Securing NU Data The problem and the solution…

Upload: bruce-rich

Post on 26-Dec-2015


TRANSCRIPT

Securing NU Data

The problem and the solution…

Headlines are Being Made…

All from the month of August!

In August 2006, 34 organizations reported incidents of data loss (SSN, credit card, personal information). 5 of the 34 incidents were at universities; 7 of the 34 incidents were at health care organizations. The largest number of people impacted in one case was 132,470 (US Dept. of Transportation), with most being in the thousands.

Even Fortune 500 companies with top-notch security (and lots of money to spend on security) are on the list: Chevron, AT&T, AFLAC, Williams Sonoma, AOL & Toyota.

And things are not getting better

Already 5 incidents reported in September impacting over 2.5 million people.

You may think that only the military needs to worry about security.

Or that only banks need to worry about locking things up.

Universities must protect the information they keep too.

Universities are a target today, as they have valuable information (SSN, health information, and credit card numbers) and little security.

In the past 18 months, colleges were the source of one-third to half of all publicly disclosed breaches, which is a larger share than financial services, government, retail, or health care.

Universities must protect their information assets just like any other organization since the threat is the same.

Many University departments keep very sensitive information about their students and employees.

Private information is kept throughout the University of Nebraska.

Someone you care about -- even you -- may have personal information stored here.

Federal laws require protection of every person’s personal information.

Legal Alphabet Soup?

Gramm-Leach-Bliley (GLB)

Health Insurance Portability and Accountability Act (HIPAA)

Federal Information Security Management Act (FISMA)

Payment Card Industry (PCI) Data Security Standard

Family Educational Rights and Privacy Act (FERPA)

Communications Assistance for Law Enforcement Act (CALEA)

State law requires it too.

Any Students not from Nebraska?

Arkansas – SB 1167; Arizona – SB 1338; California – Civil Code Sec. 1798.80-1798.82; Colorado – Co. Rev. Stat. §6-1-716(1)(a); Connecticut – SB 650; Delaware – HB 116; Florida – HB 481; Georgia – SB 230; Idaho – Id. Code Ann. §28-51-104; Illinois – HB 1633, Public Act 094-0036; Indiana – Act No. 503; Kansas – SB 196; Louisiana – SB 205, Act 499; Maine – LD 1671; Minnesota – H.F. 2121

Montana – HB 732; Nebraska – L.B. 876; Nevada – SB 347; New Hampshire – HB 1660 FN; New Jersey – A4001/S1914; New York – A4254, A3492; North Carolina – SB 1048; North Dakota – SB 2251; Ohio – HB 104; Pennsylvania – SB 712; Rhode Island – H. 6191; Tennessee – SB 2220; Texas – SB 122; Utah – SB 69; Washington – SB 6043; Wisconsin – SB 164

The following states have separate laws requiring notification if there is a security breach. Each law is different!

Failure to keep information secure can cost a lot. No kidding!

Just ask Ohio University

Price of notification, including postage, printing and envelope stuffing? $77,000

Cost of credit reporting for 200,000 people? $1,600,000

Labor costs (legal, press, management and technical)? Estimated at $700,000

Damage to the reputation of Ohio University? Priceless

None of those costs go towards fixing the problems . . . can I have another $4 million?

Do we have a concern?

SSN has been used extensively across the University up until recently.

Not enough has been done to create awareness and effect change down to every faculty, staff, and student.

Little effort has been made to find sensitive data, both at rest and in motion, and apply security controls to it.

We are committed to protecting student, employee, and University information and keeping it secure.

We are doing things to protect NU

CSN and the campus continue to work to eliminate the use of SSN as a unique identifier.

CSN, UNMC, UNL, UNK, and UNO are constantly looking to improve their information security controls.

Most Information Security efforts to date have been focused on securing our information systems (applications, network, servers).

However, it's not enough!

Firewalls and antivirus are not enough. Even if each campus implemented the best security technology and processes, it only takes one action to circumvent those controls. Just ask the Veterans Administration!

It takes technology, process, people, and diligence. Policies have to be in place, enforceable, and enforced. Is enforcement a four-letter word at the University?

What does that mean for you?

Improving security involves you, no matter what your job.

It means respecting all private information at all times.

It means logging off whenever you leave your computer …

… and being very careful about what you put in email.

REMEMBER! Information sent over the Internet may not be secure or private.

Any computer security problem puts all our information at risk.

That’s why we take every computer security violation seriously.

We do this to protect information, not to spy on you.

Take care with any information you carry around, whether on paper or in a computer.

Avoid putting sensitive information on a portable computer, flash drive, or PDA.

And be especially careful with ANY information that you take off premises.

If you discover a security problem, report it to the Security Office

([email protected])

Most security problems come from people inside the organization …

… not ‘spies’ from outside.

We want to catch simple mistakes early …

… before there is a serious problem.

Good security doesn’t require super powers …

… or that you catch any ‘fever.’

It does require thinking about security …

… taking time to do things in a secure way ...

… and using common sense.

Steps to Better Security

1. Manage your “endpoints”. Desktops, laptops, PDAs and now cell phones can be the entry point for malicious activity.

2. Continuously assess your vulnerabilities. New vulnerabilities (thanks Microsoft), new systems, and a constantly changing environment mean new risks pop up every day.

3. Store only required data, and store it in as few places as possible. “Do I really need to collect and store this information?” “Is this data collected and stored somewhere else?”

4. Train and develop “Security Aware” employees. Do you and your staff know what it takes to be part of the security solution?

5. Restrict access to data to those who need it. Grant access right the first time, change it when users change roles, and remove it when users leave.
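Step 3, and the earlier point that little has been done to find sensitive data at rest, both come down to knowing where SSNs actually live. The scanner below is an added illustration, not a tool from the University or from this presentation: it walks a directory for SSN-shaped values, discards combinations the Social Security Administration never issues (area 000, 666 or 900 and above, group 00, serial 0000) to limit false positives, and reports only the last four digits so the findings report is not itself a new copy of the data. The sample text and file suffixes are constructed assumptions.

```python
import re
import sys
from pathlib import Path

# Candidate SSN pattern: NNN-NN-NNNN bounded on both sides, so longer digit
# runs such as phone numbers or order ids are not matched.
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")

# Constructed sample input (not real records) so the scanner runs offline.
SAMPLE_TEXT = (
    "Jane Doe, 123-45-6789, phone 402-555-0100\n"
    "John Roe, 234-56-7890, order 12345-67-89012\n"
    "duplicate row: Jane Doe, 123-45-6789\n"
    "never-issued values: 000-12-3456 666-01-0001 901-22-3333 111-00-2222 222-33-0000\n"
)

def is_plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Drop combinations the SSA never issues, which cuts false positives."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return group != "00" and serial != "0000"

def mask(ssn: str) -> str:
    """Keep only the last four digits so the report itself is not a leak."""
    return "***-**-" + ssn[-4:]

def scan_text(text: str) -> list:
    """Return masked, de-duplicated plausible SSNs found in a text blob."""
    found = []
    for m in SSN_RE.finditer(text):
        masked = mask(m.group(0))
        if is_plausible_ssn(*m.groups()) and masked not in found:
            found.append(masked)
    return found

def scan_tree(root: Path, suffixes=(".txt", ".csv", ".log")) -> dict:
    """Map each matching file under root to the masked SSNs it contains."""
    report = {}
    for path in root.rglob("*"):
        if path.is_file() and path.suffix.lower() in suffixes:
            hits = scan_text(path.read_text(errors="ignore"))
            if hits:
                report[str(path)] = hits
    return report

if __name__ == "__main__":
    # Scan the directory given on the command line, else the sample text.
    print(scan_tree(Path(sys.argv[1])) if len(sys.argv) > 1 else scan_text(SAMPLE_TEXT))
```

On the sample text only the two genuine-looking values survive; the phone number, the long order id and the never-issued combinations are all discarded.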

Where to go for more information?

OECD Guidelines for the Security of Information Systems and Networks
www.oecd.org/document/42/0,2340,en_2649_33703_15582250_1_1_1_1,00.html

GAPP – “Generally Accepted Principles and Practices”

NIST SP 800-18, “Guide for Developing Security Plans for Information Technology Systems”
http://csrc.nist.gov/publications/nistpubs/index.html

GAISP – Generally Accepted Information Security Principles
www.issa.org/gaisp.html

NIST 800-14, Generally Accepted Principles and Practices for Securing IT Systems
http://www.csrc.nist.gov/publications/nistpubs/index.html

NIST 800-26, Self Assessment Guide for IT Systems
www.csrc.nist.gov/publications/nistpubs/index.html

NIST 800-27, Engineering Principles for IT Security
www.csrc.nist.gov/publications/nistpubs/index.html

ISO 17799 – Information Technology – Code of Practice for Information Security Management
www.iso.org/iso/en/CatalogueDetailPage.CatalogueDetail?CSNUMBER=39612&ICS1=35&ICS2=40&ICS3=

Trust Services Criteria, including SysTrust/WebTrust
www.aicpa.org/trustservices

Standard of Good Practice for Information Security (Information Security Forum)
www.isfsecuritystandard.com

ISO TR 13335, “Guidelines for the Management of Information Security”
http://www.iso.org/iso/en/CatalogueDetailPage.CatalogueDetail?CSNUMBER=39066&ICS1=35&ICS2=40&ICS3=

NIST 800-12, The Computer Security Handbook, 1995
http://csrc.nist.gov/publications/nistpubs/index.html

NIST 800-37, Guide for the Security Certification and Accreditation of Federal Information Systems
http://csrc.nist.gov/publications/nistpubs/index.html

What could it cost if we do nothing?

For more information, or to report a problem, contact the NU Information Security Office at [email protected]

Images in this presentation make use of the US National Security Agency’s collection of security awareness posters, the US Centers for Disease Control Public Health Image Library, and the University of Miami Ethics Program Digital Image Repository. All images are in the public domain.

This presentation may be used for non-commercial, educational purposes only, with appropriate attribution of the source.

©2002