IT Security Challenges In Higher Education Steve Schuster Cornell University

Questions I’d like to Answer ► Why do we care about IT security? ► What are some of our universities biggest challenges? ► What can universities do to address these challenges?

Why Do We Care? ► Current federal and state law  Family Educational Rights and Privacy Act (FERPA)  Health Insurance Portability and Accountability Act (HIPAA)  Gramm-Leach-Bliley Act (GLBA)  Compromise notification laws ► 12 states ► NYS Breech of Security Bill -- December, 2005

Why Do We Care? ► Growing social expectations due to rise in identity theft awareness ► Reputational concerns ► Growing possibility for lawsuits

Why Do We Care? ► NY State Breech of Security Bill  Personally identifiable information ► Social security number ► Drivers license number ► Account number of credit/debit card with pin  Must notify if data was “reasonably believed to have been acquired by a person without valid authorization“  Notification ► Personal ► If NY resident  NYS Attorney General – Internet Bureau  NYS Attorney General – The Capitol  NYS Consumer Protection Board  NYS Office of Cyber Security and Critical Infrastructure Protection  Consequences of Non-compliance ► NYS can sue for damages on behave of individual ► Civil suites up to $150,000

Why Do We Care? ► First half of this year had 72 reported compromises  Education – 37  Business – 23  Government – 7  Healthcare – 5 ► Causes of the compromises  Hacking – 40  Stolen property – 16  Lost property – 6  Insider – 5  Fraud/social engineering – 2  – 1  Web – 1

Why Do We Care?

Our Biggest Challenges ► Not ending up on the front page of the NY Times ► Changing/emerging law ► Growing social expectations and requirements ► General “openness” of universities can make us an easier target ► Creating a common understanding about what data needs to be protected ► Complexity due to decentralized IT support complicates the identification of critical or sensitive resources/data ► Timely and accurate response to security incidents ► Institutional-level questions are difficult to get answered

Challenge: Not ending up on the front page of the NY Times ► Response  A combination of everything we do  Pray

Challenge: Changing/Emerging Law ► Response  Make friends with University Counsel  Develop a clear understanding and communicate what data needs to be protected  Periodic security awareness for at least those handling regulated data  Never miss a “learning” opportunity ► User/department notification  Make sure policy reflects current requirements ► Data Security/Management policy

Challenge: Growing Social Expectations and Requirements ► Response  Prepare your legal defense now ► Participate in internal and external audits ► Show consistent improvements ► Work to establish at least state-of-the-practice security technology, processes and procedures ► Develop analysis and incident handling standards and practices

Challenge: University “Openness” ► Response  Implement a security strategy that meets the business needs of the unit  Build trust and understanding across the community  Rise to the challenge ► Protected infrastructures DO NOT hinder research

Challenge: Understanding What Data Needs to be Protected ► Response  Data categories can help ► Regulated, Confidential and Public  Map specific data elements into each category  Work toward the identification of all IT resources that house each category  Communicate ► Awareness ► Policy ► “Educational” opportunities  The Audit Office can certainly help here

Challenge: Complexity Due to Decentralization ► Response  Building and maintaining trust is not an option  Establish best practices and strong recommendations  Gain the support of the University Audit Office  Support university-wide outreach ► IT Security Council ► Monthly Security Special Interest Group (SIG)

Challenge: Timely and accurate response to security incidents ► Response  Develop processes and procedures in advance  Ensure the procedures are universally available  Provide response training to local units  Ensure the central IT Security Office is involved with the incident  Automate as much of the response process as possible  Establish a Data Loss Response Team

Challenge: Answering Institutional Questions ► Response  Do not ask abstract questions  Work real world situations requiring action and decisions  Create a Data Loss Response Team

Responding to Incidents ► Clearly distinguish between IT security and data security ► Data Loss Response Team  Established to ensure the university responds appropriately  Members ► University AuditUniversity Counsel ► Public RelationsVP of IT ► Risk ManagementUniversity Police ► Data StewardsLocal Unit  Two meetings of this team per incident ► First meeting establishes understanding of incident and provides specific direction ► Second meeting weighs evidence and determines appropriate actions

Responding to Incidents ► Data Loss Response Team benefits  Helps answer tough questions for the university  Provides a balanced and effective decision making process  Helps establish minimum standards for analysis  Weighs in on established practices and procedures  Establishes a more thorough understanding of IT security challenges

Questions?