Post on 28-Jan-2018
A Blueprint for Handling Sensitive Data: Security, Privacy, and Other Considerations
David Escalante, Director of Computer Policy & Security, Boston College
H. Morrow Long, Director, Information Security, Yale University
NERCOMP Preconference Seminar
Monday, March 19, 2007, 1:00 p.m. - 4:30 p.m.
2
Introductions
Ice-breaker BINGO!! 5 minutes. First 10 people to get BINGO win a prize!
Introductions: Name; Title or Functional Description of Duties; Organizational Affiliation; What do you want to get out of this session?
3
Overview to Seminar
Information security risks at colleges and universities present challenging legal, policy, technical, and operational issues. Security incidents have resulted in compromises of personal information which have led to bad publicity and the potential for identity theft. Risks to information security at colleges and universities continue to persist and necessitate that individuals at all levels of the institution become engaged to prevent further data breaches from occurring. This seminar will outline a blueprint for protecting sensitive data according to the EDUCAUSE/Internet2 Security Task Force.
4
Seminar Goals
At the end of this session:
You should feel comfortable discussing common cybersecurity threats plaguing higher education and computer users in general.
You will have a list of key strategies to follow for stopping the leakage of confidential/sensitive data.
You will be introduced to several security resources and best practices to help you apply the key strategies.
5
Today’s Roadmap
Foundations of Cybersecurity in Higher Ed
The Blueprint:
• Creating a Security Risk-Aware Culture
• Defining Institutional Data Types
• Clarifying Responsibilities and Accountability
• Reducing Access to Data Not Absolutely Essential
• Establishing and Implementing Stricter Controls
• Providing Awareness and Training
• Verifying Compliance
Putting it All Together: Moving from Planning to Action
6
Higher Ed IT Environments
Technology Environment
• Distributed computing and a wide range of hardware and software, from outdated to state-of-the-art
• Increasing demands for distributed computing, distance learning and mobile/wireless capabilities, which create unique security challenges
Leadership Environment
• Reactive rather than proactive
• Lack of clearly defined goals (what do we need to protect and why)
Academic Culture
• Persistent belief that security & academic freedom are antithetical
• Tolerance, experimentation, and anonymity highly valued
7
Higher Ed IT Environments
Current Status: “The information security environment has become increasingly more dangerous. News accounts have reported Higher Education institutions involved in dozens of incidents of compromised confidential information over the past year. The cost of notifying and offering assistance to those individuals who have had their privacy information compromised can run into the hundreds of thousands of dollars for each incident. Increased regulatory requirements also make it imperative that the University be able to show a level of due diligence in the protection of its systems and confidential data.”
Why is this in quotes?
8
Goals of Cybersecurity
Confidentiality - information requires protection from unauthorized use or disclosure.
Integrity - information must be protected from unauthorized, unanticipated, or unintentional modification.
Availability - computers, systems, networks, and information must be available on a timely basis to meet mission requirements or to avoid substantial losses.
9
Security Processes
Deter, Prevent, Detect, React, Adapt
Burton Group: A Systematic, Comprehensive Approach to Information Security (Feb. 2005)
10
Security Implementation Relies On:
• People - people must understand their responsibilities regarding policy
• Process - processes must be developed that show how policies will be implemented
• Technology - systems must be built to technically adhere to policy
Policies must be developed, communicated, maintained and enforced.
11
Framing the Problem
Discussion – Breaches in Higher Education How did they occur? Who was impacted? How much did it cost? Are there themes? What’s changed?
12
The Blueprint
Confidential Data Handling Blueprint Purpose
To provide a list of key strategies to follow for stopping the leakage of confidential/sensitive data.
To provide a toolkit that collects resources pertaining to confidential/sensitive data handling.
https://wiki.internet2.edu/confluence/display/secguide/Confidential+Data+Handling+Blueprint
13
The Blueprint
Confidential Data Handling Blueprint Introduction
Steps and ensuing sub-items are intended to provide a general roadmap.
Institutions will be at varying stages of progress.
Organized in a sequence that allows you to logically follow through each step.
Each item is recommended as an effective practice; state/local legal requirements, institutional policy, or campus culture might lead each institution to approach this differently.
14
Step 1
Create a security risk-aware culture that includes an information security risk management program
Sub-steps
1.1 Institution-wide security risk management program
1.2 Roles and responsibilities defined for overall information security at the central and distributed level
1.3 Executive leadership support in the form of policies and governance actions
15
Why Do We Care?
• HIPAA
• FERPA
• GLBA
• Sarbanes Oxley Act
• Grant requirements
• Compliance
• Other local, state and federal regulations
16
Risk Management
Risk = Threats x Vulnerabilities x Impact
17
Threat
An adversary that is motivated to exploit a system vulnerability and is capable of doing so.
National Research Council CSTB Report: Cybersecurity Today and Tomorrow: Pay Now or Pay Later (2002)
18
Examples of Threats
• Hackers
• Insiders
• “Script Kiddies”
• Criminal Organizations
• Terrorists
• Enemy Nation States
19
Vulnerability
An error or a weakness in the design, implementation, or operation of a system.
National Research Council CSTB Report: Cybersecurity Today and Tomorrow: Pay Now or Pay Later (2002)
20
Examples of Vulnerabilities
• Networks – wired and wireless
• Operating Systems – especially Windows
• Hosts and Systems
• Malicious Code and Viruses
• People
• Processes
• Physical Environments
21
Impact
Refers to the likelihood that a vulnerability will be exploited or that a threat may become harmful.
National Research Council CSTB Report: Cybersecurity Today and Tomorrow: Pay Now or Pay Later (2002)
22
Examples of Impact
• Strategic Consequences
• Financial Consequences
• Legal Consequences
• Operational Consequences
• Reputational Consequences
Qayoumi, Mohammad H. “Mission Continuity Planning: Strategically Assessing and Planning for Threats to Operations,” NACUBO (2002).
23
Risk Management
Risk = Threats x Vulnerabilities x Impact
24
Handling Risks
• Risk Assumption
• Risk Control
• Risk Mitigation
• Risk Avoidance
Qayoumi, Mohammad H. “Mission Continuity Planning: Strategically Assessing and Planning for Threats to Operations,” NACUBO (2002).
25
What Defines Culture?
Strategic Planning and Decision-Making Examples:
• Top-down
• Bottom-up
• Consensus-based
Institutional Values Examples:
• Student honor code
• Strong faculty influence
• Emphasis on accountability at all levels of institution
• High bond rating
26
What Defines Culture?
Control of Operational Functions Examples:
• Centralized
• Decentralized
Long-term Institutional Priorities Examples:
• Increase research
• Increase community outreach
Other influences on culture?
27
Ideas For Using Culture
Decentralized Control Over Computing
Formalize and leverage network of departmental system administrators
How? Some Examples:
• University of Virginia LSP Program: http://www.itc.virginia.edu/dcs/lsp
• George Mason University SALT Group: http://itu.gmu.edu/security/sysadmin/salt-description.html
28
Ideas For Using Culture
Increasing Emphasis on Compliance
Spotlight Federal Regulations Related to Security & Privacy
How? Some Examples:
• IT Security for Higher Education: A Legal Perspective: http://www.educause.edu/ir/library/pdf/csd2746.pdf
• Family Educational Rights & Privacy Act: http://www.ed.gov/policy/gen/guid/fpcp/ferpa/index.html
• Gramm Leach Bliley Act: http://www.ftc.gov/privacy/glbact/index.html
• Health Insurance Portability & Accountability Act: http://www.hhs.gov/ocr.hipaa
29
Ideas For Using Culture
Strong Leadership at the Top
Make Executive-level Awareness a Top Priority
How?
• ACE Letter to Presidents Regarding Cybersecurity: http://www.acenet.edu/washington/letters/2003/03march/cyber.cfm
• Information Security: A Difficult Balance: http://www.educause.edu/pub/er/erm04/erm0456.asp
• Gaining the President’s Support for IT Initiatives at Small Colleges: http://www.educause.edu/apps/eq/eqm04/eqm0417.asp
• Presidential Leadership for Information Technology: http://www.educause.edu/ir/library/pdf/erm0332.pdf
30
Morning Break
Break 10:15 AM, return 10:30 AM
31
Step 2
Define institutional data types
Sub-steps
2.1 Compliance with applicable federal and state laws and regulations - as well as contractual obligations - related to privacy and security of data held by the institution (also consider applicable international laws)
2.2 Data classification schema developed with input from legal counsel and data stewards
2.3 Data classification schema assigned to institutional data to the extent possible or necessary
32
Institutional Data Types
Discussion – Do you have a data classification schema? Do you have a policy? Why is this step important?
33
Data Classification Policy
Provides the framework necessary to identify and classify data in order to assess risk and implement an appropriate level of security protection based on categorization.
Provides the framework necessary to comply with legislation, regulations, and internal policies that govern the protection of data
Provides the framework necessary to facilitate and make the Incident Response process more efficient. The level in which the data is classified determines the level of response.
34
Data Classification – Policy Objectives
Communicates data categories to the University community and provides examples of how data should be classified
Communicates the high-level requirements necessary to protect data based on category
Communicates the roles and responsibilities of various members of the University community and external associates as it relates to GW owned data
35
Data Classification at GW
Data types (privacy levels, from lowest to highest security): Public, Official, Confidential
System types (operations levels, from lowest to highest): Desktop/Laptop, Department Server, Enterprise System
[Matrix of data type versus system type; the numbers in the boxes suggest the priority levels for mitigating risks. The individual cell values are not recoverable from the extracted text.]
36
Step 3
Clarify responsibilities and accountability for safeguarding confidential/sensitive data
Sub-steps
3.1 Data stewardship roles and responsibilities
3.2 Legally binding third party agreements that assign responsibility for secure data handling
37
Example – University of North Carolina
Data Trustee: Data trustees are senior University officials (or their designees) who have planning and policy-level responsibility for data within their functional areas and management responsibilities for defined segments of institutional data. Responsibilities include assigning data stewards, participating in establishing policies, and promoting data resource management for the good of the entire University.
Data Steward: Data stewards are University officials having direct operational-level responsibility for information management – usually department directors. Data stewards are responsible for data access and policy implementation issues.
Data Custodian: Information Technology Services is the data custodian. The custodian is responsible for providing a secure infrastructure in support of the data, including, but not limited to, providing physical security, backup and recovery processes, granting access privileges to system users as authorized by data trustees or their designees (usually the data stewards), and implementing and administering controls over the information.
Data User: Data users are individuals who need and use University data as part of their assigned duties or in fulfillment of assigned roles or functions within the University community. Individuals who are given access to sensitive data have a position of special trust and as such are responsible for protecting the security and integrity of those data.
http://its.uncg.edu/Policy_Manual/Data/
38
Step 4
Reduce access to confidential/sensitive data not absolutely essential to institutional processes
Sub-steps
4.1 Data collection processes (including forms) should request only the minimum necessary confidential/sensitive information
4.2 Application outputs (e.g., queries, hard copy reports, etc.) should provide only the minimum necessary confidential/sensitive information
4.3 Inventory and review access to existing confidential/sensitive data on servers, desktops, and mobile devices
39
Step 4 continued…
Reduce access to confidential/sensitive data not absolutely essential to institutional processes
Sub-steps continued
4.4 Eliminate unnecessary confidential/sensitive data on servers, desktops, and mobile devices
4.5 Eliminate dependence on SSNs as primary identifiers and as a form of authentication*
*Note: SSNs may need to be used for certain things (e.g., student employees, student financial aid, etc.) and we recommend that schools limit the use of SSNs to necessary processes only.
40
Elimination of SSNs
Federal and state law requires the collection of your Social Security number (SSN) for certain purposes (for example, IRS reporting forms). However, widespread use of an individual's SSN is a major privacy concern. With incidents of identity theft increasing, steps to secure an individual's SSN become more important. A large number of colleges and universities use SSNs as primary identifiers for faculty, staff, and students, which exposes institutions to risk because of changing legal and security environments. Therefore, many institutions are planning for the migration away from SSN use as a primary identifier. Undertaking such a task raises issues, challenges, and opportunities for any institution. EDUCAUSE has identified links concerning the elimination of SSNs as primary identifiers that may be useful to the higher education community.
http://www.educause.edu/Browse/645?PARENT_ID=701
41
Step 5
Establish and implement stricter controls for safeguarding confidential/sensitive data
Sub-steps
5.1 Inventory and review/remediate security of devices
5.2 Configuration standards for applications, servers, desktops, and mobile devices
5.3 Network level protections
5.4 Encryption strategies for data in transit and at rest
42
Step 5 continued…
Establish and implement stricter controls for safeguarding confidential/sensitive data
Sub-steps continued
5.5 Policies regarding confidential/sensitive data on mobile devices and home computers and for data archival/storage
5.6 Identity management and resource provisioning processes
5.7 Secure disposal of equipment and data
5.8 Consider background checks on individuals handling confidential/sensitive data
43
Encryption Collaboration
• Call for help – what are other universities doing?
• Privacy Committee, Compliance Committee, LSPs
• Key Stakeholders
• Project management
• Information Security Office + Technology Services + Technology Engineering = One Team
44
GW Scoring Criteria/Selection Rationale
Vendors were evaluated on RFP requirements that covered “Whole Disk” and “Nice to Have” requirements:

Evaluation Category         | Vendor 1 | Utimaco | Vendor 3
Whole Disk - Authentication |    38    |    37   |    35
Whole Disk - General        |   127    |   126   |   126
Whole Disk - Integration    |    58    |    58   |    54
Whole Disk - Management     |    44    |    44   |    44
Nice to Have                |     5    |     9   |     5
Total                       |   272    |   274   |   264
Recommended?                |  X - No  | √ - Yes |  X - No

Out of a possible total weighted score of 285, Utimaco scored the highest based on the requirements defined in the RFP, had the lowest price and was the only product fully compatible with VMWare.
Note: Vendors were asked to respond to File and Folder Encryption Requirements but were not scored on them.
45
GW’s Encryption Pilot
• Planning
• Technical set-up
• Central IT Group 50%, Departments 50%
• Communicate, communicate, communicate
• Pilot results
• Party!
46
GW Enterprise Rollout – 50,000 Foot View

Rollout Phase | Description - Device Type | Estimated Timeframe | Est # Machines
A | Administrative Laptops and some Academic Dept Laptops used for Admin Purposes | Dec ‘06 – Feb ‘07 | 400 Laptops
B | Faculty Machines (Laptops and Desktops) – FWI + self-identify case by case | May ‘07 – May ‘10 (3 year FWI attrition cycle) | 300 Machines (Laptops and Desktops)1
C | Administrative Desktops and some Academic Dept Desktops used for Admin Purposes | June ‘07 – Dec ‘07 | TBD
D | Other Devices (External Hard Drives, Thumb Drives, etc) | TBD | TBD

Est # Users: 1700 for one phase, TBD for the others (the column alignment was lost in extraction).
1 Note: This assumes a 3 year FWI machine replacement plan for most faculty, except those that self-identify to adopt Safeguard Easy on an existing machine
47
Encryption Lessons Learned?
• References provided invaluable advice
• Project management support crucial
• Flexibility required
• Know your culture
• Integrate with security philosophy and architecture
• Establish generic policy and add guidelines/procedures as process matures
• Communication and partnerships were critical success factors
48
EDUCAUSE Identity Management Resources
Recent Library Submissions (3)
• CIC Identity Management Conference Session: Federated Identity Management and Sharing Resources (2007) by Jim Phelps, IT Architect in Academia
• Identity Management Conference Report (2007) by Committee on Institutional Cooperation
• A Report on the Identity Management Summit (2007) by Norma Holland, Ann West and Steve Worona, EDUCAUSE
Most Popular Library Content (3)
• Top-Ten IT Issues, 2006 (2006) by Barbara I. Dewey, Peter B. DeBlois, and the 2006 EDUCAUSE Current Issues Committee, EDUCAUSE
• Safeguarding the Tower: IT Security in Higher Education 2006 (2006) by Robert B. Kvavik, with John Voloudakis, ECAR
• Identity Management in Higher Education: A Baseline Study (2006) by Ronald Yanosky, with Gail Salaway, ECAR
http://www.educause.edu/Browse/645?PARENT_ID=679
50
Step 6
Provide awareness and training
Sub-steps
6.1 Make confidential/sensitive data handlers aware of privacy and security requirements
6.2 Require acknowledgement by data users of their responsibility for safeguarding such data
6.3 Enhance general privacy and security awareness programs to specifically address safeguarding confidential/sensitive data
6.4 Collaboration mechanisms such as e-mail have strengths and limitations in terms of access control, which must be clearly communicated and understood so that the data will be safeguarded
51
Awareness and Training
Goal: To increase the awareness of the associated risks of computer and network use and the corresponding responsibilities of higher education executives and end-users of technology (faculty, staff, and students), and to further the professional development of information technology staff.
Programs:
• Outreach to Higher Ed Associations and Beyond
• Annual Security Professionals Conference
• Education & Awareness Working Group
Initiatives:
• Leadership Book on Computer & Network Security for Higher Ed
• National Cyber Security Awareness Month
• Cybersecurity Awareness Resources
• Executive Awareness, Student Awareness, & Training of IT Staff
52
What is Security Awareness?
Security awareness is knowledge of potential threats. It is the advantage of knowing what types of security issues and incidents members of our organization may face in the day-to-day routine of their University functions.
Technology alone cannot provide adequate information security. People, awareness and personal responsibility are critical to the success of any information security program.
53
Why is Awareness Important?
54
When I Go To U.Va….
http://www.itc.virginia.edu/pubs/docs/RespComp/videos/when-I-go-to-UVA-lg.mov
55
Who is your Audience?
• Faculty
• Staff
• Students
• Parents
• Contractors
• Visitors
• Community/industry partners - outreach
56
Step 7
Verify compliance routinely with your policies and procedures
Sub-steps
7.1 Routinely test network-connected devices and services for weaknesses in operating systems, applications, and encryption
7.2 Routinely scan servers, desktops, mobile devices, and networks containing confidential/sensitive data to verify compliance
7.3 Routinely audit access privileges
7.4 Procurement procedures and contract language to ensure proper data handling is maintained
57
Step 7 continued…
Verify compliance routinely with your policies and procedures
Sub-steps continued
7.5 System development methodologies that prevent new data handling problems from being introduced into the environment
7.6 Utilize audit function within the institution to verify compliance
7.7 Incident response policies and procedures
7.8 Conduct regular meetings with stakeholders such as data stewards, legal counsel, compliance officers, public safety, public relations, and IT groups to review institutional risk and compliance and to revise existing policies and procedures as needed
58
GW Security Tool Kit
To provide departments managing systems outside of the GW Data Center with standard guidelines and procedures
Policies
Systems Checklist - Departmental Servers and Enterprise Systems - an inventory of the systems, functionality, system administration and security settings
Best Practices for Department Server and Enterprise System Checklist - these are the specific security categories that were assessed during the PWC Audit.
Server Management Best Practices - from the Center for Internet Security. There are currently minimum security configurations for 14 types of systems.
59
GW Security Tool Kit continued…
To provide departments managing systems outside of the GW Data Center with standard guidelines and procedures
Security Controls Matrix for Data Classification - to determine security controls based on the type of information on the system (Public, Official Use, Confidential) and the type of system itself (Desktop, Departmental Server, Enterprise System).
Information Security Training and Awareness - information about online training available to all employees.
Resources – encryption, incident response, presentations, etc.
60
Compliance Scenario
GW conducted an audit project of 236+ departmentally controlled servers for security and PII (aka: Server Information Security Project, or SISP)
Project commissioned by EVP&T and CIO
Audited configuration of computers and detection of SSNs
61
Compliance Scenario
PII on almost 50% of servers admins thought it was NOT on
About 75% of computers that were compromised had completely up-to-date antivirus and/or firewalls
Security efforts focused mostly on protecting servers as opposed to data
62
Compliance Scenario
• Address problems in first pass
• Include all computers with *access* to sensitive data, not only known storage
• Contrast locations of PII to current security architecture
• Desktops versus servers...
• Integration with patch management systems?
• Secure reporting
• Log parsing by junior-level security staff
63
Safety Analyzer
Free tool for higher education
Sensitive Data Detection
• SSNs with heuristics
• Credit Card numbers with Luhn algorithm validation
Compromise Detection
• Trojan file detection
• Kernel-level rootkit detection
• IR-related data harvesting
64
The Blueprint
Discussion Will you use the blueprint? Do you have suggestions to improve it? Do you have resources to submit?
65
Afternoon Break
Break 2:45 PM, return 3:00 PM
66
Putting it All Together
Moving from Planning to Action!
67
Information Security Governance
If businesses, educational institutions, and non-profit organizations are to make significant progress securing their information assets, executives must make information security an integral part of core business operations. There is no better way to accomplish this goal than to highlight it as part of the existing internal controls and policies that constitute corporate governance.
Information Security Governance Report: Executive Summary
68
InfoSec Governance Self Assessment
• Organizational Reliance on IT. E.g., What is the impact of major system downtime on operations?
• Risk Management. E.g., Has your organization conducted a risk assessment and identified critical assets?
• People. E.g., Is there a person or organization that has information security as their primary duty?
• Processes. E.g., Do you have official written information security policies and procedures?
• Technology. E.g., Is sensitive data encrypted?
Information Security Governance Assessment Tool for Higher Education
69
Best Practices & Metrics
Information Security Program Elements:
• Governance - Boards/Senior Executives/Shared Governance
• Management - Directors and Managers
• Technical - Central and Distributed IT Support Staff
CISWG Final Report on Best Practices & Metrics
70
Governance
• Oversee Risk Management and Compliance Programs Pertaining to Information Security (e.g., Sarbanes-Oxley, HIPAA, Gramm-Leach-Bliley)
• Approve and Adopt Broad Information Security Program Principles and Approve Assignment of Key Managers Responsible for Information Security
• Strive to Protect the Interests of all Stakeholders Dependent on Information Security
• Review Information Security Policies Regarding Strategic Partners and Other Third-parties
• Strive to Ensure Business Continuity
• Review Provisions for Internal and External Audits of the Information Security Program
• Collaborate with Management to Specify the Information Security Metrics to be Reported to the Board
71
Management
• Establish Information Security Management Policies and Controls and Monitor Compliance
• Assign Information Security Roles, Responsibilities, Required Skills, and Enforce Role-based Information Access Privileges
• Assess Information Risks, Establish Risk Thresholds and Actively Manage Risk Mitigation
• Ensure Implementation of Information Security Requirements for Strategic Partners and Other Third-parties
• Identify and Classify Information Assets
• Implement and Test Business Continuity Plans
• Approve Information Systems Architecture during Acquisition, Development, Operations, and Maintenance
• Protect the Physical Environment
• Ensure Internal and External Audits of the Information Security Program with Timely Follow-up
• Collaborate with Security Staff to Specify the Information Security Metrics to be Reported to Management
72
Technical
• User Identification and Authentication
• User Account Management
• User Privileges
• Configuration Management
• Event and Activity Logging and Monitoring
• Communications, Email, and Remote Access Security
• Malicious Code Protection, Including Viruses, Worms, and Trojans
• Software Change Management, including Patching
• Firewalls
• Data Encryption
• Backup and Recovery
• Incident and Vulnerability Detection and Response
• Collaborate with Management to Specify the Technical Metrics to be Reported to Management
73
Building Security Programs
• Gain the support of the Administration.
• Define roles and responsibilities.
• Review your institution’s policies.
• Build long lasting partnerships with everyone (well, maybe not everyone).
• Collaborate with security professionals in your region or State.
• Institutionalize a strong security awareness program.
74
Security Scenarios
Data breach exercises and realistic role playing scenarios
• Break into 6 groups
• Each group will be given scenarios
• 30 minutes to brainstorm
• 3 – 5 minutes for each group to present
75
Wrap-Up
• Question & Answer
• Seminar Evaluation & Feedback
• Program ends at 4:30 PM
76
Listservs & Newsgroups
• EDUCAUSE Security Discussion Listserv: http://www.educause.edu/SecurityDiscussionGroup/979
• Microsoft Security Alerts: http://www.microsoft.com/security/bulletins/alerts.mspx
• US-CERT Alerts and Tips: http://www.us-cert.gov/cas/signup.html#choose
• NIST Publication Mailing list: http://csrc.nist.gov/compubs-mail.html
77
Contacts
David Escalante - david.escalante@bc.edu
H. Morrow Long - morrow.long@yale.edu