Goans-Helms-IT Security at Georgia Tech Library

IT SECURITY AT GEORGIA TECH LIBRARY CURRENT EFFORTS AND EMERGING PRACTICES



OVERVIEW: IT SECURITY AND LIBRARY SYSTEMS / SERVICES

IT Security

Phishing

Authentication

Collaboration: Vendors

Collaboration: Patron Data

Internal Audit and Risk Self-Assessment / Data Safeguards

Training and Future Plans

PHISHING

• 2011: Go Phish
• 2012: Spear Phish Training
• Phish Bowl

AUTHENTICATION, AUTHORIZATION & ACCESS CONTROL

Authenticate
• Integration with CAS, Shibboleth
• Implementation of Duo (two-factor authentication)
• LastPass Enterprise

Authorize
• Person affiliation, curriculum, department

Access Control
• Proxy logs into Splunk
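The access-control bullet says proxy logs go into Splunk but not what is done with them there. The following is an added example, not code from the Georgia Tech Library and not a Splunk search: it implements offline, in Python, the check a practitioner would typically build as a saved search over proxy logs to catch a compromised patron account (one user pulling content from many source IPs, or bulk-downloading, inside a short window). The log line format, the usernames, the addresses and the thresholds are all constructed assumptions; the library's real proxy format will differ and the regex must be adjusted to it.

```python
"""Detect likely compromised proxy accounts from access-log lines.

Added example (not the library's code). Log format, users, addresses and
thresholds are hypothetical; adjust LINE_RE to the real proxy log format.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: ip user [timestamp] "METHOD url HTTP/1.1" status bytes
SAMPLE_LOG = """\
203.0.113.5 gburdell3 [12/Mar/2018:09:01:10 -0400] "GET https://journals.example/a/1 HTTP/1.1" 200 51200
203.0.113.5 gburdell3 [12/Mar/2018:09:03:42 -0400] "GET https://journals.example/a/2 HTTP/1.1" 200 49800
198.51.100.7 jdoe1 [12/Mar/2018:09:00:01 -0400] "GET https://journals.example/a/9 HTTP/1.1" 200 2097152
198.51.100.8 jdoe1 [12/Mar/2018:09:02:15 -0400] "GET https://journals.example/a/10 HTTP/1.1" 200 2097152
192.0.2.9 jdoe1 [12/Mar/2018:09:04:30 -0400] "GET https://journals.example/a/11 HTTP/1.1" 200 2097152
192.0.2.9 jdoe1 [12/Mar/2018:09:05:00 -0400] "GET https://journals.example/a/12 HTTP/1.1" 403 4194304
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+)[^"]*" (?P<status>\d{3}) (?P<bytes>\d+)$'
)


def parse_log(text):
    """Turn raw lines into dicts; malformed lines are skipped, not guessed at."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "ip": m["ip"],
            "user": m["user"],
            "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
            "url": m["url"],
            "status": int(m["status"]),
            "bytes": int(m["bytes"]),
        })
    return events


def find_suspicious(events, window=timedelta(minutes=10), max_ips=2,
                    max_bytes=5_000_000):
    """Sliding-window check per user: distinct source IPs and bytes served.

    Only 2xx responses count toward bytes (a 403 delivered no content).
    Returns {user: {"distinct_ips": n, "bytes": b, "reasons": [...]}} for
    users that exceed either threshold in any window.
    """
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)

    findings = {}
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        worst_ips = worst_bytes = 0
        for i, cur in enumerate(evs):
            start = cur["ts"] - window
            span = [e for e in evs[: i + 1] if e["ts"] >= start]
            worst_ips = max(worst_ips, len({e["ip"] for e in span}))
            worst_bytes = max(worst_bytes, sum(
                e["bytes"] for e in span if 200 <= e["status"] < 300))
        reasons = []
        if worst_ips > max_ips:
            reasons.append(f"{worst_ips} source IPs within {window}")
        if worst_bytes > max_bytes:
            reasons.append(f"{worst_bytes} bytes served within {window}")
        if reasons:
            findings[user] = {"distinct_ips": worst_ips,
                              "bytes": worst_bytes, "reasons": reasons}
    return findings


if __name__ == "__main__":
    for user, f in find_suspicious(parse_log(SAMPLE_LOG)).items():
        print(user, "->", "; ".join(f["reasons"]))
```

In the sample, `jdoe1` is flagged on both counts (three source addresses and about 6 MB inside ten minutes; the 403 is excluded from the byte total), while `gburdell3` is not. The thresholds are the tuning knob: set them from a few weeks of the real log before alerting on them.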

COLLABORATION: GEORGIA TECH LIBRARY & EMORY LIBRARIES

COLLABORATION: VENDORS AND DATA / IT SECURITY

Campus Security Review
• Data in the system
• Data backup and disaster recovery
• Vendor IT security practice/compliance
• Network diagram, firewalls and VLANs
• Vendor's internal testing, intrusion prevention and training

Results
• Data sensitivity is low
• Vendor uses an independent auditing firm for security compliance (annual)
• Manage user access, permissions and revocation
• Vendor provides a description of its password complexity rules
• Vendor demonstrates that its protocols do not transmit in clear text

COLLABORATION: PATRON DATA

Share the least amount of patron data necessary to support the sharing of collections:
• First name
• Last name
• Unique identifier, if using a PPID in lieu of the employee ID
• Email address
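On the PPID bullet: the following is an added example, not code from the Georgia Tech or Emory libraries, of how a persistent pseudonymous identifier can stand in for the employee ID when patron data is shared with a partner. It keys an HMAC-SHA256 on a secret held only by the home library and scopes it to the partner, so the partner gets a stable identifier for the same patron over time but cannot recover the employee ID or join its list with another partner's. The field names, the partner labels and the secret are assumptions.

```python
"""Minimal patron record with a partner-scoped pseudonymous ID (PPID).

Added example; field names, partner labels and the secret are hypothetical.
"""
import base64
import hashlib
import hmac

# Only the fields the slide lists leave the building; everything else is dropped.
SHARED_FIELDS = ("first_name", "last_name", "email")


def pairwise_ppid(employee_id: str, partner: str, secret: bytes) -> str:
    """HMAC-SHA256(secret, partner || 0x00 || employee_id), truncated to 128 bits.

    Same patron + same partner  -> same PPID (loans can be matched over time).
    Same patron + other partner -> unrelated PPID (partner lists cannot be joined).
    Without `secret` the employee ID cannot be derived or brute-forced offline,
    which a plain SHA-256 of the employee ID would not guarantee.
    """
    msg = partner.encode() + b"\x00" + employee_id.encode()
    digest = hmac.new(secret, msg, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(digest[:16]).rstrip(b"=").decode()


def minimal_patron_record(patron: dict, partner: str, secret: bytes) -> dict:
    """Project a full patron record down to the sharing minimum plus a PPID."""
    out = {k: patron[k] for k in SHARED_FIELDS}
    out["ppid"] = pairwise_ppid(patron["employee_id"], partner, secret)
    return out


# Constructed sample patron; the extra fields simulate what must NOT be shared.
SAMPLE_PATRON = {
    "employee_id": "902001234",
    "first_name": "George",
    "last_name": "Burdell",
    "email": "gburdell3@example.edu",
    "department": "Aerospace Engineering",
    "circulation_history": ["QA76.9 .A25", "TL570 .B87"],
}
# Hypothetical key; in production it comes from a secrets store, never source control.
SAMPLE_SECRET = b"hypothetical-32-byte-secret-key-value!!"

if __name__ == "__main__":
    print(minimal_patron_record(SAMPLE_PATRON, "emory", SAMPLE_SECRET))
```

Two caveats worth keeping in view: truncating to 128 bits keeps collisions negligible for any realistic patron population, and a PPID sent alongside a name and email is still personal data, so it belongs under the same contract terms as the rest of the record.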

INTERNAL AUDIT AND RISK SELF-ASSESSMENT: OVERVIEW

INTERNAL AUDIT AND RISK SELF-ASSESSMENT: STEWARDSHIP OUTCOMES

Training
• Provide training for library employees on IT security and data stewardship

Data Classification
• Audited 42 servers to document the classification of data on the servers. We did not have Category IV data.

Logon Banner
• Implemented a logon banner which displays the standard usage agreement, and a 15-minute idle timeout

Self Risk-Assessment
• Conducted a self risk-assessment with the campus online tool

INTERNAL AUDIT AND RISK SELF-ASSESSMENT: TRAINING

Worked with Campus Cybersecurity to provide:
• 9 training sessions for all library employees, covering campus IT policies and phishing
• 1 training session for Library IT employees on security, confidentiality of information and software copyright laws

INTERNAL AUDIT AND RISK SELF-ASSESSMENT: TRAINING OUTCOMES
• Computer & Network Usage and Security Policy (CNUSP)
• Data Access Policy & Data Classification
• Threats (hacking and phishing)
• Email security basics
• Common phishing attacks
• URL dissection
• Password policy
• Picking a strong password
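URL dissection, one of the training topics listed above, is the habit of reading a link by its structure rather than by how it looks. The following is an added example, not part of the campus training materials, that applies the same reading mechanically: it takes the host the browser would actually connect to (after any `@`, ignoring the display text), derives the registrable domain, and flags the tricks the exercise teaches people to spot: a trusted name buried as a subdomain or with a hyphen, `user@` text in front of the real host, a raw IP address, and a plain-HTTP link. The trusted-domain allowlist, the two-label approximation of the registrable domain, and the sample URLs are assumptions.

```python
"""Dissect a URL the way phishing training teaches: real host, not the lure.

Added example; the allowlist and the sample URLs are hypothetical.
"""
import ipaddress
from urllib.parse import urlsplit

TRUSTED_DOMAINS = {"gatech.edu"}  # hypothetical allowlist of domains users log into


def registrable_domain(host: str) -> str:
    """Last two labels of the host. Assumption: good enough for .edu/.com style
    names; a real deployment should use the Public Suffix List for co.uk etc."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def dissect_url(url: str, trusted=TRUSTED_DOMAINS) -> dict:
    parts = urlsplit(url)
    # .hostname is the part after userinfo@ and before :port, lower-cased;
    # it is what the browser actually connects to.
    host = (parts.hostname or "").lower()
    reg = registrable_domain(host)
    flags = []

    if parts.scheme != "https":
        flags.append("not https")
    if parts.username is not None:
        flags.append(f"userinfo '{parts.username}@' precedes the real host {host}")
    try:
        ipaddress.ip_address(host)
        flags.append("raw IP host")
    except ValueError:
        pass
    if reg not in trusted:
        for t in trusted:
            # a trusted name buried in the hostname (gatech.edu.verify.example,
            # gatech-edu.example) is the classic lookalike
            if t in host or t.replace(".", "-") in host:
                flags.append(f"lookalike: contains '{t}' but registrable domain is {reg}")

    return {
        "scheme": parts.scheme,
        "host": host,
        "registrable_domain": reg,
        "userinfo": parts.username,
        "path": parts.path,
        "trusted": reg in trusted,
        "flags": flags,
    }


# Constructed sample links, like the ones a phishing exercise would show.
SAMPLE_URLS = [
    "https://login.gatech.edu/cas/login",
    "http://gatech.edu.account-verify.example/login",
    "https://gatech.edu@198.51.100.23/login",
    "https://gatech-edu.example/reset",
]

if __name__ == "__main__":
    for u in SAMPLE_URLS:
        d = dissect_url(u)
        print(u, "->", d["host"], "trusted" if d["trusted"] else d["flags"])
```

Only the first sample URL comes back trusted with no flags; the other three each trip at least one check. The same logic, run over the links extracted from a reported message, is a cheap first triage step for a phish bowl.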

INTERNAL AUDIT AND RISK SELF-ASSESSMENT: DATA CLASSIFICATION

GT Data Categorization: https://security.gatech.edu/DataCategorization

Category I: Public Use
• Examples: Institute web site content, press releases, employee work addresses, library catalog information

Category II: Internal Use
• Examples: directory listings, internal intranet web sites, gtID (alone), library resources
• NOTE: This is the default data classification category.

Category III: Sensitive
• Examples: Social Security Number, research data, intellectual property of Georgia Tech, library circulation records, security camera recordings

Category IV: Highly Sensitive
• Examples: credit card numbers

INTERNAL AUDIT AND RISK SELF-ASSESSMENT: LOGON BANNER

The IT&D Desktop and Collaboration Services team updated the standard usage agreement on all library-managed desktops and implemented a 15-minute idle timeout, so that a computer left unattended does not remain accessible for unauthorized use.

INTERNAL AUDIT AND RISK SELF-ASSESSMENT: SELF AUDIT SAMPLE 1

RISK: If unit data is not properly protected, the unit's ability to accomplish its organizational objectives may be hindered.

CONTROLS:
1. Employees are notified of the CNUSP and DAP.
2. The data stored on information systems has been classified in accordance with the Data Access Policy (DAP).
3. Servers that store sensitive data are listed in the OIT sensitive server list.
4. User access to sensitive data is properly authorized.
5. Policies and procedures are in place for data security breaches.

INTERNAL AUDIT AND RISK SELF-ASSESSMENT: SELF AUDIT SAMPLE 2

RISK: Inadequately secured web servers may result in compromise of data or the campus network, system corruption, loss of productivity, and adverse public relations or reputation.

CONTROLS:
1. Web site development adheres to the Institute guide for the development of web sites.
2. Web site statistics are logged and maintained.
3. There are procedures and checklists in place to ensure the security of the web server.
4. There are intrusion detection systems protecting the network.
5. Proper change management procedures are used when making changes to web servers.

INTERNAL AUDIT AND RISK SELF-ASSESSMENT: SELF AUDIT SAMPLE 3

RISK: Unauthorized access to data.

CONTROLS:
1. A password management process is in place.
2. Strong authentication controls for networks, servers, and applications.
3. Logs are kept and reviewed on a regular basis.
4. Users are uniquely identifiable.
5. Access is restricted based on the individual's job.
6. System safeguards are in place.
7. Vulnerability scans are completed against the internal and external networks.

DATA SAFEGUARDS

Covered systems: servers; endpoints (e.g. desktop computers, laptop computers, workstations, USB storage devices); mobile devices (e.g. smart phones, tablet computers, personal digital assistants, handheld scanners); cloud computing.

Each page in the spreadsheet contains a matrix outlining the specific configurations or controls, as well as whether each configuration or control is Mandatory or Recommended based on the category of data being stored on the computing system in question.

https://security.gatech.edu/security-standards-and-procedures

LIBRARY NEXT: PREPARING FOR THE FUTURE
• Vendor security practices and compliance
• Vendor responses written into contracts
• Patron data privacy, and data not being sold
• Data elimination written into contracts
• Improve management and access via relocation of the server room to a centrally controlled facility
• Ongoing employee training and awareness of security issues, practices and policies
• Ongoing risk assessment and mitigation strategies (hardware, software, data, user behavior)

REFERENCES
Georgia Tech Library: Library Next, http://librarynext.gatech.edu/
Georgia Tech CNUSP, http://policylibrary.gatech.edu/information-technology/computer-and-network-usage-and-security
Georgia Tech DAP, http://policylibrary.gatech.edu/data-access
Georgia Tech Phish Bowl, https://stats.security.gatech.edu/phishbowl/
Georgia Tech Security Standards and Procedures, https://security.gatech.edu/security-standards-and-procedures

THANK YOU

Doug Goans <[email protected]>, Head of IT&D, Georgia Tech Library

Chris Helms <[email protected]>, Application Development Manager, Georgia Tech Library