![Page 1: Handling Sensitive Data: Security, Privacy, and Other Considerations Rodney Petersen Government Relations Officer Security Task Force Coordinator EDUCAUSE](https://reader036.vdocuments.site/reader036/viewer/2022062421/56649e195503460f94b05c86/html5/thumbnails/1.jpg)
Handling Sensitive Data: Security, Privacy, and Other Considerations
Rodney Petersen
Government Relations Officer
Security Task Force Coordinator
EDUCAUSE
Security Task Force
Goals:
Education and Awareness
Standards, Policies, and Procedures
Security Architecture and Tools
Organization and Information Sharing
Working Groups:
Awareness and Training
Policies and Legal Issues
Risk Assessment
Effective Practices and Solutions
Annual Security Professionals Conference
Security Goals: C-I-A
Availability - computers, systems, and networks must be available on a timely basis to meet mission requirements or to avoid substantial losses.
Integrity - computers, systems, and networks that contain information must be protected from unauthorized, unanticipated, or unintentional modification.
Confidentiality - computers, systems, and networks that contain information require protection from unauthorized use or disclosure.
Security Approaches
People – awareness, training, policies, roles and responsibilities, staffing, etc.
Process – procedures, work flows, systems, physical security, compliance, etc.
Technology – layered security, vulnerability scanning, access controls, o/s and s/w updates, etc.
ECAR IT Security Study
The Headlines You Won’t Read in the Chronicle of Higher Ed or New York Times:
The respondents feel more secure today than two years ago despite being in a perceived riskier environment.
Respondents feel that the academic community has become more sensitive to security and privacy in the last two years.
ECAR IT Security Study, 2006
IT Security Incidents
Ten percent of the respondents in our survey indicated that they had an IT security incident in the last twelve months which had been reported to the press (down from 19 percent in 2003).
A majority of institutions (74.2 percent) report that the number of incidents is about the same or less in the past twelve months as compared with the year before.
The primary perceived risks are viruses (72.6 percent), theft of personal financial information (64.8 percent), and spoofing and spyware (55.3 percent).
ECAR IT Security Study, 2006
Data Security Incidents
Stolen Laptops
Missing Media
Unauthorized access to systems
Incident response teams
Notification to affected individuals
Identity theft and other types of fraud
Data Incident Notification Toolkit
Blueprint for Handling Data
Step 1: Create a security risk-aware culture that includes an information security risk management program
Step 2: Define institutional data types
Step 3: Clarify responsibilities and accountability for safeguarding confidential/sensitive data
Step 4: Reduce access to confidential/sensitive data not absolutely essential to institutional processes
Step 5: Establish and implement stricter controls for safeguarding confidential/sensitive data
Step 6: Provide awareness and training
Step 7: Verify compliance routinely with your policies and procedures
Step 1: Risk Aware Culture
1.1 Institution-wide security risk management program
1.2 Roles and responsibilities defined for overall information security at the central and distributed level
1.3 Executive leadership support in the form of policies and governance actions
Risk Management Framework
Risks Incurred
ECAR IT Security Study, 2006
| Damage | Percent |
|---|---|
| Business application, including e-mail, unavailable | 33.7% |
| Network unavailable | 29.4% |
| Information confidentiality compromised | 26.0% |
| Damage to software | 21.5% |
| Damage to data | 12.5% |
| Negative publicity in the press | 10.0% |
| Identity theft | 8.4% |
| Damage to hardware | 7.4% |
| Financial losses | 6.4% |
Risk Assessments
55 percent do some type of risk assessment.
But less than 9 percent cover all institutional systems and data.
ECAR IT Security Study, 2006
Responsibility for IT Security
IT Security Officer (up to 35% from 22%)
CIO (up to 14% from 8%)
Other IT Directors (down to 50% from 67%)
IT Security Plan
11.2 percent - a comprehensive IT security plan is in place.
66.6 percent - a partial plan is in place.
20.4 percent - no IT security plan is in place.
ECAR IT Security Study, 2006
Policies in Place
Individual employee responsibilities for information security practices (73%)
Protection of organizational assets (73%)
Managing privacy issues, including breaches of personal information (72%)
Incident reporting and response (69%)
Disaster recovery contingency planning (68%)
Policies in Place
Investigation and correction of the causes of security failures (68%)
Notification of security events to: individuals, the law, etc. (67%)
Sharing, storing, and transmitting data (51%)
Data classification, retention, and destruction (51%)
Identity Management (50%)
Step 1: Risk Aware Culture
1.1 Institution-wide security risk management program
1.2 Roles and responsibilities defined for overall information security at the central and distributed level
1.3 Executive leadership support in the form of policies and governance actions
Step 2: Define Data Types
2.1 Compliance with applicable federal and state laws and regulations - as well as contractual obligations - related to privacy and security of data held by the institution (also consider applicable international laws)
2.2 Data classification schema developed with input from legal counsel and data stewards
2.3 Data classification schema assigned to institutional data to the extent possible or necessary
Step 3: Clarify Responsibilities
3.1 Data stewardship roles and responsibilities
3.2 Legally binding third party agreements that assign responsibility for secure data handling
Step 4: Reduce Access to Data
4.1 Data collection processes (including forms) should request only the minimum necessary confidential/sensitive information
4.2 Application outputs (e.g., queries, hard copy reports, etc.) should provide only the minimum necessary confidential/sensitive information
4.3 Inventory and review access to existing confidential/sensitive data on servers, desktops, and mobile devices
4.4 Eliminate unnecessary confidential/sensitive data on servers, desktops, and mobile devices
4.5 Eliminate dependence on SSNs as primary identifiers and as a form of authentication
Step 5: Controls
5.1 Inventory and review/remediate security of devices
5.2 Configuration standards for applications, servers, desktops, and mobile devices
5.3 Network level protections
5.4 Encryption strategies for data in transit and at rest
5.5 Policies regarding confidential/sensitive data on mobile devices and home computers and for data archival/storage
5.6 Identity management and resource provisioning processes
5.7 Secure disposal of equipment and data
5.8 Consider background checks on individuals handling confidential/sensitive data
Security Approaches in Place
Perimeter firewalls 77%
Centralized backups 77%
VPNs for remote access 75%
Enterprise directory 75%
Interior network firewalls 65%
Intrusion detection 62%
Active filtering 59%
Intrusion prevention 44% (up from 33%)
Security Standards for Applications 32% (up from 27%)
ECAR IT Security Study, 2006
Step 6: Awareness and Training
6.1 Make confidential/sensitive data handlers aware of privacy and security requirements
6.2 Require acknowledgment by data users of their responsibility for safeguarding such data
6.3 Enhance general privacy and security awareness programs to specifically address safeguarding confidential/sensitive data
6.4 Clearly communicate how to safeguard data, since collaboration mechanisms such as e-mail have strengths and limitations in terms of access control
Awareness Programs
ECAR IT Security Study, 2006
| | Students | Faculty | Staff |
|---|---|---|---|
| Program 2003 | 39.2% | 38.2% | 42.2% |
| Program 2005 | 62.3% | 68.8% | 69.1% |
| Percent change | 23.1% | 30.6% | 26.9% |
Step 7: Verify Compliance
7.1 Routinely test network-connected devices and services for weaknesses in operating systems, applications, and encryption
7.2 Routinely scan servers, desktops, mobile devices, and networks containing confidential/sensitive data to verify compliance
7.3 Routinely audit access privileges
7.4 Procurement procedures and contract language to ensure proper data handling is maintained
7.5 System development methodologies that prevent new data handling problems from being introduced into the environment
7.6 Utilize audit function within the institution to verify compliance
7.7 Incident response policies and procedures
7.8 Conduct regular meetings with stakeholders such as data stewards, legal counsel, compliance officers, public safety, public relations, and IT groups to review institutional risk and compliance and to revise existing policies and procedures as needed
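As an added example (not from the presentation or from EDUCAUSE), the inventory and compliance-scan steps above (4.3/4.4 and 7.2/7.3) as a small Python script: it walks a directory, counts SSN-shaped values per file without copying them into the report, and flags files that every local account can read. The regular expression, file names and sample numbers are constructed for the demo and are assumptions, not part of the blueprint.

```python
import os
import re
import stat
import tempfile
from pathlib import Path

# SSN pattern with the SSA's structural exclusions: area 000, 666 and 900-999,
# group 00 and serial 0000 are never issued, so they are not counted as hits.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")

def scan_file(path: Path):
    """Count SSN-shaped tokens in one file; return a finding dict or None."""
    # Only a count and permission bits are reported; matched values are never
    # copied out, so the inventory does not become a new copy of the data.
    try:
        text = path.read_text(encoding="utf-8", errors="ignore")
    except OSError:
        return None
    hits = len(SSN_RE.findall(text))
    if hits == 0:
        return None
    return {
        "path": str(path),
        "ssn_count": hits,
        # Step 7.3: flag files any local account can read (o+r bit set).
        "world_readable": bool(path.stat().st_mode & stat.S_IROTH),
    }

def inventory(root: Path) -> list:
    """Walk root (Steps 4.3 and 7.2) and return findings sorted by path."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            finding = scan_file(Path(dirpath) / name)
            if finding:
                findings.append(finding)
    return sorted(findings, key=lambda f: f["path"])

def build_sample_tree(root: Path) -> None:
    """Constructed sample files with fake numbers, not real records."""
    (root / "export.csv").write_text("id,name,ssn\n1,A,123-45-6789\n2,B,987-65-4321\n")
    (root / "export.csv").chmod(0o644)   # readable by every local user
    (root / "notes.txt").write_text("ticket 123-45-6789; 000-12-3456 is not a valid SSN\n")
    (root / "notes.txt").chmod(0o600)
    (root / "clean.txt").write_text("no identifiers here, invoice 2006-11-0042\n")

def run_demo() -> list:
    """Build the constructed tree in a fresh temp dir and inventory it."""
    tmp = Path(tempfile.mkdtemp())
    build_sample_tree(tmp)
    return inventory(tmp)

if __name__ == "__main__":
    for finding in run_demo():
        print(finding)
```

The 9xx and 000 area numbers in the sample are rejected by the pattern, which is why each reported file shows one hit rather than two.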
FTC Guide: Protecting Personal Information
Take stock. Know what personal information you have in your files and on your computers.
Scale down. Keep only what you need for your business.
Lock it. Protect the information that you keep.
Pitch it. Properly dispose of what you no longer need.
Plan ahead. Create a plan to respond to security incidents.
Characteristics of Successful IT Security Programs
Institutions with IT security plans in place characterize their IT security programs as more successful and feel more secure today.
The respondents who believe their institution provides necessary resources give higher ratings for IT security program success and their current sense of IT security.
The biggest barrier to IT security is lack of resources (64.4 percent) and especially at smaller institutions, followed by an academic culture of openness and autonomy (49.6 percent), and lack of awareness (36.4 percent).
ECAR IT Security Study, 2006
For more information
Rodney Petersen
Email: [email protected]
Phone: 202.331.5368
EDUCAUSE/Internet2 Security Task Force: www.educause.edu/security
EDUCAUSE Center for Applied Research: www.educause.edu/ECAR
Blueprint for Handling Sensitive Data: wiki.internet2.edu/confluence/display/secguide