security is everyone’s responsibility · 2014-10-22 · retain in as few places as possible and...
Security Is Everyone’s Responsibility
October 22, 2014
Agenda
• Introduction – Scott Douglass
• Legal Issues – Laure Ergin
• Risk & Challenges - Kirk Die
• What IT is Seeing & Doing – Jason Cash
• Unit & Employee Responsibilities – Karl Hassler
• Sensitive Data – Karl Hassler
• Wrap Up / Discussion - Scott Douglass
• Resources
Introduction
• Today’s Reality
– More organizations are revealing they’ve been breached
  • Public pressure
  • Disclosure laws
• Why We’re Here
– Begin a dialogue
– Raise awareness
– Educate
– Provide resources
Legal Issues
• Which law applies depends on:
– Location of institution
– Type of information
– Role of person storing the information
– How the information was obtained
• Privacy / Security
– Privacy – the freedom from having information disclosed without one’s consent
– Security – the mechanism(s) in place to protect the privacy of information
Applicable Laws
• Family Educational Rights & Privacy Act (FERPA) – protects student educational records
• Gramm-Leach-Bliley Act (GLBA) – protects financial information of customers
• Health Insurance Portability & Accountability Act of 1996 (HIPAA) – protects patient information
• Payment Card Industry Data Security Standard (PCI-DSS) – protects credit card information
• Delaware Breach Notification Law – Del. Code, Title 6, Sec. 12B-101 et seq. – requires breach notification in the event of a data breach
• The Jeanne Clery Disclosure of Campus Security Policy & Campus Crime Statistics Act (Clery Act) – requires reporting of crime statistics to the general public and federal government
• Computer Fraud & Abuse Act – criminalizes hacking into computers and computer networks
• Communications Decency Act – regulates obscenity in cyberspace
• Children’s Online Privacy Protection Act (COPPA) – regulates commercial operators that direct services to children under 13
• Communications Assistance for Law Enforcement Act (CALEA) – regulates assistance that must be provided to law enforcement for phone tapping purposes
• Federal Information Security Management Act (FISMA) – regulates how federal information, computers and networks are secured, through contracts and possibly soon grant documents
Types of Laws
• Some laws are about what we can and can’t do with information we have – focus is protecting information.
• Some laws are about information we have that we must share with individuals and our community, and report to state and federal governments – focus is disclosure.
• Some laws are about what you can and can’t do on your computer or on the internet – focus is on regulating conduct and behavior through or on the internet.
• Some laws go beyond securing information and want to make sure your information systems (computers and networks) are secure and protected.
Potential Risks
• Legal Compliance
– Failure to comply with privacy laws and regulations can result in significant legal sanctions, liability, fines, and other unpleasant consequences.
– Regulatory agencies are stepping up enforcement – meaning surveys are being sent out, questions are being posed, and ultimately on-site audits are conducted.
– State attorneys general have enforcement power for state privacy/security laws, plus they can enforce certain federal laws, too (HIPAA, COPPA). Privacy and security laws are expanding in their coverage.
Other Potential Risks
• Reputational Injuries
• Damage to Student Well-Being
• Damage to Employee Well-Being
• Soured Relationships
• Financial Injuries
• Time and Resources
University Data Security Challenges
• Open Environment – many have access to records, control their own data
• Social Security number as a student identifier – resides on many systems
• Data Retention – tend to archive vs. delete
• Research – studies can use vast amounts of sensitive information
• Sharing – culturally much data is shared among colleagues
Target Rich Environment
• In General – need to allow less access
• Social Security number and other personal identifiers – retain in as few places as possible and only when needed
• Data Retention – less is better
• Research – separate initiative to secure research data
• Sharing – be more careful on what we share and how
What IT Is Seeing
• 171 UDELNET accounts compromised
• 20 machines disabled on average per week due to malware, etc.
http://krebsonsecurity.com/2012/10/the-scrap-value-of-a-hacked-pc-revisited/
http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/
What IT Is Doing
• Created:
– IT Security & Compliance Office (modernize policies)
– Technical Security Group
• Locate old data (SSNs)
• Protect current data (more than SSNs!)
• Detect intrusions
– FireEye, snort, NGFW, etc.
What does IT need?
• Process PII/SSN scan results.
• Desktop and laptop PII scanning software coming soon.
• More SSNs. No, really.
Unit Responsibilities – Some Action Items
• Follow UD Policies
• Develop Information Security Plan
– Inventory data and devices (Know what you have)
– Classify (Assess Sensitivity and Risk)
– Establish protocols to Manage, Access and Use (Playbook)
– Protect Data – Limit Use + Retention
– Evaluate Processes (Where + How is data at risk?)
Employee Responsibilities – Some Action Items
• Unit Administrators
– Inventory
– Classify
– Protect
– Communicate
• Employees
– Understand responsibilities and requirements
– Ask questions!
Employee Responsibilities – Some Action Items
• Perform periodic reviews
– Encrypt sensitive regulated data that must be retained
– Purge or archive unneeded data
– Management standards followed?
– New control gaps?
• Report the loss or misuse of devices immediately
Types of Sensitive Data (1)
• Confidential PII (Personally Identifiable Information)
– First Name or Initial and Last Name, along with:
  – Social Security Number;
  – Driver’s License Number or State-Issued ID Number;
  – Alien Registration or Government Passport Number; or
  – Financial Information: Account, credit or debit card number
Types of Sensitive Data (2)
• Student Data
• Health Information
• Financial Account Information, Credit Card #s
• Certain Employment Data
• Personally Identifiable Human Subject Research Data
• UDelNet account passwords
Discussion
Resources & Tools
• UD Policies
– 1-15 – http://www.udel.edu/ExecVP/policies/administrative/1-15.html
– 1-22 – http://www.udel.edu/ExecVP/policies/administrative/1-22.html
• Privacy & Confidentiality – http://www.udel.edu/it/security/policies/employees/privacy.html
• Security Reporting – http://www.udel.edu/it/security/secreporting.html
Security Is Everyone’s Responsibility
September 30, 2014