1 / 25

Risk-Based Information Security Program at NMSU

Risk-Based Information Security Program at NMSU. presented by Norma Grijalva NMSU Chief Information Officer John Roberts NMSU Chief Information Security Officer October 2, 2014. Data Privacy Laws/Regulations. FERPA – Family Educational Rights and Privacy Act

gmaxwell
Télécharger la présentation

Risk-Based Information Security Program at NMSU

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Risk-Based Information Security Program at NMSU presented by Norma Grijalva NMSU Chief Information Officer John Roberts NMSU Chief Information Security Officer October 2, 2014

  2. Data Privacy Laws/Regulations • FERPA – Family Educational Rights and Privacy Act • HIPAA – Health Insurance Portability and Accountability Act • GLBA – Gramm-Leach-Bliley Act • RFR – Red Flags Rule of the Federal Trade Commission • FISMA – Federal Information Security Management Act • PCI DSS – Payment Card Industry Data Security Standards • Others exist, but the above are primary 2

  3. General Institutional Requirements • FERPA, HIPAA, GLBA, RFR, FISMA, and PCI-DSS require the following: • Designated information security responsibility • Risk-based information security program • Data security policies and procedures • Monitoring and incident handling/compliance • Data security training and awareness 3

  4. Consequences of Noncompliance • FERPA – Loss of federal funding to institution • HIPAA – Monetary penalties of up to $6M / year • GLBA – Fines and imprisonment • RFR – Federal fines • FISMA – Loss of research and contract funding • PCI DSS • Fines • Removal of institution’s ability to take credit card payments 4

  5. Recent Higher Ed Data Breaches • Butler University, June 2014 • 163,000 records taken • Iowa State University (NMSU peer), April 2014 • 48,729 records taken • North Dakota University, March 2014 • 291,465 records taken • Indiana University, February 2014 • 146,000 records taken • University of Maryland, February 2014 • 309,079 records taken 5

  6. Hard Costs Related to Breaches • Maricopa Community College District for last year's data breach costs are approaching $20 million • University of Maryland to pay $2.6M just for credit monitoring of data breach victims. Other costs TBD • Target estimates data breach costs at nearly $150 million and shares are down • These are just a few examples… 6

  7. NMSU’s Risk If hackers compromised Banner, how many unique social security numbers would they have access to? A. 10,000 B. 25,000 C. 50,000 D. I already have enough trouble sleeping at night 7

  8. ~ 500,000 (including the SSNs of the people sitting to your right and left) 8

  9. NMSU’s Risk (continued) • In addition to social security numbers and other Personally Identifiable Information (PII), NMSU’s systems contain other regulated data • Not all regulated data resides centrally --- desktop/shadow systems and departmental servers may also contain regulated data • We still get reports of PII data being transmitted “in the clear” despite NMSU data security policy 9

  10. Estimated Cost of a Data Breach • Based on 2013 Study by Ponemon Institute & Symantec • $111 per record at US universities and colleges • $136 per record across industry • Estimated cost of a breach at NMSU • $55,500,000 based on loss of 500,000 records at $111 per record • Includes costs associated with loss of public confidence, reputation, etc. 10

  11. Breaches Bring Greater Focus • Higher education institutions are reacting to data breaches by committing to improved data security • University of Maryland created a President's Task Force on Cybersecurity, adding more staff and purchasing expensive security tools • Iowa State University is creating policies and deploying security tools, etc. 11

  12. NMSU is being proactive • Enhancing security practices within the technology – network, servers, software • Implementing new security tools • Beefing up training & awareness, compliance across the institution • Working to establish a risk-based information security program • Doing what we can with available resources, but more is needed 12

  13. Changing IT Landscape • Factors that are now shaping IT • Greater and very real threats to institutional data • Integration of information technology into all areas of NMSU’s business, requiring a strategic versus strictly operational perspective of IT • Competition for IT resources is growing, requiring better planning, resource allocation, and sharing • A move to IT Governance is key! 13

  14. Information Technology Governance • Just what is IT Governance? • The processes that ensure the effective and efficient use of IT in enabling an organization to achieve its goals. (Gartner) • What does IT Governance do for NMSU? • Ensures the effective evaluation, selection, prioritization, and funding of competing IT investments • Optimizes resources • Lowers risk • Enhances measurement of institutional IT performance 14

  15. IT Governance, Then Data Governance • Data governance is born of IT governance • Once IT governance is established, data governance follows 15

  16. Governance Leads to Security • IT and Data Governance are the foundation of data security, culminating in protection that is based on identified risk • Awareness is the first step • Information security is everyone’s responsibility • Appropriate governance ensures that the university is in compliance with data security laws and NMSU policies 16

  17. To successfully protect our data, we need your support! 17

  18. How do we do this? • Safe Computing practices • Password protection on computer (physically lock computer when you walk away) • Anti Virus • Malware • Firewall • Automatic Updates

  19. How do we do this? (Cont.) 2) Data Protection • All mobile storage devices need to be encrypted • Jump drives, Laptops, External Storage Devices • All devices where regulated data is stored needs to be encrypted. • Options • File Encryption (If you inadvertently send email to the wrong person it is protected) • Device Encryption

  20. File Encryption

  21. How do we do this? (Cont.) 3) Data Discovery • Identity Finder – tool to assist • End user police – Do we have a bad practice running somewhere? • Password Strength • Develop a password phrase

  22. How do we do this with Email • Phishing • How can I tell? What should I do? • Don’t click and don’t open attachments • Targeted Phishing & Social Engineering assessments • NMSU generated spam  • Etiquette • Be aware of the TO & CC especially when sending to a list

  23. How do we do this with the VPN • What is a Virtual Private Network (VPN) • Your own end to end encrypted network path • How do I get it and use it. • Go to vpn.nmsu.edu and enter your credentials: auto install/manual install • Use it everywhere including Aggie Air till 2015 • Types: Full (NMSU-Full) vs. Not so Full (NMSU) • What’s coming next?

  24. Risk-Based Information Security Program at NMSU Questions? Thanks Norma Grijalva John Roberts

More Related