
Staying ahead of the storm: know your role in information security before a crisis hits


Presentation Transcript


  1. Staying ahead of the storm: know your role in information security before a crisis hits Jason Testart, IST Karen Jack, Secretariat

  2. Topics • Part I: Policy Overview (Jason) • Part II: What to do when there’s a breach (Karen) WatITis | Strengthening Collaboration | December 8, 2009 | Staying Ahead of the Storm

  3. Policy Goals • Reduce our exposure • Comply with laws and regulations • Focus our information security efforts Information Security is about maintaining our integrity, not our egos!

  4. On the topic of exposure… STOP HOARDING INFORMATION!

  5. You can’t compromise what’s not there • REDUCE what we collect • REDUCE what we duplicate • REDUCE what we keep

  6. Reduce your risk off campus • Access data remotely rather than copying it, or encrypt any data you do take with you. • Use a secure connection. • Beware of untrusted computers!

  7. Don’t forget about disposal! • Make sure that all confidential information is erased or otherwise not recoverable before computers, electronic storage media, or other electronic devices are disposed of. • See the Electronic Media Disposal Guidelines
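As an added illustration of the disposal point (example code written for this page, not part of the presentation or of the University's Electronic Media Disposal Guidelines): the practical question is not "did we run an erase command" but "can anything still be read back". The script below overwrites a file-backed image in place and then scans it for leftover bytes and for a planted marker. It assumes the medium is addressable as a regular file (a disk image; a raw block device would need its size obtained differently), and it only demonstrates overwrite-based sanitization, which is appropriate for magnetic media; flash and SSDs remap sectors, so there the drive's own secure-erase command or physical destruction is required. `SAMPLE_RECORD` and the function names are this example's own, and the image it wipes is constructed in a temporary file.

```python
import os
import secrets
import tempfile

CHUNK = 1 << 20  # work in 1 MiB pieces so a large image never sits in memory

# Constructed sample record planted in the test image (not real data).
SAMPLE_RECORD = b"STUDENT-ID 20001234 COURSE ECE150 GRADE A-\n"


def overwrite_image(path, random_passes=1):
    """Overwrite every byte of a file-backed image in place.

    Runs `random_passes` passes of random data, then one pass of zeros, so the
    result is both unrecoverable and cheap to verify. Returns bytes per pass.
    """
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        for p in range(random_passes + 1):
            f.seek(0)
            remaining = size
            while remaining:
                n = min(CHUNK, remaining)
                block = secrets.token_bytes(n) if p < random_passes else bytes(n)
                f.write(block)
                remaining -= n
            f.flush()
            os.fsync(f.fileno())  # force this pass onto the medium before the next
    return size


def residual_bytes(path, markers=()):
    """Scan an image and report what survived.

    Counts non-zero bytes (a zero-filled image has none) and searches for the
    given marker strings, carrying a tail between chunks so a marker that
    straddles a chunk boundary is still found.
    """
    maxlen = max((len(m) for m in markers), default=1)
    nonzero = 0
    found = set()
    tail = b""
    with open(path, "rb") as f:
        while True:
            chunk = f.read(CHUNK)
            if not chunk:
                break
            nonzero += len(chunk) - chunk.count(0)
            window = tail + chunk
            for m in markers:
                if m in window:
                    found.add(m)
            tail = window[-(maxlen - 1):] if maxlen > 1 else b""
    return {"nonzero_bytes": nonzero, "markers_found": sorted(found)}


def wipe_and_verify_demo():
    """Build a constructed 3 MiB image with a planted record, wipe it, verify."""
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(os.urandom(1 << 20) + SAMPLE_RECORD + os.urandom(2 << 20))
        path = tmp.name
    try:
        before = residual_bytes(path, (SAMPLE_RECORD,))
        overwrite_image(path)
        after = residual_bytes(path, (SAMPLE_RECORD,))
        return {"before": before, "after": after}
    finally:
        os.unlink(path)


if __name__ == "__main__":
    result = wipe_and_verify_demo()
    print("before wipe:", result["before"])
    print("after wipe: ", result["after"])
```

The "before" report shows the planted record and millions of non-zero bytes; the "after" report must show zero non-zero bytes and no markers, and that second report is the evidence worth keeping with the disposal record. A non-zero count after the wipe means the overwrite did not cover the whole medium and the device should not leave the building.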

  8. Policy Development: avoid disjointed policy statements

  9. Policy Documents • Statement on Security of UW Computing and Network Resources • Policy 8 – Information Security • Statement on Electronic Business • Breach Notification Procedure • Computer Security Incident Response Procedure • IT Security Standards (all under development): • Mobile Device Security Standards • Standards for Secure Hosting • Password Policy

  10. Security Classifications (from Policy 8) • Public • Confidential • Restricted • Highly Restricted

  11. Roles & Responsibilities (from Policy 8) • Information Steward: governs the use of information • Information Custodian: keeper of the information • User: makes use of the information

  12. Example: Vision Test Results @ Optometry • Who is the steward? • Director, School of Optometry • Who is the custodian? • Support staff in Optometry who handle paper records. • Systems administrators of systems where results are stored. • Who is the user? • Faculty and students in Optometry.

  13. Steward Responsibilities • Classify information. • Assess risk. • Delegate operational responsibility to one or more Information Custodians. • Establish and maintain rules and procedures. • Ensure compliance.

  14. Custodian Responsibilities • Know the rules set by the steward. • Understand how information flows. • Make sure information is available to authorized people and processes when needed. • Make sure the integrity of information is maintained. • Make sure information is not available to unauthorised people or processes.

  15. Tips for Classifying Data • Classify information that is obviously public. • Identify information that is Highly Restricted: • Do you really need it? • You need permission to use it. • …then Restricted. • We can help you, if needed. • Whatever’s left is either obviously confidential or it’s not obvious. • The information steward makes the call on public vs. confidential.

  16. What to do when there’s a breach

  17. Despite your best efforts, there’s been a breach • Server • Memory stick with grades • Information sent to the wrong recipient • Student assignments

  18. What do I do? • Incident Security Breach Response Procedure (http://www.adm.uwaterloo.ca/infosec/guidelines/breachprocedure.html) • Computer Security Incident Response Procedure (http://ist.uwaterloo.ca/security/policy/ir.shtml) • Information security breach: • Circumvention of security controls • Unauthorised use of information • Unintended exposure of information • Purposes: • Legislation • Identifying the cause(s) and prevention

  19. Incident Security Breach Response Procedure

  20. Notice – what it might entail • Restricted information: • Personal information • Personal health information • Information subject to non-disclosure • Passwords or private encryption keys • Notice: • Extent and specifics • Steps individuals should take to protect themselves • Immediate and long-term solutions • Privacy Commissioner of Ontario / FIPPA

  21. What’s the purpose of all this?

  22. Results

  23. Final thoughts • Shared responsibility • Treat others’ personal information as you would wish others to treat yours
