Page 1: IT Security Challenges In Higher Education

Steve Schuster

Cornell University

Page 2

Questions I'd like to Answer

► Why do we care about IT security?
► What are some of our universities' biggest challenges?
► What can universities do to address these challenges?

Page 3

Why Do We Care?

► Current federal and state law
  • Family Educational Rights and Privacy Act (FERPA)
  • Health Insurance Portability and Accountability Act (HIPAA)
  • Gramm-Leach-Bliley Act (GLBA)
  • Compromise notification laws
    - 12 states
    - NYS Breach of Security Bill -- December, 2005

Page 4

Why Do We Care?

► Growing social expectations due to rise in identity theft awareness
► Reputational concerns
► Growing possibility for lawsuits

Page 5

Why Do We Care?

► NY State Breach of Security Bill
  • Personally identifiable information
    - Social security number
    - Driver's license number
    - Account number of credit/debit card with PIN
  • Must notify if data was "reasonably believed to have been acquired by a person without valid authorization"
  • Notification
    - Personal
    - If NY resident:
      NYS Attorney General – Internet Bureau
      NYS Attorney General – The Capitol
      NYS Consumer Protection Board
      NYS Office of Cyber Security and Critical Infrastructure Protection
  • Consequences of non-compliance
    - NYS can sue for damages on behalf of the individual
    - Civil suits up to $150,000

Page 6

Why Do We Care?

► First half of this year had 72 reported compromises
  • Education – 37
  • Business – 23
  • Government – 7
  • Healthcare – 5
► Causes of the compromises
  • Hacking – 40
  • Stolen property – 16
  • Lost property – 6
  • Insider – 5
  • Fraud/social engineering – 2
  • Email – 1
  • Web – 1

Page 7

Why Do We Care?

Page 8

Why Do We Care?

Page 9

Why Do We Care?

Page 10

Why Do We Care?

Page 11

Our Biggest Challenges

► Not ending up on the front page of the NY Times
► Changing/emerging law
► Growing social expectations and requirements
► General "openness" of universities can make us an easier target
► Creating a common understanding about what data needs to be protected
► Complexity due to decentralized IT support complicates the identification of critical or sensitive resources/data
► Timely and accurate response to security incidents
► Institutional-level questions are difficult to get answered

Page 12

Challenge: Not ending up on the front page of the NY Times

► Response
  • A combination of everything we do
  • Pray

Page 13

Challenge: Changing/Emerging Law

► Response
  • Make friends with University Counsel
  • Develop a clear understanding of, and communicate, what data needs to be protected
  • Periodic security awareness for at least those handling regulated data
  • Never miss a "learning" opportunity
    - User/department notification
  • Make sure policy reflects current requirements
    - Data Security/Management policy

Page 14

Challenge: Growing Social Expectations and Requirements

► Response
  • Prepare your legal defense now
    - Participate in internal and external audits
    - Show consistent improvements
    - Work to establish at least state-of-the-practice security technology, processes and procedures
    - Develop analysis and incident handling standards and practices

Page 15

Challenge: University "Openness"

► Response
  • Implement a security strategy that meets the business needs of the unit
  • Build trust and understanding across the community
  • Rise to the challenge
    - Protected infrastructures DO NOT hinder research

Page 16

Challenge: Understanding What Data Needs to be Protected

► Response
  • Data categories can help
    - Regulated, Confidential and Public
  • Map specific data elements into each category
  • Work toward the identification of all IT resources that house each category
  • Communicate
    - Awareness
    - Policy
    - "Educational" opportunities
  • The Audit Office can certainly help here

Page 17

Challenge: Complexity Due to Decentralization

► Response
  • Building and maintaining trust is not optional
  • Establish best practices and strong recommendations
  • Gain the support of the University Audit Office
  • Support university-wide outreach
    - IT Security Council
    - Monthly Security Special Interest Group (SIG)

Page 18

Challenge: Timely and Accurate Response to Security Incidents

► Response
  • Develop processes and procedures in advance
  • Ensure the procedures are universally available
  • Provide response training to local units
  • Ensure the central IT Security Office is involved with the incident
  • Automate as much of the response process as possible
  • Establish a Data Loss Response Team

Page 19

Challenge: Answering Institutional Questions

► Response
  • Do not ask abstract questions
  • Work real-world situations requiring action and decisions
  • Create a Data Loss Response Team

Page 20

Responding to Incidents

► Clearly distinguish between IT security and data security
► Data Loss Response Team
  • Established to ensure the university responds appropriately
  • Members
    - University Audit
    - University Counsel
    - Public Relations
    - VP of IT
    - Risk Management
    - University Police
    - Data Stewards
    - Local Unit
  • Two meetings of this team per incident
    - First meeting establishes understanding of the incident and provides specific direction
    - Second meeting weighs evidence and determines appropriate actions

Page 21

Responding to Incidents

► Data Loss Response Team benefits
  • Helps answer tough questions for the university
  • Provides a balanced and effective decision-making process
  • Helps establish minimum standards for analysis
  • Weighs in on established practices and procedures
  • Establishes a more thorough understanding of IT security challenges

Page 22

Questions?