RINGS (ResNet Integrated Next Generation Solution) Educause Security Professionals Conference 2006.
Handling Sensitive Data: Security, Privacy, and Other Considerations Rodney Petersen Government...
-
Upload
jasper-perkins -
Category
Documents
-
view
220 -
download
0
Transcript of Handling Sensitive Data: Security, Privacy, and Other Considerations Rodney Petersen Government...
Handling Sensitive Data:Security, Privacy, and Other Considerations
Rodney Petersen
Government Relations Officer
Security Task Force Coordinator
EDUCAUSE
Security Task Force
Goals: Education and Awareness Standards, Policies, and Procedures Security Architecture and Tools Organization and Information Sharing
Working Groups Awareness and Training Policies and Legal Issues Risk Assessment Effective Practices and Solutions
Annual Security Professionals Conference
Security Goals: C-I-A
Availability - computers, systems and networks must be available on a timely basis to meet mission requirements or to avoid substantial losses.Integrity - computers, systems, and networks that contain information must be protected from unauthorized, unanticipated, or unintentional modification.Confidentiality - computers, systems, and networks that contain information require protection from unauthorized use or disclosure.
Security Approaches
People – awareness, training, policies, roles and responsibilities, staffing, etc.
Process – procedures, work flows, systems, physical security, compliance, etc.
Technology – layered security, vulnerability scanning, access controls, o/s and s/w updates, etc.
ECAR IT Security Study
The Headlines You Won’t Read in the Chronicle of Higher Ed or New York Times:
The respondents feel more secure today than two years ago despite being in a perceived riskier environment.
Respondents feel that the academic community has become more sensitive to security and privacy in the last two years.
ECAR IT Security Study, 2006
IT Security Incidents
Ten percent of the respondents in our survey indicated that they had an IT security incident in the last twelve months, which had been reported to the press (down from 19 percent in 2003).A majority of institutions (74.2 percent) report that the number of incidents is about the same or less in the past twelve months as compared with the year before.The primary perceived risks are viruses (72.6 percent), theft of personal financial information (64.8 percent), and spoofing and spyware (55.3 percent).
ECAR IT Security Study, 2006
Data Security Incidents
Stolen Laptops
Missing Media
Unauthorized access to systems
Incident response teams
Notification to affected individuals
Identity theft and other types of fraud
Data Incident Notification Toolkit
Blueprint for Handling Data
Step 1: Create a security risk-aware culture that includes an information security risk management programStep 2: Define institutional data typesStep 3: Clarify responsibilities and accountability for safeguarding confidential/sensitive dataStep 4: Reduce access to confidential/sensitive data not absolutely essential to institutional processesStep 5: Establish and implement stricter controls for safeguarding confidential/sensitive dataStep 6: Provide awareness and trainingStep 7: Verify compliance routinely with your policies and procedures
Step 1: Risk Aware Culture
1.1 Institution-wide security risk management program
1.2 Roles and responsibilities defined for overall information security at the central and distributed level
1.3 Executive leadership support in the form of policies and governance actions
Risk Management Framework
Risks Incurred
ECAR IT Security Study, 2006
Damage Percent
Business application, including e-mail, unavailable 33.7%
Network unavailable 29.4%
Information confidentiality compromised 26.0%
Damage to software 21.5%
Damage to data 12.5%
Negative publicity in the press 10.0%
Identity theft 8.4%
Damage to hardware 7.4%
Financial losses 6.4%
Risk Assessments
55 percent do some type of risk assessment
But less than 9 percent cover all institutional systems and data.
ECAR IT Security Study, 2006
Responsibility for IT Security
IT Security Officer (up to 35% from 22%)
CIO (up to 14% from 8%)
Other IT Directors ( down to 50% from 67%)
IT Security Plan
11.2 percent - a comprehensive IT security plan is in place
66.6 percent - a partial plan is in place.
20.4 percent - no IT security plan is in place
ECAR IT Security Study, 2006
Policies in Place
Individual employee responsibilities for information security practices (73%)
Protection of organizational assets (73%)
Managing privacy issues, including breaches of personal information (72%)
Incident reporting and response (69%)
Disaster recovery contingency planning (68%)
Policies in Place
Investigation and correction of the causes of security failures (68%)Notification of security events to: individuals, the law, etc. (67%)Sharing, storing, and transmitting data (51%)Data classification, retention, and destruction (51%)Identity Management (50%)
Step 1: Risk Aware Culture
1.1 Institution-wide security risk management program
1.2 Roles and responsibilities defined for overall information security at the central and distributed level
1.3 Executive leadership support in the form of policies and governance actions
Step 2: Define Data Types
2.1 Compliance with applicable federal and state laws and regulations - as well as contractual obligations - related to privacy and security of data held by the institution (also consider applicable international laws) 2.2 Data classification schema developed with input from legal counsel and data stewards 2.3 Data classification schema assigned to institutional data to the extent possible or necessary
Step 3: Clarify Responsibilities
3.1 Data stewardship roles and responsibilities
3.2 Legally binding third party agreements that assign responsibility for secure data handling
Step 4: Reduce Access to Data
4.1 Data collection processes (including forms) should request only the minimum necessary confidential/sensitive information 4.2 Application outputs (e.g., queries, hard copy reports, etc.) should provide only the minimum necessary confidential/sensitive information 4.3 Inventory and review access to existing confidential/sensitive data on servers, desktops, and mobile devices 4.4 Eliminate unnecessary confidential/sensitive data on servers, desktops, and mobile devices 4.5 Eliminate dependence on SSNs as primary identifiers and as a form of authentication
Step 5: Controls
5.1 Inventory and review/remediate security of devices 5.2 Configuration standards for applications, servers, desktops, and mobile devices 5.3 Network level protections5.4 Encryption strategies for data in transit and at rest 5.5 Policies regarding confidential/sensitive data on mobile devices and home computers and for data archival/storage 5.6 Identity management and resource provisioning processes 5.7 Secure disposal of equipment and data 5.8 Consider background checks on individuals handling confidential/sensitive data
Security Approaches in Place
Perimeter firewalls 77%Centralized backups 77%VPNs for remote access 75%Enterprise directory 75%Interior network firewalls 65%Intrusion detection 62%Active filtering 59%
Intrusion prevention 44% (up from 33%)Security Standards for Applications 32% (up from 27%)
ECAR IT Security Study, 2006
Step 6: Awareness and Training
6.1 Make confidential/sensitive data handlers aware of privacy and security requirements 6.2 Require acknowledgment by data users of their responsibility for safeguarding such data 6.3 Enhance general privacy and security awareness programs to specifically address safeguarding confidential/sensitive data 6.4 Clearly communicate how to safeguard data so that collaboration mechanisms such as e-mail have strengths and limitations in terms of access control
Awareness Programs
ECAR IT Security Study, 2006
Students Faculty Staff
Program 2003 39.2% 38.2% 42.2%
Program 2005 62.3% 68.8% 69.1%
Percent change 23.1% 30.6% 26.9%
Step 7: Verify Compliance
7.1 Routinely test network-connected devices and services for weaknesses in operating systems, applications, and encryption 7.2 Routinely scan servers, desktops, mobile devices, and networks containing confidential/sensitive data to verify compliance 7.3 Routinely audit access privileges 7.4 Procurement procedures and contract language to ensure proper data handling is maintained 7.5 System development methodologies that prevent new data handling problems from being introduced into the environment 7.6 Utilize audit function within the institution to verify compliance 7.7 Incident response policies and procedures 7.8 Conduct regular meetings with stakeholders such as data stewards, legal counsel, compliance officers, public safety, public relations, and IT groups to review institutional risk and compliance and to revise existing policies and procedures as needed
FTC Guide: Protecting Personal Information
Take stock.Know what personal information you have in your files and on your computers.
Scale down.Keep only what you need for your business.Lock it.Protect the information that you keep.Pitch it. Properly dispose of what you no longer need.Plan ahead. Create a plan to respond to security incidents.
Characteristics of Successful IT Security Programs
Institutions with IT security plans in place characterize their IT security programs as more successful and feel more secure today.
The respondents who believe their institution provides necessary resources give higher ratings for IT security program success and their current sense of IT security.
The biggest barrier to IT security is lack of resources (64.4 percent) and especially at smaller institutions, followed by an academic culture of openness and autonomy (49.6 percent), and lack of awareness (36.4 percent).
ECAR IT Security Study, 2006
For more information
Rodney PetersenEmail: [email protected]: 202.331.5368EDUCAUSE/Internet2 Security Task Forcewww.educause.edu/securityEDUCAUSE Center for Applied Researchwww.educause.edu/ECARBlueprint for Handling Sensitive Datawiki.internet2.edu/confluence/display/secguide