What Is Outstanding In Your Security and Compliance Practice?


Information Security for
Educational Institutions.
Mark Rasch
[email protected]
Introduction
The threats are real
Malware (e.g. viruses, worms, Trojan Horses) is becoming more sophisticated
Security breaches and attacks are becoming more publicized
People are becoming more concerned with their online privacy…
However, people still lack awareness on basic computer security
issues
A Typical Higher Education Computing Infrastructure
Traditionally “open”
Critical for researchers
Critical for students’ learning
Higher education comprises 15% of the Internet address space
Wired campus (dorms to Greek housing), usually with no network authentication
Many institutions now offer campus-wide wireless access
Tech-savvy students
Threat Matrix
Internal Threats
External Threats
• Illness of personnel
• Illness of multiple personnel
• Loss of key personnel
• Loss of network services
• Disgruntled employees
• Disgruntled consultants
• Labor dispute / unrest
• User misuse / theft of data and resources
• Malware (viruses, worms, Trojan Horses, rootkits)
• Software bugs and flaws
• Lightning
• Short-term utility outage
• Long-term utility outage
• Flood
• Fire
• Theft of hardware / disks / tapes
• Theft of personnel desktop
• Theft of personnel laptop
• Computer vendor / developer failure (e.g. bankruptcy)
• Random hackers / crackers
• Terrorism
Overlapping Security Issues in Industry and Higher Education
Enormous disconnect between IT and general users
Lack of awareness of computer security fundamentals (poor practices)
Social engineering
Insider threat
Lack of low-tech and low-cost planning
Too much focus on products for implementing computer security
Lack of testing environments to understand threats and potential
security breaches
Security is a reactive process
Risks in Higher Education
Openness = fertile ground for attacks and risks
Web hosting and file sharing
Decentralization
Lack of visibility for security and privacy
Security is looked at as a bad thing by professionals and students: tough sell
Multiple roles of educational institutions
Educational – provider of services
Educational – academic freedom
Financial
Health care
Government contract
Real estate owner
Internet service provider
Law enforcement agency
Hotspots
Data security
Privacy
Next generation of malware
Poisoned Peer-to-Peer (P2P) networks and torrents
Compliance and auditing
Next Generation of Malware
Now spreading through instant messaging, P2P, social networking sites, cell phones, SMS and MMS
Malware hybrids: fooling and cloaking malicious intent
• Rootkit - Toolbox of tools for a cracker to keep root access; also hides and secures a cracker's presence on a system.
• Example: spyware that has a rootkit component
• Can fool anti-virus or anti-spyware software
Next Generation of Malware (continued)
Kernel-based attack techniques using hooks and layers
• Kernel - Core of an operating system; responsible for resource allocation, low-level hardware interfaces, security, etc.
• Altering normal program control flow
• The Microsoft Windows architecture makes this possible
Bottom line: malware is becoming more lethal and far more difficult to find!
Data Privacy
Mantras:
• Provide prominent disclosure
• Data minimization (collection, storage, and sharing)
• Anonymity
• Put users in charge of their data
Other components to a privacy framework:
• Quality (accuracy and completion)
• Security
• Monitoring and enforcement
WHAT IS FERPA?
The Family Educational Rights and Privacy Act of 1974 protects the privacy of student educational records.
FERPA applies to any higher education institution receiving federal funds administered by the Department of Education.
FERPA
Family Educational Rights and Privacy Act
20 U.S.C. § 1232g
34 CFR Part 99
WHO IS PROTECTED UNDER FERPA?
Students who are currently enrolled in higher education institutions or formerly
enrolled, regardless of their age or status in regard to parental dependency.
Students who have applied but have not attended an institution do not have rights
under FERPA.
RIGHTS OF STUDENTS
Inspect and Review their Education Records
Exercise limited control over disclosure of Education Records information
Seek to correct their Education Records
Report violations of FERPA to the Department of Education
Be informed of their FERPA rights
EDUCATION RECORDS
“Education Records” generally include any records which contain
information directly related to the student that is in the possession of the
University. The records may be in printed form, handwritten, computer,
magnetic tape, e-mail, film or some other medium.
WHAT IS NOT INCLUDED IN AN EDUCATION RECORD?
Records or notes in the sole possession of educational personnel and not accessible to other personnel (e.g. a faculty member's own notes)
Law enforcement or campus security records (University Police records)
Records relating to an individual's employment by the University (Work Study records ARE education records)
Medical treatment records (made or maintained by a Physician, Psychiatrist,
Psychologist or related paraprofessional)
Alumni records
LIMITATIONS ON STUDENT'S RIGHT TO INSPECT AND REVIEW
Students may review their records by submitting a written request to the appropriate Record Custodian.
1. The Student is not permitted to inspect and review financial records of his/her parents.
2. The Student is not permitted to inspect and review confidential letters and recommendations in their education record (if the student signed a waiver).
The items listed above are to be removed from the file prior to the student's review of his/her education record.
3. Copies are not required unless it is unreasonable for the student to come in and inspect his/her records.
4. The University is responsible for providing the student's records for inspection no later than 45 days after they are requested.
Disclosure
• Written Consent of Student
• Disclosure to Parents
• Disclosure Exceptions
WRITTEN CONSENT OF STUDENT
Voluntary written consent of the Student to specific third parties. The document should be signed and dated by the Student and state the following:
-- Specific records to disclose
-- Purpose of disclosure
-- Identity of party to whom disclosure is to be made
The consent will remain valid until the student requests that it be revoked.
DISCLOSURE TO PARENTS
When the Student is financially dependent on Parents as defined under Section 152 of the Internal Revenue Code (claimed as a dependent on the Parent's federal tax return).
When the Student violates any Federal, State or Local law, or any rule or policy of the University governing the use or possession of alcohol or controlled substances, if the Student is under 21 and the Student has committed a disciplinary violation. (Judicial Board)
DISCLOSURE EXCEPTIONS
University Faculty, Staff and Administrators with a "legitimate educational interest"
Federal, State and Local Education Authorities involving an audit or evaluation of compliance with Education Programs
Results of disciplinary hearing to alleged victim of a crime of violence
Educational institutions where student seeks or intends to enroll
Judicial Order or Subpoena
Health or Safety Emergency
Processing Financial Aid
Directory Information
WHAT IS DIRECTORY INFORMATION?
The University may disclose information about a student without violating
FERPA through what is known as “directory information”.
Annually the University is required to notify students in attendance of what
information constitutes “directory information.” This notice must also provide
procedures for students to restrict the University from releasing his/her directory
information. This notice is provided in the annual Student Code of Conduct, on the
Registrar’s website, in University Policy, and published in the student newspaper.
DIRECTORY INFORMATION
Student’s name
Student’s address
Telephone number
Major field of study
Degrees and awards received
Previous educational institutions
Participation in officially recognized sports and activities
Weight and height for athletes
Dates of attendance
Electronic mail address
Student’s photograph
STUDENT'S REFUSAL TO PERMIT RELEASE OF DIRECTORY INFORMATION
Student can refuse to permit release of directory information by completing the form in the student
paper or on the Registrar’s website or by forwarding the following statement to the University
Registrar’s office at G-3 Thackeray Hall:
“I hereby request that no personal information included in my Directory
Information be released.” This request must be signed and dated by the student
with his/her name, address and social security number.
Once this request is received at the Registrar’s office, no future disclosures will be made without the
student’s written consent.
The refusal to permit release of Directory Information is permanent.
A student may rescind this action in-person or by submitting a notarized request in writing to the
Office of the University Registrar.
RECORDKEEPING REQUIREMENT
The University is required to keep a record of each request for access
and disclosure of personally identifiable information from the
education record of each student.
This record must be maintained with the education record of each
student as long as the education record is maintained.
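The directory-information rules above (the listed fields, the student's permanent refusal that can only be rescinded in person or by notarized request, and the requirement to keep a log of every access and disclosure request with the education record) can be enforced in a release routine. This is an added example, not code from the presentation or any university system; the record layout, field names, and the sample student are constructed for it.

```python
from dataclasses import dataclass, field
from datetime import date

# Fields the slides list as "directory information"; everything else in the
# education record needs the student's written consent or a FERPA exception.
DIRECTORY_FIELDS = frozenset({
    "name", "address", "telephone", "major", "degrees_awards",
    "previous_institutions", "activities", "weight_height",
    "dates_of_attendance", "email", "photograph",
})


@dataclass
class StudentRecord:
    """Constructed record layout; field names are this example's assumption."""
    student_id: str
    data: dict                               # the full education record
    directory_release_refused: bool = False  # set by the student's written request
    # Recordkeeping requirement: every access/disclosure request stays with
    # the education record for as long as the record is kept.
    disclosure_log: list = field(default_factory=list)


def disclose_directory_info(record, requester, purpose, requested_fields, today=None):
    """Release only directory information, and nothing at all after a refusal.

    The request is logged whether or not anything is released, with who asked,
    why, what was asked for and what actually went out.
    """
    today = today or date.today()
    if record.directory_release_refused:
        released = {}
    else:
        released = {f: record.data[f] for f in requested_fields
                    if f in DIRECTORY_FIELDS and f in record.data}
    record.disclosure_log.append({
        "date": today.isoformat(), "requester": requester, "purpose": purpose,
        "requested": sorted(requested_fields), "released": sorted(released),
    })
    return released


def rescind_refusal(record, in_person=False, notarized_request=False):
    """A refusal is permanent unless rescinded in person or by notarized request."""
    if not (in_person or notarized_request):
        raise ValueError("rescission requires an in-person visit or a notarized written request")
    record.directory_release_refused = False
```

Non-directory fields such as grades or a Social Security number are silently dropped from the release but still appear in the log entry's "requested" list, which is the audit trail the recordkeeping slide calls for.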
FERPA AND INTERNATIONAL STUDENTS
International students have the same rights to inspect their
records and request amendments.
International students consent to release of their records to
certain governmental agencies on immigration forms.
CORRECTING EDUCATION RECORDS
Students are permitted to inspect and review their Education Records, and
to seek to change any part that they believe is inaccurate, misleading, or
in violation of their privacy rights.
a. If the requested change falls within the individual's Academic Integrity Guidelines, then the Academic Integrity Guidelines shall control the procedure to follow. FERPA gives the student the right to correct an inaccurately recorded grade, not to have the grade evaluated and changed.
b. If the requested change is not a violation of the Student or Faculty obligation, then the standard access and release of records will be followed.
RIGHT TO REPORT VIOLATIONS TO THE U.S. DEPARTMENT OF EDUCATION
Any complaint filed by a Student regarding a violation of their
FERPA rights is investigated and processed by the Family Policy
Compliance Office of the U.S. Department of Education. If a
determination is made that the University is in violation, both the
University and the Student will be advised and informed of the
measures to be taken in order to come into compliance with the
law.
STUDENT'S RIGHT TO BE INFORMED OF THEIR FERPA RIGHTS
The University is required to annually inform students of their FERPA rights. The notification must also indicate the location of the student's records and the procedure to be followed to inspect and review their record.
DECEASED STUDENTS
The privacy rights of an individual expire upon that individual's death. FERPA does not apply, and it is at the University's discretion to disclose any information of the deceased student.
How Come So Many Data Privacy Problems Recently?
Heavy usage and dependency of Social Security Numbers and
credit card numbers
Poor web security
Insider threats
Social engineering (scam artists, phishing)
Pharming
Third-party businesses
Linkability
Common Compliance and Legal Frameworks
Health Insurance Portability and Accountability Act (HIPAA)
Gramm-Leach-Bliley Act (GLBA)
Computer Fraud and Abuse Act (CFAA)
Sarbanes-Oxley Act
USA PATRIOT Act
Visa USA Cardholder Information Security Program (CISP) /
MasterCard Site Data Protection Program / Payment Card
Industry (PCI) Data Security Standard
Significance of the Compliance Frameworks
HIPAA security rule - Safeguarding of electronic protected health
information
GLBA - Protects privacy of consumer information in the financial sector
Sarbanes-Oxley Act - Executives need to report quickly and accurately
USA PATRIOT Act – Provides law enforcement agencies with greater
access to electronic communications
Colleges and universities have to comply with more regulations than
businesses
Impact of Breaches
Heavy network consumption
Direct impact on leadership
Direct impact on students’ learning
Wasted funding (private and public)
Legal consequences
Bad press
Loss of competitive edge
Long road to recovery
What You DON’T Want to Do
Pretend the problems will go away
Establish reactive and short-term fixes
Primarily rely on a firewall, or just software solutions, for security
perimeter protection
Fail to understand the relationship of information security to the
business problem
Assign untrained people to maintain security and compliance
Short-Term: Awareness, Awareness, Awareness
Irony: provisions for education and training in SOX and the DMCA
Very little money is spent on computer security education to the
public
Security is boring, difficult, and political
At fault: IT professionals, users, technology
Lack of ownership on security and privacy issues by companies
Emerging technologies pose a serious threat if deployed naively
Unfortunately, given the infrastructure and architecture of current computing systems, users do need to be informed
Short-Term: Awareness (continued)
Provide an undergraduate course in computer
security, privacy, and politics:
• Overlap of departments and groups in a
University (e.g. Computer Science, Law School)
• Investment for students, the University, and for
the instructors of the course
Short-Term: Low-Cost and Low-Tech Improvements
First things first, ask yourself and management (and revisit the questions):
• What are your security goals?
• What are you really protecting?
• What are your priorities, especially in a product (e.g.
interface, administration, prevention)?
Short-Term: Low-Cost and Low-Tech Improvements (continued)
Write documentation in what system support staff and users need to do
with respect to network and information security
Establish baseline security configurations for all appropriate technology
platforms (e.g. web browser)
Establish a vulnerability management process
Use vulnerability assessment tools to periodically conduct self-assessments
Monitor log files from critical systems on a daily basis
SANS has excellent policy templates
Long-Term Opportunity: Develop Visualization Tools (continued)
Example projects/opportunities:
• Security situation awareness
• Profiling users and traffic
• Linking relationships
• Network traffic classification
• Intrusion detection
• Detecting abnormalities
For More Information
Mark D. Rasch
Managing Director – Technology
FTI Consulting
1201 Eye Street, NW
Washington, D.C. 20005
(301) 547-6925 tel
(240) 209-5344 fax
[email protected]