Presentation is loading. Please wait.

Presentation is loading. Please wait.

Peeling Back the Layers of an Ogre (or for those who like boring titles – Where is Our Confidential Data Hiding?) Harvard Townsend IT Security Officer.

Published byHope Melton Modified over 9 years ago

Similar presentations

Presentation on theme: "Peeling Back the Layers of an Ogre (or for those who like boring titles – Where is Our Confidential Data Hiding?) Harvard Townsend IT Security Officer."— Presentation transcript:

1 Peeling Back the Layers of an Ogre (or for those who like boring titles – Where is Our Confidential Data Hiding?) Harvard Townsend IT Security Officer harv@ksu.edu October 31, 2007

2 2 Agenda Why should we care? What should we care about? What are the threats? What can we do about it?

3 3 Why Should We Care? 167,706,372 and counting… … the approximate number of records with personal identity information compromised due to security breaches since January 2005 www.privacyrights.org/ar/ChronDataBreaches.htm www.privacyrights.org/ar/ChronDataBreaches.htm In 2006, 3 million college students possible victims of identity theft (CDW-G study) Identity theft is the fastest growing crime

4 4 Why Should We Care? Handling a breach very expensive

5 5 Why Should We Care? Damage to institution’s reputation

6 6 Why Should We Care? Your reputation or job may be on the line

7 7 Why Should We Care? It is the law:  SB 196 Kansas Security Breach Law Protects personal identity information Mandates prompt investigation and notification  FERPA (student records)  HIPAA (medical records)  GLB (financial records)  ECPA (electronic communications)  Federal Rules of Civil Procedure (e-Discovery)

8 8 Because Visa Said So Payment Card Industry Data Security Standards (PCI DSS) Version 1.1 published in Sept. 2006 www.pcisecuritystandards.org “PCI DSS requirements are applicable if a Primary Account Number (PAN) is stored, processed, or transmitted.” Do you know who is handling credit card info on campus and how they are doing it?

9 9 Credit Cards@K-State I’m not putting this info in the PowerPoint presentation!!

10 What Should We Care About? All data needs protection Particularly interested in confidential data  Highly sensitive data that can only be disclosed to individuals with explicit authorization  Protection required by law (FERPA, HIPAA)  Unauthorized disclosure harmful or catastrophic to individual, group, or institution  Examples: SSN. Credit card info, student grades, medical records 10

11 What Are the Threats? Ignorance Theft – external and internal Inadvertent disclosure Improper disposal Highly distributed IT services Backups Catastrophic failure or other disaster Mobility – laptops, wireless, USB thumb drives, SmartPhones 11

12 12 Fear Laptops!

13 13 What Can We Do About It? Know your data!  Its value  Its classification  Its location (of every copy)  Who is responsible for it  Who has access to it  The threats to it

14 14 What Can We Do About It? “Data Classification and Security Policy and Standards”  Classify data based on sensitivity  Specify security requirements for each classification  Define roles and responsibilities

15 15 Policy “All University Data must be classified according to the K-State Data Classification Schema and protected according to K-State Data Security Standards. Exceptions must be approved in writing by the Chief Data Stewards and the Vice Provost for IT Services.”

16 16 Data Classification Schema 4 categories:  Public  Internal  Confidential  Proprietary

17 17 Data Security Standards Access Controls Copying/Printing Network Security System Security Physical Security Remote Access Storage Transmission Backup/DR Media Sanitization Training Audit Schedule

18 Implementation Strategy 18 Focus on confidential data first  SSNs  Credit cards Serve as guideline for other data Eventually require classification of all data

19 Where is the data located? You would be surprised! Tools to help  “Spider” from Cornell http://www.cit.cornell.edu/security/tools/http://www.cit.cornell.edu/security/tools/  Sensitive Number Finder (SENF) from UT-Austin https://source.its.utexas.edu/groups/its-iso/projects/senf  Not ready for your average user 19

20 Where is the data located? Gradebooks, esp. old spreadsheets Course web pages Homework assignments Exams Travel authorization forms Applications for admission Personnel papers E-mail Backup tapes, CDs, floppies, USB drives Where have you found confidential data? 20

21 21 What Can We Do About It? Delete unnecessary copies Make sure it’s gone when deleted Know how to protect it  K-State Data Security Standards  K-State SSN Policy  PCI DSS for credit cards  K-State Mobile Device Security Guidelines  Encryption

22 What Can We Do About It? SSNs K-State Policy on “Collection, Use and Protection of Social Security Numbers” “Use of the SSN as an identifier will be discontinued, except where authorized for employment, IRS reporting, federal student financial aid processing, state and federal reporting requirements, and a limited number of other business transactions.” 22

23 What Can We Do About It? SSNs Appendix A lists approved uses:  Employment  Application and receipt of financial aid  Tuition remission  Benefits administration  Insurance  IRS reporting  Student information exchange (transcripts) 23

24 What Can We Do About It? SSNs Start transitioning to use of the Wildcat ID (WID)  iSIS a key component to this transition  Also the People Database  Departments are moving in that direction Where are the SSNs in your department?  Run Spider from Cornell to find them 24

25 What Can We Do About It? Credit Cards Must comply with the Payment Card Industry Data Security Standards (PCI DSS) no matter the merchant level (we’re level 2) Are strong requirements  12 major requirements in 6 categories  238 individual controls  Annual self-assessment questionnaire  Quarterly network security scan by an “approved scanning vendor” 25

26 What Can We Do About It? Credit Cards The plan  Internal Audit documented campus practices  Working group formed to develop strategy  Use central service or comply with DSS See http://www.pcisecuritystandards.org for more informationhttp://www.pcisecuritystandards.org  Data Security Standard v1.1  Self-assessment questionnaire  Network scanning procedure  Security audit procedure 26

27 What Can We Do About It? Mobility Don’t store confidential data on mobile devices! Mobile device security guidelines http://www.k-state.edu/infotech/security/mobile.html 27

28 What Can We Do About It? Encryption Stored data  Software encryption  Hardware encryption Transmitted data SIRT team working on a software recommendation  Laptops  Removable devices 28

29 What’s on your mind?

Download ppt "Peeling Back the Layers of an Ogre (or for those who like boring titles – Where is Our Confidential Data Hiding?) Harvard Townsend IT Security Officer."

Similar presentations

Surviving the PCI Self -Assessment James Placer, CISSP West Michigan Cisco Users Group Leadership Board.

Surviving the PCI Self -Assessment James Placer, CISSP West Michigan Cisco Users Group Leadership Board.
Darton College Information Systems Use Policies. Introduction Dartons Information Systems are critical resources. The Information Systems Use Policies.

Darton College Information Systems Use Policies. Introduction Dartons Information Systems are critical resources. The Information Systems Use Policies.
ANNUAL SECURITY AWARENESS TRAINING – 2011 UMW Information Technology Security Program Annual Security Awareness Training for UMW Faculty and Staff.

ANNUAL SECURITY AWARENESS TRAINING – 2011 UMW Information Technology Security Program Annual Security Awareness Training for UMW Faculty and Staff.
INADEQUATE SECURITY POLICIES Each covered entity and business associate must have written polices that cover all the Required and Addressable HIPAA standards.

INADEQUATE SECURITY POLICIES Each covered entity and business associate must have written polices that cover all the Required and Addressable HIPAA standards.
University Data Classification Table* Level 5Level 4 Information that would cause severe harm to individuals or the University if disclosed. Level 5 information.

University Data Classification Table* Level 5Level 4 Information that would cause severe harm to individuals or the University if disclosed. Level 5 information.
Gaucho Round-Up FAQ’s This presentation covers some of the FAQ’s about campus clean-up day. Presentation #4 2/3/2015 1.

Gaucho Round-Up FAQ’s This presentation covers some of the FAQ’s about campus clean-up day. Presentation #4 2/3/
HIPAA Privacy Training. 2 HIPAA Background Health Insurance Portability and Accountability Act of 1996 Copyright 2010 MHM Resources LLC.

HIPAA Privacy Training. 2 HIPAA Background Health Insurance Portability and Accountability Act of 1996 Copyright 2010 MHM Resources LLC.
HIPAA Privacy Training Your Name Here. © 2004 MHM Resources Inc.2 HIPAA Background Health Insurance Portability and Accountability Act of 1996.

HIPAA Privacy Training Your Name Here. © 2004 MHM Resources Inc.2 HIPAA Background Health Insurance Portability and Accountability Act of 1996.
Springfield Technical Community College Security Awareness Training.

Springfield Technical Community College Security Awareness Training.
A dialogue with FMUG: Sensitive Data & Filemaker MIT Policy and Data Classifications ** DRAFT ** Guidelines Feedback and Discussion Tim McGovern 2 June.

A dialogue with FMUG: Sensitive Data & Filemaker MIT Policy and Data Classifications ** DRAFT ** Guidelines Feedback and Discussion Tim McGovern 2 June.
JEFF WILLIAMS INFORMATION SECURITY OFFICER CALIFORNIA STATE UNIVERSITY, SACRAMENTO Payment Card Industry Data Security Standard (PCI DSS) Compliance.

JEFF WILLIAMS INFORMATION SECURITY OFFICER CALIFORNIA STATE UNIVERSITY, SACRAMENTO Payment Card Industry Data Security Standard (PCI DSS) Compliance.
Oct 4, 2006Dept Security Contacts Training1 Managing Sensitive Data Harvard Townsend Interim University IT Security Officer 532-2985 College.

Oct 4, 2006Dept Security Contacts Training1 Managing Sensitive Data Harvard Townsend Interim University IT Security Officer College.
FAIR AND ACCURATE CREDIT TRANSACTIONS ACT (FACTA)- RED FLAG RULES University of Washington Red Flag Rules Protecting Against Identity Fraud.

FAIR AND ACCURATE CREDIT TRANSACTIONS ACT (FACTA)- RED FLAG RULES University of Washington Red Flag Rules Protecting Against Identity Fraud.
Securing NPI Mary Schuster Mike Murphy.  Gramm-Leach-Bliley Act Enacted to control the ways that financial institutions deal with the private information.

Securing NPI Mary Schuster Mike Murphy.  Gramm-Leach-Bliley Act Enacted to control the ways that financial institutions deal with the private information.
Information Security Awareness April 13, 2003. Motivation Recent federal and state regulations and guidance Recent federal and state regulations and guidance.

Information Security Awareness April 13, Motivation Recent federal and state regulations and guidance Recent federal and state regulations and guidance.
Data Ownership Responsibilities & Procedures

Data Ownership Responsibilities & Procedures
Lecture Outline 10 INFORMATION SYSTEMS SECURITY. Two types of auditors External auditor: The primary mission of the external auditors is to provide an.

Lecture Outline 10 INFORMATION SYSTEMS SECURITY. Two types of auditors External auditor: The primary mission of the external auditors is to provide an.
Allison Dolan Program Director, Protecting PII Handling Sensitive Data - WISP and PIRN.

Allison Dolan Program Director, Protecting PII Handling Sensitive Data - WISP and PIRN.
Data Security Standard. What Is PCI ? Who Does It Apply To ? Who Is Involved With the Compliance Process ? How We Can Stay Compliant ?

Data Security Standard. What Is PCI ? Who Does It Apply To ? Who Is Involved With the Compliance Process ? How We Can Stay Compliant ?
Data Classification & Privacy Inventory Workshop

Data Classification & Privacy Inventory Workshop

Similar presentations

Ads by Google