Handling Sensitive Data:
Security, Privacy, and
Other Considerations
Rodney Petersen
Government Relations Officer
Security Task Force Coordinator
EDUCAUSE
Security Task Force
Goals:
Education and Awareness
Standards, Policies, and Procedures
Security Architecture and Tools
Organization and Information Sharing
Working Groups
Awareness and Training
Policies and Legal Issues
Risk Assessment
Effective Practices and Solutions
Annual Security Professionals Conference
Security Goals: C-I-A
Availability - computers, systems and networks
must be available on a timely basis to meet
mission requirements or to avoid substantial
losses.
Integrity - computers, systems, and networks
that contain information must be protected from
unauthorized, unanticipated, or unintentional
modification.
Confidentiality - computers, systems, and
networks that contain information require
protection from unauthorized use or disclosure.
Security Approaches
People – awareness, training, policies,
roles and responsibilities, staffing, etc.
Process – procedures, work flows,
systems, physical security, compliance, etc.
Technology – layered security, vulnerability
scanning, access controls, o/s and s/w
updates, etc.
ECAR IT Security Study
The Headlines You Won’t Read in the
Chronicle of Higher Ed or New York Times:
The respondents feel more secure today than
two years ago despite being in a perceived
riskier environment.
Respondents feel that the academic community
has become more sensitive to security and
privacy in the last two years.
ECAR IT Security Study, 2006
IT Security Incidents
Ten percent of the respondents in our survey
indicated that they had an IT security incident in
the last twelve months that was reported
to the press (down from 19 percent in 2003).
A majority of institutions (74.2 percent) report
that the number of incidents is about the same
or less in the past twelve months as compared
with the year before.
The primary perceived risks are viruses (72.6
percent), theft of personal financial information
(64.8 percent), and spoofing and spyware (55.3
percent).
ECAR IT Security Study, 2006
Data Security Incidents
Stolen Laptops
Missing Media
Unauthorized access to systems
Incident response teams
Notification to affected individuals
Identity theft and other types of fraud
Data Incident Notification Toolkit
Blueprint for Handling Data
Step 1: Create a security risk-aware culture that
includes an information security risk management
program
Step 2: Define institutional data types
Step 3: Clarify responsibilities and accountability for
safeguarding confidential/sensitive data
Step 4: Reduce access to confidential/sensitive data
not absolutely essential to institutional processes
Step 5: Establish and implement stricter controls for
safeguarding confidential/sensitive data
Step 6: Provide awareness and training
Step 7: Verify compliance routinely with your policies
and procedures
Step 1: Risk Aware Culture
1.1 Institution-wide security risk
management program
1.2 Roles and responsibilities defined for
overall information security at the central
and distributed level
1.3 Executive leadership support in the
form of policies and governance actions
Risk Management Framework
Risks Incurred
Damage                                                Percent
Business application, including e-mail, unavailable   33.7%
Network unavailable                                   29.4%
Information confidentiality compromised               26.0%
Damage to software                                    21.5%
Damage to data                                        12.5%
Negative publicity in the press                       10.0%
Identity theft                                        8.4%
Damage to hardware                                    7.4%
Financial losses                                      6.4%
ECAR IT Security Study, 2006
Risk Assessments
55 percent do some type of risk
assessment
But less than 9 percent cover all
institutional systems and data.
ECAR IT Security Study, 2006
Responsibility for IT Security
IT Security Officer (up to 35% from 22%)
CIO (up to 14% from 8%)
Other IT Directors (down to 50% from 67%)
IT Security Plan
11.2 percent - a comprehensive IT security
plan is in place
66.6 percent - a partial plan is in place.
20.4 percent - no IT security plan is in
place
ECAR IT Security Study, 2006
Policies in Place
Individual employee responsibilities for
information security practices (73%)
Protection of organizational assets (73%)
Managing privacy issues, including
breaches of personal information (72%)
Incident reporting and response (69%)
Disaster recovery contingency planning
(68%)
Policies in Place
Investigation and correction of the causes
of security failures (68%)
Notification of security events to:
individuals, the law, etc. (67%)
Sharing, storing, and transmitting data
(51%)
Data classification, retention, and
destruction (51%)
Identity Management (50%)
Step 2: Define Data Types
2.1 Compliance with applicable federal and state
laws and regulations - as well as contractual
obligations - related to privacy and security of
data held by the institution (also consider
applicable international laws)
2.2 Data classification schema developed with
input from legal counsel and data stewards
2.3 Data classification schema assigned to
institutional data to the extent possible or
necessary
Step 3: Clarify Responsibilities
3.1 Data stewardship roles and
responsibilities
3.2 Legally binding third party agreements
that assign responsibility for secure data
handling
Step 4: Reduce Access to Data
4.1 Data collection processes (including forms)
should request only the minimum necessary
confidential/sensitive information
4.2 Application outputs (e.g., queries, hard copy
reports, etc.) should provide only the minimum
necessary confidential/sensitive information
4.3 Inventory and review access to existing
confidential/sensitive data on servers, desktops,
and mobile devices
4.4 Eliminate unnecessary confidential/sensitive
data on servers, desktops, and mobile devices
4.5 Eliminate dependence on SSNs as primary
identifiers and as a form of authentication
Step 5: Controls
5.1 Inventory and review/remediate security of devices
5.2 Configuration standards for applications, servers,
desktops, and mobile devices
5.3 Network level protections
5.4 Encryption strategies for data in transit and at rest
5.5 Policies regarding confidential/sensitive data on
mobile devices and home computers and for data
archival/storage
5.6 Identity management and resource provisioning
processes
5.7 Secure disposal of equipment and data
5.8 Consider background checks on individuals handling
confidential/sensitive data
Security Approaches in Place
Perimeter firewalls                   77%
Centralized backups                   77%
VPNs for remote access                75%
Enterprise directory                  75%
Interior network firewalls            65%
Intrusion detection                   62%
Active filtering                      59%
Intrusion prevention                  44% (up from 33%)
Security Standards for Applications   32% (up from 27%)
ECAR IT Security Study, 2006
Step 6: Awareness and Training
6.1 Make confidential/sensitive data handlers
aware of privacy and security requirements
6.2 Require acknowledgment by data users of
their responsibility for safeguarding such data
6.3 Enhance general privacy and security
awareness programs to specifically address
safeguarding confidential/sensitive data
6.4 Clearly communicate the strengths and limitations, in
terms of access control, of collaboration mechanisms such
as e-mail so that data is safeguarded
Awareness Programs
                 Students   Faculty   Staff
Program 2003     39.2%      38.2%     42.2%
Program 2005     62.3%      68.8%     69.1%
Percent change   23.1%      30.6%     26.9%
ECAR IT Security Study, 2006
Step 7: Verify Compliance
7.1 Routinely test network-connected devices and services for
weaknesses in operating systems, applications, and encryption
7.2 Routinely scan servers, desktops, mobile devices, and
networks containing confidential/sensitive data to verify
compliance
7.3 Routinely audit access privileges
7.4 Procurement procedures and contract language to ensure
proper data handling is maintained
7.5 System development methodologies that prevent new data
handling problems from being introduced into the environment
7.6 Utilize audit function within the institution to verify compliance
7.7 Incident response policies and procedures
7.8 Conduct regular meetings with stakeholders such as data
stewards, legal counsel, compliance officers, public safety, public
relations, and IT groups to review institutional risk and compliance
and to revise existing policies and procedures as needed
FTC Guide: Protecting
Personal Information
Take stock.
Know what personal information you have in your files
and on your computers.
Scale down.
Keep only what you need for your business.
Lock it.
Protect the information that you keep.
Pitch it.
Properly dispose of what you no longer need.
Plan ahead.
Create a plan to respond to security incidents.
Characteristics of Successful
IT Security Programs
Institutions with IT security plans in place characterize their
IT security programs as more successful and feel more
secure today.
The respondents who believe their institution provides
necessary resources give higher ratings for IT security
program success and their current sense of IT security.
The biggest barrier to IT security is lack of resources
(64.4 percent), especially at smaller institutions, followed
by an academic culture of openness and autonomy
(49.6 percent) and lack of awareness (36.4 percent).
ECAR IT Security Study, 2006
For more information
Rodney Petersen
Email: [email protected]
Phone: 202.331.5368
EDUCAUSE/Internet2 Security Task Force
www.educause.edu/security
EDUCAUSE Center for Applied Research
www.educause.edu/ECAR
Blueprint for Handling Sensitive Data
wiki.internet2.edu/confluence/display/secguide