Harvard Townsend IT Security Officer harv@ksu October 31, 2007
Page 1

Peeling Back the Layers of an Ogre (or for those who like boring titles – Where is Our Confidential Data Hiding?)

Harvard Townsend, IT Security Officer, October 31, 2007

Page 2

Agenda

- Why should we care?
- What should we care about?
- What are the threats?
- What can we do about it?

Page 3

Why Should We Care?

- 167,706,372 and counting… the approximate number of records with personal identity information compromised due to security breaches since January 2005 (www.privacyrights.org/ar/ChronDataBreaches.htm)
- In 2006, 3 million college students were possible victims of identity theft (CDW-G study)
- Identity theft is the fastest growing crime

Page 4

Why Should We Care?

Handling a breach is very expensive

Page 5

Why Should We Care?

Damage to institution’s reputation

Page 6

Why Should We Care?

Your reputation or job may be on the line

Page 7

Why Should We Care? It is the law:

- SB 196, Kansas Security Breach Law: protects personal identity information; mandates prompt investigation and notification
- FERPA (student records)
- HIPAA (medical records)
- GLB (financial records)
- ECPA (electronic communications)
- Federal Rules of Civil Procedure (e-Discovery)

Page 8

Because Visa Said So

Payment Card Industry Data Security Standards (PCI DSS)

- Version 1.1 published in Sept. 2006 (www.pcisecuritystandards.org)
- “PCI DSS requirements are applicable if a Primary Account Number (PAN) is stored, processed, or transmitted.”
- Do you know who is handling credit card info on campus and how they are doing it?

Page 9

Credit Cards @ K-State

I’m not putting this info in the PowerPoint presentation!!

Page 10

What Should We Care About?

- All data needs protection
- Particularly interested in confidential data:
  - Highly sensitive data that can only be disclosed to individuals with explicit authorization
  - Protection required by law (FERPA, HIPAA)
  - Unauthorized disclosure harmful or catastrophic to individual, group, or institution
  - Examples: SSN, credit card info, student grades, medical records

Page 11

What Are the Threats?

- Ignorance
- Theft – external and internal
- Inadvertent disclosure
- Improper disposal
- Highly distributed IT services
- Backups
- Catastrophic failure or other disaster
- Mobility – laptops, wireless, USB thumb drives, SmartPhones

Page 12

Fear Laptops!

Page 13

What Can We Do About It?

Know your data!

- Its value
- Its classification
- Its location (of every copy)
- Who is responsible for it
- Who has access to it
- The threats to it

Page 14

What Can We Do About It?

“Data Classification and Security Policy and Standards”

- Classify data based on sensitivity
- Specify security requirements for each classification
- Define roles and responsibilities

Page 15

Policy

“All University Data must be classified according to the K-State Data Classification Schema and protected according to K-State Data Security Standards. Exceptions must be approved in writing by the Chief Data Stewards and the Vice Provost for IT Services.”

Page 16

Data Classification Schema

4 categories:

- Public
- Internal
- Confidential
- Proprietary

Page 17

Data Security Standards

- Access Controls
- Copying/Printing
- Network Security
- System Security
- Physical Security
- Remote Access
- Storage
- Transmission
- Backup/DR
- Media Sanitization
- Training
- Audit Schedule

Page 18

Implementation Strategy

- Focus on confidential data first: SSNs, credit cards
- Serve as guideline for other data
- Eventually require classification of all data

Page 19

Where is the data located?

You would be surprised! Tools to help:

- “Spider” from Cornell: http://www.cit.cornell.edu/security/tools/
- Sensitive Number Finder (SENF) from UT-Austin: https://source.its.utexas.edu/groups/its-iso/projects/senf
- Not ready for your average user

Page 20

Where is the data located?

- Gradebooks, esp. old spreadsheets
- Course web pages
- Homework assignments
- Exams
- Travel authorization forms
- Applications for admission
- Personnel papers
- E-mail
- Backup tapes, CDs, floppies, USB drives

Where have you found confidential data?

Page 21

What Can We Do About It?

- Delete unnecessary copies
- Make sure it’s gone when deleted
- Know how to protect it:
  - K-State Data Security Standards
  - K-State SSN Policy
  - PCI DSS for credit cards
  - K-State Mobile Device Security Guidelines
  - Encryption

Page 22

What Can We Do About It? SSNs

K-State Policy on “Collection, Use and Protection of Social Security Numbers”

“Use of the SSN as an identifier will be discontinued, except where authorized for employment, IRS reporting, federal student financial aid processing, state and federal reporting requirements, and a limited number of other business transactions.”

Page 23

What Can We Do About It? SSNs

Appendix A lists approved uses:

- Employment
- Application and receipt of financial aid
- Tuition remission
- Benefits administration
- Insurance
- IRS reporting
- Student information exchange (transcripts)

Page 24

What Can We Do About It? SSNs

- Start transitioning to use of the Wildcat ID (WID)
- iSIS is a key component of this transition
- Also the People Database
- Departments are moving in that direction

Where are the SSNs in your department? Run Spider from Cornell to find them.
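The data-discovery tools named on slides 19 and 24 (Spider, SENF) work by scanning files for number patterns and throwing out values that cannot be real. The following is an added illustration of that approach, not either tool's code; its regexes, the SSA area-number rules it applies and the sample gradebook text are all constructed for the example.

```python
"""Toy sensitive-number finder in the spirit of Cornell's Spider and UT-Austin's
SENF (added example, not their code): find candidate SSNs and card PANs in text."""
import re
from typing import List, Tuple

# SSN as 123-45-6789, 123 45 6789 or 123456789; PAN as 13-19 digits
# optionally grouped by spaces or hyphens (both patterns are assumptions).
SSN_RE = re.compile(r"\b(\d{3})[- ]?(\d{2})[- ]?(\d{4})\b")
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

def plausible_ssn(area: str, group: str, serial: str) -> bool:
    """SSA never issues area 000, 666 or 900-999, nor all-zero group/serial."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return group != "00" and serial != "0000"

def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check that every payment card PAN must satisfy."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def find_sensitive(text: str) -> List[Tuple[str, str]]:
    """Return (kind, value) pairs for plausible SSNs and Luhn-valid PANs."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group(0))
        if luhn_ok(digits):
            hits.append(("PAN", digits))
    for m in SSN_RE.finditer(text):
        if plausible_ssn(*m.groups()):
            hits.append(("SSN", m.group(0)))
    return hits

def scan_file(path: str) -> List[Tuple[str, str]]:
    """Scan one text-like file (old gradebook export, web page, mailbox)."""
    with open(path, "r", errors="ignore") as fh:
        return find_sensitive(fh.read())

# Constructed sample gradebook export: one fake SSN, one Luhn-valid test PAN,
# plus two decoys (impossible SSN area 000; 16 digits that fail Luhn).
SAMPLE = ("Smith, John, 123-45-6789, grade A\n"
          "card on file: 4111 1111 1111 1111\n"
          "Doe, Jane, 000-12-3456\n"
          "order id 1234 5678 9012 3456\n")
```

Running `find_sensitive(SAMPLE)` reports only the two plausible values; the decoys are dropped, which is what keeps a campus-wide scan from drowning its reviewers in false positives.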

Page 25

What Can We Do About It? Credit Cards

- Must comply with the Payment Card Industry Data Security Standards (PCI DSS) no matter the merchant level (we’re level 2)
- Strong requirements: 12 major requirements in 6 categories, 238 individual controls
- Annual self-assessment questionnaire
- Quarterly network security scan by an “approved scanning vendor”

Page 26

What Can We Do About It? Credit Cards

The plan:

- Internal Audit documented campus practices
- Working group formed to develop strategy
- Use central service or comply with DSS

See http://www.pcisecuritystandards.org for more information:

- Data Security Standard v1.1
- Self-assessment questionnaire
- Network scanning procedure
- Security audit procedure

Page 27

What Can We Do About It? Mobility

Don’t store confidential data on mobile devices!

Mobile device security guidelines: http://www.k-state.edu/infotech/security/mobile.html

Page 28

What Can We Do About It? Encryption

- Stored data: software encryption, hardware encryption
- Transmitted data
- SIRT team working on a software recommendation for laptops and removable devices

Page 29

What’s on your mind?
