Securing Sensitive Information Across Campus
ACM SIGUCCS Computer Services Management Symposium
April 9, 2006
Tim Foley, Gale Fritsche
Lehigh University, Library and Technology Services

Lehigh Overview
• Founded in 1865. Private research university located 90 miles west of NYC
• Ranks 32nd out of 248 national universities in US News and World Report’s annual survey
• Approx. 4700 undergraduates, 1200 graduate students, 450 faculty and 1200 staff
• Approx. 90% Windows PCs, 5% Mac and 5% other (Linux etc.)

Library & Technology Services Organizational Structure
Vice Provost Library & Technology
• Client Services
• Administration & Advancement
• Library Systems & Collections
• Enterprise Systems
• Technology Management
• Distance Education & Faculty Development

Presentation Agenda
• The Problem
• Lehigh’s Committee Structure
• Process & Recommendation
• Issues and Concerns
• Other Data Security Initiatives

Why do you need secure information?
• Stolen Cal Berkeley laptop exposes personal data of nearly 100,000 (AP March 29, 2005)
• A laptop with personal information of students and applicants was stolen from the Cleveland State University admissions office (WKYC-TV, June 3, 05)
• Two laptops were stolen from UW Medical Center office with the personal data of about 1,600 patients (Seattle Post-Intelligencer, Jan 24, 2006)
• 6000 affected at the University of Northern Iowa when laptop computer holding W-2 forms of student employees and faculty was illegally accessed (AP Feb 18, 2006)

23 states with security breach laws
Consumers Union report as of 11/30/05
Reported breaches: 53,533,214 people affected since 2/15/05
See: http://www.privacyrights.org/ar/ChronDataBreaches.htm

Committee Structure
• Advisory Council for Information Services
• Data Advisory Council
• Data Standards Committee
• E-Security Committee
• Account Opening Sub Committee
• Firewall Sub Committee
• Data Encryption Sub Committee
• Identity Mgmt Sub Committee

Committee Charge: Data Encryption Sub Committee
Examine current encryption technologies to address the best way to encrypt PCs, Macs, PDAs and other portable devices, and LTS backups to comply with the Lehigh University security plan
Members
• Systems Analysts
• Security and Policy Officer
• Computing Consultants
• Database Manager
• Enterprise Information Consultant
• Client Services Team Leaders

Subgroups Formed
• Basic file access to LTS shares
• Removable media
• PDAs (Palms and Pocket PCs)
• Desktop PC encryption (Windows and Macs)
• Backups (Windows and Enterprise)
• Encryption of Unix and Oracle
• Encryption of network traffic
• Microsoft SQL Server security
• Encryption keys
• End user training

Process & Recommendations
• Off campus visits
• Web research
• Software testing
  • EFS encryption, TrueCrypt, WinMagic
• Encryption webpage development
• Data security seminars
• Various meetings with clients
• Data security blog for staff
• Identified University apps needing compliance with FERPA and HIPAA

Final Recommendations
• Whole disk encryption for PCs
• Encrypted disk images for Macintosh
• Folder encryption using Windows EFS encryption
• TrueCrypt for Pocket PCs and removable media
• Good.com software for Treos (Investigating)
• Password-protect Palm devices or Pocket PCs
• Backup encryption (EFS Encryption and MS Backup)
• Restricting local logins (XP local security policies) for users with Banner reporting roles
• Enterprise backups are secure in machine room and transit. Still examining options for enterprise backup
• Terminal Server for FERPA and HIPAA applications (Police Database, Counseling Services)

Issues and Concerns
• Cost of software
• Recovering data on drives using whole disk encryption
• Management of encryption keys
• Privileges to download Banner/Access reports to PCs
• Other places sensitive data reside on a hard drive
  • The recycle bin, temporary internet files
  • Laptop sleep mode (writes desktop to temporary files)
• Management of shared encrypted resources

Other Data Security Initiatives
• Campus firewall
• Secure wireless implementation
• Procedures for wiping computer hard drives prior to disposal
• Campus Police registration database
• Windows Vista testing (BitLocker encryption)

Discussion Questions

Do you have file encryption requirements at your College or University? If so, what do you encrypt?
• Desktop PCs
• PDAs
• Backups
• All of the Above

Have you implemented an Identity Management System? If so, what vendor did you use?
• IBM
• Computer Associates
• Microsoft
• Novell
• SUN
• Other

How many of you have implemented a firewall for your campus network?
• Yes
• No

How many of you have experienced a recent security breach (Stolen Laptop, Hacker)?
• Yes
• No

What type of information do you feel needs to be the most secure?
• Employee SSNs
• Student Medical Info
• Alumni Donor Info
• Athlete Recruiting Info

Contact Information
Tim Foley – tim.foley@lehigh.edu
Gale Fritsche – gale.fritsche@lehigh.edu