DATA SECURITY AND COMPLIANCE…WHAT YOU NEED TO KNOW

1

CYBERSECURITY MONTH SERIES

Presented by George GuzmanOctober 27, 2014

Contents2

• Welcome and What we Do• Data Security and Compliance…what’s the difference?• Compliance landscape and strategies• Advanced Data Security• Target Story• Common Denominators• Our unique GW environment…lots going on• Common risk factors• Steps you can take• Who to contact

What we do3

The goal of the Compliance and Privacy Office is to establish a voluntary compliance program to ensure that faculty and staff are aware of and comply with federal, state and local laws and regulations.

We work closely with the Office of General Counsel, the Division of IT, and the respective academic and administrative functions of the university

Data Security and Compliance

4

What’s the difference?

Data security is the application of deterrents or security controls to protect data. The level of deterrents or security is commensurate to how the individual or entity uniquely “values” the data.

Compliance is applying a baseline of security controls (people, process, technology) defined by a standard. The baseline is applied to a specific type of data….typically regulated; such as health information, financial, personally identifiable information

Data Security and Compliance

5

Does Compliance equal highest level of security?No, it ensures a repeatable, stable baseline of security that can be measured to meet a specific regulatory requirement

Does highest level of security mean you are “secure”?Maybe, depends on where you place your security. Can you cover 100%...probably not.

Data Security and Compliance are key pieces to GW’s information risk management…ensuring compliance and placing highest security controls on assets that matter the most

Compliance Landscape6

http://www.higheredcompliance.org/matrix/

Frameworks and Strategies…more than technology

7

NIST 800-53

ISO27001

National Cybersecurity Framework

Advanced data security…8

Part of a defense in depth strategy to apply higher levels of security to high value information/assets

Penetration tests/Red team analysis Application code reviews System hardening Logging Intrusion detection Staff with advanced training/credentials

(forensics, malware analysis)

Examples of Data Security ≠ Compliance 9

40 million credit cards stolen, Target was PCI (Payment Card Industry) compliant, attacked through HVAC vendor

Common Denominators10

What are the common denominators?

Knowing what data you have Knowing the value of the data Knowing the risks to your data Understanding likelihood and impact of these risks Accepting a level of risk

This may seem obvious and easy…but ask your colleagues if they see it the same way. Entities need to define this…we do it here at GW

Our Unique GW Environment 11

Federal, State, Local laws (over

400 GW is required to

comply)

Rapidly changing technology…

boundaries are constantly

moving

Affiliations with hospitals, Public, Private sector,

other universities

20,000 students and over 6000

faculty and staff

Research Funding

Common Risk Factors 12

• Awareness of information in your care• Access to information…need to know principle• Dissemination of information…technology

makes it easy• Lack of knowledge or training of staff…

knowing your role, how to identify and what to do in situations

• Increased visibility of data loss…fines, reputational hit, accreditation risks, grants

Best Practices you can Take13

Referencing back to the Common Denominators slide

Knowing what data you have Knowing the value of the data Knowing the risks to your data Understanding the risk tolerance

• Ensure you and your team are leveraging available resources (tools, training, seminars)

• Never hesitate to ask for assistance…better to be safe

Resources14

http://www.cspri.seas.gwu.edu/ http://www.inforisktoday.com http://

www.higheredcompliance.org/matrix http://

www.nist.gov/cyberframework/upload/cybersecurity-framework-021214.pdf

http://www.sans.org/critical-security-controls/

Division of IT Information Security Team http://it.gwu.edu/security

Contact Info15

Compliance and Privacy OfficeGeorge Guzman, Director of Compliance and Data Privacy, gguzman@gwu.edu 202-994-6226

Compliance Office Emailcomply@gwu.edu

Compliance Office direct line202-994-3386