Security Is Everyone’s Responsibility October 22, 2014
Agenda
- Introduction – Scott Douglass
- Legal Issues – Laure Ergin
- Risk & Challenges – Kirk Die
- What IT is Seeing & Doing – Jason Cash
- Unit & Employee Responsibilities – Karl Hassler
- Sensitive Data – Karl Hassler
- Wrap Up / Discussion – Scott Douglass
- Resources
Introduction
Today's Reality
- More organizations are revealing they've been breached
  - Public pressure
  - Disclosure laws
Why We're Here
- Begin a dialogue
- Raise awareness
- Educate
- Provide resources
Legal Issues
Which law applies depends on:
- Location of institution
- Type of information
- Role of person storing the information
- How the information was obtained
Privacy / Security
- Privacy – the freedom from having information disclosed without one's consent
- Security – the mechanism(s) in place to protect the privacy of information
Applicable Laws
- Family Educational Rights & Privacy Act (FERPA) – protects student educational records
- Gramm-Leach-Bliley Act (GLBA) – protects financial information of customers
- Health Insurance Portability & Accountability Act of 1996 (HIPAA) – protects patient information
- Payment Card Industry Data Security Standard (PCI-DSS) – protects credit card information
- Delaware Breach Notification Law (Del. Code, Title 6, Sec. 12B-101 et seq.) – requires breach notification in the event of a data breach
- The Jeanne Clery Disclosure of Campus Security Policy & Campus Crime Statistics Act (Clery Act) – requires reporting of crime statistics to the general public and the federal government
- Computer Fraud & Abuse Act – criminalizes hacking into computers and computer networks
- Communications Decency Act – regulates obscenity in cyberspace
- Children's Online Privacy Protection Act (COPPA) – regulates commercial operators that direct services to children under 13
- Communications Assistance for Law Enforcement Act (CALEA) – regulates the assistance that must be provided to law enforcement for phone tapping purposes
- Federal Information Security Management Act (FISMA) – regulates how federal information, computers and networks are secured, through contracts and possibly soon grant documents
Types of Laws
- Some laws are about what we can and can't do with information we have – the focus is protecting information.
- Some laws are about information we have that we must share with individuals and our community and report to state and federal governments – the focus is disclosure.
- Some laws are about what you can and can't do on your computer or on the internet – the focus is regulating conduct and behavior through or on the internet.
- Some laws go beyond securing information and want to make sure your information systems (computers and networks) are secure and protected.
Potential Risks
Legal Compliance
- Failure to comply with privacy laws and regulations can result in significant legal sanctions, liability, fines, and other unpleasant consequences.
- Regulatory agencies are stepping up enforcement – meaning surveys are being sent out, questions are being posed, and ultimately on-site audits are conducted.
- State attorneys general have enforcement power for state privacy/security laws, plus they can enforce certain federal laws, too (HIPAA, COPPA).
- Privacy and security laws are expanding in their coverage.
Other Potential Risks
- Reputational Injuries
- Damage to Student Well-Being
- Damage to Employee Well-Being
- Soured Relationships
- Financial Injuries
- Time and Resources
University Data Security Challenges
- Open Environment – many have access to records and control their own data
- Social Security number as a student identifier – resides on many systems
- Data Retention – tend to archive vs. delete
- Research – studies can use vast amounts of sensitive information
- Sharing – culturally, much data is shared among colleagues
Target Rich Environment
- In General – need to allow less access
- Social Security number and other personal identifiers – retain in as few places as possible and only when needed
- Data Retention – less is better
- Research – separate initiative to secure research data
- Sharing – be more careful about what we share and how
What IT Is Seeing
- 171 UDELNET accounts compromised
- 20 machines disabled on average per week due to malware, etc.
What IT Is Doing
- Created:
  - IT Security & Compliance Office (modernize policies)
  - Technical Security Group
- Locate old data (SSNs)
- Protect current data (more than SSNs!)
- Detect intrusions – FireEye, Snort, NGFW, etc.
What does IT need?
- Process PII/SSN scan results.
- Desktop and laptop PII scanning software coming soon.
- More SSNs. No, really.
Unit Responsibilities – Some Action Items
- Follow UD Policies
- Develop an Information Security Plan
  - Inventory data and devices (know what you have)
  - Classify (assess sensitivity and risk)
  - Establish protocols to manage, access and use (playbook)
  - Protect data
  - Limit use and retention
  - Evaluate processes (where and how is data at risk?)
Employee Responsibilities – Some Action Items
Unit Administrators
- Inventory
- Classify
- Protect
- Communicate
Employees
- Understand responsibilities and requirements
- Ask questions!
Employee Responsibilities – Some Action Items
- Perform periodic reviews
  - Encrypt sensitive regulated data that must be retained
  - Purge or archive unneeded data
  - Are management standards followed?
  - Are there new control gaps?
- Report the loss or misuse of devices immediately
Types of Sensitive Data (1)
Confidential PII (Personally Identifiable Information) – first name or initial and last name, along with any of:
- Social Security Number;
- Driver's License Number or State-Issued ID Number;
- Alien Registration or Government Passport Number; or
- Financial Information: account, credit or debit card number
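The Confidential PII rule on this slide (a name plus at least one listed identifier) is exactly what a PII scan like the one mentioned under "What IT Is Doing" has to encode. The Python below is an added example, not UD's scanner; it assumes records already split into name fields and free-text fields, and checks only SSNs and payment card numbers because those two identifiers have structure that can be validated offline.

```python
import re
from typing import Dict, List

# Patterns for the two listed identifiers whose structure can be checked offline;
# driver's-licence and passport formats vary by issuer and are left out here.
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")
NAME_FIELDS = ("first_name", "last_name")

# Constructed sample records (not real people or numbers); 4111... is a
# well-known Visa test number.
SAMPLE_RECORDS = [
    {"first_name": "Jane", "last_name": "Doe", "notes": "SSN 123-45-6789 on file"},
    {"first_name": "", "last_name": "", "notes": "paid with 4111 1111 1111 1111"},
    {"first_name": "J", "last_name": "Smith", "notes": "order 1234 shipped"},
    {"first_name": "Bob", "last_name": "Lee", "notes": "ref 000-12-3456"},
]

def plausible_ssn(area: str, group: str, serial: str) -> bool:
    """SSA never issues area 000, 666 or 900-999, group 00 or serial 0000."""
    a = int(area)
    return a not in (0, 666) and a < 900 and group != "00" and serial != "0000"

def luhn_ok(digits: str) -> bool:
    """Mod-10 check that every real payment card number satisfies."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def find_identifiers(text: str) -> List[str]:
    """Return the kinds of listed identifiers found in a chunk of free text."""
    kinds = ["ssn" for m in SSN_RE.finditer(text) if plausible_ssn(*m.groups())]
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            kinds.append("card")
    return kinds

def classify_record(rec: Dict[str, str]) -> str:
    """Apply the slide's rule: Confidential PII is a name (first name or
    initial plus last name) together with at least one listed identifier."""
    has_name = all(rec.get(f, "").strip() for f in NAME_FIELDS)
    ids = find_identifiers(" ".join(v for k, v in rec.items() if k not in NAME_FIELDS))
    if has_name and ids:
        return "confidential_pii"
    return "identifier_without_name" if ids else "no_listed_identifier"
```

An identifier with no name attached, or a name with no identifier, is still sensitive under the second "Types of Sensitive Data" slide; the three labels only tell a unit which records fall under the stricter Confidential PII handling.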
Types of Sensitive Data (2)
- Student Data
- Health Information
- Financial Account Information, Credit Card #s
- Certain Employment Data
- Personally Identifiable Human Subject Research Data
- UDelNet account passwords