Presentation on theme: "Protecting Sensitive Data / Email Security Presented by:" (presentation transcript)

1 Protecting Sensitive Data / Email Security Presented by:

2 Who We Are
Qumulus Solutions provides organizations with access to the people, expertise, and technology needed to assist them with developing and reviewing their information security programs.

3 Jay Hochstetler, Chief Information Security Officer (CISO)
- Over 20 years of information security and IT experience
- Financial, Transportation, and IT sectors
- Indiana Executive Council on Cybersecurity (IECC)
- CISSP, CISM, ECSA, C|EH

Kyle Johnson, Director, Security Operations and Risk Management
- Former Information Security Officer for Indiana Tech
- IT Sector Chief for Indiana InfraGard
- CISSP, C|EH, GSEC, Security+, Cybersecurity Audit Certificate

4 Overview
- Financial Aid Departments in Higher Ed
- Why Information Security: Regulatory Compliance
- Sensitive Data and Responsibilities
- Departmental involvement and security measures
- Types of Information Security Controls

5 What is Sensitive Data / Personal Information?
- State of Indiana: first name (or initial) and last name AND credit card number, SSN, driver's license number (DL#), account number (password, security code)
- PII: any data that can be used to identify a specific individual. SSN, Tax ID, passport, account number, DL#, email, personal phone, personal property info, IP address, patient ID, login IDs, biometrics, geolocation, digital images, behavior data
- PHI: anything used in a medical context that can identify a patient

6 Importance of Safeguarding Information
Information Security is the practice of preventing unauthorized access, use, disclosure, disruption, modification, inspection, recording or destruction of information.
- Protects the organization's ability to function
- Enables safe operation of IT systems
- Protects the data the organization collects
- Safeguards the technology

7 Regulatory Requirements
- GLBA (Gramm-Leach-Bliley Act): applies to financial products or services. Develop and maintain an information security program/safeguards program, designate employee(s) with information security responsibilities, conduct risk assessments, perform due diligence on service providers.
- FERPA (Family Educational Rights and Privacy Act): requires the use of "reasonable methods" to safeguard student records.
- SAIG (Student Aid Internet Gateway) agreement: contains a clause stating the financial institution will protect all data and report any breach.
- Indiana Data Breach Law: requires organizations to report a data breach of "personal information" in a timely manner.
- Department of Education: must directly notify ED or face fines.

8 Who is responsible for Information Security?
- Board, Senior Management: oversight responsibility and overall responsibility
- Information Security Committee: setting security policies and reduction of identified risk
- Enterprise Risk Management (ERM): framework for organizational risk management
- IT department: keeping the lights on (security is not their primary focus); implements technical controls
- Information Security Department: evaluates risk and ensures the right amount of security; recommends security controls
- Audit: evaluates policies and security controls, recommends enhancements
- Departments/divisions: follow policies and security guidelines

9 But what can the department do?

10 Information Security Policies and Procedures
- Data Classification Program: what data is sensitive and where is it located?
- Disaster Recovery: this is an IT function; a BIA (business impact analysis) helps define backup frequency and recovery
- Incident Response: must understand what needs to be done BEFORE it happens
- Vendor Management: evaluate vendors for their handling of sensitive data
- Be involved and ask questions!

11 Traditional IT systems and applications VS systems not under the control of IT (cloud-based applications)
Access Control: controlling who has access to the application and how much
- Principle of least privilege
- Understand the application security parameters
- Review/audit users
- Multi-factor authentication

12 Administrator Access to Computer End Users
- Ideals of information freedom: free flow of data to share knowledge with all willing parties
- Communities of trust
- Many higher ed institutions still routinely grant admin rights to their users; IT staff are concerned that faculty and staff will push back against any strengthening of the policy

13 60% of institutions (respondents) allow faculty and staff to have admin privileges or an admin account

14 Administrator Access to Computer End Users
Providing administrator privileges to end users is bad practice. With admin rights a user (or malware running as that user) can:
- Run and install unapproved software
- Elevate privileges for malicious software
- Disable and modify security controls and software
- Clear or disable logging capabilities and audit trails
- Gain unauthorized access to information
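The "review/audit users" control from slide 11 and the admin-rights concern on this slide come together in a periodic privilege review. The script below is an added example, not part of the presentation: it reads a constructed account export and flags (a) end users who hold administrator group membership outside an IT-administrator role and (b) accounts with no sign-in in 90 days, ranking a dormant admin account highest. The group names, role names, threshold and sample records are all assumptions.

```python
"""Privilege and dormancy review over a constructed account export (added example)."""
from datetime import date

# Constructed sample records, shaped like a directory or endpoint-management export.
ACCOUNTS = [
    {"user": "jdoe",     "role": "financial_aid_counselor", "groups": ["Domain Users", "Administrators"], "last_login": "2024-05-01"},
    {"user": "asmith",   "role": "financial_aid_counselor", "groups": ["Domain Users"],                   "last_login": "2024-05-02"},
    {"user": "itadm1",   "role": "it_administrator",        "groups": ["Domain Users", "Domain Admins"],  "last_login": "2024-05-02"},
    {"user": "old_temp", "role": "financial_aid_counselor", "groups": ["Domain Users", "Administrators"], "last_login": "2023-11-15"},
]

ADMIN_GROUPS = {"Administrators", "Domain Admins"}   # assumed group names
ROLES_ALLOWED_ADMIN = {"it_administrator"}           # assumed: only IT staff may hold admin rights
DORMANT_DAYS = 90                                    # assumed review threshold


def review_accounts(accounts, today_iso):
    """Return (user, finding, severity) tuples, highest severity first.

    today_iso is the review date as 'YYYY-MM-DD'.
    """
    today = date.fromisoformat(today_iso)
    findings = []
    for acct in accounts:
        has_admin = bool(ADMIN_GROUPS & set(acct["groups"]))
        idle_days = (today - date.fromisoformat(acct["last_login"])).days
        dormant = idle_days > DORMANT_DAYS
        if has_admin and acct["role"] not in ROLES_ALLOWED_ADMIN:
            # A dormant admin account is the worst case: privileged and unwatched.
            findings.append((acct["user"], "admin_rights_outside_role",
                             "high" if dormant else "medium"))
        if dormant:
            findings.append((acct["user"], f"no_login_{idle_days}_days", "low"))
    order = {"high": 0, "medium": 1, "low": 2}
    return sorted(findings, key=lambda f: (order[f[2]], f[0]))


def users_to_remediate(accounts, today_iso):
    """Distinct users whose admin membership must be removed or formally justified."""
    return sorted({user for user, finding, _ in review_accounts(accounts, today_iso)
                   if finding == "admin_rights_outside_role"})


if __name__ == "__main__":
    for user, finding, severity in review_accounts(ACCOUNTS, "2024-05-10"):
        print(f"{severity:6} {user:10} {finding}")
```

Run against a real export, the output is the list a department head and IT review together; each remaining admin assignment should have a written business justification or be removed.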

15 Gap Analysis / Risk Assessment
- You don't know what you don't know
- FSA recommends using the NIST framework "Protecting Controlled Unclassified Information (CUI) in Nonfederal Information Systems and Organizations"
- Must be met by anyone who processes, stores, or transmits potentially sensitive information (CUI) for the DoD, GSA or other federal or state agencies

16 110 recommendations / requirements
NIST: 14 control families, 110 recommendations / requirements
- Access Control
- Awareness and Training
- Audit and Accountability
- Configuration Management
- Identification and Authentication
- Incident Response
- Maintenance
- Media Protection
- Physical Protection
- Personnel Security
- Risk Assessment
- Security Assessment
- System Protection
- System and Information Integrity

17 Importance of Having an Awareness Training Program
- Employees can be either the weakest or the strongest line of defense. What are YOU going to do to be the strongest?
- Educate yourselves and employees on phishing, identity theft, and data protection
- Reminder: GLBA requirement

18 Email Security
- Encrypt all outbound email containing sensitive information (SSNs, financial information, etc.)
- Spread the word about best practices
- The IT or security team may have the ability to be alerted on sensitive data in email
- Be cautious of all links and attachments
- Report any suspicious email to the IT or security team
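The alerting the slide mentions is usually a data-loss-prevention (DLP) rule on the mail gateway that scans outbound messages for sensitive-data patterns. The following is an added example, not the presentation's or any vendor's code: it detects SSNs and payment card numbers in a message body and returns the action the gateway should take. The validity checks matter for false positives: an SSN cannot begin with 000, 666 or 9xx and cannot have a 00 group or 0000 serial, and a card number must pass the Luhn checksum. Both sample messages are constructed.

```python
"""Outbound-mail sensitive-data check for SSNs and card numbers (added example)."""
import re

# SSN in the usual 3-2-4 form, rejecting the ranges SSA never issues.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# 13 to 19 digits, optionally separated by single spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum (ISO/IEC 7812-1) over a string of ASCII digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_ssns(text: str) -> list:
    return SSN_RE.findall(text)


def find_cards(text: str) -> list:
    """Digit strings that look like card numbers and pass Luhn."""
    cards = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            cards.append(digits)
    return cards


def classify_outbound(body: str) -> dict:
    """Gateway decision for one outbound message body.

    Counts only are returned so that the alert itself never re-transmits the data.
    """
    ssns, cards = find_ssns(body), find_cards(body)
    action = "encrypt_and_alert" if (ssns or cards) else "send"
    return {"ssn_count": len(ssns), "card_count": len(cards), "action": action}


# Constructed sample messages (the SSN and card number are well-known test values).
MSG_SENSITIVE = ("Per your request, the student's SSN is 123-45-6789 and the "
                 "card on file is 4111 1111 1111 1111.")
MSG_CLEAN = "Reference 000-12-3456 and tracking number 1234 5678 9012 3456 attached."

if __name__ == "__main__":
    for body in (MSG_SENSITIVE, MSG_CLEAN):
        print(classify_outbound(body))
```

In production this logic runs on the gateway, not on the user's workstation, and the alert carries the counts and sender, never the matched values themselves.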

19 How to Spot and Avoid Phishing
The 4 W's:
- Who? Do you know the sender?
- What? What is the subject of the email? Are they asking you to perform a task?
- When? Is there urgency in the message?
- Where? Where does the link or attachment take you?
Slow down. Read the entire message. Hover over the link without clicking it. Simply think about it. Does the message make sense?
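The same four questions can be asked of a message by a mail filter or a help-desk triage tool. This is an added example, not from the presentation: it turns each W into a check over a constructed email, with the "Where?" check doing programmatically what hovering does by hand, comparing the host shown in the link text against the host in the real href. The trusted sender domain, the word lists and both sample messages are assumptions.

```python
"""Four-W phishing triage over a constructed email (added example)."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

TRUSTED_SENDER_DOMAINS = {"example.edu"}  # assumption: the institution's own domain
ACTION_RE = re.compile(r"\b(log ?in|sign ?in|verify|confirm|reset|update your|click here)\b", re.I)
URGENCY_RE = re.compile(r"\b(urgent|immediately|within 24 hours|suspended|final notice)\b", re.I)
URL_LIKE_RE = re.compile(r"(https?://|www\.|\.(com|edu|org|net|gov)\b)", re.I)


class LinkCollector(HTMLParser):
    """Collects (href, visible text) for every <a> element in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url_or_text: str) -> str:
    """Host part of a URL, or of link text that looks like one."""
    s = url_or_text.strip()
    if "://" not in s:
        s = "http://" + s
    return (urlparse(s).hostname or "").lower()


def triage(msg: dict) -> list:
    """Return [(W, reason)] flags; an empty list means nothing stood out."""
    flags = []
    sender_domain = msg["from"].rsplit("@", 1)[-1].lower()
    if sender_domain not in TRUSTED_SENDER_DOMAINS:                     # Who?
        flags.append(("who", f"sender domain {sender_domain} is not a known domain"))
    plain = re.sub(r"<[^>]+>", " ", msg["html"])
    if ACTION_RE.search(msg["subject"] + " " + plain):                  # What?
        flags.append(("what", "message asks you to perform an action"))
    if URGENCY_RE.search(msg["subject"] + " " + plain):                 # When?
        flags.append(("when", "message uses urgency language"))
    collector = LinkCollector()
    collector.feed(msg["html"])
    for href, text in collector.links:                                  # Where?
        if URL_LIKE_RE.search(text) and host_of(text) != host_of(href):
            flags.append(("where", f"link text shows {host_of(text)} but goes to {host_of(href)}"))
    return flags


# Constructed sample messages.
PHISH = {
    "from": "financial-aid@example-edu-support.com",
    "subject": "Urgent: verify your account",
    "html": ('<p>Your aid record will be suspended. Log in at '
             '<a href="http://login.example-edu-support.com/x">https://portal.example.edu</a>'
             ' immediately.</p>'),
}
BENIGN = {
    "from": "aid@example.edu",
    "subject": "Office hours next week",
    "html": '<p>Walk-in hours are posted on the <a href="https://calendar.example.edu/aid">office calendar</a>.</p>',
}

if __name__ == "__main__":
    for name, msg in (("phish", PHISH), ("benign", BENIGN)):
        print(name, triage(msg))
```

A single flag is not proof of phishing (legitimate mail also says "log in"), which is why the slide's closing advice still applies: the flags tell the reader where to slow down and look.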


21 Passphrase Review
- Long, complex passphrases will help lower the risk of compromise
- Characters from a favorite book, TV show, song lyrics, etc.
- Use a different password for each account
- Password managers such as LastPass can help with this

22 Two-Factor Authentication
- Something you know + something you have/are: password + FaceID, password + text message/code
- Adds an extra layer of protection
- Enable it for all compatible accounts
- Google Authenticator, Duo, Microsoft Authenticator
- Twofactorauth.org

23 “We should strive to make cyberspace a safe place to live, work and raise a family."
-Dr. Eric Cole

24 THANK YOU Q & A
