
Best Practices for Data Protection and Cyber Security Thursday February 24, 2011 24 th Annual MIS Conference – Austin, TX Mark Hall.




1 Best Practices for Data Protection and Cyber Security – Thursday, February 24, 2011 – 24th Annual MIS Conference, Austin, TX – Mark Hall

2 Social Change…

3 Cyber attacks in the news...
“Hacked: Data breach costly for Ohio State, victims of compromised info - Breach affects 760,000 people, expected to cost university $4 million” – The Lantern, December 2010
“Hackers broke into the computer system at a New Jersey school district - gained access to student records system used by 160 schools across the state.” – Info Security, January 2011
“UC-Berkeley records hacked - thieves able to access social security numbers, health files dating back to 1999, over 160,000 records stolen” – San Jose Mercury News, May 2009

4 Agenda
- About PTAC
- Data Protection & Cyber Security Threats & Consequences
- National Focus
- Top Data Protection issues in Education’s Cyberspace
- Best Practices for Data Protection & Cyber Security
- PTAC Way-ahead for Cyber Security
- Questions

5 Privacy TA Center (PTAC) Mission
The Privacy TA Center is designed to provide states with:
- A set of tools, resources, and other opportunities for states to receive assistance with privacy, security, and confidentiality of student-level longitudinal data systems.
- A means for states to share their best practices, documents, and other relevant resources in the areas of privacy, security, and confidentiality.
- A focal point for queries and responses to the privacy-related needs of State Education Agencies (SEAs), Local Education Agencies (LEAs), and Institutions of Higher Education (IHEs) in a confidential, safe environment.
- A set of resources to promote compliance with FERPA and other best practices for ensuring the confidentiality and security of personally identifiable information.
http://nces.ed.gov/programs/Ptac/Home.aspx

6 Many ways to Protect Data
- Physical Security
- Policy (what, who, how)
- Access Controls
- Statistical Methods
- Cyber Security

7 Principles for Data Protection & Cyber Security
Data Protection Act 1998 – “eight enforceable principles of good practice”. Data must be:
- fairly and lawfully processed
- processed for limited purposes
- adequate, relevant and not excessive
- accurate
- not kept longer than necessary
- processed in accordance with the data subject's rights
- secure
- not transferred to other countries without adequate protection
Cyber Security Principles. Data should:
- be confidential
- maintain integrity
- be available
- be authenticated
Systems that process data should:
- be designed from the start with security in mind
- be resilient to attack
- be maintained regularly

8 Advanced & Persistent Cyber Threats & Consequences
Threats to your data: it’s happening, it’s focused, it’s sophisticated. Data at risk:
- Social Security Numbers / Identity
- Education Records
- Employee Data
- Financial Records
- Disciplinary Actions
- Internal Memos
- Medical Information
- Personal Documents

9 Anatomy of a Cyber Attack: “Night Dragon” Case Study

10 Cyberspace (2008): The interdependent network of information technology infrastructures, and includes the Internet, telecommunications networks, computer systems, and embedded processors and controllers in critical industries. Common usage of the term also refers to the virtual environment of information and interactions between people. – US National Security Presidential Directive 54 / Homeland Security Presidential Directive 23 (NSPD-54/HSPD-23)
“It's now clear this cyber threat is one of the most serious economic and national security challenges we face as a nation.” – President Barack Obama, May 2009

11 Cybersecurity – A National Focus
NSPD-54/HSPD-23:
- Establish front line defense
- Defend against full spectrum of threats
- Strengthen future cybersecurity environment
Leading from the Top:
- Building Capacity for a Digital Nation
- Sharing Responsibility
- Information Sharing / Incident Response
- Encouraging Innovation
http://www.whitehouse.gov/administration/eop/nsc/cybersecurity
CNCI – Comprehensive National Cyber Initiative; 60-Day Cyberspace Policy Review; Awareness Month

12 StaySafeOnline.org

13 Top Data Protection issues in Education’s Cyberspace
Protecting Personally Identifiable Information (PII):
- As we strive towards a “digital nation”, exposure to risk increases
- More records online & accessible
- Identity Theft (10% children)
Keeping pace with Network & Systems Security:
- Protective measures are outpaced by the “bad guy”
- Traditional “whack-a-mole” patching doesn’t work anymore
Maintaining the foundation of Strategy, Policy & Governance:
- Training, Education & Awareness is key
- Cloud computing complicates traditional architecture approaches

14 Best Practices

15 Best Practices – Cyber Security & PII
According to the Open Security Foundation, the government sector (e.g. federal, state, and local) was accountable for 21 percent of all data breaches in 2009. This is not surprising, as government agencies maintain a wealth of information, including personally identifiable information (PII), on millions of employees and citizens. (Source: RSA)

16 Best Practices – NIST Selected PII Security Controls
- Access Enforcement (ACLs, RBAC, encryption)
- Separation of Duties
- Least Privilege (read, write, edit)
- Remote Access (limit or deny)
- Access Control for Mobile Devices (deny or limit)
- Auditable Events and Audit Reviews (policy that monitors certain events)
- Identification and Authentication
- Media Access, Marking, Storage, Transport, and Sanitization
- Transmission Confidentiality (encryption)
- Protection of Information at Rest
- Information System Monitoring (automated tools to detect suspicious transfers)
Source: NIST Special Publication 800-122, Guide to Protecting the Confidentiality of Personally Identifiable Information
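To make several of the controls on this slide concrete, here is an added example (not from the presentation, and not code from NIST SP 800-122 or PTAC) that models role-based access enforcement, least privilege, separation of duties, auditable events and automated monitoring of suspicious transfers over a handful of constructed student records. The roles (teacher, registrar, auditor), the record fields, the conflicting-role pair and the monitoring thresholds are all assumptions chosen for illustration.

```python
"""Added example: a toy model of selected NIST SP 800-122 PII controls.
Roles, fields, conflicting-role pairs and thresholds are assumed values."""

from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed sample records; only "name" and "ssn" are treated as PII here.
RECORDS = {
    "S1001": {"name": "A. Student", "ssn": "000-00-0001", "grade": "B"},
    "S1002": {"name": "B. Student", "ssn": "000-00-0002", "grade": "A"},
    "S1003": {"name": "C. Student", "ssn": "000-00-0003", "grade": "C"},
}
PII_FIELDS = {"name", "ssn"}

# Least privilege: each (assumed) role gets only the (action, field) rights its job needs.
ROLE_PERMISSIONS = {
    "teacher": {("read", "name"), ("read", "grade"), ("write", "grade")},
    "registrar": {("read", "name"), ("read", "ssn"), ("write", "name"), ("write", "ssn")},
    "auditor": {("read", "audit_log")},
}

# Separation of duties: role combinations one account must never hold (assumed pair).
CONFLICTING_ROLES = {frozenset({"registrar", "auditor"})}


def separation_of_duties_ok(roles):
    """True when no conflicting role pair is fully contained in `roles`."""
    return not any(pair <= set(roles) for pair in CONFLICTING_ROLES)


@dataclass
class AuditEvent:
    when: datetime
    user: str
    action: str
    record_id: str
    field: str
    allowed: bool


@dataclass
class AccessControl:
    user_roles: dict                      # user -> set of role names
    audit_log: list = field(default_factory=list)

    def assign_roles(self, user, roles):
        """Reject role assignments that violate separation of duties."""
        if not separation_of_duties_ok(roles):
            raise ValueError(f"separation of duties violated for {user}: {sorted(roles)}")
        self.user_roles[user] = set(roles)

    def is_permitted(self, user, action, fld):
        """RBAC decision: permitted if any of the user's roles carries the right."""
        return any((action, fld) in ROLE_PERMISSIONS.get(r, set())
                   for r in self.user_roles.get(user, set()))

    def access(self, user, action, record_id, fld, when, value=None):
        """Enforce the decision and record an auditable event for every attempt."""
        allowed = self.is_permitted(user, action, fld) and record_id in RECORDS
        self.audit_log.append(AuditEvent(when, user, action, record_id, fld, allowed))
        if not allowed:
            return None
        if action == "write":
            RECORDS[record_id][fld] = value
        return RECORDS[record_id][fld]


def suspicious_pii_readers(audit_log, window=timedelta(minutes=5), threshold=2):
    """Automated monitoring: flag users who read PII from more than `threshold`
    distinct records inside any `window` (both values are assumed thresholds)."""
    by_user = {}
    for ev in audit_log:
        if ev.allowed and ev.action == "read" and ev.field in PII_FIELDS:
            by_user.setdefault(ev.user, []).append(ev)
    flagged = set()
    for user, events in by_user.items():
        events.sort(key=lambda e: e.when)
        for i, start in enumerate(events):
            recent = {e.record_id for e in events[i:] if e.when - start.when <= window}
            if len(recent) > threshold:
                flagged.add(user)
                break
    return flagged


def demo():
    """Run the controls over the constructed data and return what happened."""
    ac = AccessControl(user_roles={})
    ac.assign_roles("alice", {"teacher"})
    ac.assign_roles("bob", {"registrar"})
    t0 = datetime(2011, 2, 24, 9, 0)
    # A teacher may read a grade but not an SSN; the denied attempt is still audited.
    grade = ac.access("alice", "read", "S1001", "grade", t0)
    ssn = ac.access("alice", "read", "S1001", "ssn", t0)
    # The registrar is entitled to SSNs, but pulling every record in seconds is a
    # bulk-transfer pattern the monitoring rule flags for audit review.
    for i, rid in enumerate(RECORDS):
        ac.access("bob", "read", rid, "ssn", t0 + timedelta(seconds=10 * i))
    return grade, ssn, suspicious_pii_readers(ac.audit_log), len(ac.audit_log)


if __name__ == "__main__":
    print(demo())
```

The point of the monitoring rule is that it catches misuse the access-control decision alone cannot: bob's reads are all individually authorized, so only the audit trail plus an automated review over it surfaces the unusual volume.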

17 Best Practices – Multi-Factor Authentication
An MFA solution should:
1. Be reliable, scalable, and available
2. Be compatible and interoperable with your technology and policy
3. Seamlessly integrate with existing architectures and infrastructure
4. Support web applications and not require client-side software
5. Be compliant with NIST, FIPS and other federal standards
6. Be based on mature technology and be commercially available with a broad installed market base
If you have remote access users, MFA should be a high-priority capability.

18 Social Networking Sites: Are you protected?
[Diagram: malware infects a user on a social network site (e.g. Twitter, Facebook, Match.com) → Internet-facing application → Student Data]

19 Not connected to the internet? Removable Media
[Diagram labels: Policy, user training and monitoring; Identity]

20 Best Practices – Network & System Security
http://www.staysafeonline.org/for-business/best-practices
- Use a firewall. A well-configured firewall keeps criminals out and sensitive data in.
- Install and maintain anti-virus software. Computer viruses can steal and corrupt your privacy data. Install good anti-virus software on all your computers, and make sure it stays up to date.
- Install and maintain anti-spyware software. Like viruses, spyware can compromise privacy data. If kept up to date, a good anti-spyware program will protect you from most of it.
- Use spam filters. Spam can carry malicious software and phishing scams, some aimed directly at a state agency or school. A good spam filter will block most of it and will make your email system safer and easier to use.
- Updates to your operating system and custom software often close serious security gaps. Set your software to auto-update, or make sure to download and install the updates yourself regularly.

21 Best Practices – Governance and Policy
Governance:
- Do you have a Chief Information Security Officer (CISO)?
- Do the data collection experts work closely with the data protection organization?
- Do you have a strategy to address cyber security threats?
- Do you rely solely on audits to discover vulnerabilities?
- Do you have an independent third party to assist your team?
- Do you have security training? (mandatory, yearly)
Policy:
- Do you have the right security policies?
- Are they updated as new applications or technology are implemented?
- Are they enforced? (accountability)
- Is policy used in lieu of investing in technology?

22 PTAC
http://nces.ed.gov/programs/Ptac/Home.aspx
The Privacy Technical Assistance Center is your “one-stop shop”:
- frequently asked questions
- links to useful online resources
- training materials for data administrators and data users
- regional meetings and lessons-learned forums for education stakeholders
- site visits to state and local education agencies
- a help desk to respond to inquiries
- an extension of your LDS team

23 Effective Cyber Security Management will:
- Meet privacy/data protection requirements
- Ensure the integrity of stored data
- Prevent data manipulation, re-identification, and unauthorized access
- Save money through reduced incidents
PTAC can help you prioritize capabilities.

24 PTAC Cyber Security Proposed Tasks
- Website Document: List of best practices resources
- Issue Brief: Effective response to security audits
- Website Document: Best practices for securing State LDS

25 PTAC Cyber Security Proposed Tasks
- Webinar on best practices for responding to a breach of individual privacy in an education organization, including how to minimize harm, identify faulty practices and technologies, develop and implement improved practices and technologies, and document lessons learned from the experience.

26 PTAC Cyber Security Proposed Tasks
- Issue Brief: Outline the threats against education institutions and consequences of stolen privacy data
- PowerPoint presentation: Covering the issue brief around threats to education institutions and consequences of stolen data
We would like your ideas and thoughts on cyber security topics that would be helpful to you!

27 Questions? http://nces.ed.gov/programs/Ptac/Home.aspx
