Data%20Privacy%20and%20Security:%20Sort%20of%20Urgency - PowerPoint PPT Presentation

View by Category
About This Presentation



Title: PowerPoint Presentation Last modified by: Fujitsu Created Date: 1/1/1601 12:00:00 AM Document presentation format: On-screen Show Other titles – PowerPoint PPT presentation

Number of Views:53
Avg rating:3.0/5.0
Slides: 16
Provided by: cun102


Write a Comment
User Comments (0)
Transcript and Presenter's Notes

Title: Data%20Privacy%20and%20Security:%20Sort%20of%20Urgency

Data Privacy and Security Sort of Urgency
  • Praveen Panchal, CIO

  • Within little over one year there were 237
    reported security breaches
  • Compromising more than 97 million records
    containing personal information
  • 83 or 35 incidents involved High Ed institutions

Source Privacy Rights Clearinghouse
Changing Nature of Threats
  • Early threats were targeted on servers and
    computers connected to network to destroy them or
    use them to launch subsequent attacks
  • Now threats are no longer operating systems,
    networks, or control of machines but rather
  • Personal data about the users on these machines
    for profit

Attackers are increasingly seeking financial
gain rather than mere notoriety. During the past
year we have seen a significant decrease in the
number of large scale global virus outbreaks and,
instead, are observing that attackers are moving
towards smaller, more focused attacks Vincent
Weafer Senior Director at Symantec Corporation
  • Furious Constituents
  • Negative Publicity
  • Tarnished Reputation
  • Public Embarrassment
  • Investigations
  • Lawsuits, Fines and Penalties
  • Financial Losses
  • Waste of Valuable Resources

What we can do?
  • Implement Technological Solutions
  • Adopt Soft IT Security Approaches
  • Change the Campus Culture
  • Combination of all the above

Note All the points addressed here have been
adopted as an activity in the CUNY Security Plan.
Technological Solutions
  • Perimeter and Interior Firewalls
  • Virtual Private Network
  • Intrusion Detection and Prevention System
  • Enterprise Directory
  • Filtering Technology
  • Network Behavior Analysis

Soft IT Security Approach
  • Planning
  • Develop well-thought-out comprehensive IT
    security plan, risk assessment and IT security
    implementation strategy which is standards-based,
    flexible, mission-driven, adaptable, simple and
  • Implementation
  • Implement IT security plan and make it intrinsic
    part of day-to-day operations of the campus
  • Auditing
  • Periodically examine, assess and analyze
    security of central and local applications,
    networks, and data
  • Policies and Procedures
  • Develop policies and procedures for data backup,
    authentication and authorization, physical
    security, employee responsibilities, disaster
    recovery, formal incident-response procedures,

Change the Campus Culture
  • Invigorate Senior Management Interest and Support
    in IT Security (Buck Stops Here!)
  • Garner political support which is critical to
    provide credibility to IT security program
  • Define IT Security Functions (Who Does What?)
  • Implement governance structure to institute CUNY
    mandated policies and procedures and empower
    Internet Security Officer (ISO) to implement
    these policies and procedures
  • Training and Awareness (Think IT Security
  • Provide training on current techniques, security
    awareness programs, change in institutional
    culture to respect for private information of our
    constituents and restrict the distribution of
    sensitive data
  • Maintain Assets Inventory (What We Got?)
  • Identify and classify assets that require
    protection through classifications such as
    regulatory compliance, confidential, internal and

CUNY Security Initiatives
  • Security Communication and Training
  • Seminars and Workshops - Wireless Technology,
    Intrusion Management, Vulnerability Management
    and Microsoft Security
  • Security Policy, Advisement and Procedures
  • Security alerts and advisories - Phishing,
    Email/Passwords, Private Information and Spam
  • Security procedure authored and adopted for
    Breach Reporting
  • Security policies (18) authored and adopted -
    Access to Sensitive or Non-Public University
    Data/Systems, Authentication, User IDs, Severance
    of Computer Accounts, Review of Computer Access,
    Student/Part-time Employees/Contractor User IDs,
    Passwords, Privileged Access, Mobile Devices,
    Incident Response and Reporting, Change of Data
    in Permanent Records, Centralized Data
    Management, Grade Changes, Changes in Information
    Systems, Vulnerability Assessments, Web
    Accessible Data, Management Responsibility,
    Information Security Policy Governance

CUNY Security Initiatives
  • Security Incident Response
  • Reporting and notification protocols and
    consistent follow through their execution
  • Information Security Strategy
  • University Security Plan oriented towards
    providing security services and increased
    capabilities to benefit the Colleges and the
    University while maintaining the collaborative
    approach with CUNY constituents
  • E-Signature Initiative
  • Initiative to gather input from University and
    College constituents to assess and recommend
    e-Signature opportunities for consideration
    during ERP implementation

CUNY Security Initiatives
  • Data Warehouse
  • Formal review and approval process for vetting
    all requests to access the data warehouse (forms
    are published at
  • Security Technology Selection
  • Intrusion Management Program - Network behavior
    analysis appliances from Mazu Networks and
    signature-based intrusion detection appliances
    from Symantec
  • Assessments
  • CIS Portal Vulnerability Assessment, University
    Web Services Assessment and external vendor
  • Security Integration CIS Projects
  • EDS Credit Card Processing/PCI Compliance,
    Enterprise Directory, Crystal Developer/Enterprise
    , CO LAN, Portal Authentication/Identity
    conflicts, Wireless Network Architecture, email
    Architecture, and VPN/firewall port requests

Information Security Laws and Regulations
  • Family Educational Rights and Privacy Act (FERPA)
  • Gramm-Leach-Bliley Act (GLBA)
  • Health Insurance Portability and Accountability
    Act (HIPAA)
  • Communications Assistance for Law Enforcement Act
  • Payment Card Industry Data Security Standard
  • Federal Information Security Management Act

  • Senior-Level Support and Involvement
  • Enterprise view of Information Security rather
    than just specific department
  • Alignment of Technologies, Processes and Campus
    Culture with Information Security
  • Flexible Information Security efforts to more
    easily adapt to new threats as they emerge

Thank You!
Acknowledgement This presentation was made
possible with the help of Mr. Carl Cammarata,
CUNY Chief Information Security Officer and
selected articles from Educause Review,
September/October 2006.