Security Is Everyone’s Responsibility
October 22, 2014
Agenda
• Introduction – Scott Douglass
• Legal Issues – Laure Ergin
• Risk & Challenges – Kirk Die
• What IT is Seeing & Doing – Jason Cash
• Unit & Employee Responsibilities – Karl Hassler
• Sensitive Data – Karl Hassler
• Wrap Up / Discussion – Scott Douglass
• Resources
Introduction
• Today’s Reality
  - More organizations are revealing they’ve been breached
  - Public pressure
  - Disclosure laws
• Why We’re Here
  - Begin a dialogue
  - Raise awareness
  - Educate
  - Provide resources
Legal Issues
• Which law applies depends on:
  - Location of the institution
  - Type of information
  - Role of the person storing the information
  - How the information was obtained
• Privacy / Security
  - Privacy – the freedom from having information disclosed without one’s consent
  - Security – the mechanism(s) in place to protect the privacy of information
Applicable Laws
• Family Educational Rights & Privacy Act (FERPA) – protects student educational records
• Gramm Leach Bliley Act (GLBA) – protects financial information of customers
• Health Insurance Portability & Accountability Act of 1996 (HIPAA) – protects patient information
• Payment Card Industry Data Security Standard (PCI-DSS) – protects credit card information
• Delaware Breach Notification Law – Del. Code, Title 6, Sec. 12B-101 et seq. – requires breach notification in the event of a data breach
• The Jeanne Clery Disclosure of Campus Security Policy & Campus Crime Statistics Act (Clery Act) – requires reporting of crime statistics to the general public and the federal government
• Computer Fraud & Abuse Act – criminalizes hacking into computers and computer networks
• Communications Decency Act – regulates obscenity in cyberspace
• Children’s Online Privacy Protection Act (COPPA) – regulates commercial operators that direct services to children under 13
• Communications Assistance for Law Enforcement Act (CALEA) – regulates the assistance that must be provided to law enforcement for phone tapping purposes
• Federal Information Security Management Act (FISMA) – regulates how federal information, computers and networks are secured, through contracts and possibly soon through grant documents
Types of Laws
• Some laws are about what we can and can’t do with information we have – focus is protecting information.
• Some laws are about information we have that we must share with individuals and our community, and report to state and federal governments – focus is disclosure.
• Some laws are about what you can and can’t do on your computer or on the internet – focus is on regulating conduct and behavior through or on the internet.
• Some laws go beyond securing information and want to make sure your information systems (computers and networks) are secure and protected.
Potential Risks
• Legal Compliance
  - Failure to comply with privacy laws and regulations can result in significant legal sanctions, liability, fines, and other unpleasant consequences.
  - Regulatory agencies are stepping up enforcement – meaning surveys are being sent out, questions are being posed, and ultimately on-site audits are conducted.
  - State attorneys general have enforcement power for state privacy/security laws, plus they can enforce certain federal laws, too (HIPAA, COPPA). Privacy and security laws are expanding in their coverage.
Other Potential Risks
• Reputational Injuries
• Damage to Student Well-Being
• Damage to Employee Well-Being
• Soured Relationships
• Financial Injuries
• Time and Resources
University Data Security Challenges
• Open Environment – many have access to records and control their own data
• Social Security number as a student identifier – resides on many systems
• Data Retention – tend to archive vs. delete
• Research – studies can use vast amounts of sensitive information
• Sharing – culturally, much data is shared among colleagues
Target Rich Environment
• In General – need to allow less access
• Social Security number and other personal identifiers – retain in as few places as possible and only when needed
• Data Retention – less is better
• Research – separate initiative to secure research data
• Sharing – be more careful about what we share and how
What IT Is Seeing
• 171 UDELNET accounts compromised
• 20 machines disabled on average per week due to malware, etc.
http://krebsonsecurity.com/2012/10/the-scrap-value-of-a-hacked-pc-revisited/
http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/
What IT Is Doing
• Created:
  - IT Security & Compliance Office (modernize policies)
  - Technical Security Group
• Locate old data (SSNs)
• Protect current data (more than SSNs!)
• Detect intrusions
  - FireEye, snort, NGFW, etc.
What does IT need?
• Process PII/SSN scan results.
• Desktop and laptop PII scanning software coming soon.
• More SSNs. No, really.
Unit Responsibilities – Some Action Items
• Follow UD Policies
• Develop an Information Security Plan
  - Inventory data and devices (know what you have)
  - Classify (assess sensitivity and risk)
  - Establish protocols to manage, access and use (playbook)
  - Protect data
  - Limit use and retention
  - Evaluate processes (where and how is data at risk?)
Employee Responsibilities – Some Action Items
• Unit Administrators
  - Inventory
  - Classify
  - Protect
  - Communicate
• Employees
  - Understand responsibilities and requirements
  - Ask questions!
Employee Responsibilities – Some Action Items
• Perform periodic reviews
  - Encrypt sensitive regulated data that must be retained
  - Purge or archive unneeded data
  - Are management standards being followed?
  - Any new control gaps?
• Report the loss or misuse of devices immediately
Types of Sensitive Data (1)
• Confidential PII (Personally Identifiable Information)
• First Name or Initial and Last Name, along with:
  - Social Security Number;
  - Driver’s License Number or State-Issued ID Number;
  - Alien Registration or Government Passport Number; or
  - Financial Information: account, credit or debit card number
Types of Sensitive Data (2)
• Student Data
• Health Information
• Financial Account Information, Credit Card #s
• Certain Employment Data
• Personally Identifiable Human Subject Research Data
• UDelNet account passwords
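The "Confidential PII" definition above (a name combined with an SSN, ID number or account number) is the rule a data-discovery scan applies when it locates old SSNs on file shares, the activity the "What IT Is Doing" and "What does IT need?" slides describe. The following is an added example, not code from the presentation or from UD IT, showing how such a scanner classifies each line of a file. The sample spreadsheet export, the name heuristic (a capitalized "First Last" or "F. Last" pair on the same line) and the masked-report format are assumptions made for the example; the SSN plausibility checks and the Luhn check are the standard ones used to cut down false positives from phone numbers and ticket IDs.

```python
import re
from dataclasses import dataclass

# Constructed sample standing in for an old spreadsheet export found on a
# departmental share. Every value below is made up for this example.
SAMPLE_EXPORT = """\
Advisee list (spring 2009)
J. Smith, 219-09-9999, Chem 101
Maria Garcia, 078-05-1120, Physics 212
Li Wei, 999-12-3456, Bio 305
Bursar charge: Maria Garcia paid with card 4111 1111 1111 1111
Ticket 123-45-678 opened by Helpdesk
Phone 302-831-1000 main switchboard
Backup note: SSN 219-09-9999 reissued
"""

SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
# 13 to 19 digits, optionally separated by spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# Hypothetical name heuristic (assumption for the demo): "First Last" or "F. Last".
NAME_RE = re.compile(r"\b(?:[A-Z][a-z]+|[A-Z]\.) [A-Z][a-z]+\b")


def is_plausible_ssn(area, group, serial):
    """Reject values the SSA never issues: area 000/666/900-999, group 00, serial 0000."""
    a = int(area)
    return not (a == 0 or a == 666 or a >= 900 or int(group) == 0 or int(serial) == 0)


def luhn_ok(digits):
    """Luhn checksum used by payment card numbers; filters random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


@dataclass(frozen=True)
class Finding:
    line_no: int
    kind: str            # "SSN" or "CARD"
    masked: str          # only the last four digits survive into the report
    classification: str  # "Confidential PII" or "Identifier only"


def scan_text(text):
    """Classify each line: an identifier next to a name is Confidential PII per the slide."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        has_name = NAME_RE.search(line) is not None
        identifiers = []
        for m in SSN_RE.finditer(line):
            if is_plausible_ssn(*m.groups()):
                identifiers.append(("SSN", "".join(m.groups())))
        for m in CARD_RE.finditer(line):
            digits = re.sub(r"\D", "", m.group())
            if 13 <= len(digits) <= 19 and luhn_ok(digits):
                identifiers.append(("CARD", digits))
        for kind, digits in identifiers:
            cls = "Confidential PII" if has_name else "Identifier only"
            masked = "*" * (len(digits) - 4) + digits[-4:]
            findings.append(Finding(line_no, kind, masked, cls))
    return findings


def summarize(findings):
    """Count findings per classification, the figure a unit would report upward."""
    counts = {}
    for f in findings:
        counts[f.classification] = counts.get(f.classification, 0) + 1
    return counts


if __name__ == "__main__":
    results = scan_text(SAMPLE_EXPORT)
    for f in results:
        print(f"line {f.line_no}: {f.kind} {f.masked} -> {f.classification}")
    print(summarize(results))
```

The report never echoes a full identifier, so the scan output itself does not become another copy of the sensitive data. Lines 4, 6 and 7 of the sample produce nothing: the SSN-shaped value on line 4 has an unissued area number, and the ticket and phone numbers fail the length checks, which is the kind of noise a scan over a whole file share has to suppress before anyone can act on the results.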
Resources & Tools
• UD Policies
  - 1-15 – http://www.udel.edu/ExecVP/policies/administrative/1-15.html
  - 1-22 – http://www.udel.edu/ExecVP/policies/administrative/1-22.html
• Privacy & Confidentiality – http://www.udel.edu/it/security/policies/employees/privacy.html
• Security Reporting – http://www.udel.edu/it/security/secreporting.html
Security Is Everyone’s Responsibility September 30, 2014