
Data and Service Security


Presentation Transcript


  1. Data and Service Security. A.S. Trew, G. Poxon & S. McGeever

  2. Mobile Data Security
     • In 2010 Records Management published a policy on sensitive data
       • a necessary response to the Data Protection Act
       • the Colleges thought this inadequate because:
         • of the gap between policy and practice
         • support and guidance were seen as piecemeal and uncoordinated
     • MVM and CSE surveyed staff and PG students to determine:
       • were sensitive data being transferred electronically?
         • here, "sensitive" does not simply refer to Personal Data, but to exam papers, proposals etc.
       • if so, was this being done in a secure manner?
       • and what type of person was most at risk?
     • yes, we have problems
       • 79.5% use data outside the University network ... of these, ~50% use sensitive data in this way
       • most sensitive data are not controlled under the Data Protection Act
       • exposure risk is strongly correlated with staff role
       • individuals have a responsibility to ensure that they take all reasonable precautions to secure sensitive data
         • ... but this cannot be relied upon as the only defence
         • e.g. 38% use their smartphone for University business, and 35% of these do not even use a PIN

  3. the challenge
     • ... is to address these in a way which is consistent with academic practice
       • though we all have to work within the law
       • do you routinely forward University email to, say, gmail? If so, you could be breaking the Data Protection Act
     • in a company it would be (relatively) easy to impose a common way of working to minimise the threat
       • but we require different ways of working in different areas and easy collaboration with externals
       • and have a mindset which prioritises this over all other considerations
     • the problem is probably worst within CSE
       • we combine technical demands with "self-will"
       • ... leading to an attitude amongst many key staff which ignores the problem

  4. the remedy?
     • MVM will alert staff with targeted emails
       • i.e. different emails for Professors, PGR ...
     • we believe that this is not sufficient in CSE; we will:
       • have a co-ordinated, consistent roll-out of existing guidance to School IT teams, IS, School management ...
       • encourage College to appoint a senior academic to lead compliance activity
       • report gaps and remedies to Records Management and ISG

  5. [Diagram; only its labels survive: School IT, RM, ISG, CCPAG, College, Use Cases & Recommendations, Monitor, General Help, Specific Help, Academic Staff]

  6. Mobile Data Security - actions
     • actions:
       • CCPAG has created a basic set of guidelines and use cases appropriate for CSE
       • email has gone out from the HoC/HoSs requiring staff to comply with the guidelines
       • the ICO is increasingly looking for documented evidence of staff engagement should a breach occur
       • but we must keep people's attention, identify / support new use cases, report incidents and change mindset
     • address these by:
       • sending annual reminders to all staff
       • incorporating security into the induction process and providing (on-line) training
       • working with IS, MVM, HSS and Data Practitioners to identify gaps in documentation, develop/identify further use cases and share best practice
       • providing a central mechanism for transparent feedback / reporting of incidents
     • success metrics:
       • re-run the questionnaire in a few years' time
       • CCPAG judgement (i.e. is it our impression that compliance is better? has the mindset changed?)
       • Records Management judgement
       • have there been any incidents?

  7. Services
     • focus to date has been on mobile data & clients (e.g., laptops, smartphones)
       • where active management and monitoring is least likely
     • ... but recent compromises have mainly concentrated on servers & services, also largely unmanaged
       • again, active management & monitoring are rare
     • even expertly managed servers and services, however, can be compromised
       • combinations of old and new attacks make guaranteed prevention impossible
     • ... also widespread use of third-party services (e.g. Dropbox)
       • no management or monitoring available

  8. ... the problem
     • five known break-ins within CSE in the last 18 months:
       • P&A: unpatched web services led to 34 unmanaged services being compromised; the machines were used to relay spam
       • Informatics: a weak password led to staff and student ssh services being compromised; loss of service
       • Biology: an unpatched web service was attacked and the servers used to sell Viagra; an automated attack led to a compromised service and stolen usernames/passwords => reputational damage
       • ICMS: unpatched, unmanaged web service compromised ...
       • Engineering: main web server hacked to sell Viagra
     • ... but it is embarrassing to acknowledge such events, so we do not know the extent of break-ins, nor learn from experience
     • also reluctance to acknowledge the problem because of its scale ... do we have the time, skills and resolution to fix it?

  9. ... the response
     • the University decides to strengthen its 2009 'Information Security Policy'
       • the section describing the responsibilities of the Support Groups and Colleges/Schools is updated to pass responsibility clearly to HoSs:
         • you are responsible for any loss of sensitive data from your School
         • you are responsible for the integrity of any services provided by your School
     • Brian Gilmore becomes Chief Information Technology Security Officer (CITSO)
       • the focal point for the provision of advice, and collector of security incidents across the institution
       • his stated approach is to provide policies, but not how they should be implemented
         • ... this gives us the freedom to tailor approaches to meet local needs

  10. what do we do?
     • three approaches to minimising risks:
       • extend centrally managed services to cover more of the use cases that are clearly required for academic success (e.g., where external collaborations drive technical requirements)
       • ensure owners of centrally unmanaged services/machines are aware of the risks and adopt these
       • provide training and education for the (decreasing?) remainder of unmanaged usage
     • caveats:
       • even well-resourced Schools cannot guarantee protection (a prevention, detection and recovery feedback loop is essential)
       • price of a world-class, research-focussed University = growing lag between individuals' adoption and UoE-scale managed services
       • onus on academics to justify refusing extended managed services where these are proven fit for purpose
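As an added illustration (not part of the original slides, and not code from the presenters or the University), here is the kind of detection that slide 7 says is rare on unmanaged School servers and that slide 10 calls essential: a short Python script that reads OpenSSH auth-log lines and flags the pattern behind the Informatics incident on slide 8, a run of failed logins followed by a successful password login from the same source. The host name, addresses, user names and log lines are constructed, and the five-failure threshold is an assumption rather than a figure from the slides.

```python
"""Flag password-guessing followed by a successful password login in OpenSSH logs.

Added example for this transcript, not code from the presentation. Host names,
addresses, users and log lines are constructed; the five-failure threshold is an
assumption, not a documented figure.
"""
import re
from collections import defaultdict

# OpenSSH syslog line shape:
#   "<ts> <host> sshd[<pid>]: Failed|Accepted <method> for [invalid user ]<user> from <ip> port <n> ..."
AUTH_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[(?P<pid>\d+)\]: "
    r"(?P<event>Failed|Accepted) (?P<method>password|publickey) for "
    r"(?P<invalid>invalid user )?(?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)"
)

# Constructed auth.log excerpt: fictitious host, documentation-range addresses.
SAMPLE_LOG = [
    "Mar 12 03:14:01 cse-web1 sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2",
    "Mar 12 03:14:03 cse-web1 sshd[2203]: Failed password for invalid user test from 203.0.113.7 port 51023 ssh2",
    "Mar 12 03:14:05 cse-web1 sshd[2205]: Failed password for root from 203.0.113.7 port 51024 ssh2",
    "Mar 12 03:14:08 cse-web1 sshd[2207]: Failed password for alice from 203.0.113.7 port 51025 ssh2",
    "Mar 12 03:14:11 cse-web1 sshd[2209]: Failed password for alice from 203.0.113.7 port 51026 ssh2",
    "Mar 12 03:14:12 cse-web1 sshd[2209]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.7",
    "Mar 12 03:15:10 cse-web1 sshd[2240]: Accepted password for alice from 203.0.113.7 port 51040 ssh2",
    "Mar 12 08:02:44 cse-web1 sshd[2611]: Failed password for carol from 198.51.100.9 port 60210 ssh2",
    "Mar 12 08:02:51 cse-web1 sshd[2613]: Accepted publickey for carol from 198.51.100.9 port 60211 ssh2: ED25519 SHA256:abc",
]


def parse_line(line):
    """Return a dict for an sshd Failed/Accepted event, or None for lines we do not model."""
    m = AUTH_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["invalid_user"] = ev.pop("invalid") is not None   # user name not known to the host
    ev["pid"] = int(ev["pid"])
    ev["port"] = int(ev["port"])
    return ev


def detect(lines, threshold=5):
    """Walk log lines in order and return a list of alert dicts.

    brute_force:      a source address reaches `threshold` failed logins
                      (emitted once, when the threshold is crossed).
    suspicious_login: a *password* login succeeds from a source already at or
                      over the threshold: the signature of a guessed weak password.
    Key-based logins are never flagged, whatever preceded them.
    """
    failures = defaultdict(int)        # failed attempts per source address
    users_tried = defaultdict(set)     # user names guessed per source address
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        ip = ev["ip"]
        if ev["event"] == "Failed":
            failures[ip] += 1
            users_tried[ip].add(ev["user"])
            if failures[ip] == threshold:
                alerts.append({"type": "brute_force", "severity": "medium", "ip": ip,
                               "ts": ev["ts"], "users": sorted(users_tried[ip])})
        elif ev["method"] == "password" and failures[ip] >= threshold:
            alerts.append({"type": "suspicious_login", "severity": "high", "ip": ip,
                           "ts": ev["ts"], "user": ev["user"],
                           "failures_before": failures[ip]})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

On the constructed excerpt this yields two alerts: a medium-severity brute_force for 203.0.113.7 once the fifth failure lands, then a high-severity suspicious_login when alice's password is accepted from the same address; carol's single typo followed by a key-based login raises nothing. In practice the script would read /var/log/auth.log (or the journal) rather than a list, and a real deployment would also want the state keyed by time window so that a slow guess spread over days is still caught.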

  11. Layered security [diagram; three tiers: highly sensitive data; mildly sensitive data; (most) research data]

  12. immediate recommendations
     • identify a security representative per School
       • to provide technical support to the HoS to enable them to meet their obligations under the Information Security Policy
     • inform all staff of their responsibilities to keep data and services secure
       • potential for disciplinary action in cases of gross misconduct
     • audit School IT activities to identify all services and key data sets
       • categorise risks
       • propose moving to managed (School or IS) services where possible
       • ... where not possible, take explicit steps to implement best practice
     • review, share, feedback ... use CCPAG as a clearing house

  13. outstanding issues
     • How do we:
       • accommodate academic needs with limited effort?
       • implement the security policy?
         • cf. Informatics experience
       • identify Security Reps/Enforcers with the knowledge and seniority to fulfil their role?
         • cf. ISG practices
       • ...
