780 likes | 977 Vues
A Blueprint for Handling Sensitive Data: Security, Privacy, and Other Considerations. David Escalante H. Morrow Long Director of Computer Policy Director, Information Security & Security Yale University Boston College NERCOMP Preconference Seminar
E N D
A Blueprint for Handling Sensitive Data: Security, Privacy, and Other Considerations David Escalante H. Morrow Long Director of Computer Policy Director, Information Security & Security Yale UniversityBoston College NERCOMP Preconference Seminar Monday, March 19, 2007 1:00 p.m. - 4:30 p.m.
Introductions • Ice-breaker BINGO!! • 5 minutes • First 10 people to get BINGO win a prize! • Introductions: • Name • Title or Functional Description of Duties • Organizational Affiliation • What do you want to get out of this session?
Overview to Seminar • Information security risks at colleges and universities present challenging legal, policy, technical, and operational issues. • Security incidents have resulted in compromises of personal information which have led to bad publicity and the potential for identity theft. • Risks to information security at colleges and universities continue to persist and necessitate that individuals at all levels of the institution become engaged to prevent further data breaches from occurring. • This seminar will outline a blueprint for protecting sensitive data according to the EDUCAUSE/Internet2 Security Task Force.
Seminar Goals At the end of this session: • You should feel comfortable discussing common cybersecurity threats plaguing higher education and computer users in general. • You will have a list of key strategies to follow for stopping the leakage of confidential/sensitive data. • You will be introduced to several security resources and best practices to help you apply the key strategies.
Today’s Roadmap • Foundations of Cybersecurity in Higher Ed • The Blueprint • Creating a Security Risk-Aware Culture • Defining Institutional Data Types • Clarify Responsibilities and Accountability • Reducing Access to Data Not Absolutely Essential • Establishing and Implementing Stricter Controls • Providing Awareness and Training • Verifying Compliance • Putting it All Together: Moving from Planning to Action
Higher Ed IT Environments • Technology Environment • Distributed computing and wide range of hardware and software from outdated to state-of-the-art • Increasing demands for distributed computing, distance learning and mobile/wireless capabilities which create unique security challenges • Leadership Environment • Reactive rather than proactive • Lack of clearly defined goals (what do we need to protect and why) • Academic Culture • Persistent belief that security & academic freedom are antithetical • Tolerance, experimentation, and anonymity highly valued
Higher Ed IT Environments • Current Status: “The information security environment has become increasingly more dangerous. News accounts have reported Higher Education institutions involved in dozens of incidents of compromised confidential information over the past year. The cost of notifying and offering assistance to those individuals who have had their privacy information compromised can run into the hundreds of thousands of dollars for each incident. Increased regulatory requirements also make it imperative that the University be able to show a level of due diligence in the protection of its systems and confidential data.” • Why is this in quotes?
Goals of Cybersecurity • Confidentiality - information requires protection from unauthorized use or disclosure. • Integrity - information must be protected from unauthorized, unanticipated, or unintentional modification. • Availability - computers, systems, networks, and information must be available on a timely basis to meet mission requirements or to avoid substantial losses.
Security Processes • Deter • Prevent • Detect • React • Adapt Burton Group: A Systematic, Comprehensive Approach to Information Security (Feb. 2005)
Security ImplementationRelies On: Systems must be built to technically adhere to policy Policies must be developed, communicated, maintained and enforced Process Technology People Processes must be developed that show how policies will be implemented People must understand their responsibilities regarding policy
Framing the Problem • Discussion – Breaches in Higher Education • How did they occur? • Who was impacted? • How much did it cost? • Are there themes? • What’s changed?
The Blueprint ConfidentialData Handling Blueprint Purpose • To provide a list of key strategies to follow for stopping the leakage of confidential/sensitive data. • To provide a toolkit that constructs resources pertaining to confidential/sensitive data handling. https://wiki.internet2.edu/confluence/display/secguide/Confidential+Data+Handling+Blueprint
The Blueprint ConfidentialData Handling Blueprint Introduction • Steps and ensuing sub-items are intended to provide a general roadmap • Institutions will be at varying stages of progress • Organized in a sequence that allows you to logically follow through each step • Each item is recommended as an effective practice; state/local legal requirements, institutional policy, or campus culture might leave each institution approaching this differently
Step 1 • Create a security risk-aware culture that includes an information security risk management program • Sub-steps 1.1 Institution-wide security risk management program 1.2 Roles and responsibilities defined for overall information security at the central and distributed level 1.3 Executive leadership support in the form of policies and governance actions
Why Do We Care? • HIPAA • FERPA • GLBA • Sarbanes Oxley Act • Grant requirements • Compliance • Other local state and federal regulations
Risk Management Risk = Threats x Vulnerabilities x Impact
Threat An adversary that is motivated to exploit a system vulnerability and is capable of doing so National Research Council CSTB Report: Cybersecurity Today and Tomorrow: Pay Now or Pay Later (2002)
Examples of Threats • Hackers • Insiders • “Script Kiddies” • Criminal Organizations • Terrorists • Enemy Nation States
Vulnerability An error or a weaknessin the design, implementation, or operation of a system. National Research Council CSTB Report: Cybersecurity Today and Tomorrow: Pay Now or Pay Later (2002)
Examples of Vulnerabilities • Networks – wired and wireless • Operating Systems – especially Windows • Hosts and Systems • Malicious Code and Viruses • People • Processes • Physical Environments
Impact Refers to the likelihood that a vulnerability will be exploited or that a threat may become harmful. National Research Council CSTB Report: Cybersecurity Today and Tomorrow: Pay Now or Pay Later (2002)
Examples of Impact • Strategic Consequences • Financial Consequences • Legal Consequences • Operational Consequences • Reputational Consequences Qayoumi, Mohammad H. “Mission Continuity Planning: Strategically Assessing and Planning for Threats to Operations,” NACUBO (2002).
Risk Management Risk = Threats x Vulnerabilities x Impact
Handling Risks • Risk Assumption • Risk Control • Risk Mitigation • Risk Avoidance Qayoumi, Mohammad H. “Mission Continuity Planning: Strategically Assessing and Planning for Threats to Operations,” NACUBO (2002).
What Defines Culture? • Strategic Planning and Decision-Making • Examples: • Top-down • Bottom-up • Consensus-based • Institutional Values • Examples: • Student honor code • Strong faculty influence • Emphasis on accountability at all levels of institution • High bond rating
What Defines Culture? • Control of Operational Functions • Examples: • Centralized • Decentralized • Long-term Institutional Priorities • Examples: • Increase research • Increase community outreach • Other influences on culture?
Ideas For Using Culture Decentralized Control Over Computing Formalize and leverage network of departmental system administrators How? Some Examples: University of Virginia LSP Program http://www.itc.virginia.edu/dcs/lsp George Mason University SALT Group http://itu.gmu.edu/security/sysadmin/salt-description.html
Ideas For Using Culture Increasing Emphasis on Compliance Spotlight Federal Regulations Related to Security & Privacy How? Some Examples: IT Security for Higher Education: A Legal Perspective http://www.educause.edu/ir/library/pdf/csd2746.pdf Family Educational Rights & Privacy Act http://www.ed.gov/policy/gen/guid/fpcp/ferpa/index.html Gramm Leach Bliley Act http://www.ftc.gov/privacy/glbact/index.html Health Insurance Portability & Accountability Act http://www.hhs.gov/ocr.hipaa
Ideas For Using Culture Strong Leadership at the Top Make Executive-level Awareness a Top Priority How? ACE Letter to Presidents Regarding Cybersecurity http://www.acenet.edu/washington/letters/2003/03march/cyber.cfm Information Security: A Difficult Balance http://www.educause.edu/pub/er/erm04/erm0456.asp Gaining the President’s Support for IT Initiatives at Small Colleges http://www.educause.edu/apps/eq/eqm04/eqm0417.asp Presidential Leadership for Information Technology http://www.educause.edu/ir/library/pdf/erm0332.pdf
Morning Break • Break 10:15 AM • Return 10:30 AM
Step 2 • Define institutional data types • Sub-steps 2.1 Compliance with applicable federal and state laws and regulations - as well as contractual obligations - related to privacy and security of data held by the institution (also consider applicable international laws) 2.2 Data classification schema developed with input from legal counsel and data stewards 2.3 Data classification schema assigned to institutional data to the extent possible or necessary
Institutional Data Types • Discussion – • Do you have a data classification schema? • Do you have a policy? • Why is this step important?
Data Classification Policy • Provides the framework necessary to identify and classify data in order to assess risk and implement an appropriate level of security protection based on categorization. • Provides the framework necessary to comply with legislation, regulations, and internal policies that govern the protection of data • Provides the framework necessary to facilitate and make the Incident Response process more efficient. The level in which the data is classified determines the level of response.
DataClassification – Policy Objectives • Communicates data categories to the University community and provides examples of how data should be classified • Communications the high level requirements necessary to protect data based on category • Communicates the roles and responsibilities of various members of the University community and external associates as it relates to GW owned data
Data Classification at GW Privacy Levels Operations Levels Public Official Confidential Highest Security Highest Operations Enterprise System 2 2 1 1 Department Server 3 2 Lowest Security Lowest Operations 2 Desktop/ Laptop 3 4 Note, numbers in boxes suggest the priority levels for mitigating risks.
Step 3 • Clarify responsibilities and accountability for safeguarding confidential/sensitive data • Sub-steps 3.1 Data stewardship roles and responsibilities 3.2 Legally binding third party agreements that assign responsibility for secure data handling
Example – University of North Carolina • Data Trustee: Data trustees are senior University officials (or their designees) who have planning and policy-level responsibility for data within their functional areas and management responsibilities for defined segments of institutional data. Responsibilities include assigning data stewards, participating in establishing policies, and promoting data resource management for the good of the entire University. • Data Steward: Data stewards are University officials having direct operational-level responsibility for information management – usually department directors. Data stewards are responsible for data access and policy implementation issues. • Data Custodian: Information Technology Services is the data custodian. The custodian is responsible for providing a secure infrastructure in support of the data, including, but not limited to, providing physical security, backup and recovery processes, granting access privileges to system users as authorized by data trustees or their designees (usually the data stewards), and implementing and administering controls over the information. • Data User: Data users are individuals who need and use University data as part of their assigned duties or in fulfillment of assigned roles or functions within the University community. Individuals who are given access to sensitive data have a position of special trust and as such are responsible for protecting the security and integrity of those data. http://its.uncg.edu/Policy_Manual/Data/
Step 4 • Reduce access to confidential/sensitive data not absolutely essential to institutional processes • Sub-steps 4.1 Data collection processes (including forms) should request only the minimum necessary confidential/sensitive information 4.2 Application outputs (e.g., queries, hard copy reports, etc.) should provide only the minimum necessary confidential/sensitive information 4.3 Inventory and review access to existing confidential/sensitive data on servers, desktops, and mobile devices
Step 4 continued… • Reduce access to confidential/sensitive data not absolutely essential to institutional processes • Sub-steps continued 4.4 Eliminate unnecessary confidential/sensitive data on servers, desktops, and mobile devices 4.5 Eliminate dependence on SSNs as primary identifiers and as a form of authentication* *Note: SSNs may need to be used for certain things (e.g., student employees, student financial aid, etc.) and we recommend that schools limit the use of SSNs to necessary processes only.
Elimination of SSNs • Federal and state law requires the collection of your Social Security number (SSN) for certain purposes (for example, IRS reporting forms). However, widespread use of an individual's SSN is a major privacy concern. With incidents of identity theft increasing, steps to secure an individual's SSN become more important. • A large number of colleges and universities use SSNs as primary identifiers for faculty, staff, and students, which exposes institutions to risk because of changing legal and security environments. Therefore, many institutions are planning for the migration away from SSN use as a primary identifier. Undertaking such a task raises issues, challenges, and opportunities for any institution. • EDUCAUSE has identified links concerning the elimination of SSNs as primary identifiers that may be useful to the higher education community. • http://www.educause.edu/Browse/645?PARENT_ID=701
Step 5 • Establish and implement stricter controls for safeguarding confidential/sensitive data • Sub-steps 5.1 Inventory and review/remediate security of devices 5.2 Configuration standards for applications, servers, desktops, and mobile devices 5.3 Network level protections 5.4 Encryption strategies for data in transit and at rest
Step 5 continued… • Establish and implement stricter controls for safeguarding confidential/sensitive data • Sub-steps continued 5.5 Policies regarding confidential/sensitive data on mobile devices and home computers and for data archival/storage 5.6 Identity management and resource provisioning processes 5.7 Secure disposal of equipment and data 5.8 Consider background checks on individuals handling confidential/sensitive data
EncryptionCollaboration • Call for help – what are other universities doing? • Privacy Committee, Compliance Committee, LSPs • Key Stakeholders • Project management • Information Security Office + Technology Services + Technology Engineering = OneTeam
GW Scoring Criteria/Selection Rationale Vendors were evaluated on RFP requirements that covered “Whole Disk” and “Nice to Have” requirements: Product Evaluation Category Recommended?X - No √ - Yes X - No Out of a possible total weighted score of 285, Utimaco scored the highest based on the requirements defined in the RFP, had the lowest price and was the only product fully compatible with VMWare Note: Vendors were asked to respond to File and Folder Encryption Requirements but were not scored on them
GW’s Encryption Pilot • Planning • Technical set-up • Central IT Group 50%, Departments 50% • Communicate, communicate, communicate • Pilot results • Party!
GW Enterprise Rollout –50,000 Foot View 1Note: This assumes a 3 year plan FWI machine replacement plan for most faculty, except those that self –identify to adopt Safeguard Easy on an existing machine
Encryption Lessons Learned? • References provided invaluable advice • Project management support crucial • Flexibility required • Know your culture • Integrate with security philosophy and architecture • Establish generic policy and add guidelines/procedures as process matures • Communication and partnerships were critical success factors
Step 5 continued… • Establish and implement stricter controls for safeguarding confidential/sensitive data • Sub-steps continued 5.5 Policies regarding confidential/sensitive data on mobile devices and home computers and for data archival/storage 5.6 Identity management and resource provisioning processes 5.7 Secure disposal of equipment and data 5.8 Consider background checks on individuals handling confidential/sensitive data
EDUCAUSE Identity Management Resources Recent Library Submissions (3) • CIC Identity Management Conference Session: Federated Identity Management and Sharing Resources (2007) by Jim Phelps, IT Architect in Academia • Identity Management Conference Report (2007)by Committee on Institutional Cooperation • A Report on the Identity Management Summit (2007) by Norma Holland, Ann West and Steve Worona, EDUCAUSE Most Popular Library Content (3) • Top-Ten IT Issues, 2006 (2006) by Barbara I. Dewey, Peter B. DeBlois, and the 2006 EDUCAUSE Current Issues Committee, EDUCAUSE • Safeguarding the Tower: IT Security in Higher Education 2006 (2006) by Robert B. Kvavik, with John Voloudakis, ECAR • Identity Management in Higher Education: A Baseline Study (2006) by Ronald Yanosky, with Gail Salaway, ECAR • http://www.educause.edu/Browse/645?PARENT_ID=679
Step 6 • Provide awareness and training • Sub-steps 6.1 Make confidential/sensitive data handlers aware of privacy and security requirements 6.2 Require acknowledgement by data users of their responsibility for safeguarding such data 6.3 Enhance general privacy and security awareness programs to specifically address safeguarding confidential/sensitive data 6.4 Collaboration mechanisms such as e-mail have strengths and limitations in terms of access control, which must be clearly communicated and understood so that the data will be safe-guarded