Presentation is loading. Please wait.

Presentation is loading. Please wait.

Data and Service Security A.S.Trew, G. Poxon & S.McGeever.

Published byNicholas Taton Modified over 10 years ago

Similar presentations

Presentation on theme: "Data and Service Security A.S.Trew, G. Poxon & S.McGeever."— Presentation transcript:

1 Data and Service Security A.S.Trew, G. Poxon & S.McGeever

2 Mobile Data Security In 2010 Records Management published a policy on sensitive data – necessary response to the Data Protection Act the Colleges thought this inadequate because: – of the gap between policy and practice – Support and guidance were seen as piecemeal and un-coordinated MVM and CSE surveyed staff and PG students to determine: – were sensitive data being transferred electronically? here, sensitive does not simply refer to Personal Data, but exam papers, proposals etc. – if so, was this being done in a secure manner? – and what type of person was most at risk? yes, we have problems – 79.5% use data outside the University network … of these, ~50% use sensitive data in this way most sensitive data are not controlled under the Data Protection Act exposure risk is strongly correlated with staff role individuals have a responsibility to ensure that they take all reasonable precautions to secure sensitive data … but this cannot be relied upon as the only defence – eg. 38% use their smartphone for University business, 35% of these do not even use a PIN

3 the challenge … is to address these in a way which is consistent with academic practice – though we all have to work within the law do you routinely forward University email to, say, gmail? If so, you could be breaking the Data Protection Act in a company it would be (relatively) easy to impose a common way of working to minimise the threat but we require different ways of working in different areas and easy collaboration with externals – and have a mindset which prioritises this over all other considerations – the problem is probably worst within CSE we combine technical demands with self-will – … leading to an attitude amongst many key staff which ignores the problem

4 the remedy? MVM will alert staff with targetted emails – ie different emails for Professors, PGR … we believe that this is not sufficient in CSE, we will: – have a co-ordinated, consistent roll-out of existing guidance to School IT teams, IS, School management … – encourage College to appoint a senior academic to lead compliance activity – report gaps and remedies to Records Management and ISG

5 RMISG CCPAG Schoo l IT School IT College ISG Academic Staff Use Cases & Recommendations Monitor Specific Help General Help Schoo l IT School IT

6 Mobile Data Security - actions actions: CCPAG has created a basic set of guidelines and use cases appropriate for CSE Email has gone out from HoC/HoSs requiring staff to comply with guidelines ICO increasingly looking at documented evidence of staff engagement should a breach occur but, we must keep peoples attention, identify / support new use cases, report incidents and change mindset. address these by : - Sending annual reminders to all staff - Incorporate security into induction process and provide (on-line) training - Work with IS, MVM, HSS and Data Practitioners to identify gaps in documentation, develop/identify further use cases, share best practice - Provide central mechanism for transparent feedback / reporting of incidents success metrics: - Re-run questionnaire in a few years time - CCPAG judgement (i.e. is it our impression that compliance is better? Has mindset changed?) - Records Management judgement - Have there been any incidents?

7 Services focus to date has been on mobile data & clients (e.g., laptops, smartphones) – where active management and monitoring is least likely … but recent compromises mainly concentrated on servers & services, also largely unmanaged – again, active management & monitoring rare even expertly managed servers and services, however, can be compromised – combinations of old and new attacks make guaranteed prevention impossible …also widespread use of third party services (e.g. Dropbox) – no management or monitoring available

8 … the problem four known break-ins within CSE in the last 18 months: – P&A: unpatched web services led to 34 unmanaged services compromised, machines used to relay spam – Informatics: weak password led to staff and student ssh services compromised, loss of service – Biology: unpatched web service attacked, servers used to sell Viagra; automated attack led to compromised service, usernames/passwords stolen => reputational damage – ICMS: unpatched, unmanaged web service compromised … – Engineering: main web server hacked to sell Viagra … but it is embarrassing to acknowledge such events, so we do not know the extent of break-ins, nor learn from experience also reluctance to acknowledge the problem because of its scale … do we have the time, skills, and resolution to fix? five

9 … the response the University decides to strengthen its 2009 Information Security Policy – the section describing the responsibilities of the Support Groups and Colleges/Schools updated to pass responsibility clearly to Hoss You are response for any loss of sensitive data from your School You are responsible for the integrity of any services provided by your School Brian Gilmore becomes Chief Information Technology Security Officer (CITSO) – the focal point for the provision of advice, and collector of security incidents across the institution His stated approach is to provide policies, but not how they should be implemented … this gives us the freedom to tailor approaches to meet local needs

10 what do we do? three approaches to minimising risks: – Extend centrally managed services to cover more of the use cases that are clearly required for academic success (e.g., where external collaborations drive technical requirements) – ensure owners of centrally unmanaged services/machines are aware of the risks and adopt these – provide training and education for the (decreasing?) remainder of unmanaged usage caveats: – even well-resourced Schools cannot guarantee protection (prevention, detection and recovery feedback loop essential) – price of world-class, research-focussed University = growing lag between individuals adoption and UoE-scale managed services – onus on academics to justify refusing extended managed services where these are proven fit for purpose.

11 Layered security (most) research data Mildly sensitive data Highly sensitive data

12 immediate recommendations identify a security representative per School – to provide technical support to HoS to enable them to meet their obligations under the Information Security Policy inform all staff of their responsibilities to keep data and services secure – potential of disciplinary action in cases of gross misconduct audit School IT activities to identify all services and key data sets – categorise risks – propose moving to managed (School or IS) services where possible – … where not possible take explicit steps to implement best practice – review, share, feedback … use CCPAG as clearing house

13 outstanding issues How do we: – accommodate academic needs with limited effort – implement the security policy cf. Informatics experience – identify Security Reps/Enforcers with the knowledge and seniority to fulfil their role cf. ISG practices – …

Download ppt "Data and Service Security A.S.Trew, G. Poxon & S.McGeever."

Similar presentations

Thematic evaluation on the contribution of UN Women to increasing women’s leadership and participation in Peace and Security and in Humanitarian Response.

Thematic evaluation on the contribution of UN Women to increasing women’s leadership and participation in Peace and Security and in Humanitarian Response.
Copyright © 2012, Big I Advantage®, Inc., and Swiss Re Corporate Solutions. All rights reserved. (Ed. 08/12 -1) E&O RISK MANAGEMENT: MEETING THE CHALLENGE.

Copyright © 2012, Big I Advantage®, Inc., and Swiss Re Corporate Solutions. All rights reserved. (Ed. 08/12 -1) E&O RISK MANAGEMENT: MEETING THE CHALLENGE.
USG INFORMATION SECURITY PROGRAM AUDIT: ACHIEVING SUCCESSFUL AUDIT OUTCOMES Cara King Senior IT Auditor, OIAC.

USG INFORMATION SECURITY PROGRAM AUDIT: ACHIEVING SUCCESSFUL AUDIT OUTCOMES Cara King Senior IT Auditor, OIAC.
Child Safeguarding Standards

Child Safeguarding Standards
Integrating Children and Young Peoples Services Will Greenhow - Home Affairs David Killip - Health and Social Security John Cain - Department of Education.

Integrating Children and Young Peoples Services Will Greenhow - Home Affairs David Killip - Health and Social Security John Cain - Department of Education.
The importance of a Compliance program is to ensure that our agency meets the highest possible standards for all relevant federal, state and local regulations,

The importance of a Compliance program is to ensure that our agency meets the highest possible standards for all relevant federal, state and local regulations,
Dr. Julian Lo Consulting Director ITIL v3 Expert

Dr. Julian Lo Consulting Director ITIL v3 Expert
1 Pertemuan 19 Organisational Back Up Matakuliah:A0334/Pengendalian Lingkungan Online Tahun: 2005 Versi: 1/1.

1 Pertemuan 19 Organisational Back Up Matakuliah:A0334/Pengendalian Lingkungan Online Tahun: 2005 Versi: 1/1.
Quality evaluation and improvement for Internal Audit

Quality evaluation and improvement for Internal Audit
Computer Security: Principles and Practice

Computer Security: Principles and Practice
Symantec Vision and Strategy for the Information-Centric Enterprise Muhamed Bavçiç Senior Technology Consultant SEE.

Symantec Vision and Strategy for the Information-Centric Enterprise Muhamed Bavçiç Senior Technology Consultant SEE.
Brian Bradley.  Data is any type of stored digital information.  Security is about the protection of assets.  Prevention: measures taken to protect.

Brian Bradley.  Data is any type of stored digital information.  Security is about the protection of assets.  Prevention: measures taken to protect.
Session 3 – Information Security Policies

Session 3 – Information Security Policies
Disaster Recovery Policy & Procedures An Overview for Staff Prepared by MSM Compliance Services Pty Ltd.

Disaster Recovery Policy & Procedures An Overview for Staff Prepared by MSM Compliance Services Pty Ltd.
Network security policy: best practices

Network security policy: best practices
Data Protection Paul Veysey & Bethan Walsh. Introduction Data Protection is about protecting people by responsibly managing their data in ways they expect.

Data Protection Paul Veysey & Bethan Walsh. Introduction Data Protection is about protecting people by responsibly managing their data in ways they expect.
Website Hardening HUIT IT Security | Sep 30 2011.

Website Hardening HUIT IT Security | Sep
Minnesota Adoption of the Green Book April 16, 2015 Jo Kane Internal Control & Accountability Specialist.

Minnesota Adoption of the Green Book April 16, 2015 Jo Kane Internal Control & Accountability Specialist.
Your cybersecurity breach will happen! Here’s what to do to mitigate your risk Thursday, 25 September 2014.

Your cybersecurity breach will happen! Here’s what to do to mitigate your risk Thursday, 25 September 2014.
SEC835 Database and Web application security Information Security Architecture.

SEC835 Database and Web application security Information Security Architecture.

Similar presentations

Ads by Google