Enterprise data (decentralized control, data security and privacy)
Prevention: People and Process
Rodney Petersen
Security Task Force Coordinator
EDUCAUSE
Framing the Problem
Information Privacy and Security
Paper and Electronic
Reliance on Networks and Technology
Business Continuity
Critical Infrastructure Protection
Part of National Strategy to Secure Homeland
Security Processes
Deter
Prevent
Detect
React
Adapt
Burton Group: A Systematic, Comprehensive Approach to Information Security (Feb. 2005)
Points of Emphasis
People
Processes
Technology
Risk Management
Risk = Threats x Vulnerabilities x Impact
Threat
An adversary that is motivated to exploit a system vulnerability
and is capable of doing so
National Research Council CSTB Report: Cybersecurity Today and Tomorrow: Pay Now or Pay Later (2002)
Examples of Threats
Hackers
Insiders
“Script Kiddies”
Criminal Organizations
Terrorists
Enemy Nation States
Vulnerability
An error or a weakness in the design, implementation, or operation of a system.
National Research Council CSTB Report: Cybersecurity Today and Tomorrow: Pay Now or Pay Later (2002)
Examples of Vulnerabilities
Networks – wired and wireless
Operating Systems – especially Windows
Hosts and Systems
Malicious Code and Viruses
People
Processes
Physical Environments
Impact
Refers to the likelihood that a vulnerability will be exploited or
that a threat may become harmful.
National Research Council CSTB Report: Cybersecurity Today and Tomorrow: Pay Now or Pay Later (2002)
Examples of Impact
Strategic Consequences
Financial Consequences
Legal Consequences
Operational Consequences
Reputational Consequences
Qayoumi, Mohammad H. “Mission Continuity Planning: Strategically Assessing and Planning for Threats to Operations,” NACUBO (2002).
Handling Risks
Risk Assumption
Risk Control
Risk Mitigation
Risk Avoidance
Qayoumi, Mohammad H. “Mission Continuity Planning: Strategically Assessing and Planning for Threats to Operations,” NACUBO (2002).
Framework for Risk Assessment
Phase 1: Identify Critical Assets and Security Strategies
Strategic Perspective
Operational Perspective
Practice Perspective
Consolidated View of Security Requirements
Phase 2: Identify Infrastructure Vulnerabilities (Technological View)
Key Technology Components
Selected Technology Components
Evaluation
Phase 3: Develop Security Strategy and Plans (Risk Analysis)
Risk Assessment
Protection Strategy and Mitigation Plan
Institutional Policies
Policies are statements that reflect the philosophies, attitudes, or values of an organization related to a specific issue. They are generally represented in a paragraph or perhaps two, but not pages. They might say “what” but not “how”. Checklists, procedures, standards, and guidelines all must implement, reflect, and support the applicable policy or policies. The entire set of statements is sometimes considered to be the “Policy”.
Bruhn and Petersen, A Primer on Policy Development for Institutions of Higher Education, 2003.
Data Protection Policies
Acceptable Use Policy
Security Policy
Privacy Policy
Data Policy
Security Policies
RFC2196: A security policy is a formal statement of the rules by which people who are given access to an organization’s technology and information assets must abide.
RFC2196: The main purpose of a security policy is to inform users, staff and managers of their obligatory requirements for protecting technology and information assets.
Security Policy Components (RFC2196)
Computer Technology Purchasing
Privacy (i.e., sets reasonable expectations)
Access Rights and Privileges
Accountability (i.e., responsibilities)
Authentication
Availability (sets user expectations)
IT System and Network Maintenance
Violations Reporting
Contact Information
Privacy Policies
Setting “reasonable expectations”
With respect to types of “personal info”:
Student Education Records (FERPA)
Protected Health Information (HIPAA)
Nonpublic Personal Financial Information (GLB Act)
Primary identifiers and use of SSNs
With respect to collection of information – i.e., privacy statements
With respect to disclosure of information, including public records requirements
Data Policies
Enterprise data management structure
Data classification – for example:
Unrestricted Data
Sensitive Data
Critical Data
Roles and responsibilities – for example:
Data Trustees
Data Stewards
Data Managers
Access rights and privileges – i.e., data users
Protection of Sensitive Personal Information
Develop, implement, maintain, and enforce a written program for the security of sensitive personal information that you collect, maintain, sell, transfer, or dispose of, containing:
administrative safeguards
technical safeguards
physical safeguards
to:
1. ensure the security and confidentiality of such data;
2. protect against any anticipated threats or hazards to the security or integrity of such data; and
3. protect against unauthorized access to, or use of, such data that could result in substantial harm to any individual.
S. 1408: Identity Theft Protection Act (109th Congress)
Awareness & Training
Who needs “awareness” (consciousness-raising)? All Users!
Executives
Faculty
Staff
Students
Users of Sensitive Data
IT Staff
Training (skills development)
Especially for data stewards, IT staff, and information security team
ACE Letter to Presidents
Set the tone: ensure that all campus stakeholders know that you take Cybersecurity seriously. Insist on community-wide awareness and accountability.
Establish responsibility for campus-wide Cybersecurity at the cabinet level. At a large university, this responsibility might be assigned to the Chief Information Officer. At a small college, this person may have responsibility for many areas, including the institutional computing environment.
Ask for a periodic Cybersecurity risk assessment that identifies the most important risks to your institution. Manage these risks in the context of institutional planning and budgeting.
Request updates to your Cybersecurity plans on a regular basis in response to the rapid evolution of the technologies, vulnerabilities, threats, and risks.
Cybersecurity Awareness Resources CD
The Awareness and Training Working Group of the EDUCAUSE/Internet2 Security Task Force compiled cybersecurity awareness resources distributed on a CD.
The resources were collected to showcase the variety of security awareness efforts underway at institutions of higher education and to provide resources for colleges and universities that are looking to jump-start a program for their organization.
What’s on the CD?
Pamphlets
Post Cards
Presentations
Security Awareness Documents
Security Cards
Security Tools
Security Quizzes
Surveys
Videos
Book Marks
Brochures
Checklists
Flyers
Games
Government Resources
Handouts
Industry Resources
Links to School’s Security Web Page(s)
Information Security Governance
If businesses, educational institutions, and non-profit organizations are to make significant progress securing their information assets, executives must make information security an integral part of core business operations. There is no better way to accomplish this goal than to highlight it as part of the existing internal controls and policies that constitute corporate governance.
Information Security Governance Report: Executive Summary
InfoSec Governance Self Assessment
Organizational Reliance on IT – e.g., What is the impact of major system downtime on operations?
Risk Management – e.g., Has your organization conducted a risk assessment and identified critical assets?
People – e.g., Is there a person or organization that has information security as their primary duty?
Processes – e.g., Do you have official written information security policies and procedures?
Technology – e.g., Is sensitive data encrypted?
Information Security Governance Assessment Tool for Higher Education
Best Practices & Metrics
Information Security Program Elements:
Governance – Boards/Senior Executives/Shared Governance
Management – Directors and Managers
Technical – Central and Distributed IT Support Staff
CISWG Final Report on Best Practices & Metrics
Governance
Oversee Risk Management and Compliance Programs Pertaining to Information Security (e.g., Sarbanes-Oxley, HIPAA, Gramm-Leach-Bliley)
Approve and Adopt Broad Information Security Program Principles and Approve Assignment of Key Managers Responsible for Information Security
Strive to Protect the Interests of all Stakeholders Dependent on Information Security
Review Information Security Policies Regarding Strategic Partners and Other Third-parties
Strive to Ensure Business Continuity
Review Provisions for Internal and External Audits of the Information Security Program
Collaborate with Management to Specify the Information Security Metrics to be Reported to the Board
Management
Establish Information Security Management Policies and Controls and Monitor Compliance
Assign Information Security Roles, Responsibilities, Required Skills, and Enforce Role-based Information Access Privileges
Assess Information Risks, Establish Risk Thresholds and Actively Manage Risk Mitigation
Ensure Implementation of Information Security Requirements for Strategic Partners and Other Third-parties
Identify and Classify Information Assets
Implement and Test Business Continuity Plans
Approve Information Systems Architecture during Acquisition, Development, Operations, and Maintenance
Protect the Physical Environment
Ensure Internal and External Audits of the Information Security Program with Timely Follow-up
Collaborate with Security Staff to Specify the Information Security Metrics to be Reported to Management
Technical
User Identification and Authentication
User Account Management
User Privileges
Configuration Management
Event and Activity Logging and Monitoring
Communications, Email, and Remote Access Security
Malicious Code Protection, Including Viruses, Worms, and Trojans
Software Change Management, including Patching
Firewalls
Data Encryption
Backup and Recovery
Incident and Vulnerability Detection and Response
Collaborate with Management to Specify the Technical Metrics to be Reported to Management