
Harvard Townsend IT Security Officer harv@ksu October 31, 2007


Presentation Transcript


  1. Peeling Back the Layers of an Ogre (or for those who like boring titles – Where is Our Confidential Data Hiding?) Harvard Townsend IT Security Officer harv@ksu.edu October 31, 2007

  2. Agenda • Why should we care? • What should we care about? • What are the threats? • What can we do about it?

  3. Why Should We Care? • 167,706,372 and counting… the approximate number of records with personal identity information compromised due to security breaches since January 2005 www.privacyrights.org/ar/ChronDataBreaches.htm • In 2006, 3 million college students possible victims of identity theft (CDW-G study) • Identity theft is the fastest growing crime

  4. Why Should We Care? • Handling a breach very expensive

  5. Why Should We Care? • Damage to institution’s reputation

  6. Why Should We Care? • Your reputation or job may be on the line

  7. Why Should We Care? • It is the law: • SB 196 Kansas Security Breach Law • Protects personal identity information • Mandates prompt investigation and notification • FERPA (student records) • HIPAA (medical records) • GLB (financial records) • ECPA (electronic communications) • Federal Rules of Civil Procedure (e-Discovery)

  8. Because Visa Said So • Payment Card Industry Data Security Standards (PCI DSS) • Version 1.1 published in Sept. 2006 • www.pcisecuritystandards.org • “PCI DSS requirements are applicable if a Primary Account Number (PAN) is stored, processed, or transmitted.” • Do you know who is handling credit card info on campus and how they are doing it?

  9. Credit Cards@K-State • I’m not putting this info in the PowerPoint presentation!!

  10. What Should We Care About? • All data needs protection • Particularly interested in confidential data • Highly sensitive data that can only be disclosed to individuals with explicit authorization • Protection required by law (FERPA, HIPAA) • Unauthorized disclosure harmful or catastrophic to individual, group, or institution • Examples: SSN, credit card info, student grades, medical records

  11. What Are the Threats? • Ignorance • Theft – external and internal • Inadvertent disclosure • Improper disposal • Highly distributed IT services • Backups • Catastrophic failure or other disaster • Mobility – laptops, wireless, USB thumb drives, SmartPhones

  12. Fear Laptops!

  13. What Can We Do About It? • Know your data! • Its value • Its classification • Its location (of every copy) • Who is responsible for it • Who has access to it • The threats to it

  14. What Can We Do About It? • “Data Classification and Security Policy and Standards” • Classify data based on sensitivity • Specify security requirements for each classification • Define roles and responsibilities

  15. Policy “All University Data must be classified according to the K-State Data Classification Schema and protected according to K-State Data Security Standards. Exceptions must be approved in writing by the Chief Data Stewards and the Vice Provost for IT Services.”

  16. Data Classification Schema • 4 categories: • Public • Internal • Confidential • Proprietary

  17. Data Security Standards • Access Controls • Copying/Printing • Network Security • System Security • Physical Security • Remote Access • Storage • Transmission • Backup/DR • Media Sanitization • Training • Audit Schedule

  18. Implementation Strategy • Focus on confidential data first • SSNs • Credit cards • Serve as guideline for other data • Eventually require classification of all data

  19. Where is the data located? • You would be surprised! • Tools to help • “Spider” from Cornell http://www.cit.cornell.edu/security/tools/ • Sensitive Number Finder (SENF) from UT-Austin https://source.its.utexas.edu/groups/its-iso/projects/senf • Not ready for your average user

  20. Where is the data located? • Gradebooks, esp. old spreadsheets • Course web pages • Homework assignments • Exams • Travel authorization forms • Applications for admission • Personnel papers • E-mail • Backup tapes, CDs, floppies, USB drives • Where have you found confidential data?
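Tools like Spider and SENF work by scanning files for strings that look like SSNs and card numbers and then discarding the look-alikes. The following is an added example of that idea, not code from the presentation or from either tool: it applies the structural SSN rules (area 000, 666 and 900-999, group 00 and serial 0000 are never issued), a Luhn checksum for card numbers, and a keyword check before trusting a bare 9-digit run, over a constructed sample that mimics an old gradebook export. The patterns and the sample data are assumptions for illustration.

```python
import re

# Illustrative patterns (not Spider's or SENF's own): an SSN as ###-##-####,
# ### ## #### or 9 bare digits; a card number as 13-19 digits, optionally separated.
SSN_RE = re.compile(r"\b(\d{3})[- ]?(\d{2})[- ]?(\d{4})\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# A bare 9-digit run is only reported when the line itself looks SSN-related.
SSN_KEYWORDS = re.compile(r"\b(ssn|social security)\b", re.I)

def is_valid_ssn(area: str, group: str, serial: str) -> bool:
    """Drop structurally impossible SSNs: area 000, 666 or 900-999,
    group 00 and serial 0000 are never issued."""
    a = int(area)
    return a not in (0, 666) and a < 900 and group != "00" and serial != "0000"

def luhn_ok(digits: str) -> bool:
    """Luhn checksum that every payment card number satisfies."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def scan_text(text: str) -> list:
    """Return (line number, kind, masked value) per hit; masking keeps the report from becoming another copy."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        card_spans = []
        for m in CARD_RE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group(0))
            if luhn_ok(digits):
                card_spans.append(m.span())
                hits.append((lineno, "card", "*" * (len(digits) - 4) + digits[-4:]))
        for m in SSN_RE.finditer(line):
            if any(s <= m.start() < e for s, e in card_spans):
                continue  # a 9-digit slice of a card number, not an SSN
            bare = m.group(0).isdigit()
            if not is_valid_ssn(*m.groups()) or (bare and not SSN_KEYWORDS.search(line)):
                continue  # impossible SSN, or a bare digit run with no SSN context
            hits.append((lineno, "ssn", "***-**-" + m.group(3)))
    return hits

# Constructed sample: an exported gradebook mixed with an order log (all values made up).
SAMPLE = """name,id,grade
Alice Example,123-45-6789,A
Carol Example,212345678,C
note: SSN 212345678 on file
Dave Example,123 45 6789,B
order 1001 paid with card 4111 1111 1111 1111 exp 12/09
order 1002 ref 4111111111111112"""
```

Running `scan_text(SAMPLE)` reports Alice's and Dave's SSNs, the keyword-backed bare SSN on line 4 and the Luhn-valid card on line 6, while Carol's bare digit run and the Luhn-invalid number on line 7 are dropped; real scanners add file-type parsing on top of this so spreadsheets, PDFs and mail stores are searched too.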

  21. What Can We Do About It? • Delete unnecessary copies • Make sure it’s gone when deleted • Know how to protect it • K-State Data Security Standards • K-State SSN Policy • PCI DSS for credit cards • K-State Mobile Device Security Guidelines • Encryption

  22. What Can We Do About It? SSNs • K-State Policy on “Collection, Use and Protection of Social Security Numbers” “Use of the SSN as an identifier will be discontinued, except where authorized for employment, IRS reporting, federal student financial aid processing, state and federal reporting requirements, and a limited number of other business transactions.”

  23. What Can We Do About It? SSNs • Appendix A lists approved uses: • Employment • Application and receipt of financial aid • Tuition remission • Benefits administration • Insurance • IRS reporting • Student information exchange (transcripts)

  24. What Can We Do About It? SSNs • Start transitioning to use of the Wildcat ID (WID) • iSIS is a key component of this transition • Also the People Database • Departments are moving in that direction • Where are the SSNs in your department? • Run Spider from Cornell to find them

  25. What Can We Do About It? Credit Cards • Must comply with the Payment Card Industry Data Security Standards (PCI DSS) no matter the merchant level (we’re level 2) • These are strong requirements • 12 major requirements in 6 categories • 238 individual controls • Annual self-assessment questionnaire • Quarterly network security scan by an “approved scanning vendor”

  26. What Can We Do About It? Credit Cards • The plan • Internal Audit documented campus practices • Working group formed to develop strategy • Use central service or comply with DSS • See http://www.pcisecuritystandards.org for more information • Data Security Standard v1.1 • Self-assessment questionnaire • Network scanning procedure • Security audit procedure

  27. What Can We Do About It? Mobility • Don’t store confidential data on mobile devices! • Mobile device security guidelines http://www.k-state.edu/infotech/security/mobile.html

  28. What Can We Do About It? Encryption • Stored data • Software encryption • Hardware encryption • Transmitted data • SIRT team working on a software recommendation • Laptops • Removable devices

  29. What’s on your mind?
