DATA SECURITY AND COMPLIANCE…WHAT YOU NEED TO KNOW 1 CYBERSECURITY MONTH SERIES Presented by...
DATA SECURITY AND COMPLIANCE…WHAT YOU NEED TO KNOW
CYBERSECURITY MONTH SERIES
Presented by George Guzman, October 27, 2014
Contents
• Welcome and What we Do
• Data Security and Compliance…what’s the difference?
• Compliance landscape and strategies
• Advanced Data Security
• Target Story
• Common Denominators
• Our unique GW environment…lots going on
• Common risk factors
• Steps you can take
• Who to contact
What we do
The goal of the Compliance and Privacy Office is to establish a voluntary compliance program to ensure that faculty and staff are aware of and comply with federal, state and local laws and regulations.
We work closely with the Office of General Counsel, the Division of IT, and the respective academic and administrative functions of the university.
Data Security and Compliance
What’s the difference?
Data security is the application of deterrents or security controls to protect data. The level of deterrents or security is commensurate with how the individual or entity uniquely “values” the data.
Compliance is applying a baseline of security controls (people, process, technology) defined by a standard. The baseline is applied to a specific type of data…typically regulated data, such as health information, financial information, and personally identifiable information.
Data Security and Compliance
Does Compliance equal highest level of security?
No, it ensures a repeatable, stable baseline of security that can be measured to meet a specific regulatory requirement.
Does highest level of security mean you are “secure”?
Maybe, it depends on where you place your security. Can you cover 100%...probably not.
Data Security and Compliance are key pieces of GW’s information risk management…ensuring compliance and placing the highest security controls on the assets that matter the most.
Compliance Landscape
http://www.higheredcompliance.org/matrix/
Frameworks and Strategies…more than technology
NIST 800-53
ISO27001
National Cybersecurity Framework
Advanced data security…
Part of a defense in depth strategy to apply higher levels of security to high value information/assets
• Penetration tests/Red team analysis
• Application code reviews
• System hardening
• Logging
• Intrusion detection
• Staff with advanced training/credentials (forensics, malware analysis)
Examples of Data Security ≠ Compliance
40 million credit cards stolen; Target was PCI (Payment Card Industry) compliant; attacked through an HVAC vendor
Common Denominators
What are the common denominators?
• Knowing what data you have
• Knowing the value of the data
• Knowing the risks to your data
• Understanding likelihood and impact of these risks
• Accepting a level of risk
This may seem obvious and easy…but ask your colleagues if they see it the same way. Entities need to define this…we do it here at GW.
Our Unique GW Environment
• Federal, State, Local laws (over 400 that GW is required to comply with)
• Rapidly changing technology…boundaries are constantly moving
• Affiliations with hospitals, Public, Private sector, other universities
• 20,000 students and over 6000 faculty and staff
• Research Funding
Common Risk Factors
• Awareness of information in your care
• Access to information…need to know principle
• Dissemination of information…technology makes it easy
• Lack of knowledge or training of staff…knowing your role, how to identify and what to do in situations
• Increased visibility of data loss…fines, reputational hit, accreditation risks, grants
Best Practices you can Take
Referencing back to the Common Denominators slide:
• Knowing what data you have
• Knowing the value of the data
• Knowing the risks to your data
• Understanding the risk tolerance
• Ensure you and your team are leveraging available resources (tools, training, seminars)
• Never hesitate to ask for assistance…better to be safe
Resources
http://www.cspri.seas.gwu.edu/
http://www.inforisktoday.com
http://www.higheredcompliance.org/matrix
http://www.nist.gov/cyberframework/upload/cybersecurity-framework-021214.pdf
http://www.sans.org/critical-security-controls/
Division of IT Information Security Team: http://it.gwu.edu/security
Contact Info
Compliance and Privacy Office
George Guzman, Director of Compliance and Data Privacy, [email protected], 202-994-6226
Compliance Office: [email protected]
Compliance Office direct line: 202-994-3386