Security Is Everyone’s Responsibility October 22, 2014


Page 1: Security Is Everyone’s Responsibility · 2014-10-22 · retain in as few places as possible and only when needed • Data Retention – less is better • Research – separate

Security Is Everyone’s Responsibility

October 22, 2014

Page 2

Agenda

•  Introduction – Scott Douglass
•  Legal Issues – Laure Ergin
•  Risk & Challenges – Kirk Die
•  What IT is Seeing & Doing – Jason Cash
•  Unit & Employee Responsibilities – Karl Hassler
•  Sensitive Data – Karl Hassler
•  Wrap Up / Discussion – Scott Douglass
•  Resources

Page 3

Introduction

•  Today’s Reality
   –  More organizations are revealing they’ve been breached
      •  Public pressure
      •  Disclosure laws
•  Why We’re Here
   –  Begin a dialogue
   –  Raise awareness
   –  Educate
   –  Provide resources

Page 4

Legal Issues

•  Which law applies depends on:
   –  Location of institution
   –  Type of information
   –  Role of person storing the information
   –  How the information was obtained
•  Privacy / Security
   –  Privacy – the freedom from having information disclosed without one’s consent
   –  Security – the mechanism(s) in place to protect the privacy of information

Page 5

Applicable Laws

•  Family Educational Rights & Privacy Act (FERPA) – protects student educational records
•  Gramm-Leach-Bliley Act (GLBA) – protects financial information of customers
•  Health Insurance Portability & Accountability Act of 1996 (HIPAA) – protects patient information
•  Payment Card Industry Data Security Standard (PCI-DSS) – protects credit card information
•  Delaware Breach Notification Law – Del. Code, Title 6, Sec. 12B-101 et seq. – requires breach notification in the event of a data breach
•  The Jeanne Clery Disclosure of Campus Security Policy & Campus Crime Statistics Act (Clery Act) – requires reporting of crime statistics to the general public and federal government
•  Computer Fraud & Abuse Act – criminalizes hacking into computers and computer networks
•  Communications Decency Act – regulates obscenity in cyberspace
•  Children’s Online Privacy Protection Act (COPPA) – regulates commercial operators that direct services to children under 13
•  Communications Assistance for Law Enforcement Act (CALEA) – regulates the assistance that must be provided to law enforcement for phone tapping purposes
•  Federal Information Security Management Act (FISMA) – regulates how federal information, computers and networks are secured, through contracts and possibly soon grant documents

Page 6

Types of Laws

•  Some laws are about what we can and can’t do with information we have – the focus is protecting information.
•  Some laws are about information we have that we must share with individuals and our community, and report to state and federal governments – the focus is disclosure.
•  Some laws are about what you can and can’t do on your computer or on the internet – the focus is on regulating conduct and behavior through or on the internet.
•  Some laws go beyond securing information and want to make sure your information systems (computers and networks) are secure and protected.

Page 7

Potential Risks

•  Legal Compliance
   –  Failure to comply with privacy laws and regulations can result in significant legal sanctions, liability, fines, and other unpleasant consequences.
   –  Regulatory agencies are stepping up enforcement – meaning surveys are being sent out, questions are being posed, and ultimately on-site audits are conducted.
   –  State attorneys general have enforcement power for state privacy/security laws, plus they can enforce certain federal laws, too (HIPAA, COPPA). Privacy and security laws are expanding in their coverage.

Page 8

Other Potential Risks

•  Reputational Injuries
•  Damage to Student Well-Being
•  Damage to Employee Well-Being
•  Soured Relationships
•  Financial Injuries
•  Time and Resources

Page 9

University Data Security Challenges

•  Open Environment – many have access to records, control their own data
•  Social Security number as a student identifier – resides on many systems
•  Data Retention – tend to archive vs. delete
•  Research – studies can use vast amounts of sensitive information
•  Sharing – culturally much data is shared among colleagues

Page 10

Target Rich Environment

•  In General – need to allow less access
•  Social Security number and other personal identifiers – retain in as few places as possible and only when needed
•  Data Retention – less is better
•  Research – separate initiative to secure research data
•  Sharing – be more careful on what we share and how

Page 11

What IT Is Seeing

•  171 UDELNET accounts compromised
•  20 machines disabled on average per week due to malware, etc.

Page 12

http://krebsonsecurity.com/2012/10/the-scrap-value-of-a-hacked-pc-revisited/

Page 13

http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/

Page 14

What IT Is Doing

•  Created:
   –  IT Security & Compliance Office (modernize policies)
   –  Technical Security Group
•  Locate old data (SSNs)
•  Protect current data (more than SSNs!)
•  Detect intrusions
   •  FireEye, snort, NGFW, etc.

Page 15

Page 16

What does IT need?

•  Process PII/SSN scan results.
•  Desktop and laptop PII scanning software coming soon.
•  More SSNs. No, really.

Page 17

Page 18

Unit Responsibilities – Some Action Items

•  Follow UD Policies
•  Develop Information Security Plan
   -  Inventory data and devices (Know what you have)
   -  Classify (Assess Sensitivity and Risk)
   -  Establish protocols to Manage, Access and Use (Playbook)
   -  Protect Data – Limit Use + Retention
   -  Evaluate Processes (Where + How is data at risk?)

Page 19

Employee Responsibilities – Some Action Items

•  Unit Administrators
   -  Inventory
   -  Classify
   -  Protect
   -  Communicate
•  Employees
   -  Understand responsibilities and requirements
   -  Ask questions!

Page 20

Employee Responsibilities – Some Action Items

•  Perform periodic reviews
   -  Encrypt sensitive regulated data that must be retained
   -  Purge or archive unneeded data
   -  Management standards followed?
   -  New control gaps?
•  Report the loss or misuse of devices immediately

Page 21

Types of Sensitive Data (1)

•  Confidential PII (Personally Identifiable Information)
   –  First Name or Initial and Last Name, along with:
   –  Social Security Number;
   –  Driver’s License Number or State-Issued ID Number;
   –  Alien Registration or Government Passport Number; or
   –  Financial Information: Account, credit or debit card number
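The rule on this slide (a name together with at least one listed identifier) is the test a PII scan like the SSN-location effort and desktop scanning software mentioned on the IT slides would apply to each record it finds. The following is an added Python example, not code from the presentation or from UD IT; the sample records, the driver's-license format and the identifier patterns are constructed for the demo, and the SSN and Luhn sanity checks are there to cut false positives.

```python
import re

# Constructed sample records for the demo; every name and number below is fabricated.
SAMPLE_RECORDS = [
    "Jane Doe, SSN 123-45-6789, advisor notes 2009",
    "J. Smith DL# DE-1234567 parking permit",
    "Card 4111 1111 1111 1111 refund pending",   # identifier but no name
    "Jane Doe graduated 2011",                   # name but no identifier
    "Test ID 000-12-3456 Bob Jones",             # SSN-shaped but invalid area 000
]

NAME_RE = re.compile(r"\b(?:[A-Z][a-z]+|[A-Z]\.)\s+[A-Z][a-z]+\b")  # first name or initial + last name
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
DL_RE = re.compile(r"\bDL#?\s*[A-Z]{2}-?\d{7}\b")                    # hypothetical license format for the demo
CARD_RE = re.compile(r"\b(?:\d{4}[ -]?){3}\d{4}\b")

def plausible_ssn(area, group, serial):
    """SSA never issues area 000/666/900-999, group 00 or serial 0000; drop those to cut false positives."""
    return area not in ("000", "666") and not area.startswith("9") and group != "00" and serial != "0000"

def luhn_ok(digits):
    """Luhn checksum used by payment card numbers; rejects random 16-digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 if d < 5 else d * 2 - 9
        total += d
    return total % 10 == 0

def find_identifiers(text):
    """Return the identifier types present, after the validity checks above."""
    found = set()
    if any(plausible_ssn(*m.groups()) for m in SSN_RE.finditer(text)):
        found.add("ssn")
    if DL_RE.search(text):
        found.add("drivers_license")
    if any(luhn_ok(re.sub(r"[ -]", "", m.group())) for m in CARD_RE.finditer(text)):
        found.add("card_number")
    return found

def classify(text):
    """Apply the slide's rule: Confidential PII = a name AND at least one listed identifier."""
    has_name = NAME_RE.search(text) is not None
    ids = find_identifiers(text)
    return {"confidential_pii": has_name and bool(ids), "has_name": has_name, "identifiers": sorted(ids)}

def scan(records):
    """Return every record carrying an identifier; the verdict says whether the name makes it Confidential PII."""
    return [(r, classify(r)) for r in records if classify(r)["identifiers"]]
```

A record with an identifier but no name is still returned, since a reviewer will want to know the number is there even though the slide's definition does not classify it as Confidential PII on its own.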

Page 22

Types of Sensitive Data (2)

•  Student Data
•  Health Information
•  Financial Account Information, Credit Card #s
•  Certain Employment Data
•  Personally Identifiable Human Subject Research Data
•  UDelNet account passwords

Page 23

Discussion

Page 24

Resources & Tools

•  UD Policies
   –  1-15 – http://www.udel.edu/ExecVP/policies/administrative/1-15.html
   –  1-22 – http://www.udel.edu/ExecVP/policies/administrative/1-22.html
•  Privacy & Confidentiality – http://www.udel.edu/it/security/policies/employees/privacy.html
•  Security Reporting – http://www.udel.edu/it/security/secreporting.html

Page 25

Security Is Everyone’s Responsibility

September 30, 2014