Data Privacy and Security: Sort of Urgency Praveen Panchal, CIO.
-
Upload
pearl-williams -
Category
Documents
-
view
212 -
download
0
Transcript of Data Privacy and Security: Sort of Urgency Praveen Panchal, CIO.
Data Privacy and Data Privacy and Security:Security:
Sort of Urgency Sort of Urgency
Praveen Panchal, CIOPraveen Panchal, CIO
Why?...Because
Within little over one year there were 237 reported security breaches…
Compromising more than 97 million records containing personal information
83 or 35% incidents involved High Ed institutions
Source – Privacy Rights Clearinghouse
Early threats were targeted on servers and computers connected to network to destroy them or use them to launch subsequent attacks
Now threats are no longer operating systems, networks, or control of machines but rather…
Personal data about the users on these machines for profit
Changing Nature of Threats
“Attackers are increasingly seeking financial gain rather than mere notoriety. During the past year we have seen a significant decrease in the number of large scale global virus outbreaks and, instead, are observing that attackers are moving towards smaller, more focused attacks”
Vincent Weafer – Senior Director at Symantec Corporation
Furious Constituents Negative Publicity Tarnished Reputation Public Embarrassment Investigations Lawsuits, Fines and Penalties Financial Losses Waste of Valuable Resources
Implications
Implement Technological Solutions Adopt “Soft” IT Security Approaches Change the Campus Culture Combination of all the above
What we can do?
Note: All the points addressed here have been adopted as an activity in the CUNY Security Plan.
Perimeter and Interior Firewalls Virtual Private Network Intrusion Detection and Prevention
System Enterprise Directory Filtering Technology Network Behavior Analysis
Technological Solutions
PlanningDevelop well-thought-out comprehensive IT security plan, risk assessment and IT security implementation strategy which is standards-based, flexible, mission-driven, adaptable, simple and measurable
ImplementationImplement IT security plan and make it intrinsic part of day-to-day operations of the campus
AuditingPeriodically examine, assess and analyze security of central and local applications, networks, and data
Policies and ProceduresDevelop policies and procedures for data backup, authentication and authorization, physical security, employee responsibilities, disaster recovery, formal incident-response procedures, etc.
“Soft” IT Security Approach
Invigorate Senior Management Interest and Support in IT Security (“Buck Stops Here!”)Garner “political” support which is critical to provide credibility to IT security program implementation
Define IT Security Functions (“Who Does What?”)Implement governance structure to institute CUNY mandated policies and procedures and empower Internet Security Officer (ISO) to implement these policies and procedures
Training and Awareness (“Think IT Security First!”)Provide training on current techniques, security awareness programs, change in institutional culture to respect for private information of our constituents and restrict the distribution of sensitive data
Maintain Assets Inventory (“What We Got?”)Identify and classify assets that require protection through classifications such as regulatory compliance, confidential, internal and public
Change the Campus Culture
Security Communication and TrainingSeminars and Workshops - Wireless Technology, Intrusion Management, Vulnerability Management and Microsoft Security
Security Policy, Advisement and ProceduresSecurity alerts and advisories - Phishing, Email/Passwords, Private Information and Spam EmailSecurity procedure authored and adopted for Breach ReportingSecurity policies (18) authored and adopted - Access to Sensitive or Non-Public University Data/Systems, Authentication, User IDs, Severance of Computer Accounts, Review of Computer Access, Student/Part-time Employees/Contractor User IDs, Passwords, Privileged Access, Mobile Devices, Incident Response and Reporting, Change of Data in Permanent Records, Centralized Data Management, Grade Changes, Changes in Information Systems, Vulnerability Assessments, Web Accessible Data, Management Responsibility, Information Security Policy Governance
CUNY Security Initiatives
Security Incident ResponseReporting and notification protocols and consistent follow through their execution
Information Security StrategyUniversity Security Plan oriented towards providing security services and increased capabilities to benefit the Colleges and the University while maintaining the collaborative approach with CUNY constituents
E-Signature InitiativeInitiative to gather input from University and College constituents to assess and recommend e-Signature opportunities for consideration during ERP implementation
CUNY Security Initiatives
Data WarehouseFormal review and approval process for vetting all requests to access the data warehouse (forms are published at security.cuny.edu)
Security Technology SelectionIntrusion Management Program - Network behavior analysis appliances from Mazu Networks and signature-based intrusion detection appliances from Symantec
AssessmentsCIS Portal Vulnerability Assessment, University Web Services Assessment and external vendor (Liveperson.com)
Security Integration – CIS ProjectsEDS Credit Card Processing/PCI Compliance, Enterprise Directory, Crystal Developer/Enterprise, CO LAN, Portal Authentication/Identity conflicts, Wireless Network Architecture, email Architecture, and VPN/firewall port requests (approver)
CUNY Security Initiatives
Family Educational Rights and Privacy Act (FERPA)
Gramm-Leach-Bliley Act (GLBA) Health Insurance Portability and
Accountability Act (HIPAA) Communications Assistance for Law
Enforcement Act (CALEA) Payment Card Industry Data Security
Standard (PCIDSS) Federal Information Security Management
Act (FISMA)
Information Security Laws and Regulations
Conclusion
Senior-Level Support and Involvement Enterprise view of Information Security
rather than just specific department Alignment of Technologies, Processes
and Campus Culture with Information Security
Flexible Information Security efforts to more easily adapt to new threats as they emerge
Questions?
Thank You!
Acknowledgement:
This presentation was made possible with the help of Mr. Carl Cammarata, CUNY Chief Information Security Officer and selected articles from Educause Review, September/October 2006.