data security and compliance…what you need to know 1 cybersecurity month series presented by...
TRANSCRIPT
DATA SECURITY AND COMPLIANCE…WHAT YOU NEED TO KNOW
1
CYBERSECURITY MONTH SERIES
Presented by George GuzmanOctober 27, 2014
Contents2
• Welcome and What we Do• Data Security and Compliance…what’s the difference?• Compliance landscape and strategies• Advanced Data Security• Target Story• Common Denominators• Our unique GW environment…lots going on• Common risk factors• Steps you can take• Who to contact
What we do3
The goal of the Compliance and Privacy Office is to establish a voluntary compliance program to ensure that faculty and staff are aware of and comply with federal, state and local laws and regulations.
We work closely with the Office of General Counsel, the Division of IT, and the respective academic and administrative functions of the university
Data Security and Compliance
4
What’s the difference?
Data security is the application of deterrents or security controls to protect data. The level of deterrents or security is commensurate to how the individual or entity uniquely “values” the data.
Compliance is applying a baseline of security controls (people, process, technology) defined by a standard. The baseline is applied to a specific type of data….typically regulated; such as health information, financial, personally identifiable information
Data Security and Compliance
5
Does Compliance equal highest level of security?No, it ensures a repeatable, stable baseline of security that can be measured to meet a specific regulatory requirement
Does highest level of security mean you are “secure”?Maybe, depends on where you place your security. Can you cover 100%...probably not.
Data Security and Compliance are key pieces to GW’s information risk management…ensuring compliance and placing highest security controls on assets that matter the most
Compliance Landscape6
http://www.higheredcompliance.org/matrix/
Frameworks and Strategies…more than technology
7
NIST 800-53
ISO27001
National Cybersecurity Framework
Advanced data security…8
Part of a defense in depth strategy to apply higher levels of security to high value information/assets
Penetration tests/Red team analysis Application code reviews System hardening Logging Intrusion detection Staff with advanced training/credentials
(forensics, malware analysis)
Examples of Data Security ≠ Compliance 9
40 million credit cards stolen, Target was PCI (Payment Card Industry) compliant, attacked through HVAC vendor
Common Denominators10
What are the common denominators?
Knowing what data you have Knowing the value of the data Knowing the risks to your data Understanding likelihood and impact of these risks Accepting a level of risk
This may seem obvious and easy…but ask your colleagues if they see it the same way. Entities need to define this…we do it here at GW
Our Unique GW Environment 11
Federal, State, Local laws (over
400 GW is required to
comply)
Rapidly changing technology…
boundaries are constantly
moving
Affiliations with hospitals, Public, Private sector,
other universities
20,000 students and over 6000
faculty and staff
Research Funding
Common Risk Factors 12
• Awareness of information in your care• Access to information…need to know principle• Dissemination of information…technology
makes it easy• Lack of knowledge or training of staff…
knowing your role, how to identify and what to do in situations
• Increased visibility of data loss…fines, reputational hit, accreditation risks, grants
Best Practices you can Take13
Referencing back to the Common Denominators slide
Knowing what data you have Knowing the value of the data Knowing the risks to your data Understanding the risk tolerance
• Ensure you and your team are leveraging available resources (tools, training, seminars)
• Never hesitate to ask for assistance…better to be safe
Resources14
http://www.cspri.seas.gwu.edu/ http://www.inforisktoday.com http://
www.higheredcompliance.org/matrix http://
www.nist.gov/cyberframework/upload/cybersecurity-framework-021214.pdf
http://www.sans.org/critical-security-controls/
Division of IT Information Security Team http://it.gwu.edu/security
Contact Info15
Compliance and Privacy OfficeGeorge Guzman, Director of Compliance and Data Privacy, [email protected] 202-994-6226
Compliance Office [email protected]
Compliance Office direct line202-994-3386