A Blueprint for Handling Sensitive Data: Security, Privacy, and Other Considerations

H. Morrow Long, Director, Information Security, Yale University
Krizi Trivisani, Chief Security Officer, The George Washington University

EDUCAUSE Seminar Series, Los Angeles, California. PowerPoint presentation.

Transcript of A Blueprint for Handling Sensitive Data: Security, Privacy, and Other Considerations

Page 1: A Blueprint for Handling Sensitive Data: Security, Privacy, and Other Considerations

A Blueprint for Handling Sensitive Data: Security, Privacy, and Other Considerations

H. Morrow Long, Director, Information Security, Yale University
Krizi Trivisani, Chief Security Officer, The George Washington University

EDUCAUSE Seminar Series
Los Angeles, California

Page 2: A Blueprint for Handling Sensitive Data: Security, Privacy, and Other Considerations

2

Introductions

Ice-breaker BINGO!!
• 5 minutes
• First 10 people to get BINGO win a prize!

Introductions:
• Name
• Title or Functional Description of Duties
• Organizational Affiliation
• What do you want to get out of this session?

Page 3: A Blueprint for Handling Sensitive Data: Security, Privacy, and Other Considerations

3

Overview to Seminar

Information security risks at colleges and universities present challenging legal, policy, technical, and operational issues. Security incidents have resulted in compromises of personal information which have led to bad publicity and the potential for identity theft. Risks to information security at colleges and universities continue to persist and necessitate that individuals at all levels of the institution become engaged to prevent further data breaches from occurring. This seminar will outline a blueprint for protecting sensitive data according to the EDUCAUSE/Internet2 Security Task Force.

Page 4: A Blueprint for Handling Sensitive Data: Security, Privacy, and Other Considerations

4

Seminar Goals

At the end of this session:

You should feel comfortable discussing common cybersecurity threats plaguing higher education and computer users in general.

You will have a list of key strategies to follow for stopping the leakage of confidential/sensitive data.

You will be introduced to several security resources and best practices to help you apply the key strategies.

Page 5: A Blueprint for Handling Sensitive Data: Security, Privacy, and Other Considerations

5

Today’s Roadmap

• Foundations of Cybersecurity in Higher Ed
• The Blueprint
  • Creating a Security Risk-Aware Culture
  • Defining Institutional Data Types
  • Clarify Responsibilities and Accountability
  • Reducing Access to Data Not Absolutely Essential
  • Establishing and Implementing Stricter Controls
  • Providing Awareness and Training
  • Verifying Compliance
• Putting it All Together: Moving from Planning to Action

Page 6: A Blueprint for Handling Sensitive Data: Security, Privacy, and Other Considerations

6

Higher Ed IT Environments

Technology Environment
• Distributed computing and wide range of hardware and software from outdated to state-of-the-art
• Increasing demands for distributed computing, distance learning and mobile/wireless capabilities which create unique security challenges

Leadership Environment
• Reactive rather than proactive
• Lack of clearly defined goals (what do we need to protect and why)

Academic Culture
• Persistent belief that security & academic freedom are antithetical
• Tolerance, experimentation, and anonymity highly valued

Page 7: A Blueprint for Handling Sensitive Data: Security, Privacy, and Other Considerations

7

Higher Ed IT Environments

Current Status: “The information security environment has become increasingly more dangerous. News accounts have reported Higher Education institutions involved in dozens of incidents of compromised confidential information over the past year. The cost of notifying and offering assistance to those individuals who have had their privacy information compromised can run into the hundreds of thousands of dollars for each incident. Increased regulatory requirements also make it imperative that the University be able to show a level of due diligence in the protection of its systems and confidential data.”

Why is this in quotes?

Page 8: A Blueprint for Handling Sensitive Data: Security, Privacy, and Other Considerations

8

Goals of Cybersecurity

Confidentiality - information requires protection from unauthorized use or disclosure.

Integrity - information must be protected from unauthorized, unanticipated, or unintentional modification.

Availability - computers, systems, networks, and information must be available on a timely basis to meet mission requirements or to avoid substantial losses.

Page 9: A Blueprint for Handling Sensitive Data: Security, Privacy, and Other Considerations

9

Security Processes

Deter

Prevent

Detect

React

Adapt

Burton Group: A Systematic, Comprehensive Approach to Information Security (Feb. 2005)

Page 10: A Blueprint for Handling Sensitive Data: Security, Privacy, and Other Considerations

10

Security Implementation Relies On:

• Process: Processes must be developed that show how policies will be implemented
• People: People must understand their responsibilities regarding policy
• Technology: Systems must be built to technically adhere to policy
• Policies must be developed, communicated, maintained and enforced

Page 11: A Blueprint for Handling Sensitive Data: Security, Privacy, and Other Considerations

11

Framing the Problem

Discussion – Breaches in Higher Education How did they occur? Who was impacted? How much did it cost? Are there themes? What’s changed?

Page 12: A Blueprint for Handling Sensitive Data: Security, Privacy, and Other Considerations

12

The Blueprint

Confidential Data Handling Blueprint Purpose

• To provide a list of key strategies to follow for stopping the leakage of confidential/sensitive data.
• To provide a toolkit that constructs resources pertaining to confidential/sensitive data handling.

https://wiki.internet2.edu/confluence/display/secguide/Confidential+Data+Handling+Blueprint

Page 13: A Blueprint for Handling Sensitive Data: Security, Privacy, and Other Considerations

13

The Blueprint

Confidential Data Handling Blueprint Introduction

• Steps and ensuing sub-items are intended to provide a general roadmap
• Institutions will be at varying stages of progress
• Organized in a sequence that allows you to logically follow through each step
• Each item is recommended as an effective practice; state/local legal requirements, institutional policy, or campus culture might leave each institution approaching this differently

Page 14: A Blueprint for Handling Sensitive Data: Security, Privacy, and Other Considerations

14

Step 1

Create a security risk-aware culture that includes an information security risk management program

Sub-steps
1.1 Institution-wide security risk management program
1.2 Roles and responsibilities defined for overall information security at the central and distributed level
1.3 Executive leadership support in the form of policies and governance actions

Page 15: A Blueprint for Handling Sensitive Data: Security, Privacy, and Other Considerations

15

Why Do We Care?

HIPAA

FERPA

GLBA

Sarbanes Oxley Act

Grant requirements

Compliance

Other local state and federal regulations

Page 16: A Blueprint for Handling Sensitive Data: Security, Privacy, and Other Considerations

16

Risk Management

Risk = Threats x Vulnerabilities x Impact

Page 17: A Blueprint for Handling Sensitive Data: Security, Privacy, and Other Considerations

17

Threat

An adversary that is motivated to exploit a system vulnerability and is capable of doing so

National Research Council CSTB Report: Cybersecurity Today and Tomorrow: Pay Now or Pay Later (2002)

Page 18: A Blueprint for Handling Sensitive Data: Security, Privacy, and Other Considerations

18

Examples of Threats

Hackers

Insiders

“Script Kiddies”

Criminal Organizations

Terrorists

Enemy Nation States

Page 19: A Blueprint for Handling Sensitive Data: Security, Privacy, and Other Considerations

19

Vulnerability

An error or a weakness in the design, implementation, or operation of a system.

National Research Council CSTB Report: Cybersecurity Today and Tomorrow: Pay Now or Pay Later (2002)

Page 20: A Blueprint for Handling Sensitive Data: Security, Privacy, and Other Considerations

20

Examples of Vulnerabilities

Networks – wired and wireless

Operating Systems – especially Windows

Hosts and Systems

Malicious Code and Viruses

People

Processes

Physical Environments

Page 21: A Blueprint for Handling Sensitive Data: Security, Privacy, and Other Considerations

21

Impact

Refers to the likelihood that a vulnerability will be exploited or that a threat may become harmful.

National Research Council CSTB Report: Cybersecurity Today and Tomorrow: Pay Now or Pay Later (2002)

Page 22: A Blueprint for Handling Sensitive Data: Security, Privacy, and Other Considerations

22

Examples of Impact

• Strategic Consequences
• Financial Consequences
• Legal Consequences
• Operational Consequences
• Reputational Consequences

Qayoumi, Mohammad H. “Mission Continuity Planning: Strategically Assessing and Planning for Threats to Operations,” NACUBO (2002).

Page 23: A Blueprint for Handling Sensitive Data: Security, Privacy, and Other Considerations

23

Risk Management

Risk = Threats x Vulnerabilities x Impact

Page 24: A Blueprint for Handling Sensitive Data: Security, Privacy, and Other Considerations

24

Handling Risks

• Risk Assumption
• Risk Control
• Risk Mitigation
• Risk Avoidance

Qayoumi, Mohammad H. “Mission Continuity Planning: Strategically Assessing and Planning for Threats to Operations,” NACUBO (2002).

Page 25: A Blueprint for Handling Sensitive Data: Security, Privacy, and Other Considerations

25

What Defines Culture?

Strategic Planning and Decision-Making Examples:
• Top-down
• Bottom-up
• Consensus-based

Institutional Values Examples:
• Student honor code
• Strong faculty influence
• Emphasis on accountability at all levels of institution
• High bond rating

Page 26: A Blueprint for Handling Sensitive Data: Security, Privacy, and Other Considerations

26

What Defines Culture?

Control of Operational Functions Examples:

• Centralized

• Decentralized

Long-term Institutional Priorities Examples:

• Increase research
• Increase community outreach

Other influences on culture?

Page 27: A Blueprint for Handling Sensitive Data: Security, Privacy, and Other Considerations

27

Ideas For Using Culture

Decentralized Control Over Computing

Formalize and leverage network of departmental system administrators

How? Some Examples:
• University of Virginia LSP Program
  http://www.itc.virginia.edu/dcs/lsp
• George Mason University SALT Group
  http://itu.gmu.edu/security/sysadmin/salt-description.html

Page 28: A Blueprint for Handling Sensitive Data: Security, Privacy, and Other Considerations

28

Ideas For Using Culture

Increasing Emphasis on Compliance

Spotlight Federal Regulations Related to Security & Privacy

How? Some Examples:
• IT Security for Higher Education: A Legal Perspective
  http://www.educause.edu/ir/library/pdf/csd2746.pdf
• Family Educational Rights & Privacy Act
  http://www.ed.gov/policy/gen/guid/fpcp/ferpa/index.html
• Gramm Leach Bliley Act
  http://www.ftc.gov/privacy/glbact/index.html
• Health Insurance Portability & Accountability Act
  http://www.hhs.gov/ocr.hipaa

Page 29: A Blueprint for Handling Sensitive Data: Security, Privacy, and Other Considerations

29

Ideas For Using Culture

Strong Leadership at the Top

Make Executive-level Awareness a Top Priority

How?
• ACE Letter to Presidents Regarding Cybersecurity
  http://www.acenet.edu/washington/letters/2003/03march/cyber.cfm
• Information Security: A Difficult Balance
  http://www.educause.edu/pub/er/erm04/erm0456.asp
• Gaining the President’s Support for IT Initiatives at Small Colleges
  http://www.educause.edu/apps/eq/eqm04/eqm0417.asp
• Presidential Leadership for Information Technology
  http://www.educause.edu/ir/library/pdf/erm0332.pdf

Page 30: A Blueprint for Handling Sensitive Data: Security, Privacy, and Other Considerations

30

Morning Break

Break 10:15 AM

Return 10:30 AM

Page 31: A Blueprint for Handling Sensitive Data: Security, Privacy, and Other Considerations

31

Step 2

Define institutional data types

Sub-steps
2.1 Compliance with applicable federal and state laws and regulations - as well as contractual obligations - related to privacy and security of data held by the institution (also consider applicable international laws)
2.2 Data classification schema developed with input from legal counsel and data stewards
2.3 Data classification schema assigned to institutional data to the extent possible or necessary

Page 32: A Blueprint for Handling Sensitive Data: Security, Privacy, and Other Considerations

32

Institutional Data Types

Discussion –
• Do you have a data classification schema?
• Do you have a policy?
• Why is this step important?

Page 33: A Blueprint for Handling Sensitive Data: Security, Privacy, and Other Considerations

33

Data Classification Policy

Provides the framework necessary to identify and classify data in order to assess risk and implement an appropriate level of security protection based on categorization.

Provides the framework necessary to comply with legislation, regulations, and internal policies that govern the protection of data

Provides the framework necessary to facilitate and make the Incident Response process more efficient. The level in which the data is classified determines the level of response.

Page 34: A Blueprint for Handling Sensitive Data: Security, Privacy, and Other Considerations

34

Data Classification – Policy Objectives

Communicates data categories to the University community and provides examples of how data should be classified

Communicates the high level requirements necessary to protect data based on category

Communicates the roles and responsibilities of various members of the University community and external associates as it relates to GW owned data

Page 35: A Blueprint for Handling Sensitive Data: Security, Privacy, and Other Considerations

35

Data Classification at GW

[Figure: matrix of Privacy Levels (Confidential, Official, Public) against Operations Levels (Enterprise System, Department Server, Desktop/Laptop), ranging from Lowest Security / Lowest Operations to Highest Security / Highest Operations.]

Note, numbers in boxes suggest the priority levels for mitigating risks.

Page 36: A Blueprint for Handling Sensitive Data: Security, Privacy, and Other Considerations

36

Step 3

Clarify responsibilities and accountability for safeguarding confidential/sensitive data

Sub-steps
3.1 Data stewardship roles and responsibilities
3.2 Legally binding third party agreements that assign responsibility for secure data handling

Page 37: A Blueprint for Handling Sensitive Data: Security, Privacy, and Other Considerations

37

Example – University of North Carolina

Data Trustee: Data trustees are senior University officials (or their designees) who have planning and policy-level responsibility for data within their functional areas and management responsibilities for defined segments of institutional data. Responsibilities include assigning data stewards, participating in establishing policies, and promoting data resource management for the good of the entire University.

Data Steward: Data stewards are University officials having direct operational-level responsibility for information management – usually department directors. Data stewards are responsible for data access and policy implementation issues.

Data Custodian: Information Technology Services is the data custodian. The custodian is responsible for providing a secure infrastructure in support of the data, including, but not limited to, providing physical security, backup and recovery processes, granting access privileges to system users as authorized by data trustees or their designees (usually the data stewards), and implementing and administering controls over the information.

Data User: Data users are individuals who need and use University data as part of their assigned duties or in fulfillment of assigned roles or functions within the University community. Individuals who are given access to sensitive data have a position of special trust and as such are responsible for protecting the security and integrity of those data.

http://its.uncg.edu/Policy_Manual/Data/

Page 38: A Blueprint for Handling Sensitive Data: Security, Privacy, and Other Considerations

38

Step 4

Reduce access to confidential/sensitive data not absolutely essential to institutional processes

Sub-steps
4.1 Data collection processes (including forms) should request only the minimum necessary confidential/sensitive information
4.2 Application outputs (e.g., queries, hard copy reports, etc.) should provide only the minimum necessary confidential/sensitive information
4.3 Inventory and review access to existing confidential/sensitive data on servers, desktops, and mobile devices

Page 39: A Blueprint for Handling Sensitive Data: Security, Privacy, and Other Considerations

39

Step 4 continued…

Reduce access to confidential/sensitive data not absolutely essential to institutional processes

Sub-steps continued
4.4 Eliminate unnecessary confidential/sensitive data on servers, desktops, and mobile devices
4.5 Eliminate dependence on SSNs as primary identifiers and as a form of authentication*

*Note: SSNs may need to be used for certain things (e.g., student employees, student financial aid, etc.) and we recommend that schools limit the use of SSNs to necessary processes only.

Page 40: A Blueprint for Handling Sensitive Data: Security, Privacy, and Other Considerations

40

Elimination of SSNs

Federal and state law requires the collection of your Social Security number (SSN) for certain purposes (for example, IRS reporting forms). However, widespread use of an individual's SSN is a major privacy concern. With incidents of identity theft increasing, steps to secure an individual's SSN become more important. A large number of colleges and universities use SSNs as primary identifiers for faculty, staff, and students, which exposes institutions to risk because of changing legal and security environments. Therefore, many institutions are planning for the migration away from SSN use as a primary identifier. Undertaking such a task raises issues, challenges, and opportunities for any institution. EDUCAUSE has identified links concerning the elimination of SSNs as primary identifiers that may be useful to the higher education community.

http://www.educause.edu/Browse/645?PARENT_ID=701

Page 41: A Blueprint for Handling Sensitive Data: Security, Privacy, and Other Considerations

41

Lunch

Break 12PM

Return 1PM

Page 42: A Blueprint for Handling Sensitive Data: Security, Privacy, and Other Considerations

42

Step 5

Establish and implement stricter controls for safeguarding confidential/sensitive data

Sub-steps
5.1 Inventory and review/remediate security of devices
5.2 Configuration standards for applications, servers, desktops, and mobile devices
5.3 Network level protections
5.4 Encryption strategies for data in transit and at rest

Page 43: A Blueprint for Handling Sensitive Data: Security, Privacy, and Other Considerations

43

Step 5 continued…

Establish and implement stricter controls for safeguarding confidential/sensitive data

Sub-steps continued
5.5 Policies regarding confidential/sensitive data on mobile devices and home computers and for data archival/storage
5.6 Identity management and resource provisioning processes
5.7 Secure disposal of equipment and data
5.8 Consider background checks on individuals handling confidential/sensitive data

Page 44: A Blueprint for Handling Sensitive Data: Security, Privacy, and Other Considerations

44

Encryption Collaboration

Call for help – what are other universities doing?

Privacy Committee, Compliance Committee, LSPs

Key Stakeholders

Project management

Information Security Office + Technology Services + Technology Engineering = OneTeam

Page 45: A Blueprint for Handling Sensitive Data: Security, Privacy, and Other Considerations

45

GW Scoring Criteria/Selection Rationale

Vendors were evaluated on RFP requirements that covered “Whole Disk” and “Nice to Have” requirements:

| Product Evaluation Category | Vendor 1 | Utimaco | Vendor 3 |
| Whole Disk - Authentication | 38 | 37 | 35 |
| Whole Disk - General | 127 | 126 | 126 |
| Whole Disk - Integration | 58 | 58 | 54 |
| Whole Disk - Management | 44 | 44 | 44 |
| Nice to Have | 5 | 9 | 5 |
| Total | 272 | 274 | 264 |
| Recommended? | X - No | √ - Yes | X - No |

Out of a possible total weighted score of 285, Utimaco scored the highest based on the requirements defined in the RFP, had the lowest price and was the only product fully compatible with VMWare

Note: Vendors were asked to respond to File and Folder Encryption Requirements but were not scored on them

Page 46: A Blueprint for Handling Sensitive Data: Security, Privacy, and Other Considerations

46

GW’s Encryption Pilot

• Planning
• Technical set-up
• Central IT Group 50%, Departments 50%
• Communicate, communicate, communicate
• Pilot results
• Party!

Page 47: A Blueprint for Handling Sensitive Data: Security, Privacy, and Other Considerations

47

GW Enterprise Rollout – 50,000 Foot View

| Rollout Phase | Description - Device Type | Est # Users / Est # Machines | Estimated Timeframe |
| A | Administrative Laptops and some Academic Dept Laptops used for Admin Purposes | 1700 / 400 Laptops | Dec ‘06 – Feb ‘07 |
| B | Faculty Machines (Laptops and Desktops) – FWI + self-identify case by case | 300 Machines¹ (Laptops and Desktops) | May ‘07 – May ‘10 (3 year FWI attrition cycle) |
| C | Administrative Desktops some Academic Dept Desktops used for Admin Purposes | TBD / TBD | June ‘07 – Dec ‘07 |
| D | Other Devices (External Hard Drives, Thumb Drives, etc) | TBD / TBD | TBD |

¹ Note: This assumes a 3 year FWI machine replacement plan for most faculty, except those that self-identify to adopt Safeguard Easy on an existing machine

Page 48: A Blueprint for Handling Sensitive Data: Security, Privacy, and Other Considerations

48

Encryption Lessons Learned?

• References provided invaluable advice
• Project management support crucial
• Flexibility required
• Know your culture
• Integrate with security philosophy and architecture
• Establish generic policy and add guidelines/procedures as process matures
• Communication and partnerships were critical success factors

Page 49: A Blueprint for Handling Sensitive Data: Security, Privacy, and Other Considerations

49

Step 5 continued…

Establish and implement stricter controls for safeguarding confidential/sensitive data

Sub-steps continued
5.5 Policies regarding confidential/sensitive data on mobile devices and home computers and for data archival/storage
5.6 Identity management and resource provisioning processes
5.7 Secure disposal of equipment and data
5.8 Consider background checks on individuals handling confidential/sensitive data

Page 50: A Blueprint for Handling Sensitive Data: Security, Privacy, and Other Considerations

50

EDUCAUSE Identity Management Resources

Recent Library Submissions (3)
• CIC Identity Management Conference Session: Federated Identity Management and Sharing Resources (2007) by Jim Phelps, IT Architect in Academia
• Identity Management Conference Report (2007) by Committee on Institutional Cooperation
• A Report on the Identity Management Summit (2007) by Norma Holland, Ann West and Steve Worona, EDUCAUSE

Most Popular Library Content (3)
• Top-Ten IT Issues, 2006 (2006) by Barbara I. Dewey, Peter B. DeBlois, and the 2006 EDUCAUSE Current Issues Committee, EDUCAUSE
• Safeguarding the Tower: IT Security in Higher Education 2006 (2006) by Robert B. Kvavik, with John Voloudakis, ECAR
• Identity Management in Higher Education: A Baseline Study (2006) by Ronald Yanosky, with Gail Salaway, ECAR

http://www.educause.edu/Browse/645?PARENT_ID=679

Page 51: A Blueprint for Handling Sensitive Data: Security, Privacy, and Other Considerations

51

Step 6

Provide awareness and training

Sub-steps
6.1 Make confidential/sensitive data handlers aware of privacy and security requirements
6.2 Require acknowledgement by data users of their responsibility for safeguarding such data
6.3 Enhance general privacy and security awareness programs to specifically address safeguarding confidential/sensitive data
6.4 Collaboration mechanisms such as e-mail have strengths and limitations in terms of access control, which must be clearly communicated and understood so that the data will be safe-guarded

Page 52: A Blueprint for Handling Sensitive Data: Security, Privacy, and Other Considerations

52

Awareness and Training

Goal
To increase the awareness of the associated risks of computer and network use and the corresponding responsibilities of higher education executives and end-users of technology (faculty, staff, and students), and to further the professional development of information technology staff.

Programs
• Outreach to Higher Ed Associations and Beyond
• Annual Security Professionals Conference
• Education & Awareness Working Group

Initiatives
• Leadership Book on Computer & Network Security for Higher Ed
• National Cyber Security Awareness Month
• Cybersecurity Awareness Resources
• Executive Awareness, Student Awareness, & Training of IT Staff

Page 53: A Blueprint for Handling Sensitive Data: Security, Privacy, and Other Considerations

53

What is Security Awareness?

Security awareness is knowledge of potential threats. It is the advantage of knowing what types of security issues and incidents members of our organization may face in the day-to-day routine of their University functions.

Technology alone cannot provide adequate information security. People, awareness and personal responsibility are critical to the success of any information security program.

Page 54: A Blueprint for Handling Sensitive Data: Security, Privacy, and Other Considerations

54

Why is Awareness Important?

Page 55: A Blueprint for Handling Sensitive Data: Security, Privacy, and Other Considerations

55

When I Go To U.Va….

http://www.itc.virginia.edu/pubs/docs/RespComp/videos/when-I-go-to-UVA-lg.mov

Page 56: A Blueprint for Handling Sensitive Data: Security, Privacy, and Other Considerations

56

Who is your Audience?

• Faculty
• Staff
• Students
• Parents
• Contractors
• Visitors
• Community/industry partners - outreach

Page 57: A Blueprint for Handling Sensitive Data: Security, Privacy, and Other Considerations

57

Step 7

Verify compliance routinely with your policies and procedures

Sub-steps
7.1 Routinely test network-connected devices and services for weaknesses in operating systems, applications, and encryption
7.2 Routinely scan servers, desktops, mobile devices, and networks containing confidential/sensitive data to verify compliance
7.3 Routinely audit access privileges
7.4 Procurement procedures and contract language to ensure proper data handling is maintained

Page 58: A Blueprint for Handling Sensitive Data: Security, Privacy, and Other Considerations

58

Step 7 continued…

Verify compliance routinely with your policies and procedures

Sub-steps continued
7.5 System development methodologies that prevent new data handling problems from being introduced into the environment
7.6 Utilize audit function within the institution to verify compliance
7.7 Incident response policies and procedures
7.8 Conduct regular meetings with stakeholders such as data stewards, legal counsel, compliance officers, public safety, public relations, and IT groups to review institutional risk and compliance and to revise existing policies and procedures as needed

Page 59: A Blueprint for Handling Sensitive Data: Security, Privacy, and Other Considerations

59

GW Security Tool Kit

To provide departments managing systems outside of the GW Data Center with standard guidelines and procedures

Policies

Systems Checklist - Departmental Servers and Enterprise Systems - an inventory of the systems, functionality, system administration and security settings

Best Practices for Department Server and Enterprise System Checklist - these are the specific security categories that were assessed during the PWC Audit.

Server Management Best Practices - from the Center for Internet Security. There are currently minimum security configurations for 14 types of systems

Page 60: A Blueprint for Handling Sensitive Data: Security, Privacy, and Other Considerations

60

GW Security Tool Kit continued…

To provide departments managing systems outside of the GW Data Center with standard guidelines and procedures

Security Controls Matrix for Data Classification - to determine security controls based on the type of information on the system (Public, Official Use, Confidential) and the type of system itself (Desktop, Departmental Server, Enterprise System).

Information Security Training and Awareness - information about online training available to all employees.

Resources – encryption, incident response, presentations, etc.

Page 61: A Blueprint for Handling Sensitive Data: Security, Privacy, and Other Considerations

61

Compliance Scenario

GW conducted an audit project of 236+ departmentally controlled servers for security and PII (aka: Server Information Security Project, or SISP)

Project commissioned by EVP&T and CIO

Audited configuration of computers and detection of SSNs

Page 62: A Blueprint for Handling Sensitive Data: Security, Privacy, and Other Considerations

62

Compliance Scenario

PII on almost 50% of servers admins thought it was NOT on

About 75% of computers that were compromised had completely up-to-date antivirus and/or firewalls

Security efforts focused mostly on protecting servers as opposed to data

Page 63: A Blueprint for Handling Sensitive Data: Security, Privacy, and Other Considerations

63

Compliance Scenario

• Address problems in first pass
• Include all computers with *access* to sensitive data, not only known storage
• Contrast locations of PII to current security architecture
• Desktops versus servers...
• Integration with patch management systems?
• Secure reporting
• Log parsing by junior-level security staff

Page 64: A Blueprint for Handling Sensitive Data: Security, Privacy, and Other Considerations

64

Safety Analyzer

Free tool for higher education

Sensitive Data Detection
• SSNs with heuristics
• Credit Card numbers with Luhn algorithm validation

Compromise Detection
• Trojan file detection
• Kernel-level rootkit detection
• IR-related data harvesting
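The two sensitive-data checks named on this slide, sketched in Python as an added example (it is not Safety Analyzer's code and not part of the original slides). The regular expressions, the SSN heuristics (rejecting area, group and serial values that are never issued), the masked reporting and the sample text are assumptions made for illustration.

```python
import re

# Assumed candidate patterns (illustrative, not taken from any particular tool).
# SSN: 3-2-4 digits using the same separator (dash or space) in both positions,
# and not embedded in a longer run of digits or dashes.
SSN_RE = re.compile(r"(?<![\d-])(\d{3})([- ])(\d{2})\2(\d{4})(?![\d-])")
# Card number: 13 to 19 digits, optionally separated by single spaces or dashes.
CARD_RE = re.compile(r"(?<![\d-])\d(?:[ -]?\d){12,18}(?![\d-])")


def ssn_plausible(area, group, serial):
    """Heuristic filter: drop values that are never issued as SSNs."""
    if area in ("000", "666") or area >= "900":
        return False
    if group == "00" or serial == "0000":
        return False
    return True


def luhn_valid(digits):
    """Luhn check: double every second digit from the right, sum, test mod 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan_text(text):
    """Return (line number, kind, masked value) for each likely SSN or card number.

    Values are masked so that the report itself does not become a new copy
    of the sensitive data.
    """
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in SSN_RE.finditer(line):
            if ssn_plausible(m.group(1), m.group(3), m.group(4)):
                findings.append((lineno, "SSN", "***-**-" + m.group(4)))
        for m in CARD_RE.finditer(line):
            digits = re.sub(r"\D", "", m.group(0))
            if luhn_valid(digits):
                masked = "*" * (len(digits) - 4) + digits[-4:]
                findings.append((lineno, "CARD", masked))
    return findings


# Constructed sample data: no value here comes from a real record.
SAMPLE = """\
name,id,notes
Alice Example,123-45-6789,payroll export
Bob Example,000-12-3456,placeholder id
Carol Example,987-65-4321,test record
order 4111 1111 1111 1111 shipped
order 4111 1111 1111 1112 shipped
tracking 1234567890123456
phone 555-867-5309
"""

if __name__ == "__main__":
    for lineno, kind, masked in scan_text(SAMPLE):
        print(f"line {lineno}: {kind} {masked}")
```

The heuristics and the checksum exist to cut false positives: of the seven data lines in the sample, only the structurally valid SSN and the Luhn-valid card number are reported.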

Page 65: A Blueprint for Handling Sensitive Data: Security, Privacy, and Other Considerations

65

The Blueprint

Discussion Will you use the blueprint? Do you have suggestions to improve it? Do you have resources to submit?

Page 66: A Blueprint for Handling Sensitive Data: Security, Privacy, and Other Considerations

66

Afternoon Break

Break 2:45 PM

Return 3:00 PM

Page 67: A Blueprint for Handling Sensitive Data: Security, Privacy, and Other Considerations

67

Putting it All Together

Moving from Planning to Action!

Page 68: A Blueprint for Handling Sensitive Data: Security, Privacy, and Other Considerations

68

Information Security Governance

If businesses, educational institutions, and non-profit organizations are to make significant progress securing their information assets, executives must make information security an integral part of core business operations. There is no better way to accomplish this goal than to highlight it as part of the existing internal controls and policies that constitute corporate governance.

Information Security Governance Report: Executive Summary


InfoSec Governance Self Assessment

Organizational Reliance on IT
E.g., What is the impact of major system downtime on operations?

Risk Management
E.g., Has your organization conducted a risk assessment and identified critical assets?

People
E.g., Is there a person or organization that has information security as their primary duty?

Processes
E.g., Do you have official written information security policies and procedures?

Technology
E.g., Is sensitive data encrypted?

Information Security Governance Assessment Tool for Higher Education


Best Practices & Metrics

Information Security Program Elements:

Governance: Boards/Senior Executives/Shared Governance

Management: Directors and Managers

Technical: Central and Distributed IT Support Staff

CISWG Final Report on Best Practices & Metrics


Governance

Oversee Risk Management and Compliance Programs Pertaining to Information Security (e.g., Sarbanes-Oxley, HIPAA, Gramm-Leach-Bliley)

Approve and Adopt Broad Information Security Program Principles and Approve Assignment of Key Managers Responsible for Information Security

Strive to Protect the Interests of all Stakeholders Dependent on Information Security

Review Information Security Policies Regarding Strategic Partners and Other Third-parties

Strive to Ensure Business Continuity

Review Provisions for Internal and External Audits of the Information Security Program

Collaborate with Management to Specify the Information Security Metrics to be Reported to the Board


Management

Establish Information Security Management Policies and Controls and Monitor Compliance

Assign Information Security Roles, Responsibilities, Required Skills, and Enforce Role-based Information Access Privileges

Assess Information Risks, Establish Risk Thresholds and Actively Manage Risk Mitigation

Ensure Implementation of Information Security Requirements for Strategic Partners and Other Third-parties

Identify and Classify Information Assets

Implement and Test Business Continuity Plans

Approve Information Systems Architecture during Acquisition, Development, Operations, and Maintenance

Protect the Physical Environment

Ensure Internal and External Audits of the Information Security Program with Timely Follow-up

Collaborate with Security Staff to Specify the Information Security Metrics to be Reported to Management


Technical

User Identification and Authentication

User Account Management

User Privileges

Configuration Management

Event and Activity Logging and Monitoring

Communications, Email, and Remote Access Security

Malicious Code Protection, Including Viruses, Worms, and Trojans

Software Change Management, including Patching

Firewalls

Data Encryption

Backup and Recovery

Incident and Vulnerability Detection and Response

Collaborate with Management to Specify the Technical Metrics to be Reported to Management


Building Security Programs

Gain the support of the Administration.

Define roles and responsibilities.

Review your institution’s policies.

Build long-lasting partnerships with everyone, well maybe not everyone.

Collaborate with security professionals in your region or State.

Institutionalize a strong security awareness program.


Security Scenarios

Data breach exercises and realistic role playing scenarios

Break into 6 groups

Each group will be given scenarios

30 minutes to brainstorm

3 – 5 minutes for each group to present


Wrap-Up

Question & Answer

Seminar Evaluation & Feedback

Program ends at 4:30 PM


Listservs & Newsgroups

EDUCAUSE Security Discussion Listserv
http://www.educause.edu/SecurityDiscussionGroup/979

Microsoft Security Alerts
http://www.microsoft.com/security/bulletins/alerts.mspx

US-CERT Alerts and Tips
http://www.us-cert.gov/cas/signup.html#choose

NIST Publication Mailing list
http://csrc.nist.gov/compubs-mail.html


Contacts

H. Morrow Long

[email protected]

Krizi Trivisani

[email protected]