Securing NU Data: The Problem and the Solution. Headlines are being made...
All from the month of August!
In August 2006, 34 organizations reported incidents of data loss (SSN, credit card, personal information). 5 of the 34 incidents were at universities; 7 of the 34 incidents were at health care organizations. The largest number of people impacted in one case was 132,470 (US Dept. of Transportation), with most being in the thousands.
Even Fortune 500 companies with top-notch security (and lots of money to spend on security) are on the list: Chevron, AT&T, AFLAC, Williams Sonoma, AOL & Toyota.
And things are not getting better
Already 5 incidents reported in September impacting over 2.5 million people.
Universities are a target today, as they have valuable information (SSN, health information, and credit card numbers) and little security.
In the past 18 months, colleges were the source of one-third to half of all publicly disclosed breaches, which is a larger share than financial services, government, retail, or health care.
Universities must protect their information assets just like any other organization since the threat is the same.
Many University departments keep very sensitive information about their students and employees.
Private information is kept throughout the University of Nebraska.
Legal Alphabet Soup?
Gramm-Leach-Bliley (GLB)
Health Insurance Portability and Accountability Act (HIPAA)
Federal Information Security Management Act (FISMA)
Payment Card Industry (PCI) Data Security Standard
Family Educational Rights and Privacy Act (FERPA)
Communications Assistance for Law Enforcement Act (CALEA)
Any students not from Nebraska?
The following states have separate laws for notification if there is a security breach. Each law is different!
Arkansas – SB 1167
Arizona – SB 1338
California – Civil Code Sec. 1798.80-1798.82
Colorado – Co. Rev. Stat. §6-1-716(1)(a)
Connecticut – SB 650
Delaware – HB 116
Florida – HB 481
Georgia – SB 230
Idaho – Id. Code Ann. §28-51-104
Illinois – HB 1633, Public Act 094-0036
Indiana – Act No. 503
Kansas – SB 196
Louisiana – SB 205, Act 499
Maine – LD 1671
Minnesota – H.F. 2121
Montana – HB 732
Nebraska – L.B. 876
Nevada – SB 347
New Hampshire – HB 1660 FN
New Jersey – A4001/S1914
New York – A4254, A3492
North Carolina – SB 1048
North Dakota – SB 2251
Ohio – HB 104
Pennsylvania – SB 712
Rhode Island – H. 6191
Tennessee – SB 2220
Texas – SB 122
Utah – SB 69
Washington – SB 6043
Wisconsin – SB 164
Just ask Ohio University
Price of notification, including postage, printing and envelope stuffing? $77,000
Cost of credit reporting for 200,000 people? $1,600,000
Labor costs (legal, press, management and technical)? Estimated at $700,000
Damage to the reputation of Ohio University? Priceless
Do we have a concern?
SSN has been used extensively across the University up until recently.
Not enough has been done to create awareness and effect change down to every faculty, staff, and student.
Little effort has been done to find sensitive data, both at rest and in motion, and apply security controls.
We are doing things to protect NU
CSN and the campus continue to work to eliminate the use of SSN as a unique identifier.
CSN, UNMC, UNL, UNK, and UNO are constantly looking to improve their information security controls.
Most Information Security efforts to date have been focused on securing our information systems (applications, network, servers).
However, it's not enough!
Firewalls and antivirus are not enough. Even if each campus implemented the best security technology and processes, it only takes one action to circumvent those controls. Just ask the Veterans Administration!
It takes technology, process, people, and diligence. Policies have to be in place, enforceable, and enforced. Is enforcement a four-letter word at the University?
Steps to Better Security
1. Manage your “endpoints”. Desktops, laptops, PDAs and now cell phones can be the entry point for malicious activity.
2. Continuously assess your vulnerabilities. New vulnerabilities (thanks Microsoft), new systems, and a constantly changing environment mean new risks pop up every day.
3. Store only required data, and store it in as few places as possible. “Do I really need to collect and store this information?” “Is this data collected and stored somewhere else?”
4. Train and develop “security aware” employees. Do you and your staff know what it takes to be part of the security solution?
5. Restrict access to data to those who need it. Grant access right the first time, change it when users change roles, and remove it when users leave.
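As an added example (not from the presentation), here is a small Python scanner for the "sensitive data at rest" concern raised earlier and for step 3 above: it walks a directory, flags files holding plausibly formatted SSNs, and reports only counts and masked values so the report is not itself a new copy of the data. The file suffixes and the sample files built in demo() are constructed assumptions.

```python
import re
import tempfile
from pathlib import Path

# Dashed or spaced 9-digit layout (e.g. 123-45-6789). Constructed pattern, not from the presentation.
SSN_RE = re.compile(r"\b(\d{3})[- ](\d{2})[- ](\d{4})\b")


def plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Filter out values the SSA never issues, which cuts false positives
    from order numbers and phone fragments that happen to match the layout."""
    if area in ("000", "666") or area.startswith("9"):
        return False
    return group != "00" and serial != "0000"


def mask(ssn: str) -> str:
    """Keep only the last four digits in any report."""
    return "***-**-" + ssn[-4:]


def scan_text(text: str) -> list:
    """Return the masked, plausible SSNs found in a block of text."""
    return [mask(m.group(0)) for m in SSN_RE.finditer(text)
            if plausible_ssn(*m.groups())]


def scan_tree(root: Path, suffixes=(".txt", ".csv", ".log")) -> dict:
    """Walk a directory and return {relative file path: number of plausible SSNs found}."""
    findings = {}
    for path in root.rglob("*"):
        if not path.is_file() or path.suffix.lower() not in suffixes:
            continue
        try:
            count = len(scan_text(path.read_text(errors="ignore")))
        except OSError:
            continue  # unreadable file: skip it rather than abort the whole scan
        if count:
            findings[path.relative_to(root).as_posix()] = count
    return findings


def demo() -> dict:
    """Scan a constructed sample tree: one spreadsheet export with real-looking
    numbers, one log with only implausible ones, and one file of a type not scanned."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "dept").mkdir()
        (root / "dept" / "roster.csv").write_text("name,id\nA,123-45-6789\nB,078 05 1120\n")
        (root / "app.log").write_text("order 000-12-3456 ref 987-65-4321\n")
        (root / "notes.md").write_text("C,123-45-6789\n")
        return scan_tree(root)
```

Extend the suffix list to whatever document types your departments actually use; the regex alone will still miss numbers stored without separators, so treat a clean result as a starting point, not proof of absence.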
Where to go for more information?
OECD Guidelines for the Security of Information Systems and Networks – www.oecd.org/document/42/0,2340,en_2649_33703_15582250_1_1_1_1,00.html
GAPP – “Generally Accepted Principles and Practices”
NIST SP 800-18, “Guide for Developing Security Plans for Information Technology Systems” – http://csrc.nist.gov/publications/nistpubs/index.html
GAISP – Generally Accepted Information Security Principles – www.issa.org/gaisp.html
NIST 800-14, Generally Accepted Principles and Practices for Securing IT Systems – http://www.csrc.nist.gov/publications/nistpubs/index.html
NIST 800-26, Self Assessment Guide for IT Systems – www.csrc.nist.gov/publications/nistpubs/index.html
NIST 800-27, Engineering Principles for IT Security – www.csrc.nist.gov/publications/nistpubs/index.html
ISO 17799 – Information Technology – Code of Practice for Information Security Management – www.iso.org/iso/en/CatalogueDetailPage.CatalogueDetail?CSNUMBER=39612&ICS1=35&ICS2=40&ICS3=
Trust Services Criteria, including SysTrust/WebTrust – www.aicpa.org/trustservices
Standard of Good Practice for Information Security (Information Security Forum) – www.isfsecuritystandard.com
ISO TR 13335, “Guidelines for the Management of Information Security” – http://www.iso.org/iso/en/CatalogueDetailPage.CatalogueDetail?CSNUMBER=39066&ICS1=35&ICS2=40&ICS3=
NIST 800-12, The Computer Security Handbook, 1995 – http://csrc.nist.gov/publications/nistpubs/index.html
NIST 800-37, Guide for the Security Certification and Accreditation of Federal Information Systems – http://csrc.nist.gov/publications/nistpubs/index.html
For more information, or to report a problem, contact the NU Information Security Office at
Images in this presentation make use of the US National Security Agency’s collection of security awareness posters, the US Centers for Disease Control Public Health Image Library, and the University of Miami Ethics Program Digital Image Repository. All images are in the public domain.
This presentation may be used for non-commercial, educational purposes only, with appropriate attribution of the source.
©2002