Security Is Everyone’s Responsibility October 22, 2014


Page 1: Security Is Everyone’s Responsibility

Security Is Everyone’s Responsibility

October 22, 2014

Page 2: Security Is Everyone’s Responsibility

Agenda

• Introduction – Scott Douglass

• Legal Issues – Laure Ergin

• Risk & Challenges - Kirk Die

• What IT is Seeing & Doing – Jason Cash

• Unit & Employee Responsibilities – Karl Hassler

• Sensitive Data – Karl Hassler

• Wrap Up / Discussion - Scott Douglass

• Resources


Page 3: Security Is Everyone’s Responsibility

Introduction

• Today’s Reality
  – More organizations are revealing they’ve been breached
    • Public pressure
    • Disclosure laws

• Why We’re Here
  – Begin a dialogue
  – Raise awareness
  – Educate
  – Provide resources


Page 4: Security Is Everyone’s Responsibility

Legal Issues

• Which law applies depends on:
  – Location of institution
  – Type of information
  – Role of person storing the information
  – How the information was obtained

• Privacy / Security
  – Privacy – the freedom from having information disclosed without one’s consent
  – Security – the mechanism(s) in place to protect the privacy of information

Page 5: Security Is Everyone’s Responsibility

Applicable Laws

• Family Educational Rights & Privacy Act (FERPA) – protects student educational records
• Gramm Leach Bliley Act (GLBA) – protects financial information of customers
• Health Insurance Portability & Accountability Act of 1996 (HIPAA) – protects patient information
• Payment Card Industry Data Security Standard (PCI-DSS) – protects credit card information
• Delaware Breach Notification Law – Del. Code, Title 6, Sec. 12B-101 et seq. – requires breach notification in the event of a data breach
• The Jeanne Clery Disclosure of Campus Security Policy & Campus Crime Statistics Act (Clery Act) – requires reporting of crime statistics to the general public and federal government
• Computer Fraud & Abuse Act – criminalizes hacking into computers and computer networks
• Communications Decency Act – regulates obscenity in cyberspace
• Children’s Online Privacy Protection Act (COPPA) – regulates commercial operators that direct services to children under 13
• Communications Assistance for Law Enforcement Act (CALEA) – regulates assistance that must be provided to law enforcement for phone tapping purposes
• Federal Information Security Management Act (FISMA) – regulates how federal information, computers and networks are secured through contracts and possibly soon grant documents

Page 6: Security Is Everyone’s Responsibility

Types of Laws

• Some laws are about what we can and can’t do with information we have – focus is protecting information.

• Some laws are about information we have that we must share with individuals, our community and report to state and federal governments – focus is disclosure.

• Some laws are about what you can and can’t do on your computer or on the internet – focus is on regulating conduct and behavior through or on the internet

• Some laws go beyond securing information and want to make sure your information systems (computers and networks) are secure and protected.

Page 7: Security Is Everyone’s Responsibility

Potential Risks

• Legal Compliance

– Failure to comply with privacy laws and regulations can result in significant legal sanctions, liability, fines, and other unpleasant consequences.

– Regulatory agencies are stepping up enforcement – meaning surveys are being sent out, questions are being posed, and ultimately on site audits are conducted.

– State attorneys general have enforcement power for state privacy/security laws plus they can enforce certain federal laws, too (HIPAA, COPPA). Privacy and security laws are expanding in their coverage.

Page 8: Security Is Everyone’s Responsibility

Other Potential Risks

• Reputational Injuries

• Damage to Student Well-Being

• Damage to Employee Well-Being

• Soured Relationships

• Financial Injuries

• Time and Resources


Page 9: Security Is Everyone’s Responsibility

University Data Security Challenges

• Open Environment – many have access to records and control their own data

• Social Security number as a student identifier – resides on many systems

• Data Retention – tend to archive vs. delete

• Research – studies can use vast amounts of sensitive information

• Sharing – culturally much data is shared among colleagues

Page 10: Security Is Everyone’s Responsibility

Target Rich Environment

• In General – need to allow less access

• Social Security number and other personal identifiers – retain in as few places as possible and only when needed

• Data Retention – less is better

• Research – separate initiative to secure research data

• Sharing – be more careful on what we share and how

Page 11: Security Is Everyone’s Responsibility

What IT Is Seeing

• 171 UDELNET accounts compromised

• 20 machines disabled on average per week due to malware, etc.


Page 13: Security Is Everyone’s Responsibility

http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/

Page 14: Security Is Everyone’s Responsibility

What IT Is Doing

• Created:
  – IT Security & Compliance Office (modernize policies)
  – Technical Security Group

• Locate old data (SSNs)

• Protect current data (more than SSNs!)

• Detect intrusions
  – FireEye, snort, NGFW, etc.


Page 15: Security Is Everyone’s Responsibility
Page 16: Security Is Everyone’s Responsibility

What does IT need?

• Process PII/SSN scan results.

• Desktop and laptop PII scanning software coming soon.

• More SSNs. No, really.


Page 17: Security Is Everyone’s Responsibility
Page 18: Security Is Everyone’s Responsibility

Unit Responsibilities – Some Action Items

• Follow UD Policies

• Develop Information Security Plan
  - Inventory data and devices (Know what you have)
  - Classify (Assess Sensitivity and Risk)
  - Establish protocols to Manage, Access and Use (Playbook)
  - Protect Data
  - Limit Use + Retention
  - Evaluate Processes (Where + How is data at risk?)


Page 19: Security Is Everyone’s Responsibility

Employee Responsibilities – Some Action Items

• Unit Administrators
  - Inventory
  - Classify
  - Protect
  - Communicate

• Employees
  - Understand responsibilities and requirements

- Ask questions!


Page 20: Security Is Everyone’s Responsibility

Employee Responsibilities – Some Action Items

• Perform periodic reviews
  - Encrypt sensitive regulated data that must be retained
  - Purge or archive unneeded data
  - Management standards followed?
  - New control gaps?

• Report the loss or misuse of devices immediately


Page 21: Security Is Everyone’s Responsibility

Types of Sensitive Data (1)

• Confidential PII (Personally Identifiable Information) – First Name or Initial and Last Name, along with:
  – Social Security Number;
  – Driver’s License Number or State-Issued ID Number;
  – Alien Registration or Government Passport Number; or
  – Financial Information: Account, credit or debit card number
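The definition above is exactly the rule a PII scanner (the kind the "What IT Is Doing" and "What does IT need?" slides refer to) has to apply when it locates old SSNs and account numbers: a record is Confidential PII only when a name appears together with at least one regulated identifier. The following Python is an added example, not the university's scanning tool or anything from the presentation. It scans a few constructed sample lines (fake names and numbers) for SSN and payment-card patterns, filters out numbers that cannot be valid (SSN area/group/serial rules, Luhn check for cards), uses a deliberately simple name heuristic (an assumption; real scanners use richer name detection), and classifies each line against the slide's rule. Matched identifiers are masked before being reported, so scan results do not themselves become a new copy of the sensitive data.

```python
import re

# Constructed sample lines (fictitious names and numbers), not real records.
SAMPLE_LINES = [
    "Jane Doe, SSN 123-45-6789, enrolled Fall 2012",
    "J. Smith, card 4111 1111 1111 1111 on file",
    "Course roster: Jane Doe, John Smith, Alan Turing",
    "Legacy export: SSN 219-09-9999 (no name column)",
    "Order ref 1234-5678-9012, no identifiers",
]

SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
# 13-19 digits, optionally separated by spaces or dashes (typical card layouts).
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")
# Heuristic name pattern ("First Last" or "F. Last"); an assumption for this
# example, not a production name detector.
NAME_RE = re.compile(r"\b([A-Z][a-z]+|[A-Z]\.) [A-Z][a-z]+\b")


def is_plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Reject SSNs the SSA never issues: area 000/666/900-999, group 00, serial 0000."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return int(group) != 0 and int(serial) != 0


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to drop random digit runs that only look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_identifiers(text: str) -> list:
    """Return (kind, masked_value) for each plausible regulated identifier in text."""
    found = []
    for m in SSN_RE.finditer(text):
        if is_plausible_ssn(*m.groups()):
            found.append(("ssn", "***-**-" + m.group(3)))   # keep last 4 only
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group(0))
        if luhn_ok(digits):
            found.append(("card", "*" * (len(digits) - 4) + digits[-4:]))
    return found


def classify(text: str) -> str:
    """Apply the slide's rule: name AND at least one identifier => Confidential PII."""
    identifiers = find_identifiers(text)
    has_name = NAME_RE.search(text) is not None
    if identifiers and has_name:
        return "confidential-pii"
    if identifiers:
        # Worth a human look: an identifier with no name on the same line may
        # still be joined to a name elsewhere in the file.
        return "identifier-without-name"
    return "no-regulated-identifier"


def scan_lines(lines):
    """Produce a masked report: (line number, classification, masked identifiers)."""
    return [(i, classify(line), find_identifiers(line)) for i, line in enumerate(lines, 1)]


if __name__ == "__main__":
    for lineno, verdict, ids in scan_lines(SAMPLE_LINES):
        print(f"line {lineno}: {verdict} {ids}")
```

Running the block prints one masked verdict per sample line; lines 1 and 2 come out as Confidential PII, line 4 as an identifier with no accompanying name, and the others as clean. The masking and the "identifier-without-name" bucket are the two design points worth carrying into any real scan-result processing: the report must never reproduce the full SSN or card number, and lone identifiers are triaged rather than silently ignored.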


Page 22: Security Is Everyone’s Responsibility

Types of Sensitive Data (2)

• Student Data
• Health Information
• Financial Account Information, Credit Card #s
• Certain Employment Data
• Personally Identifiable Human Subject Research Data
• UDelNet account passwords


Page 23: Security Is Everyone’s Responsibility

Discussion


Page 24: Security Is Everyone’s Responsibility

Resources & Tools

• UD Policies

– 1-15 - http://www.udel.edu/ExecVP/policies/administrative/1-15.html

– 1-22 - http://www.udel.edu/ExecVP/policies/administrative/1-22.html

• Privacy & Confidentiality – http://www.udel.edu/it/security/policies/employees/privacy.html

• Security Reporting – http://www.udel.edu/it/security/secreporting.html


Page 25: Security Is Everyone’s Responsibility

Security Is Everyone’s Responsibility

September 30, 2014