State of Jeffco Information Security 1-26-16file... · Digital Citizenship Digital Citizenship...

Date post: 26-Sep-2020
State of Jeffco Information Security January 28th BOE study session Brett T Miller Chief Information Officer Chris Paschke Director Information Security T.O. Owens TDPAC Chair

State of Jeffco Information Security
January 28th BOE study session

Brett T Miller, Chief Information Officer
Chris Paschke, Director Information Security
T.O. Owens, TDPAC Chair

Agenda

- Background Information
- Information Security in Jeffco, the State and Nation
- State of Data Security
- Technology & Data Privacy Advisory Committee (TDPAC) update
- Questions

Developing a Secure Network

- Goals:
  - Access - role based authentication
  - Confidentiality - information remains private
  - Integrity - information has not been modified
- How we meet these Goals:
  - Security Appliances
  - Policies
  - Data Governance
  - User Awareness & Training

Data Security in Jeffco, State & the Nation

- Technology advances blending work/life
- Mobility, cloud based services, global classroom
- Jeffco Security team formed in 2006

What’s Happening at the State & Federal Level

- Concern that the state is gathering too much student data without measurable goals or objectives
- Pressure from parents to reform data collection and provide more transparency
- Movement from legislature and the state board to better protect student data
- Jeffco involvement in work to better protect students’ data

What Jeffco is Doing

- Building security requirements into software RFPs
- Measuring the security and privacy associated with purchased software, websites, and apps
- Teaching staff members how to choose a tool keeping privacy in mind
- Working to become more transparent with parents

What other Districts are Doing

- Huge differences in district action ranging from:
  - Ignoring
  - Waiting for passed legislation
  - Focusing on user awareness
  - Focusing on increasing security efforts
  - De-identifying student data

Challenges

- We are a school District with:
  - Public buildings
  - Diverse user groups
  - Curious students
  - Innovative staff
  - Collaboration

Challenges

Evolution of Information Security

- Infrastructure – switches, firewalls, and servers
- Incident Response – Providing resources and guidance when things go wrong
- Online Collaboration – Keeping students and staff safe when working together online
- The Cloud – Helping to manage the risk now that everything is connected
- Privacy – Need to hold the District, District Departments, our partners, and cloud providers accountable
- Oversight – Creating policies and processes, monitoring the environment for abnormalities, and auditing for compliance
- Application Security – Ensuring that applications and tiers of systems are designed and implemented securely

Themes

- Boundary Definition
  - We need clear definitions of what we are protecting to set expectations for the District and our community
- Measurable Standards
  - We must find ways to measure our success and prioritize need for improvements
- Transparency
  - Our work assists decision making for the IT department staff and District leadership while providing visibility for the community

Threats

- Viruses
- Ransomware
- Advanced persistent threats
- Phishing
- Watering hole attacks
- Equipment loss
- Social engineering
- Cloud services
- Encryption
- Mobile apps
- User error

Mitigation Strategies

Information Security policies

- Foundational
  - EH - Data Management, EHAA - Computer Security, EHBA - Electronic Signatures, EHR - Data Classification, EHAA-E - Incident Handling, EHAA-R4 - Risk Assessment
- Configuration Management
  - EHA - Internet DMZ, EHAC - Exception Management, EHA-E1 - Linux Server Hardening, EHA-E2 - Windows Server Hardening, EHA-E3 - Network Hardening, EHA-R - Key Escrow, EHAA-R-1 - Audit, EHAA-R3 - Encryption, EHAC-E - Exception Request, GBEE-R - Elevated Privileges
- Vendor Management
  - EHB - Cloud Vendor Assessment, EHB-E - Cloud Vendor Questionnaire
- Acceptable Use
  - GBEE - Staff Use of Internet, JS - Student Use of Internet, JSA - Student BYOD

Network Architecture

[Diagram labels: Principals, School Nurses, Counselors, Financial Sec; Teachers, Aides; Labs, Student use, Guests; Ed Center + Quail Data Center + Disaster Recovery]

Layering Security Controls Within Network Boundaries

- Building unique security requirements based on risk associated with the role instead of one size fits all.
- Leverage Technologies such as:
  - Access to resources
  - Encryption
  - Log collection and retention
  - Vulnerability management
  - AV
  - Advanced threat detection

Monitoring the Environment

- Log management
  - Provide oversight of administrative access while maintaining privacy
  - Act as a repository for event logging, making it easier to correlate complex activities
- Malware detection
  - Proactively detect malicious software before data loss or system breach
- Vulnerability management
  - Identify and measure risk associated with infrastructure and systems
  - Prioritize remediation efforts based on the likelihood and impact of a vulnerability being exploited
- Industry trend and threat analysis
  - Monitor resources such as SANS, CERT, and other Districts
- Incident response
  - Maintain relationships with key technical and leadership staff

Monitoring Stats Example

Software Purchasing Process (Cloud Vendor Assessments)

Proposed State and Federal Legislation

- Multiple competing bills including: Student Digital Privacy and Parental Rights Act, SAFE Kids Act, and FERPA rewrites.
- Bills focus on cloud partnerships in different ways but focus on the following:
  - Data collection (including metadata)
  - Contract Management
  - Increased Transparency
  - Online Advertising
  - Data Sharing (Selling)
  - Subcontractor Management
  - Penalties
  - (No Training)

Software Purchasing Process

[Chart: Completed Assessments by month; x-axis: Jul, Aug, Sept, Oct, Nov, Dec, Jan, Feb, Mar, Apr, May, Jun, Jul, Aug, Sept, Oct, Nov, Dec]

Why we Made These Choices

- We want to be proactive
- We want consistency in measuring risk
- We want to measure our success
- We feel that it is unfair to put educators in the position of managing risk
- We have received feedback from concerned parents
- We want to increase transparency

Security Awareness

[Figure: security awareness training topics by staff group]
Staff groups: Central Staff, IT, Principals, School Secretaries, Teacher Librarians, Athletics, Teachers, Support Staff
Training topics: Security Basics, Privileged Access, Software Purchasing, PCI Awareness, Advanced PCI, Incident Response, FERPA Basics, HIPAA Basics, Advanced HIPAA, Digital Citizenship

TDPAC

- Committee Members
  - Tonya Altman
  - Jennifer Butts
  - Jorge “Yuri” Csapo
  - Sunny Flynn
  - Jill Green
  - Virge “T.O.” Owens
  - Phillip Romig III
  - Derec Shuler
  - John Sullivan
- Staff Members
  - Dan McMinimee
  - Brett Miller
  - Syna Morgan
  - Craig Hess
  - Carol Eaton
  - Jeremy Felker
  - Matt Flores
  - Curtis Lee
  - Fran Williamson
  - Mary Beth Bazzanella
  - Chris Paschke
  - Shawn Rhoades
  - Betty Standley

Questions …

