Staying ahead of the storm: know your role in information security before a crisis hits
Jason Testart, IST
Karen Jack, Secretariat
Topics
• Part I: Policy Overview (Jason)
• Part II: What to do when there’s a breach (Karen)
WatITis | Strengthening Collaboration | December 8, 2009 | Staying Ahead of the Storm

Policy Goals
• Reduce our exposure
• Comply with laws and regulations
• Focus our information security efforts
Information Security is about maintaining our integrity, not our egos!

On the topic of exposure… STOP HOARDING INFORMATION!

You can’t compromise what’s not there
• REDUCE what we collect
• REDUCE what we duplicate
• REDUCE what we keep

Reduce your risk off campus
• Remote access or data encryption.
• Use a secure connection.
• Beware of untrusted computers!

Don’t forget about Disposal!
• Make sure that all confidential information is erased or not recoverable before computers, electronic storage media, or other electronic devices are disposed of.
• See Electronic Media Disposal Guidelines

Policy Development: Avoid disjointed policy statements

Policy Documents
• Statement on Security of UW Computing and Network Resources
• Policy 8 – Information Security
• Statement on Electronic Business
• Breach Notification Procedure
• Computer Security Incident Response Procedure
• IT Security Standards (all under development)
  • Mobile Device Security Standards
  • Standards for Secure Hosting
  • Password Policy

Security Classifications (from Policy 8)
Public

Roles & Responsibilities (from Policy 8)
• Information Steward: Governs the use of information
• Information Custodian: Keeper of the information
• User: Makes use of the data

Example: Vision Test Results @ Optometry
• Who is the steward?
  • Director, School of Optometry
• Who is the custodian?
  • Support staff in Optometry who handle paper records.
  • Systems Administrators of systems where results are stored.
• Who is the user?
  • Faculty and students in Optometry.
Steward Responsibilities
• Classify information.
• Assess risk.
• Delegate operational responsibility to one or more Information Custodians.
• Establish and maintain rules and procedures.
• Ensure compliance.
Custodian Responsibilities
• Knowing the rules set by the steward.
• Understanding how information flows.
• Making sure information is available to authorized people and processes when needed.
• Making sure the integrity of information is maintained.
• Making sure information is not available to unauthorised people or processes.

Tips for Classifying Data
• Classify information that is obviously public.
• Identify information that is Highly Restricted.
  • Do you really need it?
  • You need permission to use it.
• …then Restricted
  • We can help you, if needed.
• Whatever’s left is either obviously confidential or it’s not obvious.
  • The information steward makes the call on public vs. confidential.

What to do when there’s a breach

Despite your best efforts, there’s been a breach
• Server
• Memory stick with grades
• Information sent to wrong recipient
• Student assignments

What do I do?
• Incident Security Breach Response Procedure (http://www.adm.uwaterloo.ca/infosec/guidelines/breachprocedure.html)
• Computer Security Incident Response Procedure (http://ist.uwaterloo.ca/security/policy/ir.shtml)
• Information Security Breach
  • Circumvention of security controls
  • Unauthorised use of information
  • Unintended exposure of information
• Purposes
  • Legislation
  • Identifying the cause(s) and prevention

Incident Security Breach Response Procedure

Notice – what it might entail
• Restricted Information
  • Personal information
  • Personal health information
  • Information subject to non-disclosure
  • Passwords or private encryption keys
• Notice
  • Extent and specifics
  • Steps individuals should take to protect themselves
  • Immediate and long-term solutions
• Privacy Commissioner of Ontario / FIPPA

What’s the purpose of all this?

Results

Final thoughts
• Shared responsibility
• Treat others’ personal information as you would wish others to treat yours