
Dr. Michael Dean, Dr. Linda Wilbanks, and Theon Dam | Nov.-Dec. 2017 U.S. Department of Education

Session 30. What FAAs need to know about Cybersecurity Initiatives, Data Protection, Identity Theft and Cybersecurity Risk Management. Dr. Michael Dean, Dr. Linda Wilbanks, and Theon Dam | Nov.-Dec. 2017 U.S. Department of Education





Presentation Transcript


  1. Session 30: What FAAs need to know about Cybersecurity Initiatives, Data Protection, Identity Theft and Cybersecurity Risk Management
  Dr. Michael Dean, Dr. Linda Wilbanks, and Theon Dam | Nov.-Dec. 2017 | U.S. Department of Education
  2017 FSA Training Conference for Financial Aid Professionals

  2. Presentation Overview
  ORGANIZATIONAL VIEW OF RISKS
  • Enterprise Risk Management
  • Cyber Security Risk Management
  OPERATIONAL CYBER SECURITY
  • Cyber Security Guidance on IT Security to Institutions of Higher Education
  Presenters: Dr. Michael Dean, Chief Enterprise Risk Officer; Dr. Linda Wilbanks, Senior Advisor, Cyber Security Risk Management; Theon Dam, ISSO

  3. Organizational View of Risks
  • Enterprise Risk Management
  • Cyber Security Risk Management
  PURPOSE
  • To provide a very brief introduction to Enterprise Risk Management
  • To show some differences between operational cyber security and cyber security risk management
  • To suggest to Board and Executive management at IHEs a focused approach to enterprise risk management, including enterprise-level cyber security risk management

  4. Enterprise Risk Management

  5. Risk Terminology
  Risk: The effect of uncertainty on objectives
  Risk Management: A series of coordinated activities to direct and control challenges or threats to achieving an organization's goals
  Enterprise Risk Management: An organization-wide approach to addressing the full spectrum of the organization's significant risks by understanding the combined impact of risks as an interrelated portfolio, rather than addressing risks only within silos
  What does ERM seek to do?
  • Optimize value to the organization: understanding and mitigating the mission-critical risks
  • Connect risks across the organization for executive-level focus and to enhance strategic execution
  • Align organization risks with strategic goals and objectives
  • Integrate risk-based decision-making throughout the organization

  6. Types of Risks
  Risk categories: Financial, Regulatory, Strategic, Technology, Reputation
  • Cyber
  • Compromise of networks allowing unauthorized access to information
  • Failure to protect personally identifiable information from unauthorized disclosure
  • Inaccurate, unreliable and/or incomplete financial statements and/or records
  • Inadequate, ineffective and/or inappropriate internal controls
  • Inconsistent, inaccurate and/or inefficient administration, disbursement, and servicing of student aid
  • Ineffective oversight and monitoring of Title IV programs and participants
  • Failure to adhere to and/or implement requirements associated with Title IX/Clery Act
  • Failure to resolve key control deficiencies identified during the audit process
  • Failure to achieve program targets
  • Failure to achieve enrollment and retention targets
  • Inability to perform significant academic or scientific research

  7. Traditional Risk Management vs. Enterprise Risk Management
  Risk Management
  • Focuses on discrete risks
  • Risk as individual hazards (siloed)
  • Risks with no owners
  • Manages risks individually
  • Considers only downside of risk
  • Contained within individual business units
  • One-dimensional assessment (potential impact)
  Enterprise Risk Management
  • Risk in the context of business strategy
  • Addresses risk interdependencies
  • Defined risk responsibilities
  • Portfolio view of risk
  • Considers the upside and downside of risk
  • Embedded within the organization
  • Multi-dimensional assessment

  8. Critical Elements of Enterprise Risk Management: Investment; Strategic Plan; Board & Executive Level Focus; Organization Wide; Enterprise Technology; Cyber Security Risk

  9. Cyber Security Risk Management

  10. Cyber Security Risk Terminology
  Information Security Risk: risk to organizational operations (mission, function, image, reputation), organizational assets, individuals, other organizations, and the Nation due to the potential for unauthorized access, use, disclosure, disruption, modification or destruction of information and/or information systems
  Information System-Related Security Risk: risks that arise through the loss of confidentiality, integrity, or availability of information systems

  11. Sources of Cyber Security Risks
  • Employees, Students, Anyone with Access
  • Natural Disasters
  • Mobile Devices
  • Connections
  • Data Transmissions and at Rest
  • Viruses, Trojans, Electronic Tampering/Theft/Fraud

  12. Cyber Security Risk Management Accountability
  • U.S. DOE, FSA
  • Trustees, Presidents, Executive and Academic Administrators
  • Students
  • Financial Aid Administrators, Faculty, Staff
  EVERYONE

  13. Cyber Security Risk Management (CSRM) vs. Operational Cyber Security (OCS)
  Process steps: Determine Risk Appetite → Identify Risks → Determine Risk Mitigations → Develop Risk Register/Profile → Monitor
  CSRM asks:
  • What is the acceptable level of risk?
  • What information is needed about threats and vulnerabilities?
  • What are the risks?
  • Do the mitigations produce an acceptable level of risk?
  • How effective were the mitigations?
  • Did mitigating the risks add strategic value to the organization by moving it closer to goal achievement?
  OCS asks:
  • What is the impact?
  • What are the threats and vulnerabilities?
  • What are the risks?
  • What security controls are needed to reduce the risk?
  • How effective were the security controls?

  14. Suggested Strategic Focus for Institutions of Higher Education
  Board of Trustees
  • Oversight accountability for enterprise risks, including cyber risks
  • Ensures executive prioritization of enterprise risk management
  • Executive-level focus on enterprise risks, including cyber security risks
  • Promotes culture of risk management
  • Accountable for management of enterprise risks, including cyber security risks, and holds key management accountable
  • Delivers enterprise view of cyber security risks and impact to organization strategy
  • Promotes culture of risk management
  • Works with OCS to identify risks
  • Monitors and evaluates policy compliance, risk mitigations, and quality of cyber security implementation
  • Links risks across the enterprise and connects risk mitigations to organization value
  • Responsible for implementing cyber security
  • Implements risk mitigations
  • Works with ERM to identify risks
  • Recommends operational policy

  15. Operational Cyber Security Theon Dam

  16. Agenda
  • Purpose
  • Comply with Laws and Regulations
  • FSA Security Initiatives
  • What are PII and SPII?
  • Security & Privacy Awareness
  • Cost of Breach
  • FAA Guidance

  17. Purpose
  • To provide Cyber Security guidance on IT security to institutions of higher education, as they are obligated to:
    • Protect data used in all aspects of the administration of the Title IV Federal student financial aid programs
    • Report all breaches resulting in loss of PII data to FSA

  18. Your Obligation To Protect PII Data
  Dear Colleague Letter
  • Publication Date: July 29, 2015
  • Subject: Protecting Student Information
  • Data breaches proliferating
  • Cooperation of FSA Partners to implement strong security policies, controls, and monitoring is critical to protecting personally identifiable information and ensuring the confidentiality, security, and integrity of Title IV financial aid information

  19. Legal Obligation to Protect PII Data
  • Student Aid Internet Gateway (SAIG) Enrollment Agreement
    • The institution “must ensure that all Federal Student Aid applicant information is protected from access by or disclosure to unauthorized personnel.”
  • Privacy Act of 1974 (Federal Agencies)
  • HEA (Higher Education Act)
  • Gramm-Leach-Bliley Act
    • Safeguards Rule
    • Applies to financial institutions and those that receive information about the customers of financial institutions
    • Requires institutions to secure customer information and create a written information security plan that describes the program to protect customer information

  20. FSA Security Initiatives
  • Active Confirmation
    • Primary Destination Point Administrator (DPA)
    • SAIG Mailbox | TG Number
    • December 15, 2017
  • Federal Student Aid Identification (FSA ID)
    • Short Message Service (SMS) Feature
    • Verify phone number

  21. Personally Identifiable Information (PII)
  • PII is defined as all personal information associated with an individual and includes everything from their name to their Social Security number.
    • Social Security Number (SSN)
    • Driver’s license or State ID number
    • Alien Registration Number
    • Financial account number

  22. Sensitive PII (SPII)
  • Requires more protection because its improper release could result in harm, embarrassment, inconvenience, or unfairness to the individual whose name or identity is linked to the information.
  • Combining pieces of non-sensitive information could result in a set of information that is sensitive.
    • Citizenship or immigration status
    • Account passwords
    • Last 4 digits of SSN
    • Date of Birth
    • Mother’s maiden name
    • Medical information

  23. Protecting PII in Communications
  • Sensitive PII sent via email must be encrypted, for example in a password-protected WinZip archive
  • Send the archive and its password via separate email messages

  24. Tips to Safeguard PII
  • Minimize PII
    • Collect only PII that you are authorized to collect, and at the minimum level necessary
    • Limit the number of copies containing PII to the minimum needed
  • Secure PII
    • Store PII in an appropriate access-controlled environment
    • Use fictional personal data for presentations or training
    • Review documents for PII prior to posting
    • Safeguard PII in any format
    • Disclose PII only to those authorized
  • Safeguard the transfer of PII
    • Do not email PII unless it is encrypted or in a password-protected attachment
    • Alert FAX recipients of incoming transmission
    • Use services that provide tracking and confirmation of delivery when mailing
  • Dispose of PII Properly
    • Delete/dispose of PII at the end of its retention period or transfer it to the custody of an archives, as specified by its applicable records retention schedule
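An added example, not part of the original deck, for the “review documents for PII prior to posting” tip above and the SPII point on slide 22 (pieces of information becoming sensitive in combination): a pre-posting scan that finds and redacts the PII elements the slides name. The regexes, function names and the sample text are constructed for this example; the patterns are heuristics, not a complete PII taxonomy.

```python
import re
from typing import Dict, Tuple

# Regexes for PII elements named on slides 21-22 (constructed for this example).
# Patterns with a capture group redact only the captured value, not its label.
PII_PATTERNS = [
    ("ssn", re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")),
    ("ssn_last4", re.compile(r"\b(?:last\s*(?:4|four)\D{0,15}?|SSN\D{0,5})(\d{4})\b", re.I)),
    ("dob", re.compile(r"\b(?:DOB|date of birth|born)\D{0,10}?(\d{1,2}/\d{1,2}/\d{4})\b", re.I)),
    ("account", re.compile(r"\b(?:acct|account)\D{0,10}?(\d{8,17})\b", re.I)),
]


def scan_for_pii(text: str) -> Tuple[Dict[str, int], str]:
    """Count each PII type found and return the text with those values redacted."""
    counts: Dict[str, int] = {}
    redacted = text
    for name, pattern in PII_PATTERNS:
        def redact(m, name=name, pattern=pattern):
            if pattern.groups:  # keep the label (e.g. "DOB "), replace the value
                start, end = m.span(1)
                whole = m.group(0)
                return whole[: start - m.start()] + f"[REDACTED-{name}]" + whole[end - m.start():]
            return f"[REDACTED-{name}]"
        redacted, n = pattern.subn(redact, redacted)
        if n:
            counts[name] = n
    return counts, redacted


def review_before_posting(text: str) -> dict:
    """Decide whether a document may be posted; any PII finding blocks it."""
    counts, redacted = scan_for_pii(text)
    return {
        "decision": "block" if counts else "post",
        # Slide 22: several identifiers about one person together raise the sensitivity
        "combined_identifiers": len(counts) >= 2,
        "findings": counts,
        "redacted": redacted,
    }


# Constructed sample draft; all personal values are fictional.
SAMPLE_DRAFT = (
    "Award summary for the shared drive (constructed sample data):\n"
    "Jane Doe, SSN 219-09-9999, DOB 04/12/1999, was awarded $5,500.\n"
    "Refund sent to account 4520881230019. Campus ID 00421 is not PII.\n"
)

if __name__ == "__main__":
    result = review_before_posting(SAMPLE_DRAFT)
    print(result["decision"], result["findings"])
    print(result["redacted"])
```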

  25. The Insider Threats • Insiders are trusted employees, vendors, and contractors that have access to internal system resources, including personnel, facilities, information and intellectual property (IP), equipment, networks, and systems.

  26. The Insider Threats (cont’d)
  • Non-malicious actions include negligence and errors made by personnel in the course of executing their everyday responsibilities.
  • Malicious actions include intentionally exceeding or misusing access in a manner that negatively affects the confidentiality, integrity, or availability of the Department's information or information systems.

  27. Insider Threat Behaviors
  • Without need or authorization, taking sensitive information home via documents, thumb drives, computer disks, or email.
  • Remotely accessing the network while on vacation, sick leave, or at other odd times.
  • Disregarding organization policies on installing personal software or hardware, accessing restricted websites, conducting unauthorized searches, or downloading confidential information.
  • Working odd hours without authorization; notable enthusiasm for overtime work, weekend work, or unusual schedules when clandestine activities could be more easily conducted.
  • Taking short trips to foreign countries for unexplained or strange reasons.

  28. Social Engineering • Social engineering is the term used to describe the act of manipulating a person (using deception, persuasion, and influence) into divulging sensitive information. Technical controls may not catch these attacks as they exploit human weakness instead of technical weaknesses.

  29. Phishing Goal is to obtain information that can be used to conduct identity theft

  30. Spear Phishing
  • Sent to an individual or a smaller, more select group within a targeted organization
  • Appear as if they have been sent from a legitimate organization or known individual
  • May be personalized using information from social media and the Internet
  Goal is to obtain specific information or infect the target’s computer system with malware

  31. Whaling or Harpoon Phishing
  • Sent to senior executives or other high-level officials or their assistants
  • Customized with information directed to the recipient and designed to masquerade as critical agency business
  Goal is to gain access to highly confidential information and agency systems

  32. Identifying Phishing/Spear Phishing
  • Slow down and analyze email messages for one or more of these phishing indicators before taking action
    • You don’t know the sender
    • The sender’s email address does not match the “friendly” name displayed
    • The email is not similar to what you have received from the sender in the past
    • Includes a link
    • Contains an attachment you weren’t expecting or that is out of context for the sender
    • Includes information that may have been found on social media or refers to a current news event
    • Immediate action is required
    • Requests that you provide sensitive information about yourself or the Department
    • Contains poor grammar, misspellings and punctuation errors
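As an added example (not part of the original slides), the indicators listed above turned into a checker that a mail filter or help desk could run over a suspicious message. The KNOWN_SENDERS allow-list, the keyword lists, the function names and the constructed sample message are assumptions for this example; the “not similar to past email” and “poor grammar” indicators need history or language models and are left out.

```python
import re
from email import message_from_string, policy
from email.message import EmailMessage
from email.utils import parseaddr
from typing import List

# Constructed allow-list: addresses this office already corresponds with.
KNOWN_SENDERS = {"aid.office@university.example"}
URGENCY_WORDS = ("immediate action", "immediately", "urgent", "within 24 hours", "suspended")
SENSITIVE_WORDS = ("password", "social security", "ssn", "date of birth", "account number")


def phishing_indicators(raw_message: str) -> List[str]:
    """Return which slide-32 indicators an RFC 5322 message triggers."""
    msg = message_from_string(raw_message, policy=policy.default)
    friendly, address = parseaddr(msg.get("From", ""))
    found = []

    if address.lower() not in KNOWN_SENDERS:
        found.append("unknown sender")

    # Display ("friendly") name shows an address whose domain differs from the real sender.
    shown = re.search(r"[\w.+-]+@([\w-]+(?:\.[\w-]+)+)", friendly)
    real_domain = address.rsplit("@", 1)[-1].lower()
    if shown and shown.group(1).lower() != real_domain:
        found.append("friendly name does not match sender address")

    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body else ""
    if re.search(r"https?://", text):
        found.append("includes a link")
    if any(part.get_filename() for part in msg.iter_attachments()):
        found.append("contains an attachment")

    lowered = (msg.get("Subject", "") + " " + text).lower()
    if any(w in lowered for w in URGENCY_WORDS):
        found.append("immediate action required")
    if any(w in lowered for w in SENSITIVE_WORDS):
        found.append("requests sensitive information")
    return found


def build_sample_phish() -> str:
    """Constructed lure used only as test input; the display name mimics an ed.gov mailbox."""
    msg = EmailMessage()
    msg["From"] = '"helpdesk@ed.gov" <helpdesk@ed-gov-support.example>'
    msg["To"] = "faa@university.example"
    msg["Subject"] = "Immediate action required: verify your FSA ID"
    msg.set_content(
        "Your FSA ID will be suspended within 24 hours.\n"
        "Confirm your password at http://ed-gov-support.example/verify\n"
    )
    msg.add_attachment(b"%PDF-1.4 constructed placeholder", maintype="application",
                       subtype="pdf", filename="FSA_Notice.pdf")
    return msg.as_string()


if __name__ == "__main__":
    for hit in phishing_indicators(build_sample_phish()):
        print("indicator:", hit)
```

A message from an allow-listed sender with no link, attachment or trigger words returns an empty list, so the count of indicators can drive a banner or a quarantine threshold.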

  33. Tips to Stay Out of The Phishing Net
  • Don’t open attachments or click on links received in unsolicited email messages.
  • If an email is asking you to click a link or submit personal information, always check the sender’s name and email address.
  • NEVER follow links in emails that route you outside of your organization’s network, and NEVER give out information about your organization, or personal or financial information, through email, regardless of who sends it.
  • Your system administrators would NEVER ask you for your password in an email or on the phone.

  34. Malware
  • If your computer starts to behave strangely or you experience one or more of the following, you may have malware installed on your computer.
    • Sluggish response
    • System crashes
    • Recurring pop-up advertisements or error messages
    • Changes in browser settings or toolbars
    • Inability to run programs or open files
    • Antivirus program disabled
    • Onscreen threats or demands for payment

  35. Ransomware • Ransomware is a class of malicious software designed to extort money from users by disabling important computer system functionality or by encrypting files on the infected device as well as on shared or networked drives. Anti-virus tools block known malware and may fail to stop an attack by new variants of ransomware.

  36. Mobile Computing Devices
  • Mobile computing devices can do almost anything a larger computer can do.
  • Their size makes them vulnerable to theft and loss.
  • Be extra vigilant when storing data on these devices.
  • Always maintain physical control.
  • Use passwords or passphrases.

  37. Dangers of Public or “Free” Wi-Fi
  • Connections to public Wi-Fi networks can place your laptop, smart phone, or tablet at risk and could expose your sensitive information to identity thieves.
  • Dangers of public Wi-Fi include:
    • Lack of encryption
    • Rogue access points posing as legitimate networks
    • Malware
    • Unauthorized access to sensitive data

  38. Equifax Breach
  • Occurred May – July 2017
  • Public notified September 2017
  • 143 million individuals’ credit records
  • Included credit card numbers, driver’s license numbers, Social Security numbers, addresses, birthdates
  • Check to see if you are impacted at: www.equifaxsecurity2017.com

  39. Cost of Breaches
  • Costs (decreased for the first time in over 10 years)
    • $3.62 million, down from $4 million in 2016 (10% decrease)
    • $141 cost per lost record, down from $158 ($221 in the U.S.)
  • Cost reduction factors:
    • Incident Response Team
    • Use of Encryption
    • Employee Training
    • Appointing a security Subject Matter Expert (SME)
  Source: Ponemon.org (2017)

  40. Potential Breach Sources
  • Passwords?
  • Informative files
  • Leave information
  • Phone numbers
  • Unlocked screen

  41. Passwords not secure...
  • 99.9% of all user-generated passwords are insecure
  • Word-number-punctuation is the most commonly cracked ‘complex’ password
  • Solutions are based on two-factor authentication
  • The myth of privacy and security
  • Password cracking by security experts:
    • Six characters: 12 seconds
    • Seven characters: 5 minutes
    • Eight characters: 4 hours
  Source: https://www.privacyrights.org

  42. Breach Responsibility
  • YOU (and your organization) assume the risk for the loss of data
  • Cyber Security protects the data to the identified risk level
  • Data protection and breach prevention MUST be a joint operation for success
  • WE have an obligation to the students and parents to protect their PII

  43. Correct Breach Process
  • Call your supervisor, the Help Desk, and Security and tell them exactly what is happening, immediately
  • Don’t delete any files or turn off your system unless Security tells you otherwise
  • Don’t send the files/data in question to anyone
  • Supervisor, Help Desk, and/or Security must notify FSA at CPSSAIG@ed.gov

  44. In closing…
  • Only collect and use information that is absolutely necessary, and only share with those who absolutely need the information
  • “Review and reduce”—inventory your PII and PII data flows, and look for ways to reduce PII
  • Think before you hit the “send” button (Email is by far the #1 source of breaches)
  • “Scramble, don’t gamble”—encrypt, encrypt, encrypt
  • Minimize (or eliminate) the use of portable storage devices
  • Protect PII on paper—enforce a clean desk policy, use secure shredding bins, locked cabinets, etc.

  45. Resources
  • https://www.privacyrights.org/
  • http://www.verizonenterprise.com/verizon-insights-lab/dbir/2017/
  • http://www.ponemon.org

  46. Resources
  • National Institute of Standards and Technology (NIST) Special Publications (http://csrc.nist.gov/publications/PubsSPs.html)
    • NIST Special Publication 800-37 Rev 1, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach
    • NIST Special Publication 800-53 Rev 4, Security and Privacy Controls for Federal Information Systems and Organizations
    • NIST Special Publication 800-30 Rev 1, Guide for Conducting Risk Assessments
    • NIST Special Publication 800-171, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations
  • ISO/IEC 27001 Information Security Management (International Organization for Standardization/International Electrotechnical Commission)
    • http://www.iso.org/iso/home/standards/management-standards/iso27001.htm


  48. Contact: Dr. Michael Dean, Chief Enterprise Risk Officer, Federal Student Aid, US Department of Education, 830 First Street, N.E., Washington DC 20202. Email: Michael.Dean@ed.gov. Phone: 202-377-4132

  49. Contact: Dr. Linda Wilbanks, Senior Advisor, Cyber Security Risk Management, Federal Student Aid, US Department of Education, 830 First Street, N.E., Washington DC 20202. Email: Linda.Wilbanks@ed.gov. Phone: 202-377-3396

  50. Contact: Theon S. Dam, IT Specialist INFOSEC, Federal Student Aid, US Department of Education, 830 First Street, NE, Washington DC 20202. Email: Theon.S.Dam@ed.gov. Phone: 202-377-3106
