Best Practices for Security Management - PowerPoint PPT Presentation


1
Best Practices for Security Management
May 2007
2
Agenda
  • What is Data Security?
  • Why Is Data Security Such a Challenge?
  • Data Privacy Laws, Regulations, Policy
  • Data Security Laws, Regulations, Policy
  • Best IT Security Practices
  • IT Security Roadmap
  • Summary

3
What Is Information Security?
  • Maintain the Integrity, Availability and
    Confidentiality of Electronic Information

4
Information Security Challenges
[Chart: Danger Level (Low to High) plotted against Level of Effort (Low to High); chart not reproduced in transcript]
5
In the News
Two men plead guilty in supermarket data security breach
By SearchSecurity.com Staff, 31 May 2007
SearchSecurity.com - Two men have pleaded guilty, and a third man is expected to plead guilty, to stealing credit and debit card data using devices at Stop & Shop supermarket checkout counters. A case is pending against a fourth man in connection with the theft.

800,000 are warned as FBI investigates
By Dan Laidman, Copley News Service, December 13, 2006
LOS ANGELES - In one of the largest electronic security breaches ever to hit an educational institution, the University of California at Los Angeles alerted 800,000 current and former students, applicants, faculty and staff yesterday that a hacker may have stolen their private data from campus computers.

400 college students now at risk for ID theft
May 4, 2007
A new employee at Montgomery College accidentally placed a file with 400 students' names and personal information - including Social Security numbers - on a public server where anyone could access it. Talk about starting off on the wrong foot. The list was up for about a day, and the 400 students whose information was on it have been advised to check their credit reports regularly.

CNET, March 29, 2005
The University of California, Berkeley, is warning more than 98,000 people that the theft of a laptop from its graduate school admissions office has exposed their personal information. An individual stole the computer from the offices of the school's Graduate Division on March 11, the university said in a statement released late Monday. Roughly one-third of the files on the laptop contained names, dates of birth, addresses and Social Security numbers of 98,369 graduate students or graduate-school applicants, it said. The files go back three decades in some cases.

TJX breach cost company $17 million to date
Published 2007-05-21
Retailer TJX Companies announced last week in its earnings statements that recovering from the online intrusion of its processing networks that resulted in the theft of data on at least 45.6 million credit and debit cards cost the company $12 million in the last quarter, bringing the firm's total to date to $17 million. The costs include investigating the incident, upgrading the company's network security, communicating with its customers, and legal fees, TJX said in a statement.

State computer server breached
May 30, 2007, Copley News Service via Thomson Dialog NewsEdge
CHICAGO - The state's professional-regulation department is notifying roughly 300,000 licensees and applicants that a computer server with some of their personal data was breached early this year, a spokeswoman for the agency said Friday.
6
Privacy Law, Regulation and Policy
  • HIPAA Privacy Rule - Health Insurance Portability
    and Accountability Act
  • FERPA - Family Educational Rights and Privacy Act
  • California Information Practices Act
  • Breach Notification - California Civil Code 1798
  • PCI - Payment Card Industry
  • Electronic Communications Policy (ECP), UC
  • ECP Privacy and Access, UC Davis

7
Security Law, Regulation and Policy
  • PCI - Payment Card Industry Security Standards
  • HIPAA Security Rule - Health Insurance
    Portability and Accountability Act
  • FISMA - Federal Information Security Management
    Act
  • Business and Finance Bulletin IS-3 (Information
    Systems), UC
  • Cyber-safety Policy and Security Standards, UC
    Davis

8
Major Components of an IT Security Program
9
UC Data Security Policies
  • UC Information Security, BFB IS-3
  • Test conditions for Restricted information
  • 1. Does the data include information that
    identifies or describes an individual?
  • 2. Would unauthorized access, modification or
    loss of the data seriously affect the University?
  • 3. Would unauthorized access, modification or
    loss of the data seriously affect a business
    partner of the University?
  • 4. Would unauthorized access, modification or
    loss of the data seriously affect the public?
  • 5. Has the Proprietor chosen to protect the data
    from general access or modification?

10
UC Data Security Policies
  • Security Provisions for BFB IS-3
  • Authentication & Authorization
  • Background Checks
  • Control Administrative Accounts
  • Data Backup/Retention/Storage and Transit
    Encryption
  • Disaster Recovery Plan
  • Incident Response/Notification Plan
  • Physical Security Controls & Media Controls

11
UC Davis Data Security Policy
  • UC Davis Cyber-safety Policy (PPM 310-22)
  • Physical/Environment Controls
  • Spam Generation
  • Open Proxy
  • Audit Logs
  • Backup/Recovery
  • Security Training
  • Spyware Removal
  • Data Removal Prior to Hardware Retirement
  • Incident Response Plans -new
  • Web Application Security -new
  • Software Vulnerabilities
  • Virus Infections
  • Non-secure Computer Programs/Services
  • Authentication Measures
  • Insecure Personal Information
  • Firewall Services

12
Examples of Data Security Requirements
[Requirements table not reproduced in transcript; legend: R = Required, A = Addressable]
13
Examples of Data Security Requirements - Continued
[Requirements table continued; not reproduced in transcript]
14
Information Security Roadmap
  • Initiate Risk Assessment
  • Prioritize Security Areas Needing Attention
    (Pareto Principle)
  • Seek Input in Developing and Implementing a
    Campus Unit Security Plan
  • Implement Security Plan
  • Annually Review Security Plan
  • Keep Up to Date with Security News

15
An Information Security History Lesson
16
Summary
  • Information Technology Resources Continue to Be
    At Risk From Common Security Threats
  • Continuing Security Breaches Will Lead to More
    Regulations and Financial Sanctions
  • Existing Security Regulations and Policy Provide
    Good Examples of Effective Security Practices
  • Develop An IT Security Roadmap

17
Security References
  • PCI Data Security Standard v1.1,
    https://www.pcisecuritystandards.org/pdfs/pci_dss_v1-1.pdf
  • Cyber-Safety Policy (PPM 310-22), UC Davis,
    http://manuals.ucdavis.edu/PPM/310/310-22.htm
  • BFB Information Systems 3 (IS-3), UC,
    http://www.ucop.edu/ucophome/policies/bfb/is3.pdf
  • IRB Administration, UC Davis,
    http://research.ucdavis.edu/home.cfm?id=OVC,1
  • UC HIPAA Web Site,
    http://www.universityofcalifornia.edu/hipaa/
  • UC Research and HIPAA,
    http://www.universityofcalifornia.edu/hipaa/docs/research_guidelines.pdf

18
Questions?