
Managing Sensitive Data

Managing Sensitive Data. Harvard Townsend, Interim University IT Security Officer, harv@k-state.edu, 532-2985, College Court 114.


Presentation Transcript


  1. Managing Sensitive Data
     Harvard Townsend, Interim University IT Security Officer
     harv@k-state.edu, 532-2985, College Court 114
     Dept Security Contacts Training

  2. “…as we know, there are known knowns; there are things we know we know. We also know there are known unknowns; that is to say we know there are some things we do not know. But there are also unknown unknowns - the ones we don't know we don't know.”
     Donald Rumsfeld, Secretary of Defense, 2002

  3. Why Should We Care?
     • 93,998,906 and counting… the approximate number of records with personal identity information that have been compromised due to security breaches since February 15, 2005
     • Privacy Rights Clearinghouse, www.privacyrights.org/ar/ChronDataBreaches.htm

  4. Why Should We Care?
     • Data entrusted to our care
     • Handling a breach very expensive
     • Damage to institution’s reputation


  6. Why Should We Care?
     • It is the law:
       • SB 196 Kansas Security Breach Law takes effect Jan. 1, 2007
         • Protects personal identity information
         • Mandates prompt investigation and notification
       • FERPA (student records)
       • HIPAA (medical records)
       • GLB (financial records)
       • ECPA (electronic communications)

  7. Why Should We Care?
     • It is K-State policy:
       • PPM 3495 “Collection, Use, and Protection of Social Security Numbers”
       • PPM 3415 “Information Security Plan” (GLB)
       • PPM 7010, section .430 “Intellectual Property Rights”
       • PPM 7010, section .440 “Data Access and Retention”
       • PPM 3485 “Protecting Sensitive Data by Desktop Search Products”
       • PPM 3060 “Kansas Open Records Act”
       • PPM 3090 “Retention of Records”
       • PPM 3430 “Security for Information, Computing and Network Resources”


  10. (diagram) Spoofed website, hosted on a server in China, beside the legitimate website

  11. (diagram) Salvation Army phishing site hosted in Germany; harvested data; login from Romania; victim; source of spam

  12. What is “Sensitive Data”?
     • Sensitivity = level of protection against disclosure and abuse
     • Criticality = level of importance to the institution
     • Risk = measure of the negative impact of an event and the probability it will occur

  13. Data Classification
     • Public data
     • Internal restricted data
     • Confidential data
     • National Security Interest data

  14. Public Data
     • Approved for distribution to the public
     • No such thing as unauthorized disclosure
     • Very low sensitivity
     • Still needs protection
     • Examples:
       • Course catalog
       • Campus maps
       • Online people directory
       • Extension publications
       • Press releases

  15. Internal Restricted Data
     • Intended for use only within K-State for University purposes
     • Requires access controls
     • Public disclosure could cause problems
     • Moderate sensitivity
     • Examples:
       • Departmental intranet
       • Transaction log files
       • Budget data
       • Purchase orders

  16. Confidential Data
     • Highly sensitive data that can only be disclosed to individuals with explicit authorization
     • Protection required by law (FERPA, HIPAA)
     • Unauthorized disclosure harmful or catastrophic to individual, group, or institution
     • High sensitivity, thus requires highest level of protection
     • Examples: SSN, credit card #s, personal identity data, student records, personnel records, medical records

  17. National Security Interest Data
     • Federal government classified data
     • Restrictions determined by the source agency
     • Moderate to high sensitivity, depending on federal classification
     • Examples:
       • Biosecurity Research Institute data
       • DoD contracts
       • Homeland Security contracts

  18. Managing Confidential Data: General Guidelines
     • Data owner must approve access
     • Require strong authN/authZ for access
     • Understand and secure all interfaces (“trust relationships”)
     • Secure test and development systems
     • Secure developers’ desktops
     • Don’t use real data for test and development
     • Control printing
     • Encrypt stored data where feasible
     • Fear wireless!

  19. Managing Confidential Data: General Guidelines
     • Transmit securely (SFTP and SSH, not FTP and Telnet)
     • Don’t send in e-mail
     • Store on a secure server, not desktop or laptop
     • Place systems behind firewall with restrictive ruleset
     • Restrict physical access and remote access to server(s)
     • Monitor 24x7x365
     • Secure, frequent, off-site backups
     • Destroy data thoroughly upon disposal
     • Perform security audit at least annually

  20. Social Security Numbers
     • See policy on the “Collection, Use, and Protection of Social Security Numbers”: http://www.k-state.edu/policies/ppm/3495.html#policy
     • Removal from ID cards July 1, 2006
     • Replaced with Wildcat ID (WID)
     • Available in K-State Online, KATS, DARS, eID e-profile
     • Full conversion in new SIS

  21. What Should You Do About SSNs?
     • Read “Understanding K-State IDs”: www.k-state.edu/infotech/personalid/understandingids.html
     • Communicate the issue with your department
     • Identify uses of SSNs and compare to policy requirements
     • Be paranoid!
     • Watch IT Tuesday for more info

  22. Credit Card Numbers
     • Never store credit card numbers
     • Use a third-party credit service company
     • If you handle credit cards, review the Payment Card Industry Data Security Standard (PCI DSS)
     • K-State is currently a level 3 merchant
     • Would become a level 1 merchant if compromised
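Slides 21 and 22 ask departments to find where SSNs are in use and to keep card numbers out of storage altogether. The practical first step is a scan of files and logs for values that look like either one. The script below is an added example, not part of the presentation or any K-State tool; it assumes only the public SSA structural rules for SSNs (area 000, 666 and 900-999, group 00 and serial 0000 are never issued) and the Luhn check used by payment card numbers, and the sample text it scans is constructed. Findings are reported masked so the report itself does not become another copy of the data.

```python
"""Locate probable SSNs and payment card numbers in text and report them masked.

Added example, not part of the K-State presentation. SAMPLE_TEXT is constructed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import List

# 3-2-4 digit groups, optionally separated by '-' or ' ', not embedded in a longer digit run
SSN_RE = re.compile(r"(?<!\d)(\d{3})[- ]?(\d{2})[- ]?(\d{4})(?!\d)")
# 13 to 19 digits with optional single '-' or ' ' separators between digits
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


@dataclass(frozen=True)
class Finding:
    kind: str    # "ssn" or "pan"
    masked: str  # every digit but the last four replaced by '*'
    line: int    # 1-based line number within the scanned text


def ssn_is_plausible(area: str, group: str, serial: str) -> bool:
    """Drop values the SSA never issues: area 000, 666 or 900-999, group 00, serial 0000."""
    area_n = int(area)
    if area_n == 0 or area_n == 666 or area_n >= 900:
        return False
    return int(group) != 0 and int(serial) != 0


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit test used by payment card numbers."""
    total = 0
    for pos, ch in enumerate(reversed(digits)):
        d = int(ch)
        if pos % 2 == 1:  # double every second digit from the right, fold >9 back to one digit
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(digits: str) -> str:
    """Keep only the last four digits so the report never re-exposes the full value."""
    return "*" * (len(digits) - 4) + digits[-4:]


def scan_text(text: str) -> List[Finding]:
    """Return masked findings for every plausible PAN and SSN, with the line they sit on."""
    findings: List[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in PAN_RE.finditer(line):
            digits = re.sub(r"\D", "", m.group(0))
            if luhn_ok(digits):
                findings.append(Finding("pan", mask(digits), lineno))
        for m in SSN_RE.finditer(line):
            if ssn_is_plausible(*m.groups()):
                findings.append(Finding("ssn", mask("".join(m.groups())), lineno))
    return findings


# Constructed sample: one valid-looking card number and SSN, a phone number that
# must not be flagged, and a line of test fixtures that fail the structural checks.
SAMPLE_TEXT = """\
2006-11-03 order 10231 paid with card 4111 1111 1111 1111 exp 12/08
applicant SSN 078-05-1120 phone 785-532-2985
test fixture uses 987-65-4321 (not an issuable SSN) and card 4111 1111 1111 1112
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE_TEXT):
        print(f"line {f.line}: {f.kind} {f.masked}")
```

Run against the constructed sample it reports the card on line 1 and the SSN on line 2 and nothing from line 3, because the fixture SSN uses an area the SSA never assigns and the second card number fails the Luhn check. Point `scan_text` at the contents of departmental spreadsheets, transaction logs or test databases to produce the inventory slide 21 asks for; anything it flags in a test or development system is a direct violation of the "don't use real data for test and development" guideline on slide 18.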

  23. Mobile Devices
     • Laptop or tablet PCs
     • Smart phones like Blackberry, Palm Treo
     • Personal Digital Assistants (PDAs)
     • Portable media players (iPod)
     • Storage media like USB flash drive, SD or CompactFlash cards

  24. Preventing Theft
     • Use tracking and recovery software like Computrace from Absolute Software (www.absolute.com)
     • Use lock cables
     • Apply tamper-resistant asset tag or engrave cover
     • Use a nondescript carrying case
     • Don’t let it out of your sight when you travel
     • Always take it in your carry-on luggage
     • Don’t leave it in view in your car
     • Lock it securely with a cable in your hotel room

  25. Data on Mobile Devices
     • DON’T store confidential data on mobile devices
     • If you must, encrypt it
       • Beware of managing encryption keys
     • Keep the original file(s) on a secure server
     • Diligently manage the security of the device (patches, antivirus software, firewalls, etc.)

  26. Rumsfeldisms on IT Security
     On interrogating hackers: “I don't know what the facts are but somebody's certainly going to sit down with him and find out what he knows that they may not know, and make sure he knows what they know that he may not know.”
     On communicating with the media after a compromise:
     “I believe what I said yesterday. I don't know what I said, but I know what I think, and, well, I assume it's what I said.”
     “If I said yes, that would then suggest that that might be the only place where it might be done which would not be accurate, necessarily accurate. It might also not be inaccurate, but I'm disinclined to mislead anyone.”
     “Learn to say 'I don't know.' If used when appropriate, it will be often.”
     “I am not going to give you a number for it because it's not my business to do intelligent work.”

  27. Questions?
