Enterprise data (decentralized control, data
security and privacy)
Prevention: People and Process
Rodney Petersen
Security Task Force Coordinator
EDUCAUSE
Framing the Problem
Information Privacy and Security
Paper and Electronic
Reliance on Networks and Technology
Business Continuity
Critical Infrastructure Protection
Part of National Strategy to Secure Homeland
Security Processes
Deter
Prevent
Detect
React
Adapt
Burton Group: A Systematic, Comprehensive Approach to Information Security (Feb. 2005)
Points of Emphasis
People
Processes
Technology
Risk Management
Risk = Threats x Vulnerabilities x Impact
Threat
An adversary that is motivated to exploit a system vulnerability
and is capable of doing so
National Research Council CSTB Report: Cybersecurity Today and Tomorrow: Pay Now or Pay Later (2002)
Examples of Threats
Hackers
Insiders
“Script Kiddies”
Criminal Organizations
Terrorists
Enemy Nation States
Vulnerability
An error or a weakness in the design, implementation, or operation of a system.
National Research Council CSTB Report: Cybersecurity Today and Tomorrow: Pay Now or Pay Later (2002)
Examples of Vulnerabilities
Networks – wired and wireless
Operating Systems – especially Windows
Hosts and Systems
Malicious Code and Viruses
People
Processes
Physical Environments
Impact
Refers to the likelihood that a vulnerability will be exploited or
that a threat may become harmful.
National Research Council CSTB Report: Cybersecurity Today and Tomorrow: Pay Now or Pay Later (2002)
Examples of Impact
Strategic Consequences
Financial Consequences
Legal Consequences
Operational Consequences
Reputational Consequences
Qayoumi, Mohammad H. “Mission Continuity Planning: Strategically Assessing and Planning for Threats to Operations,” NACUBO (2002).
Handling Risks
Risk Assumption
Risk Control
Risk Mitigation
Risk Avoidance
Qayoumi, Mohammad H. “Mission Continuity Planning: Strategically Assessing and Planning for Threats to Operations,” NACUBO (2002).
Framework for Risk Assessment
Phase 1: Identify Critical Assets and Security Strategies
Strategic Perspective
Operational Perspective
Practice Perspective
Consolidated View of Security Requirements
Phase 2: Identify Infrastructure Vulnerabilities (Technological View)
Key Technology Components
Selected Technology Components Evaluation
Phase 3: Develop Security Strategy and Plans (Risk Analysis)
Risk Assessment
Protection Strategy and Mitigation Plan
Institutional Policies
Policies are statements that reflect the philosophies, attitudes, or values of an organization related to a specific issue. They are generally represented in a paragraph or perhaps two, but not pages. They might say “what” but not “how”. Checklists, procedures, standards, and guidelines all must implement, reflect, and support the applicable policy or policies. The entire set of statements is sometimes considered to be the “Policy”.
Bruhn and Petersen, A Primer on Policy Development for Institutions of Higher Education, 2003.
Data Protection Policies
Acceptable Use Policy
Security Policy
Privacy Policy
Data Policy
Security Policies
RFC2196: A security policy is a formal statement of the rules by which people who are given access to an organization’s technology and information assets must abide.
RFC2196: The main purpose of a security policy is to inform users, staff and managers of their obligatory requirements for protecting technology and information assets.
Security Policy Components (RFC2196)
Computer Technology Purchasing
Privacy (i.e., sets reasonable expectations)
Access Rights and Privileges
Accountability (i.e., responsibilities)
Authentication
Availability (sets user expectations)
IT System and Network Maintenance
Violations Reporting
Contact Information
Privacy Policies
Setting “reasonable expectations”
With respect to types of “personal info”:
Student Education Records (FERPA)
Protected Health Information (HIPAA)
Nonpublic Personal Financial Information (GLB Act)
Primary identifiers and use of SSNs
With respect to collection of information, i.e., privacy statements
With respect to disclosure of information, including public records requirements
Data Policies
Enterprise data management structure
Data classification, for example:
Unrestricted Data
Sensitive Data
Critical Data
Roles and responsibilities, for example:
Data Trustees
Data Stewards
Data Managers
Access rights and privileges, i.e., data users
Protection of Sensitive Personal Information
Develop, implement, maintain, and enforce a written program for the security of sensitive personal information that you collect, maintain, sell, transfer, or dispose of, containing:
administrative safeguards
technical safeguards
physical safeguards
to:
1. ensure the security and confidentiality of such data;
2. protect against any anticipated threats or hazards to the security or integrity of such data; and
3. to protect against unauthorized access to, or use of, such data that could result in substantial harm to any individual.
S. 1408: Identity Theft Protection Act (109th Congress)
Awareness & Training
Who needs “awareness” (consciousness-raising)? All Users!
Executives
Faculty
Staff
Students
Users of Sensitive Data
IT Staff
Training (skills development): especially for data stewards, IT staff, and the information security team
ACE Letter to Presidents
Set the tone: ensure that all campus stakeholders know that you take Cybersecurity seriously. Insist on community-wide awareness and accountability.
Establish responsibility for campus-wide Cybersecurity at the cabinet level. At a large university, this responsibility might be assigned to the Chief Information Officer. At a small college, this person may have responsibility for many areas, including the institutional computing environment.
Ask for a periodic Cybersecurity risk assessment that identifies the most important risks to your institution. Manage these risks in the context of institutional planning and budgeting.
Request updates to your Cybersecurity plans on a regular basis in response to the rapid evolution of the technologies, vulnerabilities, threats, and risks.
Cybersecurity Awareness Resources CD
The Awareness and Training Working Group of the EDUCAUSE/Internet2 Security Task Force compiled cybersecurity awareness resources distributed on a CD.
The resources were collected to showcase the variety of security awareness efforts underway at institutions of higher education and to provide resources for colleges and universities that are looking to jump-start a program for their organization.
What’s on the CD?
Book Marks
Brochures
Checklists
Flyers
Games
Government Resources
Handouts
Industry Resources
Links to School’s Security Web Page(s)
Pamphlets
Post Cards
Presentations
Security Awareness Documents
Security Cards
Security Tools
Security Quizzes
Surveys
Videos
Information Security Governance
If businesses, educational institutions, and non-profit organizations are to make significant progress securing their information assets, executives must make information security an integral part of core business operations. There is no better way to accomplish this goal than to highlight it as part of the existing internal controls and policies that constitute corporate governance.
Information Security Governance Report: Executive Summary
InfoSec Governance Self Assessment
Organizational Reliance on IT. E.g., What is the impact of major system downtime on operations?
Risk Management. E.g., Has your organization conducted a risk assessment and identified critical assets?
People. E.g., Is there a person or organization that has information security as their primary duty?
Processes. E.g., Do you have official written information security policies and procedures?
Technology. E.g., Is sensitive data encrypted?
Information Security Governance Assessment Tool for Higher Education
Best Practices & Metrics
Information Security Program Elements:
Governance: Boards, Senior Executives, Shared Governance
Management: Directors and Managers
Technical: Central and Distributed IT Support Staff
CISWG Final Report on Best Practices & Metrics
Governance
Oversee Risk Management and Compliance Programs Pertaining to Information Security (e.g., Sarbanes-Oxley, HIPAA, Gramm-Leach-Bliley)
Approve and Adopt Broad Information Security Program Principles and Approve Assignment of Key Managers Responsible for Information Security
Strive to Protect the Interests of all Stakeholders Dependent on Information Security
Review Information Security Policies Regarding Strategic Partners and Other Third-parties
Strive to Ensure Business Continuity
Review Provisions for Internal and External Audits of the Information Security Program
Collaborate with Management to Specify the Information Security Metrics to be Reported to the Board
Management
Establish Information Security Management Policies and Controls and Monitor Compliance
Assign Information Security Roles, Responsibilities, Required Skills, and Enforce Role-based Information Access Privileges
Assess Information Risks, Establish Risk Thresholds and Actively Manage Risk Mitigation
Ensure Implementation of Information Security Requirements for Strategic Partners and Other Third-parties
Identify and Classify Information Assets
Implement and Test Business Continuity Plans
Approve Information Systems Architecture during Acquisition, Development, Operations, and Maintenance
Protect the Physical Environment
Ensure Internal and External Audits of the Information Security Program with Timely Follow-up
Collaborate with Security Staff to Specify the Information Security Metrics to be Reported to Management
Technical
User Identification and Authentication
User Account Management
User Privileges
Configuration Management
Event and Activity Logging and Monitoring
Communications, Email, and Remote Access Security
Malicious Code Protection, Including Viruses, Worms, and Trojans
Software Change Management, including Patching
Firewalls
Data Encryption
Backup and Recovery
Incident and Vulnerability Detection and Response
Collaborate with Management to Specify the Technical Metrics to be Reported to Management