Security Is Everyone’s Responsibility
October 22, 2014
Agenda
• Introduction – Scott Douglass
• Legal Issues – Laure Ergin
• Risk & Challenges – Kirk Die
• What IT Is Seeing & Doing – Jason Cash
• Unit & Employee Responsibilities – Karl Hassler
• Sensitive Data – Karl Hassler
• Wrap Up / Discussion – Scott Douglass
• Resources
Introduction
• Today’s Reality
  – More organizations are revealing they’ve been breached
    • Public pressure
    • Disclosure laws
• Why We’re Here
  – Begin a dialogue
  – Raise awareness
  – Educate
  – Provide resources
Legal Issues
• Which law applies depends on:
  – Location of the institution
  – Type of information
  – Role of the person storing the information
  – How the information was obtained
• Privacy / Security
  – Privacy – freedom from having one’s information disclosed without consent
  – Security – the mechanism(s) in place to protect the privacy of information
Applicable Laws
• Family Educational Rights & Privacy Act (FERPA) – protects student educational records
• Gramm-Leach-Bliley Act (GLBA) – protects financial information of customers
• Health Insurance Portability & Accountability Act of 1996 (HIPAA) – protects patient information
• Payment Card Industry Data Security Standard (PCI-DSS) – protects credit card information
• Delaware Breach Notification Law – Del. Code, Title 6, Sec. 12B-101 et seq. – requires notification in the event of a data breach
• The Jeanne Clery Disclosure of Campus Security Policy & Campus Crime Statistics Act (Clery Act) – requires reporting of crime statistics to the general public and the federal government
• Computer Fraud & Abuse Act (CFAA) – criminalizes hacking into computers and computer networks
• Communications Decency Act – regulates obscenity in cyberspace
• Children’s Online Privacy Protection Act (COPPA) – regulates commercial operators that direct services to children under 13
• Communications Assistance for Law Enforcement Act (CALEA) – regulates the assistance that must be provided to law enforcement for phone tapping purposes
• Federal Information Security Management Act (FISMA) – regulates how federal information, computers and networks are secured, through contracts and possibly soon through grant documents
Types of Laws
• Some laws are about what we can and can’t do with information we have – focus is protecting information.
• Some laws are about information we have that we must share with individuals, our community and report to state and federal governments – focus is disclosure.
• Some laws are about what you can and can’t do on your computer or on the internet – focus is on regulating conduct and behavior through or on the internet.
• Some laws go beyond securing information and want to make sure your information systems (computers and networks) are secure and protected.
Potential Risks
• Legal Compliance
  – Failure to comply with privacy laws and regulations can result in significant legal sanctions, liability, fines, and other unpleasant consequences.
  – Regulatory agencies are stepping up enforcement – meaning surveys are being sent out, questions are being posed, and ultimately on-site audits are conducted.
  – State attorneys general have enforcement power for state privacy/security laws, and they can enforce certain federal laws too (HIPAA, COPPA). Privacy and security laws are expanding in their coverage.
Other Potential Risks
• Reputational Injuries
• Damage to Student Well-Being
• Damage to Employee Well-Being
• Soured Relationships
• Financial Injuries
• Time and Resources
University Data Security Challenges
• Open Environment – many have access to records and control their own data
• Social Security number as a student identifier – resides on many systems
• Data Retention – tend to archive vs. delete
• Research – studies can use vast amounts of sensitive information
• Sharing – culturally much data is shared among colleagues
Target Rich Environment
• In General – need to allow less access
• Social Security number and other personal identifiers – retain in as few places as possible and only when needed
• Data Retention – less is better
• Research – separate initiative to secure research data
• Sharing – be more careful on what we share and how
What IT Is Seeing
• 171 UDELNET accounts compromised
• 20 machines disabled on average per week due to malware, etc.
http://krebsonsecurity.com/2012/10/the-scrap-value-of-a-hacked-pc-revisited/
http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/
What IT Is Doing
• Created:
  – IT Security & Compliance Office (modernize policies)
  – Technical Security Group
• Locate old data (SSNs)
• Protect current data (more than SSNs!)
• Detect intrusions
  – FireEye, Snort, NGFW, etc.
What does IT need?
• Process PII/SSN scan results.
• Desktop and laptop PII scanning software coming soon.
• More SSNs. No, really.
Unit Responsibilities – Some Action Items
• Follow UD Policies
• Develop an Information Security Plan
  – Inventory data and devices (know what you have)
  – Classify (assess sensitivity and risk)
  – Establish protocols to manage, access and use (playbook)
  – Protect data
  – Limit use and retention
  – Evaluate processes (where and how is data at risk?)
Employee Responsibilities – Some Action Items
• Unit Administrators
  – Inventory
  – Classify
  – Protect
  – Communicate
• Employees
  – Understand responsibilities and requirements
  – Ask questions!
Employee Responsibilities – Some Action Items (continued)
• Perform periodic reviews
  – Encrypt sensitive regulated data that must be retained
  – Purge or archive unneeded data
  – Are management standards being followed?
  – Any new control gaps?
• Report the loss or misuse of devices immediately
Types of Sensitive Data (1)
• Confidential PII (Personally Identifiable Information) – first name or initial and last name, along with:
  – Social Security Number;
  – Driver’s License Number or State-Issued ID Number;
  – Alien Registration or Government Passport Number; or
  – Financial Information: account, credit or debit card number
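The "Confidential PII" definition above is, in effect, a detection rule: a person's name together with at least one of the listed identifiers. The earlier "What does IT need?" slide asks units to process PII/SSN scan results, and the bulk of that work is separating real hits from look-alike numbers. The following is an added example (not the university's scanning software or any product named on this page) of a small scanner that applies the slide's rule and applies the structural checks a practitioner uses to cut false positives: SSNs the Social Security Administration never issues (area 000, 666 or 900-999, group 00, serial 0000) and card numbers that fail the Luhn checksum. The name pattern is a crude assumption for the demo, and the sample text is constructed; driver's-license and passport formats vary by issuer and are deliberately not pattern-matched here.

```python
"""Scanner for the slide's 'Confidential PII' rule: a name AND at least one
identifier (SSN or account/card number).  Added example, not the
university's tool; name pattern and sample input are assumptions."""
import re

# Candidate SSN: 3-2-4 digit groups separated by '-', a space, or nothing.
SSN_RE = re.compile(r"\b(\d{3})[- ]?(\d{2})[- ]?(\d{4})\b")
# Candidate payment card number: 13-19 digits, optionally grouped.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# Assumed name shape for this demo: 'Jane Smith' or 'J. Smith'.  A real
# scanner would match against a directory or name list instead.
NAME_RE = re.compile(r"\b[A-Z](?:[a-z]+|\.)\s+[A-Z][a-z]+\b")


def valid_ssn(area: str, group: str, serial: str) -> bool:
    """Reject numbers the SSA never issues: area 000, 666 or 900-999,
    group 00, serial 0000.  This removes most of the false positives a
    bare 9-digit match produces on order numbers and test fixtures."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return int(group) != 0 and int(serial) != 0


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 checksum used by the major card brands."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_ssns(text: str) -> list:
    """Structurally valid SSNs found in text, normalised to NNN-NN-NNNN."""
    return [f"{a}-{g}-{s}" for a, g, s in SSN_RE.findall(text)
            if valid_ssn(a, g, s)]


def find_cards(text: str) -> list:
    """Luhn-valid card numbers found in text, with separators stripped."""
    found = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            found.append(digits)
    return found


def classify(text: str) -> dict:
    """Apply the slide's rule: a name AND at least one identifier."""
    names = NAME_RE.findall(text)
    ssns = find_ssns(text)
    cards = find_cards(text)
    return {"names": names, "ssns": ssns, "cards": cards,
            "confidential_pii": bool(names) and bool(ssns or cards)}


def scan_lines(text: str) -> list:
    """Per-line findings with line numbers, the shape scan results arrive in."""
    hits = []
    for no, line in enumerate(text.splitlines(), 1):
        r = classify(line)
        if r["ssns"] or r["cards"]:
            hits.append((no, r))
    return hits


# Constructed sample input: no real people or real account numbers.
SAMPLE = """\
Student record: Jane Smith, SSN 123-45-6789, phone 302-555-0100.
Test fixture: user 000-12-3456 and card 4111 1111 1111 1112 (both invalid).
Payment on file for J. Doe: 4111 1111 1111 1111
"""

if __name__ == "__main__":
    for no, r in scan_lines(SAMPLE):
        tag = "CONFIDENTIAL PII" if r["confidential_pii"] else "identifier only"
        print(f"line {no}: {tag} ssns={r['ssns']} cards={r['cards']} names={r['names']}")
```

Run it directly and only lines 1 and 3 of the sample are reported; the fixture line is dropped because its SSN has an impossible area number and its card number fails the checksum. A structurally valid number is still only a candidate, so hits from a real scan need human review before a file is treated as a confirmed exposure.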
Types of Sensitive Data (2)
• Student Data
• Health Information
• Financial Account Information, Credit Card #s
• Certain Employment Data
• Personally Identifiable Human Subject Research Data
• UDelNet account passwords
Discussion
Resources & Tools
• UD Policies
  – 1-15 – http://www.udel.edu/ExecVP/policies/administrative/1-15.html
  – 1-22 – http://www.udel.edu/ExecVP/policies/administrative/1-22.html
• Privacy & Confidentiality – http://www.udel.edu/it/security/policies/employees/privacy.html
• Security Reporting – http://www.udel.edu/it/security/secreporting.html
Security Is Everyone’s Responsibility
September 30, 2014