Handling Sensitive Data: Security, Privacy, and Other Considerations

1
Handling Sensitive DataSecurity, Privacy, and
Other Considerations

• Rodney Petersen
• Government Relations Officer
• Security Task Force Coordinator
• EDUCAUSE

2
Security Task Force

• Goals
• Education and Awareness
• Standards, Policies, and Procedures
• Security Architecture and Tools
• Organization and Information Sharing
• Working Groups
• Awareness and Training
• Policies and Legal Issues
• Risk Assessment
• Effective Practices and Solutions
• Annual Security Professionals Conference

3
Security Goals C-I-A

• Availability - computers, systems and networks
  must be available on a timely basis to meet
  mission requirements or to avoid substantial
  losses.
• Integrity - computers, systems, and networks that
  contain information must be protected from
  unauthorized, unanticipated, or unintentional
  modification.
• Confidentiality - computers, systems, and
  networks that contain information require
  protection from unauthorized use or disclosure.

4
Security Approaches

• People awareness, training, policies, roles and
  responsibilities, staffing, etc.
• Process procedures, work flows, systems,
  physical security, compliance, etc.
• Technology layered security, vulnerability
  scanning, access controls, o/s and s/w updates,
  etc.

5
ECAR IT Security Study

• The Headlines You Wont Read in the Chronicle
  of Higher Ed or New York Times
• The respondents feel more secure today than two
  years ago despite being in a perceived riskier
  environment.
• Respondents feel that the academic community has
  become more sensitive to security and privacy in
  the last two years.
• ECAR IT Security Study, 2006

6
IT Security Incidents

• Ten percent of the respondents in our survey
  indicated that they had an IT security incident
  in the last twelve months, which had been
  reported to the press (down from 19 percent in
  2003).
• A majority of institutions (74.2 percent) report
  that the number of incidents is about the same or
  less in the past twelve months as compared with
  the year before.
• The primary perceived risks are viruses (72.6
  percent), theft of personal financial information
  (64.8 percent), and spoofing and spyware (55.3
  percent).
• ECAR IT Security Study, 2006

7
Data Security Incidents

• Stolen Laptops
• Missing Media
• Unauthorized access to systems
• Incident response teams
• Notification to affected individuals
• Identity theft and other types of fraud
• Data Incident Notification Toolkit

8
Blueprint for Handling Data

• Step 1 Create a security risk-aware culture that
  includes an information security risk management
  program
• Step 2 Define institutional data types
• Step 3 Clarify responsibilities and
  accountability for safeguarding
  confidential/sensitive data
• Step 4 Reduce access to confidential/sensitive
  data not absolutely essential to institutional
  processes
• Step 5 Establish and implement stricter controls
  for safeguarding confidential/sensitive data
• Step 6 Provide awareness and training
• Step 7 Verify compliance routinely with your
  policies and procedures

9
Step 1 Risk Aware Culture

• 1.1 Institution-wide security risk management
  program
• 1.2 Roles and responsibilities defined for
  overall information security at the central and
  distributed level
• 1.3 Executive leadership support in the form of
  policies and governance actions

10
Risk Management Framework
11
Risks Incurred

• ECAR IT Security Study, 2006

12
Risk Assessments

• 55 percent do some type of risk assessment
• But less than 9 percent cover all institutional
  systems and data.
• ECAR IT Security Study, 2006

13
Responsibility for IT Security

• IT Security Officer (up to 35 from 22)
• CIO (up to 14 from 8)
• Other IT Directors ( down to 50 from 67)

14
IT Security Plan

• 11.2 percent - a comprehensive IT security plan
  is in place
• 66.6 percent - a partial plan is in place.
• 20.4 percent - no IT security plan is in place
• ECAR IT Security Study, 2006

15
Policies in Place

• Individual employee responsibilities for
  information security practices (73)
• Protection of organizational assets (73)
• Managing privacy issues, including breaches of
  personal information (72)
• Incident reporting and response (69)
• Disaster recovery contingency planning (68)

16
Policies in Place

• Investigation and correction of the causes of
  security failures (68)
• Notification of security events to individuals,
  the law, etc. (67)
• Sharing, storing, and transmitting data (51)
• Data classification, retention, and destruction
  (51)
• Identity Management (50)

17
Step 1 Risk Aware Culture

• 1.1 Institution-wide security risk management
  program
• 1.2 Roles and responsibilities defined for
  overall information security at the central and
  distributed level
• 1.3 Executive leadership support in the form of
  policies and governance actions

18
Step 2 Define Data Types

• 2.1 Compliance with applicable federal and state
  laws and regulations - as well as contractual
  obligations - related to privacy and security of
  data held by the institution (also consider
  applicable international laws)
• 2.2 Data classification schema developed with
  input from legal counsel and data stewards
• 2.3 Data classification schema assigned to
  institutional data to the extent possible or
  necessary

19
Step 3 Clarify Responsibilities

• 3.1 Data stewardship roles and responsibilities
• 3.2 Legally binding third party agreements that
  assign responsibility for secure data handling

20
Step 4 Reduce Access to Data

• 4.1 Data collection processes (including forms)
  should request only the minimum necessary
  confidential/sensitive information
• 4.2 Application outputs (e.g., queries, hard copy
  reports, etc.) should provide only the minimum
  necessary confidential/sensitive information
• 4.3 Inventory and review access to existing
  confidential/sensitive data on servers, desktops,
  and mobile devices
• 4.4 Eliminate unnecessary confidential/sensitive
  data on servers, desktops, and mobile devices
• 4.5 Eliminate dependence on SSNs as primary
  identifiers and as a form of authentication

21
Step 5 Controls

• 5.1 Inventory and review/remediate security of
  devices
• 5.2 Configuration standards for applications,
  servers, desktops, and mobile devices
• 5.3 Network level protections
• 5.4 Encryption strategies for data in transit and
  at rest
• 5.5 Policies regarding confidential/sensitive
  data on mobile devices and home computers and for
  data archival/storage
• 5.6 Identity management and resource provisioning
  processes
• 5.7 Secure disposal of equipment and data
• 5.8 Consider background checks on individuals
  handling confidential/sensitive data

22
Security Approaches in Place

• Perimeter firewalls 77
• Centralized backups 77
• VPNs for remote access 75
• Enterprise directory 75
• Interior network firewalls 65
• Intrusion detection 62
• Active filtering 59
• Intrusion prevention 44 (up from 33)
• Security Standards for Applications 32 (up from
  27)
• ECAR IT Security Study, 2006

23
Step 6 Awareness and Training

• 6.1 Make confidential/sensitive data handlers
  aware of privacy and security requirements
• 6.2 Require acknowledgment by data users of their
  responsibility for safeguarding such data
• 6.3 Enhance general privacy and security
  awareness programs to specifically address
  safeguarding confidential/sensitive data
• 6.4 Clearly communicate how to safeguard data so
  that collaboration mechanisms such as e-mail have
  strengths and limitations in terms of access
  control

24
Awareness Programs

• ECAR IT Security Study, 2006

25
Step 7 Verify Compliance

• 7.1 Routinely test network-connected devices and
  services for weaknesses in operating systems,
  applications, and encryption
• 7.2 Routinely scan servers, desktops, mobile
  devices, and networks containing
  confidential/sensitive data to verify compliance
• 7.3 Routinely audit access privileges
• 7.4 Procurement procedures and contract language
  to ensure proper data handling is maintained
• 7.5 System development methodologies that prevent
  new data handling problems from being introduced
  into the environment
• 7.6 Utilize audit function within the institution
  to verify compliance
• 7.7 Incident response policies and procedures
• 7.8 Conduct regular meetings with stakeholders
  such as data stewards, legal counsel, compliance
  officers, public safety, public relations, and IT
  groups to review institutional risk and
  compliance and to revise existing policies and
  procedures as needed

26
FTC Guide Protecting Personal Information

• Take stock.Know what personal information you
  have in your files and on your computers.
• Scale down.Keep only what you need for your
  business.
• Lock it.Protect the information that you keep.
• Pitch it. Properly dispose of what you no
  longer need.
• Plan ahead. Create a plan to respond to
  security incidents.

27
Characteristics of Successful IT Security Programs

• Institutions with IT security plans in place
  characterize their IT security programs as more
  successful and feel more secure today.
• The respondents who believe their institution
  provides necessary resources give higher ratings
  for IT security program success and their current
  sense of IT security.
• The biggest barrier to IT security is lack of
  resources (64.4 percent) and especially at
  smaller institutions, followed by an academic
  culture of openness and autonomy (49.6 percent),
  and lack of awareness (36.4 percent).
• ECAR IT Security Study, 2006

28
For more information

• Rodney PetersenEmail rpetersen_at_educause.eduPho
  ne 202.331.5368
• EDUCAUSE/Internet2 Security Task
  Forcewww.educause.edu/security
• EDUCAUSE Center for Applied Researchwww.educause.
  edu/ECAR
• Blueprint for Handling Sensitive
  Datawiki.internet2.edu/confluence/display/secguid
  e