The BU Data Protection Standards
The Information Security Governance Committee presents a unified framework for the protection and management of information entrusted to Boston University.
Quinn Shamblin, Executive Director & Information Security Officer, CISM, CISSP, GCFA, PMP, qrs@bu.edu
BU Information Security

Presenter & Presentation Structure
Quinn Shamblin
• Executive Director & Information Security Officer
• CISM, CISSP, GCFA, PMP
• qrs@bu.edu
• 358-6310
• This presentation is an overview of the structure and intent of the various documents that make up the Data Protection Standards and orients you to their contents
• Copies of the current versions are provided for feedback
• This presentation is intended to open discussion

The Vision
Trust • Complexity • Guidance • Simplification • Support

The Environment
Applicable Laws and Standards
• HIPAA - Health Insurance Portability and Accountability Act
• FERPA - Family Educational Rights and Privacy Act
• GLBA - Gramm-Leach-Bliley Act Safeguarding
• ISO 27001 - International Standards Organization for Information Security
• COBIT 4.0 - ISACA Audit Controls Objective for IT
• Massachusetts General Law Chapter 93H (the Identity Theft Law)
• Massachusetts Regulation 201 CMR 17 (Standards for the Protection of Personal Information of Residents of the Commonwealth)
• Recent Court Cases and Events
  • Briar Group, Epsilon

The Approval Process
Information Security
• Referencing best practice, national and international standards.
• The ISGC Policy Working Group
• The Information Security Governance Committee
• The Governance Steering Committees
• The Executive Steering Committee

The Data Protection Standards
A related series of six controlling documents, plus additional supporting documents:
• 1.2.A – Data Classification Guide
• 1.2.B – Data Management Guide
• 1.2.C – Access Management and Authentication Requirements
• 1.2.D – Data Protection Requirements
• 1.2.E – Minimum Security Standards
• 1.2.F – Education, Compliance and Remediation

Document Approach
The intention is to provide simplified guidance on how to handle these complex issues, breaking them down into discrete elements.
Careful attention has been paid to the use of language: “should”/“may” vs. “must”.
As we go through these requirements, you will see that, while IS&T will provide many helpful resources, there are expectations of units, departments and individual employees as well.

Data Classification Guide
Defines and describes the categories under which University Data is to be classified:
• Public
• Internal
• Confidential
• Restricted Use

Practical Impacts
People are expected to know what kinds of data fall into what categories and how to handle data in those categories.
• Focus on the requirements by classification vs. the details of specific laws
• This approach will allow for simplified training on general data handling and information protection
  • Onboarding, Online, Refresh

Data Management Guide
Defines the roles for managing data and the responsibilities of each.
• Data Trustee – Approves business use of data
• Information Security – Consults on secure systems architecture, owns the security management process
• Departmental Security Administrators – Security liaison for their department
• Data Custodian – Usually a technical person who supports the application holding the data

Practical Impacts
Trustees will no longer be asked to be technology experts, but rather to focus on business use.
IS&T and Departments are expected to help provide appropriate guidance and resources to allow faculty and staff to know what to do.

Access Management and Authentication Requirements
Defines how access to systems and applications is to be managed. Includes standards for the configuration, care and use of:
• Passwords
• Two-factor authentication
• Single sign-on
• Shared accounts

Practical Impacts
• Best practice requires passwords be changed periodically. Sometimes so do regulations. (BU Bus)
• Aligning password complexity requirements, allowing for future consolidation.
• Generally requires unique accounts for each person. Shared accounts are discouraged.

Data Protection Requirements
Focuses on proper handling of information based on the classification of the information.
• Information focus, not strictly technology focus
• Standards are provided for:
  • Collection & Storage
  • Access & Transmission
  • Destruction & EOL
  • Auditing & Incident Handling

Practical Impacts
This document sets stricter requirements for information at higher levels of sensitivity.
• The walls are very high for Restricted Use
• Discourage use of this information unless legitimately needed.

Minimum Security Standards
Provides security and configuration standards for electronic devices.
Computers, laptops, tablets, iPads, smartphones, cloud services, etc. may all be used to store and access information.
The level of security required of these devices is based on the level of sensitivity of the information that they may be used to access.

Practical Impacts
This document sets stricter requirements for devices used to access or store information at higher levels of sensitivity.
• Some devices, such as Android mobile phones, do not yet have security features sufficient to support safe access to Restricted Use information. Others require proper configuration.
• Guidance will be provided by InfoSec

Education, Compliance, Remediation
Defines responsibilities for education, compliance and remediation activities that may be required by the data protection standards and provides the authority to conduct such activities.
• Focus:
  • What is happening at BU?
  • Where are our biggest risks?
  • How can those risks be reduced?
• Analysis, education and consulting.

Practical Impacts
Data loss prevention (DLP) techniques may include an electronic scan of network traffic or email for Restricted Use data.
Where issues are found, Information Security may contact just the person or, in the case of repeated or severe issues, involve management.

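The slide describes the DLP idea at a high level; the following is an added illustration and is not part of the presentation or any BU tooling. It scans a handful of constructed sample messages for two Restricted Use patterns (a US SSN-shaped number and a payment card number validated with the Luhn check so that ordinary 16-digit order numbers are not flagged), reports only masked values so the scan result does not itself become a leak, and applies the escalation rule from the slide: a first finding means contacting the individual, repeated findings mean involving management. The sender addresses, message bodies and the repeat threshold of 2 are all assumptions made for the example.

```python
import re
from collections import Counter
from typing import Dict, List, NamedTuple, Tuple

# Constructed sample email traffic (sender, body). No real people or real numbers.
SAMPLE_MESSAGES: List[Tuple[str, str]] = [
    ("alice@example.edu", "Here is the roster, nothing sensitive in it."),
    ("bob@example.edu", "Student SSN for the form: 123-45-6789"),
    ("bob@example.edu", "Card on file: 4111 1111 1111 1111, please update"),
    ("carol@example.edu", "Order number 1234 5678 9012 3456 shipped today"),
    ("bob@example.edu", "Invalid example 000-12-3456 should not trigger"),
]


class Finding(NamedTuple):
    sender: str
    kind: str     # "ssn" or "payment_card"
    masked: str   # value with all but the last four digits replaced by '*'


# SSN shape with the structurally impossible area/group/serial values excluded
# (area 000, 666 or 9xx; group 00; serial 0000) to cut down false positives.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")

# 13 to 16 digits, optionally separated by single spaces or hyphens.
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,15}\b")


def luhn_valid(number: str) -> bool:
    """Luhn mod-10 check over the digits in `number`; separators are ignored."""
    digits = [int(c) for c in number if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(value: str) -> str:
    """Keep only the last four digits so a finding can be reported safely."""
    digits = [c for c in value if c.isdigit()]
    return "*" * (len(digits) - 4) + "".join(digits[-4:])


def scan_message(sender: str, body: str) -> List[Finding]:
    """Return the Restricted Use patterns found in one message body."""
    findings: List[Finding] = []
    for m in SSN_RE.finditer(body):
        findings.append(Finding(sender, "ssn", mask(m.group())))
    for m in CARD_RE.finditer(body):
        # Only a Luhn-valid digit run is treated as a card number.
        if luhn_valid(m.group()):
            findings.append(Finding(sender, "payment_card", mask(m.group())))
    return findings


def scan_messages(messages: List[Tuple[str, str]]) -> List[Finding]:
    """Scan a batch of (sender, body) pairs and collect all findings."""
    out: List[Finding] = []
    for sender, body in messages:
        out.extend(scan_message(sender, body))
    return out


def escalation_plan(findings: List[Finding], threshold: int = 2) -> Dict[str, str]:
    """Map each sender to the response from the slide: contact the person,
    or involve management once findings repeat (threshold is an assumed value)."""
    counts = Counter(f.sender for f in findings)
    return {
        sender: ("involve management" if n >= threshold else "contact individual")
        for sender, n in counts.items()
    }


if __name__ == "__main__":
    found = scan_messages(SAMPLE_MESSAGES)
    for f in found:
        print(f"{f.sender}: {f.kind} {f.masked}")
    print(escalation_plan(found))
```

Running it flags only the two messages from the constructed sender with a well-formed SSN and a Luhn-valid card number; the order number and the malformed SSN are ignored, and because the same sender produced both findings the plan escalates that sender to management. A production scanner would add more patterns and context checks, but the shape is the same: match, validate, mask, then route by severity and repetition.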
Deployment Plan
• Obtain approval through governance
• Online as recommendations
• Reference materials & processes made available
• Instructor-led and online training courses
• Contact all units to develop compliance plan
• Set compliance deadline
  • Overall? By unit?

Quinn Shamblin • qrs@bu.edu