Enterprise data (decentralized control, data security and privacy) Prevention: People and Process Rodney Petersen Security Task Force Coordinator EDUCAUSE

Posted 11-Jan-2016 (30 slides)

TRANSCRIPT

Page 1

Enterprise data (decentralized control, data security and privacy)

Prevention: People and Process

Rodney Petersen
Security Task Force Coordinator
EDUCAUSE

Page 2

Framing the Problem

INFORMATION: privacy and security, paper and electronic; reliance on networks and technology

Business CONTINUITY

Critical Infrastructure PROTECTION: part of National Strategy to Secure Homeland

Page 3

Security Processes

Deter

Prevent

Detect

React

Adapt

Burton Group: A Systematic, Comprehensive Approach to Information Security (Feb. 2005)

Page 4

Points of Emphasis

People

Processes

Technology

Page 5

Risk Management

Risk = Threats x Vulnerabilities x Impact

Page 6

Threat

An adversary that is motivated to exploit a system vulnerability and is capable of doing so.

National Research Council CSTB Report: Cybersecurity Today and Tomorrow: Pay Now or Pay Later (2002)

Page 7

Examples of Threats

Hackers

Insiders

“Script Kiddies”

Criminal Organizations

Terrorists

Enemy Nation States

Page 8

Vulnerability

An error or a weakness in the design, implementation, or operation of a system.

National Research Council CSTB Report: Cybersecurity Today and Tomorrow: Pay Now or Pay Later (2002)

Page 9

Examples of Vulnerabilities

Networks – wired and wireless

Operating Systems – especially Windows

Hosts and Systems

Malicious Code and Viruses

People

Processes

Physical Environments

Page 10

Impact

The harm that results if a vulnerability is exploited or a threat becomes harmful. Impact is the magnitude of that harm, not the likelihood of it; in Risk = Threats x Vulnerabilities x Impact, likelihood is carried by the threat and vulnerability terms.

National Research Council CSTB Report: Cybersecurity Today and Tomorrow: Pay Now or Pay Later (2002)

Page 11

Examples of Impact

Strategic Consequences
Financial Consequences
Legal Consequences
Operational Consequences
Reputational Consequences

Qayoumi, Mohammad H. “Mission Continuity Planning: Strategically Assessing and Planning for Threats to Operations,” NACUBO (2002).

Page 12

Handling Risks

Risk Assumption
Risk Control
Risk Mitigation
Risk Avoidance

Qayoumi, Mohammad H. “Mission Continuity Planning: Strategically Assessing and Planning for Threats to Operations,” NACUBO (2002).

Page 13

Framework for Risk Assessment

Phase 1: Identify Critical Assets and Security Strategies
Strategic Perspective
Operational Perspective
Practice Perspective
Consolidated View of Security Requirements

Phase 2: Identify Infrastructure Vulnerabilities (Technological View)
Key Technology Components
Selected Technology Components
Evaluation

Phase 3: Develop Security Strategy and Plans (Risk Analysis)
Risk Assessment
Protection Strategy and Mitigation Plan

Page 14

Institutional Policies

Policies are statements that reflect the philosophies, attitudes, or values of an organization related to a specific issue. They are generally represented in a paragraph or perhaps two, not pages. They might say “what” but not “how”. Checklists, procedures, standards, and guidelines all must implement, reflect, and support the applicable policy or policies. The entire set of statements is sometimes considered to be the “Policy”.

Bruhn and Petersen, A Primer on Policy Development for Institutions of Higher Education, 2003.

Page 15

Data Protection Policies

Acceptable Use Policy

Security Policy

Privacy Policy

Data Policy

Page 16

Security Policies

RFC2196: A security policy is a formal statement of the rules by which people who are given access to an organization’s technology and information assets must abide.

RFC2196: The main purpose of a security policy is to inform users, staff and managers of their obligatory requirements for protecting technology and information assets.

Page 17

Security Policy Components (RFC2196)

Computer Technology Purchasing
Privacy (i.e., sets reasonable expectations)
Access Rights and Privileges
Accountability (i.e., responsibilities)
Authentication
Availability (sets user expectations)
IT System and Network Maintenance
Violations Reporting
Contact Information

Page 18

Privacy Policies

Setting “reasonable expectations”

With respect to types of “personal info”:
Student Education Records (FERPA)
Protected Health Information (HIPAA)
Nonpublic Personal Financial Information (GLB Act)

Primary identifiers and use of SSNs
With respect to collection of information, i.e., privacy statements
With respect to disclosure of information, including public records requirements

Page 19

Data Policies

Enterprise data management structure

Data classification, for example:
Unrestricted Data
Sensitive Data
Critical Data

Roles and responsibilities, for example:
Data Trustees
Data Stewards
Data Managers

Access rights and privileges, i.e., data users
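The slide names the three ingredients of a data policy (classification tiers, steward roles, and access rights for data users) but not how they combine into an enforceable decision. The following is an added example, not code from the slides or from EDUCAUSE, that expresses such a policy as code: each tier carries a minimum set of technical safeguards, steward-type roles have a ceiling tier, ordinary users need an explicit per-dataset grant, and every decision is written to an audit list. The tier names and role names are taken from the slide; the safeguards required per tier, the role ceilings, the grant model and the sample inventory are assumptions made for illustration.

```python
"""Data-policy-as-code: classification tiers, steward roles, per-user grants.

Added example, not code from the EDUCAUSE slides. The tier names
(Unrestricted, Sensitive, Critical) and roles (Data Trustee, Data Steward,
Data Manager, data user) come from slide 19; the safeguards required per tier,
the role ceilings, the grant model and the sample inventory are assumptions.
"""
from dataclasses import dataclass, field
from enum import IntEnum


class Tier(IntEnum):
    """Classification tiers from the slide, ordered by sensitivity."""
    UNRESTRICTED = 0
    SENSITIVE = 1
    CRITICAL = 2


# Assumed minimum safeguards per tier; a tier also inherits every lower tier's.
TIER_SAFEGUARDS = {
    Tier.UNRESTRICTED: set(),
    Tier.SENSITIVE: {"access_control", "audit_logging"},
    Tier.CRITICAL: {"encryption_at_rest", "mfa"},
}

# Assumed role authority: highest tier a steward-type role may access without a
# per-dataset grant. Ordinary data users are not listed; they need grants.
ROLE_CEILING = {"trustee": Tier.CRITICAL, "steward": Tier.CRITICAL, "manager": Tier.SENSITIVE}


@dataclass
class Dataset:
    name: str
    tier: Tier
    safeguards: set = field(default_factory=set)   # safeguards actually in place


@dataclass
class Grant:
    user: str
    dataset: str
    operations: frozenset


def required_safeguards(tier: Tier) -> set:
    """Everything a dataset of this tier must implement (own tier plus lower)."""
    return set().union(*(TIER_SAFEGUARDS[t] for t in Tier if t <= tier))


def compliance_gaps(ds: Dataset) -> set:
    """Required safeguards the dataset does not yet implement."""
    return required_safeguards(ds.tier) - ds.safeguards


def authorize(user, role, op, ds, grants, audit):
    """Decide one access request and append the decision to the audit list.

    Assumed rules: (1) a dataset missing a required safeguard is closed to
    everyone until fixed, so a policy gap never becomes an access path;
    (2) unrestricted data may be read by anyone; (3) trustees, stewards and
    managers act up to their role ceiling; (4) anyone else needs an explicit
    grant covering the operation. Denials are logged, not just successes.
    """
    gaps = compliance_gaps(ds)
    if gaps:
        allowed, reason = False, f"dataset non-compliant, missing {sorted(gaps)}"
    elif ds.tier == Tier.UNRESTRICTED and op == "read":
        allowed, reason = True, "unrestricted data"
    elif role in ROLE_CEILING and ds.tier <= ROLE_CEILING[role]:
        allowed, reason = True, f"role {role} covers tier {ds.tier.name}"
    elif any(g.user == user and g.dataset == ds.name and op in g.operations
             for g in grants):
        allowed, reason = True, "explicit grant"
    else:
        allowed, reason = False, "no role authority and no grant"
    audit.append({"user": user, "role": role, "op": op, "dataset": ds.name,
                  "allowed": allowed, "reason": reason})
    return allowed


def run_demo():
    """Walk a constructed inventory through the policy; returns (results, audit)."""
    catalog = Dataset("course-catalog", Tier.UNRESTRICTED)
    records = Dataset("student-records", Tier.SENSITIVE,
                      {"access_control", "audit_logging"})
    payroll = Dataset("payroll", Tier.CRITICAL,
                      {"access_control", "audit_logging", "mfa"})  # not yet encrypted
    grants = [Grant("jdoe", "student-records", frozenset({"read"}))]
    audit = []
    results = {}
    results["anyone reads catalog"] = authorize("anon", "user", "read", catalog, grants, audit)
    results["jdoe reads records"] = authorize("jdoe", "user", "read", records, grants, audit)
    results["jdoe writes records"] = authorize("jdoe", "user", "write", records, grants, audit)
    results["trustee reads unencrypted payroll"] = authorize("tru", "trustee", "read", payroll, grants, audit)
    payroll.safeguards.add("encryption_at_rest")   # steward remediates the gap
    results["trustee reads encrypted payroll"] = authorize("tru", "trustee", "read", payroll, grants, audit)
    results["manager reads encrypted payroll"] = authorize("mgr", "manager", "read", payroll, grants, audit)
    return results, audit


if __name__ == "__main__":
    res, log = run_demo()
    for entry in log:
        print(entry)
```

The ordering of the checks is the security-relevant design choice: compliance is tested before any role or grant, so even a Data Trustee cannot read Critical data that is not yet encrypted at rest, and the audit entry records why. In a real deployment the tier-to-safeguard table and role ceilings would come from the institution's written data policy rather than constants in the module.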

Page 20

Protection of Sensitive Personal Information

Develop, implement, maintain, and enforce a written program for the security of sensitive personal information that you collect, maintain, sell, transfer, or dispose of, containing:
administrative safeguards
technical safeguards
physical safeguards

to:
1. ensure the security and confidentiality of such data;
2. protect against any anticipated threats or hazards to the security or integrity of such data; and
3. protect against unauthorized access to, or use of, such data that could result in substantial harm to any individual.

S. 1408: Identity Theft Protection Act (109th Congress)

Page 21

Awareness & Training

Who needs “awareness” (consciousness-raising)? All users!
Executives
Faculty
Staff
Students
Users of Sensitive Data
IT Staff

Training (skills development): especially for data stewards, IT staff, and the information security team

Page 22

ACE Letter to Presidents

Set the tone: ensure that all campus stakeholders know that you take Cybersecurity seriously. Insist on community-wide awareness and accountability.

Establish responsibility for campus-wide Cybersecurity at the cabinet level. At a large university, this responsibility might be assigned to the Chief Information Officer. At a small college, this person may have responsibility for many areas, including the institutional computing environment.

Ask for a periodic Cybersecurity risk assessment that identifies the most important risks to your institution. Manage these risks in the context of institutional planning and budgeting.

Request updates to your Cybersecurity plans on a regular basis in response to the rapid evolution of the technologies, vulnerabilities, threats, and risks.

Page 23

Cybersecurity Awareness Resources CD

The Awareness and Training Working Group of the EDUCAUSE/Internet2 Security Task Force compiled cybersecurity awareness resources distributed on a CD.

The resources were collected to showcase the variety of security awareness efforts underway at institutions of higher education and to provide resources for colleges and universities that are looking to jump-start a program for their organization. 

Page 24

What’s on the CD?

Pamphlets
Post Cards
Presentations
Security Awareness Documents
Security Cards
Security Tools
Security Quizzes
Surveys
Videos

Book Marks
Brochures
Checklists
Flyers
Games
Government Resources
Handouts
Industry Resources
Links to School’s Security Web Page(s)

Page 25

Information Security Governance

If businesses, educational institutions, and non-profit organizations are to make significant progress securing their information assets, executives must make information security an integral part of core business operations. There is no better way to accomplish this goal than to highlight it as part of the existing internal controls and policies that constitute corporate governance.

Information Security Governance Report: Executive Summary

Page 26

InfoSec Governance Self Assessment

Organizational Reliance on IT. E.g., What is the impact of major system downtime on operations?

Risk Management. E.g., Has your organization conducted a risk assessment and identified critical assets?

People. E.g., Is there a person or organization that has information security as their primary duty?

Processes. E.g., Do you have official written information security policies and procedures?

Technology. E.g., Is sensitive data encrypted?

Information Security Governance Assessment Tool for Higher Education

Page 27

Best Practices & Metrics

Information Security Program Elements:

Governance: Boards, Senior Executives, Shared Governance

Management: Directors and Managers

Technical: Central and Distributed IT Support Staff

CISWG Final Report on Best Practices & Metrics

Page 28

Governance

Oversee Risk Management and Compliance Programs Pertaining to Information Security (e.g., Sarbanes-Oxley, HIPAA, Gramm-Leach-Bliley)
Approve and Adopt Broad Information Security Program Principles and Approve Assignment of Key Managers Responsible for Information Security
Strive to Protect the Interests of all Stakeholders Dependent on Information Security
Review Information Security Policies Regarding Strategic Partners and Other Third-parties
Strive to Ensure Business Continuity
Review Provisions for Internal and External Audits of the Information Security Program
Collaborate with Management to Specify the Information Security Metrics to be Reported to the Board

Page 29

Management

Establish Information Security Management Policies and Controls and Monitor Compliance
Assign Information Security Roles, Responsibilities, Required Skills, and Enforce Role-based Information Access Privileges
Assess Information Risks, Establish Risk Thresholds and Actively Manage Risk Mitigation
Ensure Implementation of Information Security Requirements for Strategic Partners and Other Third-parties
Identify and Classify Information Assets
Implement and Test Business Continuity Plans
Approve Information Systems Architecture during Acquisition, Development, Operations, and Maintenance
Protect the Physical Environment
Ensure Internal and External Audits of the Information Security Program with Timely Follow-up
Collaborate with Security Staff to Specify the Information Security Metrics to be Reported to Management

Page 30

Technical

User Identification and Authentication
User Account Management
User Privileges
Configuration Management
Event and Activity Logging and Monitoring
Communications, Email, and Remote Access Security
Malicious Code Protection, Including Viruses, Worms, and Trojans
Software Change Management, including Patching
Firewalls
Data Encryption
Backup and Recovery
Incident and Vulnerability Detection and Response
Collaborate with Management to Specify the Technical Metrics to be Reported to Management