Goans-Helms-IT Security at Georgia Tech Library
Uploaded by national-information-standards-organization-niso
IT SECURITY AT GEORGIA TECH LIBRARY
CURRENT EFFORTS AND EMERGING PRACTICES
OVERVIEW: IT SECURITY AND LIBRARY SYSTEMS / SERVICES
IT Security
Phishing
Authentication
Collaboration: Vendors
Collaboration: Patron Data
Internal Audit and Risk Self-Assessment / Data Safeguards
Training and Future Plans
AUTHENTICATION, AUTHORIZATION & ACCESS CONTROL
Authenticate
• Integration with CAS, Shibboleth
• Implementation of Duo (two-factor authentication)
• LastPass Enterprise
Authorize
• Person affiliation, curriculum, department
Access Control
• Proxy logs into Splunk
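The slide only says that proxy logs are fed into Splunk for access control. As an added example (not the library's code or Splunk searches), the script below shows the kind of rule a library would run over such logs: flag accounts whose successful requests come from many distinct client addresses in a short window (shared or stolen credentials) or that move an unusual volume of data (bulk downloading, which vendors also watch for). The log format, the sample lines, the one-hour window and both thresholds are constructed assumptions for this example; a real proxy export has a different layout and the thresholds need tuning against your own baseline.

```python
"""Added example (not the library's code): flag suspicious accounts in proxy logs.

The log format below is a constructed one (timestamp, user, client IP, HTTP
status, bytes, URL); real proxy exports differ.  The window and thresholds are
assumptions to be tuned against your own baseline.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines, not real traffic.  "alice" is used from four
# different addresses in five minutes; "carol" pulls 11 MB in two requests;
# "mallory" never authenticates successfully.
SAMPLE_LOG = """\
2019-03-04T08:01:12Z alice 10.0.0.5 200 48213 https://db.example.org/article/1
2019-03-04T08:02:40Z bob 10.0.0.9 200 1203 https://db.example.org/search
2019-03-04T08:03:05Z alice 203.0.113.7 200 90341 https://db.example.org/article/2
2019-03-04T08:04:11Z alice 198.51.100.23 200 87722 https://db.example.org/article/3
2019-03-04T08:05:50Z alice 192.0.2.44 200 91004 https://db.example.org/article/4
2019-03-04T08:06:02Z bob 10.0.0.9 200 77120 https://db.example.org/article/9
2019-03-04T08:07:30Z mallory 10.0.0.30 401 0 https://db.example.org/article/1
2019-03-04T09:30:00Z carol 10.0.0.12 200 5000000 https://db.example.org/bulk/1
2019-03-04T09:31:00Z carol 10.0.0.12 200 6000000 https://db.example.org/bulk/2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<user>\S+) (?P<ip>\S+) (?P<status>\d{3}) (?P<bytes>\d+) (?P<url>\S+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for malformed lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    rec["status"] = int(rec["status"])
    rec["bytes"] = int(rec["bytes"])
    return rec


def find_suspicious_accounts(log_text, window=timedelta(hours=1),
                             max_ips=3, max_bytes=10_000_000):
    """Return {user: metrics} for accounts whose successful requests, within any
    sliding window of the given length, came from >= max_ips distinct client IPs
    (shared or stolen credentials) or moved >= max_bytes (bulk downloading)."""
    by_user = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["status"] == 200:   # only successful fetches count
            by_user[rec["user"]].append(rec)

    flagged = {}
    for user, recs in by_user.items():
        recs.sort(key=lambda r: r["ts"])
        peak_ips = peak_bytes = 0
        start = 0
        for end in range(len(recs)):
            # slide the window start forward until it is within `window` of recs[end]
            while recs[end]["ts"] - recs[start]["ts"] > window:
                start += 1
            in_window = recs[start:end + 1]
            peak_ips = max(peak_ips, len({r["ip"] for r in in_window}))
            peak_bytes = max(peak_bytes, sum(r["bytes"] for r in in_window))
        reasons = []
        if peak_ips >= max_ips:
            reasons.append("distinct_ips")
        if peak_bytes >= max_bytes:
            reasons.append("bulk_download")
        if reasons:
            flagged[user] = {"max_distinct_ips": peak_ips,
                             "max_window_bytes": peak_bytes,
                             "reasons": reasons}
    return flagged


if __name__ == "__main__":
    for user, metrics in find_suspicious_accounts(SAMPLE_LOG).items():
        print(user, metrics)
```

On the constructed sample this flags alice (four client addresses inside one hour) and carol (11 MB in one window) while bob is left alone; failed logins are excluded so a password-guessing source does not inflate another user's counts. Shrinking the window to one minute drops alice, since her requests are spaced further apart, which is why the window length belongs with the threshold when the rule is tuned.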
COLLABORATION: VENDORS AND DATA / IT SECURITY
Campus Security Review
• Data in the system
• Data backup and disaster recovery
• Vendor IT security practice/compliance
• Network diagram, firewalls and VLANs
• Vendor's internal testing, intrusion prevention and training
Results
• Data sensitivity is low
• Vendor uses an independent auditing firm for security compliance (annual)
• Vendor manages user access, permissions and revocation
• Vendor provides a description of its password complexity rules
• Vendor demonstrates that its protocols do not transmit clear text
COLLABORATION: PATRON DATA
Share the least amount of patron data necessary to support the sharing of collections:
• First Name
• Last Name
• Unique identifier if using PPID in lieu of employee ID
• Email Address
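As an added example of the data-minimization rule above (not the library's code), the function below builds the outbound record from a full local patron record by whitelisting exactly the four fields the slide permits and dropping everything else. The slide does not say how the unique identifier that stands in for the employee ID is produced; the keyed-hash (HMAC-SHA256, one key per partner) derivation here is an assumption chosen to illustrate the point that the partner gets a stable identifier without ever receiving the employee ID. The sample record and partner keys are constructed.

```python
"""Added example (not the library's code): release only the minimal patron
record named on the slide.  How the unique identifier is generated is not
described on the slide; the keyed-hash derivation below is an assumption."""
import hashlib
import hmac

# The fields the slide permits for sharing collections (plus a unique id).
SHARED_FIELDS = ("first_name", "last_name", "email")


def pseudonymous_id(employee_id, partner_key):
    """Stable per-partner identifier standing in for the employee ID.
    Keying the hash per partner means the same patron gets a different ID at
    each partner, so two partners cannot correlate their records, and without
    the key the ID cannot be brute-forced back to a (short, numeric) employee ID."""
    return hmac.new(partner_key, employee_id.encode("utf-8"), hashlib.sha256).hexdigest()


def minimal_record(patron, partner_key):
    """Build the record to send: whitelisted fields plus the pseudonymous ID.
    Everything else in the local record (address, SSN, circulation history,
    the employee ID itself) never appears, because fields are picked, not removed."""
    required = SHARED_FIELDS + ("employee_id",)
    missing = [f for f in required if f not in patron]
    if missing:
        raise ValueError(f"patron record lacks required fields: {missing}")
    shared = {f: patron[f] for f in SHARED_FIELDS}
    shared["unique_id"] = pseudonymous_id(patron["employee_id"], partner_key)
    return shared


# Constructed sample record holding far more than should ever leave the library.
SAMPLE_PATRON = {
    "first_name": "Ada",
    "last_name": "Lovelace",
    "email": "ada.lovelace@example.edu",
    "employee_id": "900123456",
    "ssn": "123-45-6789",
    "home_address": "1 Example St",
    "circulation_history": ["QA76.9 .L68", "Z665 .P3"],
}

# Constructed per-partner keys; in practice these live in a secrets store.
PARTNER_KEYS = {"partner-a": b"example-key-for-partner-a",
                "partner-b": b"example-key-for-partner-b"}

if __name__ == "__main__":
    print(minimal_record(SAMPLE_PATRON, PARTNER_KEYS["partner-a"]))
```

Picking fields rather than deleting known-sensitive ones matters when the local record later gains a new column: a blacklist would leak it, a whitelist ignores it. Revoking a partner's key also retires every identifier that partner holds.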
INTERNAL AUDIT AND RISK SELF ASSESSMENT: STEWARDSHIP OUTCOMES
Training
• Provided training for library employees on IT security and data stewardship
Data Classification
• Audited 42 servers to document the classification of data on the servers. We did not have category IV data.
Logon Banner
• Implemented a logon banner which displays the standard usage agreement, and a 15-minute idle timeout
Self Risk-Assessment
• Conducted a self risk-assessment with the campus online tool
INTERNAL AUDIT AND RISK SELF ASSESSMENT: TRAINING
Worked with Campus Cybersecurity to provide
• 9 training sessions for all library employees, covering campus IT policies and phishing
• 1 training session for Library IT employees on security, confidentiality of information and software copyright laws
INTERNAL AUDIT AND RISK SELF ASSESSMENT: TRAINING OUTCOMES
• Computer & Network Usage and Security Policy (CNUSP)
• Data Access Policy & Data Classification
• Threats (Hacking and Phishing)
• Email Security Basics
• Common Phishing Attacks
• URL Dissection
• Password Policy
• Picking a Strong Password
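"URL Dissection" is the part of phishing training that teaches where the real host sits in a link. As an added example (not the library's training material), the script below splits a URL the way the training does and reports the three tricks that most often fool readers: a trusted name placed in a subdomain or path while the registrable domain belongs to someone else, a "username@" prefix that pushes the real host to the right of the last "@", and a bare IP or non-https link. The look-alike URLs are constructed for this example and the trusted-domain list is an assumption; substitute your institution's real domains.

```python
"""Added example (not the library's code): dissect a URL the way phishing
training does, to find where the real host is.  The look-alike URLs are
constructed; the trusted-domain list is an assumption, substitute your own."""
from urllib.parse import urlsplit

TRUSTED_DOMAINS = ("gatech.edu",)   # assumption: the institution's real domains

EXPLANATIONS = {
    "userinfo": "text before '@' is a username, not the site; the host is what follows the last '@'",
    "not_https": "the link is not https",
    "raw_ip": "the host is a bare IP address rather than a name",
    "lookalike": "a trusted name appears in the URL, but the host belongs to another domain",
}


def dissect(url):
    """Split a URL into the parts a phishing victim tends to misread.
    The registrable domain is approximated as the last two host labels; that is
    fine for .edu/.org/.net but too simple for suffixes such as .co.uk."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    labels = host.split(".")
    raw_ip = bool(host) and all(label.isdigit() for label in labels)
    registrable = host if raw_ip or len(labels) < 2 else ".".join(labels[-2:])
    # trust is decided on the host alone, never on what the link text looks like
    trusted = any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)

    findings = []
    if parts.username is not None:
        findings.append("userinfo")
    if parts.scheme.lower() != "https":
        findings.append("not_https")
    if raw_ip:
        findings.append("raw_ip")
    if not trusted and any(d in url.lower() for d in TRUSTED_DOMAINS):
        findings.append("lookalike")

    return {"scheme": parts.scheme, "userinfo": parts.username, "host": host,
            "registrable_domain": registrable, "path": parts.path,
            "trusted": trusted, "findings": findings}


# Constructed URLs: one legitimate, three in the style used by phishing lures.
SAMPLE_URLS = [
    "https://login.gatech.edu/cas/login",
    "https://gatech.edu.account-verify.example/login",
    "http://login.gatech.edu@203.0.113.7/",
    "https://gatech-edu.example.net/reset-password",
]

if __name__ == "__main__":
    for u in SAMPLE_URLS:
        d = dissect(u)
        print(u, "->", "host", d["host"], "TRUSTED" if d["trusted"] else "UNTRUSTED")
        for f in d["findings"]:
            print("   ", EXPLANATIONS[f])
```

The last sample ("gatech-edu.example.net") shows why the decision rests on the trusted flag rather than on the findings list: it trips none of the pattern checks yet is still untrusted, because its host is simply not one of ours.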
INTERNAL AUDIT AND RISK SELF ASSESSMENT: DATA CLASSIFICATION
GT Data Categorization https://security.gatech.edu/DataCategorization
Category I: Public Use
• Examples: Institute web site content, press releases, employee work addresses, Library Catalog Information
Category II: Internal Use
• Examples: directory listings, internal intranet web sites, gtID (alone), Library Resources
• NOTE: This is the default data classification category.
Category III: Sensitive
• Examples: Social Security Number, research data, intellectual property of Georgia Tech, Library Circulation Records, Security Camera Recordings
Category IV: Highly Sensitive
• Examples: Credit Card Numbers
INTERNAL AUDIT AND RISK SELF ASSESSMENT: LOGON BANNER
IT&D Desktop and Collaboration Services team updated the standard usage agreement on all library managed desktops and implemented a 15-minute idle timeout to ensure that computers do not become accessible for unauthorized use.
INTERNAL AUDIT AND RISK SELF ASSESSMENT: SELF AUDIT SAMPLE 1
RISK: If unit data is not properly protected, the unit's ability to accomplish its organizational objectives may be hindered.
CONTROLS:
1. Employees are notified of the CNUSP and DAP.
2. The data stored on information systems has been classified in accordance with the Data Access Policy (DAP).
3. Servers that store sensitive data are listed in the OIT sensitive server list.
4. User access to sensitive data is properly authorized.
5. Policies and procedures are in place for data security breaches.
INTERNAL AUDIT AND RISK SELF ASSESSMENT: SELF AUDIT SAMPLE 2
RISK: Inadequately secured web servers may result in compromise of data or the campus network, system corruption, loss of productivity, and adverse public relations or reputation.
CONTROLS:
1. Web site development adheres to the Institute guide for the development of web sites.
2. Web site statistics are logged and maintained.
3. Procedures and checklists are in place to ensure the security of the web server.
4. Intrusion detection systems protect the network.
5. Proper change management procedures are used when making changes to web servers.
INTERNAL AUDIT AND RISK SELF ASSESSMENT: SELF AUDIT SAMPLE 3
RISK: Unauthorized access to data.
CONTROLS:
1. A password management process is in place.
2. Strong authentication controls for networks, servers, and applications.
3. Logs are kept and reviewed on a regular basis.
4. Users are uniquely identifiable.
5. Access is restricted based on the individual's job.
6. System safeguards are in place.
7. Vulnerability scans are completed against the internal and external networks.
DATA SAFEGUARDS
Scope: Servers; Endpoints (e.g. Desktop Computers, Laptop Computers, Workstations, USB Storage Devices); Mobile Devices (e.g. Smart Phones, Tablet Computers, Personal Digital Assistants, Handheld Scanners); Cloud Computing.
Each page in the spreadsheet contains a matrix outlining the specific configurations or controls, as well as whether each configuration or control is Mandatory or Recommended based on the category of data being stored on the computing system in question.
https://security.gatech.edu/security-standards-and-procedures
LIBRARY NEXT: PREPARING FOR THE FUTURE
• Vendor security practices and compliance
• Vendor responses written into contracts
• Patron data privacy and data not being sold
• Data elimination written into contracts
• Improve management and access via relocation of the server room to a centrally controlled facility
• Ongoing employee training and awareness of security issues, practices and policies
• Ongoing risk assessment and mitigation strategies (hardware, software, data, user behavior)
REFERENCES
Georgia Tech Library: Library Next
http://librarynext.gatech.edu/
Georgia Tech CNUSP
http://policylibrary.gatech.edu/information-technology/computer-and-network-usage-and-security
Georgia Tech DAP
http://policylibrary.gatech.edu/data-access
Georgia Tech Phish Bowl
https://stats.security.gatech.edu/phishbowl/
Georgia Tech Security Standards and Procedures
https://security.gatech.edu/security-standards-and-procedures
THANK YOU
Doug Goans <[email protected]>, Head of IT&D, Georgia Tech Library
Chris Helms <[email protected]>, Application Development Manager, Georgia Tech Library