Presentation on theme: "Information Security Office Risk Assessment, Disaster Recovery, Data Backups, Data Classification and Incident Reporting Melissa Guenther & Kelley Bogart."— Presentation transcript:
Information Security Office Risk Assessment, Disaster Recovery, Data Backups, Data Classification and Incident Reporting Melissa Guenther & Kelley Bogart
Information Security Office Security Risk Assessment Security ElementOKReview Requires Immediate Attention Physical Security Is our computing equipment properly secured? Account & Password Management Do we ensure only authorized personnel have access to our computers? Do we require and enforce appropriate passwords? Virus Protection Do we use, and regularly update, anti-virus software? OK - the element has been addressed by department action or policy. All the detailed questions can be answered affirmatively. Review - The basic issue has been addressed, but further review is warranted. Not all the detailed questions can be answered in the affirmative. Requires Immediate Attention - The element has not been addressed or recently reviewed. Few, if any, of the detailed questions can be answered in the affirmative
Information Security Office Physical Security - Is our computing equipment properly secured? It is easy to think that because a computer is located in an office or a lab, that it is secure. However, that is often not the case. Theft of computer equipment has occurred at the university. Physical security of computing equipment is closely tied to a department's attention of overall security of its facilities, e.g. office space, wiring closets, storage space, etc. Account & Password Management - Do we ensure only authorized personnel have access to our computers and do we require and enforce appropriate passwords? Ensuring that only authorized personnel are able to access department computers is very important to maintaining a secure computing environment. Only those who need access to carry out their work responsibilities should have an active computer account, and accounts should be deactivated when the need no longer exists. Regular use of strong passwords is another key first line of defense against unauthorized access and use of department computing resources. Passwords should be required for access to any computer or server. To be useful and effective, passwords should be easy to remember but difficult to guess. It is very important that passwords not be shared with anybody, or written where others might see it. Virus Protection - Do we use, and regularly update, anti-virus software? Computer viruses represent a significant and growing threat to personal computers and department servers. They can allow hackers to commander a computer and use it to launch attacks on other computers inside or outside the University. Virus infections can also destroy data files and cause loss of productive staff time. We recognize the threats from computer viruses, and as a result have obtained site licenses for (Sophos Anti- virus or other software). Use, and regular update, of anti-virus software is a critical element of security protection.
Information Security Office Data Backup and Restoration Do we periodically backup individual and department data? Operating Systems Are the operating systems we use updated with current security "patches"? Application Software Are our common applications configured for security? Security Risk Assessment (cont’d) Security ElementOKReview Requires Immediate Attention OK - the element has been addressed by department action or policy. All the detailed questions can be answered affirmatively. Review - The basic issue has been addressed, but further review is warranted. Not all the detailed questions can be answered in the affirmative. Requires Immediate Attention - The element has not been addressed or recently reviewed. Few, if any, of the detailed questions can be answered in the affirmative
Information Security Office Data Backup and Restoration - Do we periodically backup individual and department data? In today's technology environment almost everyone relies on a computer to store documents and scholarly papers, correspondence, financial reports, and many other invaluable resources. Imagine working for weeks or months on something and then it's all lost because a computer file is deleted or damaged. While hardware can be replaced and application software reloaded from original media, recovery of data files relies on regular backup procedures. Operating Systems - Are the operating systems we use updated with the appropriate security "patches"? Keeping personal computer and server operating system software up to date is a critical step in establishing a secure computing environment. As the SANS Institute noted in its initial list of "top 10 security vulnerabilities": A few software vulnerabilities account for the majority of successful attacks because attackers are opportunistic – taking the easiest and most convenient route. They exploit the best-known flaws with the most effective and widely available attack tools. They count on organizations not fixing the problems, and they often attack indiscriminately, by scanning the Internet for vulnerable systems. Application Software - Vulnerabilities and methods for closing them vary greatly from one operating system to another. Are our common applications configured for security? The expanded features and increased complexity of applications such as word processing, e-mail, and web browsing create new vulnerabilities. It is important to apply the safeguards that are in place and apply security updates in a timely manner.
Information Security Office Confidentiality of Sensitive Data Are we exercising our responsibility to protect sensitive data under our control? Disaster Recovery Do we have a current disaster recovery plan? Security Awareness and Education Are we providing information about computer security to our EMPLOYEES? Security Risk Assessment (cont’d) Security ElementOKReview Requires Immediate Attention OK - the element has been addressed by department action or policy. All the detailed questions can be answered affirmatively. Review - The basic issue has been addressed, but further review is warranted. Not all the detailed questions can be answered in the affirmative. Requires Immediate Attention - The element has not been addressed or recently reviewed. Few, if any, of the detailed questions can be answered in the affirmative
Information Security Office Confidentiality of Sensitive Data - Are all locations of automated and manual sensitive data records in the department known? Is access to sensitive data under the department's control restricted? Have faculty conducting research determined if the data they collect should be classified as sensitive? Do faculty and staff who administer sensitive data understand and follow appropriate federal, state, grant agency, or university regulations for protecting and backing up the data? Are student workers given access to confidential teaching or administrative data? If so, is their use of such data monitored closely? Is the unencrypted transmission of sensitive data or memos through e-mail discouraged? An answer of "no" to any of the above questions indicates a risk for which remedial steps should be considered. Disaster Recovery – Do we have a current disaster recovery plan? Knowing how to react properly in an emergency is critical to making the right decisions to minimize damage and quickly restore operations. A disaster recovery plan provides concrete information and procedures to guide decisions and operations in times of crisis. A disaster recovery plan can be tailored to fit your department circumstances and exposure to risk. Security Awareness and Education - Are we providing information about computer security to our employees? The primary goal of the security awareness program is to reduce security vulnerabilities through education and promotion of good security practices. Given the rapid changes in computing technology, security awareness must be an ongoing activity. This Security Assessment Checklist in it’s entirety is available at: http://security.arizona.edu/Security_Assessment_Checklist.pdf
Information Security Office Business Continuity Management and Disaster Recovery Planning 3D Memo From President Likins
Information Security Office October 28, 2002 TO: Vice Presidents, Deans and Department/Unit Heads FROM: Peter Likins SUBJECT:Business Continuity Management and Disaster Recovery Planning The principal business of the University of Arizona is academic operations, which includes teaching, research and outreach. The purpose of this memorandum is to solicit your help in another ABOR tasking that is a companion piece to our “Focused Excellence” endeavor. The task, precipitated by the 9/11 event, requires the development of a Business Continuity and Disaster Recovery Plan.
Information Security Office The purpose of such a plan is to ensure that if an incident occurs, natural or man-made, we will be prepared to deal with it in such a manner that the academic mission continues without disruption or if there is a disruption, it is restored as rapidly as possible. The most critical task that must be performed is identifying the most crucial University functions that need to be operational in order to preclude or minimize any disruption of our academic operations. In getting this process underway, deans, vice presidents and department heads are requested to complete a Critical Functions Assessment Survey. The survey is designed to gain your insights regarding the most crucial functions within your sphere of your leadership responsibility. The survey materials shall be disseminated on-line to facilitate receipt, ease of completion and return of responses. Vice presidents and deans are given the latitude of responding only to the first three questions. Departments/unit heads are requested to complete the entire survey.
Information Security Office The results of the survey shall be analyzed and an initial prioritization of the functions established. Subsequently, this prioritized listing shall be coordinated with the Faculty Senate and Deans Council prior to being submitted to the Cabinet for final decision. The Cabinet approved priority of the University of Arizona functions will serve as the basis of the Business Continuity and Disaster Recovery Plan. Once this aspect of the project is completed, a Business Continuity Management and Recovery Team, with University-wide representation, will utilize the Cabinet approved functions priority listing as the basis for developing the Business Continuity and Disaster Recovery Plan and also shall be responsible for updating and maintaining its current status. Our scheduled completion date of the plan is August 2003. This is a monumental task that may require additional assistance from your unit. I ask that you facilitate the accomplishment of any requests made to your respective organization.
Information Security Office Disaster Recovery Planning is an Information Technology function. In the event of a disaster, the IT department may need to take actions to restore the processing environment. This will depend on the organization, and what is defined as critical processing. Organizations will need to define how long systems can be down before declaring a disaster. Business Continuity Planning is a function of the entire organization. In the event of a complete disaster, the information technology department may be able to relocate the systems at a "hotsite." When the systems are brought back up, business operations can begin. Disaster Recovery vs. Business Continuity
Information Security Office Heads up Computing Refers to an attitude you need to bring to computer use. It means being alert to suspicious activity and putting plans into action to prevent the loss or destruction of important information. An important part of Heads up Computing includes backing up data.
Information Security Office Data Backups How effective would you be if your email, word processing documents, excel spreadsheets and contact database were wiped out? How many hours would it take to rebuild that information from scratch?
Information Security Office Methods of Backing Up Data Drive imaging and full system restores Making an identical copy of a partition (a grouping of some or all of the space on a hard drive so that the operating system can access it as a logical drive like c:) and storing it elsewhere Good Archiving Schedule daily backups of your documents on separate media, and restore those after you restore your drive image if something horrible happens. (hard drive, ZIP, floppy, tape CD, etc.)
Information Security Office General Back up Guidelines for Critical Data It’s a good idea to make at least two sets of backups for your critical data—one "live" set that you have available in your office, and one set that you store in a secure off-site location such as a safety-deposit box. You should rotate the backups at least every week, so that you have a recent backup that is protected against fire, theft or some other site- specific disaster.
Information Security Office What to back up back up your entire hard drive, just back up your important data Automated vs. manual Best to do them at 3 a.m. or some other slack time Can you leave your computer turned on overnight Tape Expensive and/or too complicated Have the advantage of being easily portable CDs and DVDs CDs don't hold enough data for most backups DVDs hold more data, but you'll still need maybe a dozen to back up your drive, and they cost $5 each. Software Many options
Information Security Office Files and Settings Transfer Wizard If all you're backing up is critical data, you should consider the Wizard in Windows XP. It's intended to move your data from an old machine to a new one. But it can also be used to make occasional backups of your documents, mail, and important application settings. Online Can costs as little as $6.95 a month. Storage space is limited--as "little" as 100MB. Hard drives Easiest ways to back up Cheap, fast
Information Security Office The Bottom Line Your best backup option is the one you'll actually use. It's all too easy to ignore the chore--so most people do. But if you think about how much it would cost to replace that information, then regular backups aren't really optional.
Information Security Office Data Classification
Information Security Office What are the Issues? Who Owns It? What’s It Worth? Who Can Use It? How Do We Handle It All?
Information Security Office Who Owns It? University Departments HR Students IT ???????????????
Information Security Office What’s It Worth? University Image Replacement Branding Daily Operations Competitive Advantage
Information Security Office What are the Threats/Risks? Threats –Competitors –Disgruntled Employees –Contractors –Students and Students Families –Patients and Patients’ Families Risks –Loss of Credibility –Loss of Competitive Advantage –Lawsuits –Regulatory Fines
Information Security Office Who Can Use It? Owners Custodians Employees 3 rd Parties Business Partners Regulators / Auditors
Information Security Office How Do We Handle It All? Email? FAX? File Transfers? Phone? To shred or not to shred? Electronic “shredding”?
Information Security Office University Data Classification Matrix 1 Classification Category A (Highest, most sensitive) Category B (Moderate level of sensitivity) Category C (Very low, but still some sensitivity) Legal requirements Protection of data is required by law (see attached list for specific HIPAA and FERPA data elements) U of A has a contractual obligation to protect the data Reputation riskHighMediumLow Other Institutional Risks Information which provides access to resources, physical or virtual Smaller subsets of Category A data from a school, large part of a school, department Data about very few people or other sensitive data assets
Information Security Office University Data Classification Matrix 1 (cont’d) Classification Category A (Highest, most sensitive) Category B (Moderate level of sensitivity) Category C (Very low, but still some sensitivity) Examples Medical Students Prospective Students Personnel Donor or prospect Financial Contracts Physical plant detail Credit Card numbers Certain management Info Information resources with access to Category-A data Research detail or results that are not Category-A Library transactions (e.g., catalog, circulation, acquisitions) Financial transactions which do not include Category-A data (e.g., telephone billing) Very small subsets of Category A data Email addresses on distribution list outside university Your personable identifiable information in public browser
Information Security Office Classification Operational/Eligible for Public Release ConfidentialRestricted DefinitionAvailable to employees for normal operational use. Available to the public based on appropriate request for disclosure of information. Information that the organization and its employees have a legal, regulatory, or social obligation to protect. Intended for use solely within defined groups in the organization Information intended solely for restricted use within the organization and is limited to those with an explicit, predetermined "need to know". Disclosure could result in severe personal or financial damage to individuals or the organization Examples General financial data Student directory data (non-opt out) Non-confidential personnel data Email addresses Employee ID Student ID Employee benefit information Student non- directory information SSN Passwords/PINS Credit card numbers Digitized signatures Encryption keys Medical Records Employee / Student / Research Subject University Data Classification Matrix 2
Information Security Office Regulatory Drivers and Other Drivers Arizona Law May opt out of using SSN as identifier Must disclose compromise of private information FERPA - Protect private student information HIPAA - Protect personal health information (PHI) GLBA - Protect “banking” transaction information SEVIS - Provide foreign student information DMCA - Protect copyrighted information SB1386 - Protects confidential information of ANY California resident when a computer-security breaches MAY have compromised it. Deployment of 802.11x Protects the security level of wire-less systems closer to that of wired ones. Arizona Law May opt out of using SSN as identifier Must disclose compromise of private information Regulatory and Other Drivers
Information Security Office Incident Response Planning responses for different violation scenarios in advance – without the burden of an actual event – is good practice. Know who to report any attempted security violation to – keep the number readily available Know what type of information to report (who, what, when, where) Timing is important – you need to be prepared to act quickly and accurately
Information Security Office SEC- -Y The key to security is embedded in the word security.
Information Security Office If not you, who? If not now, when?
Information Security Office University Information Security Office Bob Lancaster 4 University Information Security Officer 4 Co-Director – CCIT, Telecommunications 4 Lancaster@arizona.edu 4 621-4482 Security Incident Response Team (SIRT) 4 firstname.lastname@example.org 4 626-0100 Kelley Bogart 4 Information Security Office Analyst 4 Bogartk@u.arizona.edu 4 626-8232 http://security.arizona.edu