uwm cio office institutional data privacy and security presenter: steve brukbacher, information...

Post on 04-Jan-2016

UWM CIO Office

Institutional Data Privacy and Security

Presenter: Steve Brukbacher, Information Security Architect

Moderated by: Bruce Maas, CIO

November 11, 2009

UWM Information Security responsible for coordinating:

• Policies
• Technical controls
• Compliance
• Communication
• Forensics, investigations and incident response

Session Goals

• Answer “Why is this important?”
• Share Security Goals
• Identify future steps and needs

First, some background…

We are all data custodians.

Security Trends

Increasingly complex landscape

Security Trends

Need to control where confidential data lands

Security Trends

Challenging endpoint security

Data breaches are costly.

$202/record

500 records = $101K
1,000 records = $202K
30,000 records = $6.06M

Source: Ponemon Institute ponemon.org

Data breaches are costly.

Loss of trust.

Source: Ponemon Institute ponemon.org

What dangers are on the horizon?

Threats

Datalossdb.org

What have we gotten good at:

- Incident Response and Forensics
- Day-to-day security issues
- AV Management
- Risk Assessments
- Network Monitoring
- Efficient Desktop Support

So where is UWM in this landscape?

Data Sources

Students: Academic, Health, HR

Faculty/staff: HR, Health

Research: Health, Patent

Types of Data

• SSNs
• Credit card numbers
• Grades
• Personnel-related
• Health-related
• Research-related

Personal Health Information Example

• CUPH (Aurora, Medical College, UWM)

• Milwaukee Health Report 2009

• Perinatal database hosting (80+ hospitals) statewide:

- Providing data to state vital records
- Meeting reporting needs for hospitals/health departments

Health care issues such as:

• Health care legislation
• Pandemic issues
• Socioeconomic disparity

Even more motivation for breach prevention!

Institutional Data Privacy and Security Goals

1. Manage access to and use of confidential data.
2. Understand where the data is
3. Develop efficient and consistent compliance processes
4. Offer “pre-fab” high security environments

Institutional Data Privacy and Security Goals

1. Limit access to and use of confidential data

Institutional Data Privacy and Security Goals

2. Know location of data

Institutional Data Privacy and Security Goals

3. Employ a repeatable, cost-effective and reportable compliance methodology

Institutional Data Privacy and Security Goals

4. Offer “pre fab” high security environments for researchers

What do we need?

• Policy
• Procedures and processes
• Strengthened core IT infrastructure
• Security-enhanced networking environments
• Security-enhanced desktop environments

Policies currently in place:

• Acceptable Use Policy (AUP)
• Campus Information Security Policy

Policy Needs Identified/in Process

Research Data Security Policy:

- Integrate w/IRB process to secure confidential human subjects data
- Utilize form to gather basic info
- Work w/Security via checklist or one-on-one engagement

Policy Needs Identified/in Process

SSN Privacy & Security Policy:

- Establishes understanding to only collect/store data as necessary
- Formally ensures data is secured where it is needed and used

Procedures and Processes

• Need for GRC product?
• IRB coordination
• Ongoing process of procedure development for security assessment and implementation

New credit card data handling procedures/processes

• Consolidation of card payment services
• Allowance for other options provided unit responsible for compliance efforts

Strengthen Core IT Infrastructure

Framework: ITIL - IT Infrastructure Library:

• Utilizes methodology for efficient and secure IT management
• Focuses on defining services
• Clarifies requirements for:
  - Performance
  - Functionality
  - Security

Strengthen Core IT Infrastructure

How do we do this?

• Determine what you have
• Stabilize the patient
• Establish repeatable build processes
• Enable continuous improvement

Strengthen Core IT Infrastructure

What are we working on?

• More formal change management process
• Development of a unified patching methodology
• Contemplating a Log Management system
• Baseline system security standards

New Service/Service Enhancement Process

• Enumerates resource estimates and details impacts of systems/services

• Facilitates top-level resource decision-making

• Ensures right people at the table

• Helps balance service levels with service expectations

Security-enhanced Networking Environments

• Need a network “home” for confidential data
• Need network-based firewall services
• Need flexible implementation

Security-enhanced Desktop Environments

Tech Users Group providing foundation

• Common identified solutions:
  - McAfee & EPO
  - Identity Finder
  - Next Gen. endpoint security
  - Collaboration on OS deployments
• Needs:
  - Patch Management
  - Full support for FDE
  - File/folder level encryption software & support

Institutional Data Privacy and Security Goals

1. Manage access to and use of confidential data.
2. Understand where the data is
3. Develop efficient and consistent compliance processes
4. Offer “pre-fab” high security environments – ability to execute

What do we need?

• Policy to establish roles and “must do’s”
• Procedures and processes
• Strengthened core IT infrastructure
• Security-enhanced networking environments
• Security-enhanced desktop environments

Specific Technical Needs:

• Network firewall
• GRC software
• Identity Finder
• Full disk encryption
• File/folder-level encryption
• Patch Management
• Log management

Requires Investment:

Technology

People

Shared responsibility of all to serve as data custodians and ensure data is kept secure.

Steve Brukbacher, sab2@uwm.edu

Bruce Maas, bmaas@uwm.edu

Institutional Data Privacy and Security
