
- Risk Management
- E.g., Has your organization conducted a risk assessment and identified critical assets?
- People
- E.g., Is there a person or organization that has information security as their primary duty?
- Processes
- E.g., Do you have official written information security policies and procedures?
- Technology
- E.g., Is sensitive data encrypted?
- Information Security Governance Assessment Tool for Higher Education
70. Best Practices and Metrics
- Information Security Program Elements
- Governance
- Boards/Senior Executives/Shared Governance
- Management
- Directors and Managers
- Technical
- Central and Distributed IT Support Staff
- CISWG Final Report on Best Practices and Metrics
71. Governance
- Oversee Risk Management and Compliance Programs Pertaining to Information Security (e.g., Sarbanes-Oxley, HIPAA, Gramm-Leach-Bliley)
- Approve and Adopt Broad Information Security Program Principles and Approve Assignment of Key Managers Responsible for Information Security
- Strive to Protect the Interests of all Stakeholders Dependent on Information Security
- Review Information Security Policies Regarding Strategic Partners and Other Third-parties
- Strive to Ensure Business Continuity
- Review Provisions for Internal and External Audits of the Information Security Program
- Collaborate with Management to Specify the Information Security Metrics to be Reported to the Board
72. Management
- Establish Information Security Management Policies and Controls and Monitor Compliance
- Assign Information Security Roles, Responsibilities, Required Skills, and Enforce Role-based Information Access Privileges
- Assess Information Risks, Establish Risk Thresholds and Actively Manage Risk Mitigation
- Ensure Implementation of Information Security Requirements for Strategic Partners and Other Third-parties
- Identify and Classify Information Assets
- Implement and Test Business Continuity Plans
- Approve Information Systems Architecture during Acquisition, Development, Operations, and Maintenance
- Protect the Physical Environment
- Ensure Internal and External Audits of the Information Security Program with Timely Follow-up
- Collaborate with Security Staff to Specify the Information Security Metrics to be Reported to Management
73. Technical
- User Identification and Authentication
- User Account Management
- User Privileges
- Configuration Management
- Event and Activity Logging and Monitoring
- Communications, Email, and Remote Access Security
- Malicious Code Protection, Including Viruses, Worms, and Trojans
- Software Change Management, including Patching
- Firewalls
- Data Encryption
- Backup and Recovery
- Incident and Vulnerability Detection and Response
- Collaborate with Management to Specify the Technical Metrics to be Reported to Management
74. Building Security Programs
- Gain the support of the Administration.
- Define roles and responsibilities.
- Review your institution's policies.
- Build long lasting partnerships with everyone, well maybe not everyone.
- Collaborate with security professionals in your region or State.
- Institutionalize a strong security awareness program.
75. Security Scenarios
- Data breach exercises and realistic role playing scenarios
- Break into 6 groups
- Each group will be given scenarios
- 30 minutes to brainstorm
- 3-5 minutes for each group to present
76. Wrap-Up
- Question and Answer
- Seminar Evaluation Feedback
- Program ends at 4:30 PM
77. Listservs and Newsgroups
- EDUCAUSE Security Discussion Listserv
- http://www.educause.edu/SecurityDiscussionGroup/979
- Microsoft Security Alerts
- http://www.microsoft.com/security/bulletins/alerts.mspx
- US-CERT Alerts and Tips
- http://www.us-cert.gov/cas/signup.htmlchoose
- NIST Publication Mailing list
- http://csrc.nist.gov/compubs-mail.html
78. Contacts
- H. Morrow Long
- morrow.long_at_yale.edu
- Krizi Trivisani
- krizi_at_gwu.edu