Session # 48 Security on Your Campus: How to Protect Privacy Information Robert Ingwalson.

Slide 1: Session #48, Security on Your Campus: How to Protect Privacy Information. Presenter: Robert Ingwalson


Slide 3: We Implement Security Based on Cost vs. Risk

Slide 4: Protecting personal information is Everybody's Job!
  Personally Identifiable Information (PII): information about an individual, including but not limited to education, employment, financial transactions, medical history, and criminal background information, which can be used to distinguish or trace an individual's identity, such as their name, social security number, date and place of birth, mother's maiden name, biometric records, etc., including any other personal information that can be linked to an individual.
  Don't become a headline!

Slide 5: Protecting Personally Identifiable Information (agenda)
  – In the Office
  – On the System
  – Data Transfers
  – Remote Users
  – Assess Your Security

Slide 6: In the Office
  – Document handling and storage
  – Phones and faxes
  – Land shipments
  – Physical office security
  – Personnel security
  – Policy and training

Slide 7: In the Office
  – Document handling and storage
      – Limit printing of PII
      – Clean desk
      – Sensitivity identification
      – Shredding
      – Monitoring
      – Secure storage

Slide 8: In the Office
  – Phones
      – Limit PII conversations
      – Don't leave PII voicemails
      – Prevent listeners
  – Faxes
      – Limit faxing of PII
      – Confirm the fax number
      – Two-way communication before sending and upon receipt
      – Monitor the fax
      – Safeguard the document

Slide 9: In the Office
  – Land shipments
      – Limit shipments of PII
      – Encrypt sent media
      – Double package
      – Send by a reputable shipping agent
      – Include a manifest inside the package
      – Communicate the shipment with the receiver

Slide 10: In the Office
  – Physical office security
      – Staffed reception counter
      – After hours?
          – Card/key access
          – Change combinations and keys
          – Logs
      – Added security
          – Cameras
          – Entry and exit checks

Slide 11: In the Office
  – Personnel security
      – Know who should be there
          – Challenge others
      – Personnel background checks
          – Criminal
          – Employment history
          – Credit
      – Train shortly after employment begins, then refresh periodically


Slide 13: In the Office
  – Policy and training
      – Policy provides the basis for controls and a roadmap to follow
      – Based on requirements and good practice
      – Individuals need training on policy; include it in personnel training

Slide 14: On the System (Defense in Depth)
  – Policy
  – Personnel security
  – Physical security
  – Network security
  – Host-based security
  – Application security
  www.macroview.com/solutions/infosecurity/

Slide 15: On the System
  – Policy
      – Technical, managerial, and operational control requirements
      – Tells what needs to be done, not how
          – Procedures provide the road maps for how to comply with policy
      – Covers all other aspects of security
          – Personnel
          – Physical
          – Network security
          – Host-based security
          – Application security

Slide 16: On the System
  – Personnel security: the same as in the office
      – Know who should be there
          – Challenge others
      – Personnel background checks
          – Criminal
          – Employment history
          – Credit
      – Train shortly after employment begins, then refresh periodically

Slide 17: On the System
  – Physical security
      – Includes environmental security
      – Access control
          – Badges / keycards
          – Access lists and entry logs
          – Escorted access
          – Higher level of control for some areas
          – Metal detectors and scanners
      – Backup power
      – Cameras

Slide 18: On the System
  – Network security
      – Firewalls
      – NIDS (Network Intrusion Detection System)
      – Auditing
      – IPS (Intrusion Prevention System)
      – Honeypots

Slide 19: On the System
  – Host-based security
      – Configuration compliance
      – Internal firewalls
      – Access control
      – HIDS (Host-Based Intrusion Detection System)
      – Anti-virus and anti-spyware
      – Patch management
      – Logging

Slide 20: On the System
  – Application security
      – Develop an application security plan
      – Test for known vulnerabilities prior to implementation
      – Authorize access
      – Rules of behavior
      – Secure web interface
      – Limit PII entries and displays

Slide 21: Data Transfers
  – Electronic file transfers
  – Tapes and CDs
  – Thumb drives
  – Email
  – *Laptops

Slide 22: Data Transfers
  – Encryption
      – Encrypt with strong algorithms
          – AES (Advanced Encryption Standard) or Triple DES (Data Encryption Standard)
          – Use a large key length, 256 or greater
          – If passwords are used, make them strong
              – Complex, with a mixture of numbers, upper- and lower-case alpha characters, and special characters
              – 8-12 characters in length
              – No dictionary words or names
              – Send separately from the data transfer
              – Mask entry

Slide 23: Remote Users
  – Two types of remote users: students and staff
  – Problem
      – Work from personal or public PCs and laptops
      – Data downloads need to be monitored
      – Infected with viruses and spyware
      – Open to phishing and pharming
      – *Subject to keylogger attacks
  – Resolution
      – Limit PII displayed or entered on the screen
      – Employ two-factor authentication for application access
      – Provide web site notices
      – Offer assistance

Slide 24: Remote Users
  – Keylogger attacks
      – What are keyloggers?
      – Why are we singling this threat out?
      – What can be done about the keylogger threat?
          – Limit the amount of PII entered or displayed on the web site.
          – Make sure that user passwords are changed frequently.
          – Limit privileged users' remote access.
          – Use two-factor authentication.
          – Include warning banners on your web sites that provide a warning and instructions for prevention.
          – Let users know not to use computers with unknown security. Cyber cafes and other publicly accessible computers should be avoided when accessing PII.
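
Two-factor authentication is the control this slide and the previous one put forward against keyloggers. As an added example that is not from the presentation, the following Go program implements the server side of a time-based one-time-password second factor (RFC 6238 TOTP, built on RFC 4226 HOTP), enrolled with the RFC 4226 test secret as a constructed sample. The point for the keylogger case lies in Enrollment.Verify: a captured password alone is not enough, and a captured code is accepted at most once and only within one 30-second step either side of the server clock (that one-step skew window and the replay tracking by last accepted counter are design choices of mine, not something the slide specifies).

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/subtle"
	"fmt"
	"time"
)

const (
	step   = 30 * time.Second // RFC 6238 default time step
	window = 1                // accept one step of clock skew either side (assumption)
)

// hotp is RFC 4226: HMAC-SHA1 over the big-endian counter, dynamic truncation, six digits.
func hotp(secret []byte, counter uint64) string {
	mac := hmac.New(sha1.New, secret)
	var msg [8]byte
	for i := 7; i >= 0; i-- {
		msg[i] = byte(counter)
		counter >>= 8
	}
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	off := int(sum[len(sum)-1] & 0x0f)
	code := (uint32(sum[off])&0x7f)<<24 | uint32(sum[off+1])<<16 | uint32(sum[off+2])<<8 | uint32(sum[off+3])
	return fmt.Sprintf("%06d", code%1000000)
}

// counterAt is RFC 6238: the number of whole time steps since the Unix epoch.
func counterAt(t time.Time) uint64 { return uint64(t.Unix()) / uint64(step/time.Second) }

// TOTP returns the code the user's authenticator app would show at time t.
func TOTP(secret []byte, t time.Time) string { return hotp(secret, counterAt(t)) }

// Enrollment is the server-side state for one user's second factor.
type Enrollment struct {
	Secret      []byte
	lastCounter uint64 // highest counter already accepted; blocks replay of a captured code
}

// Verify accepts a code for the current step or one step either side, and each counter only once,
// so a code captured by a keylogger is useless after its first use or after about a minute.
func (e *Enrollment) Verify(code string, now time.Time) bool {
	c := counterAt(now)
	for d := int64(-window); d <= window; d++ {
		n := int64(c) + d
		if n < 0 || uint64(n) <= e.lastCounter {
			continue // before the epoch, or already used (or older than one already used)
		}
		cand := uint64(n)
		if subtle.ConstantTimeCompare([]byte(hotp(e.Secret, cand)), []byte(code)) == 1 {
			e.lastCounter = cand
			return true
		}
	}
	return false
}

func main() {
	// Constructed enrollment using the RFC 4226 test secret; at t=59 the code is 287082.
	e := &Enrollment{Secret: []byte("12345678901234567890")}
	now := time.Unix(59, 0)
	code := TOTP(e.Secret, now)
	fmt.Println("code:", code, "first use:", e.Verify(code, now), "replay:", e.Verify(code, now))
}
```

Verification runs only after the password check has passed, and the enrollment secret never leaves the server, so nothing a keylogger records on the remote PC lets the attacker log in later. The counter-based replay check also means the same code cannot be submitted twice within its validity window, which is the case the slide's "passwords changed frequently" advice does not cover on its own.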

Slide 25: Assess Your Security
  – Identify data sensitivities for CIA (confidentiality, integrity, availability)
  – Identify likelihood
      – Likelihood = threat * motivation
  – Identify security risks
      – Risk level = impact * likelihood
      – Controls = level of risk
  – Identify test methods based on risk level
      – Documentation reviews
      – Interviews
      – Observations
      – Technical tests (network, OS and application scans, log reviews, penetration testing, password cracking)
  – Use baseline security requirements
  – Complete testing and identify weaknesses / unmitigated vulnerabilities
  – Create a remediation plan

Slide 26: Protecting personal information is Everybody's Job!
  Personally Identifiable Information (PII): information about an individual, including but not limited to education, employment, financial transactions, medical history, and criminal background information, which can be used to distinguish or trace an individual's identity, such as their name, social security number, date and place of birth, mother's maiden name, biometric records, etc., including any other personal information that can be linked to an individual.
  Don't become a headline!

Slide 27: Resources
  Vulnerabilities:
  – OWASP (http://www.owasp.org)
  – SANS Top 20 (www.sans.org/top20)
  – National Vulnerability Database (http://nvd.nist.gov)
  – cgisecurity (http://www.cgisecurity.com)
  Guidance:
  – National Institute of Standards and Technology (NIST) Computer Security Resource Center (http://csrc.nist.gov/publications/nistpubs/)
  – Center for Internet Security (CIS) (http://www.cisecurity.org/)
  – Educause (http://connect.educause.edu/term_view/Cybersecurity)

Slide 28: Contact Information
  We appreciate your feedback and comments. We can be reached at:
  Bob Ingwalson
  Phone: 202.377.3563
  Email: robert.ingwalson@ed.gov
  Fax: 202.275.0907

