Campus-wide Information Security Activities


Campus-wide Information Security Activities
Teresa Macklin
Information Security Officer
27 May, 2009
Red Flag Rules
- What are the “Red Flag Rules”? (Identity theft prevention program required by federal law)
- What does it mean to us? (Applies to us where our operations allow persons to use a credit or deposit account where payments are made periodically.)
- What is a “Red Flag”? (A red flag is a pattern or activity that might indicate identity theft.)
CSU Response
- CSU-wide program development guidelines ready to go before Board of Trustees
- Guidelines include sufficient information to develop a qualified program
- Campuses required to develop a program and report on compliance
Campus Red Flag Program Goals
- Identify Covered Accounts
- Identify Relevant Red Flags
- Review/develop mechanisms to Detect Red Flags
- Review/develop mechanisms to Respond to Identity Theft
- Integrate Red Flags Rule into Current Compliance Program Activities
- Ensure Contract Compliance
- Provide Employee Training
- Provide Oversight and Review of the Program
PCI Compliance
- Payment Card Industry Data Security Standard (PCI DSS) imposed by industry on all organizations that accept payment cards
- PCI DSS is a multi-faceted security standard that includes requirements for
  - security management,
  - policies,
  - procedures,
  - network architecture,
  - software design and
  - other critical data protection measures.
CSU Response
- Each campus must
  - complete a PCI DSS assessment
  - implement or maintain a compliant security program
- CSU PCI Compliance Guidelines:
  - Implement working committee
  - Determine merchant and assessment activities
  - Develop payment card authorization policy
  - Develop campus security program
  - Annual assessment activity
PCI Committee Objectives
- The committee must
  - Obtain the support of senior management!
  - Include representation from Information Technology, Information Security, Internal Audit, Business and Finance, and auxiliary organizations.
  - Establish a comprehensive inventory of information related to its use of payment cards.
  - Determine which of the standards apply (depends on volume of payment card activity across campus)
  - Develop campus policy to review and approve new payment card activities
  - Ensure that the campus information security policy and incident response plan meet the PCI DSS standard
  - Conduct assessments and reviews and/or manage independent third party verification activities
PCI DSS Standard Overview
- Build and Maintain a Secure Network
  - Install and maintain a firewall configuration to protect cardholder data
- Protect Cardholder Data
  - Protect stored cardholder data
  - Encrypt transmission of cardholder data and sensitive information across open public networks
- Maintain a Vulnerability Management Program
  - Use and regularly update anti-virus software
  - Develop and maintain secure systems and applications
- Implement Strong Access Control Measures
  - Restrict access to data by business need-to-know
  - Assign a unique ID to each person with computer access
  - Restrict physical access to cardholder data
- Regularly Monitor and Test Networks
  - Track and monitor access to network resources and cardholder data
  - Regularly test security systems and processes
- Maintain an Information Security Policy
  - Maintain a policy that addresses information security
Data Classification Activity
- In order to comply with the CSU-wide Information Security Policy and Standards, the campus is required to maintain an inventory of information assets which contain critical or protected data.
- Contact each campus organization and gather information about “protected” data and the methods by which it is stored. Use responses to create an inventory database.
- Survey released this week.
Protected Level 1 – Confidential Data

Confidential Information is information maintained by the University that is exempt from disclosure under the provisions of the California Public Records Act or other applicable state or federal laws.

Confidential information is information whose unauthorized use, access, disclosure, acquisition, modification, loss, or deletion could result in severe damage to the CSU, its students, employees, or customers. Financial loss, damage to the CSU’s reputation, and legal action could occur.

- Passwords or credentials that grant access to level 1 and level 2 data
- PINs (Personal Identification Numbers)
- Birth date combined with last four digits of SSN and name
- Credit card numbers with cardholder name
- Tax ID with name
- Driver’s license number, state identification card, and other forms of national or international identification (such as passports, visas, etc.) in combination with name
- Social Security number and name
- Health insurance information
- Medical records related to an individual
- Psychological Counseling records related to an individual
- Bank account or debit card information in combination with any required security code, access code, or password that would permit access to an individual's financial account
- Biometric information
- Electronic or digitized signatures
- Private key (digital certificate)
- Attorney/client communications
- Legal investigations conducted by the University
- Third party proprietary information per contractual agreement
- Sealed bids

Level 1 information is intended solely for use within the CSU and limited to those with a “business need-to-know.”

Statutes, regulations, other legal obligations or mandates protect much of this information.

Disclosure of Level 1 information to persons outside of the University is governed by specific standards and controls designed to protect the information.
Protected Level 2 – Internal Use Data (Partial List)

Internal use information is information which must be protected due to proprietary, ethical, or privacy considerations. Although not specifically protected by statute, regulations, or other legal obligations or mandates, unauthorized use, access, disclosure, acquisition, modification, loss, or deletion of information at this level could cause financial loss, damage to the CSU’s reputation, violate an individual’s privacy rights, or make legal action necessary.

Non-directory educational information may not be released except under certain prescribed conditions.

- Identity Validation Keys (name with)
- Student Information-Educational Records (Excludes directory information) including:
  - Grades
  - Courses taken
  - Schedule
  - …
- Employee Information
  - Birth date (full: mm-dd-yy)
  - Birth date (partial: mm-dd only)
  - Employee net salary
  - Employment history
  - Home address
  - Personal telephone numbers
  - Personal email
  - …
- Other
  - Library circulation information.
  - Trade secrets or intellectual property such as research activities
  - …
