IT Security Challenges In Higher Education
Steve Schuster, Cornell University

Questions I'd like to Answer
► Why do we care about IT security?
► What are some of our universities' biggest challenges?
► What can universities do to address these challenges?

Why Do We Care?
► Current federal and state law
  - Family Educational Rights and Privacy Act (FERPA)
  - Health Insurance Portability and Accountability Act (HIPAA)
  - Gramm-Leach-Bliley Act (GLBA)
  - Compromise notification laws
    ► 12 states
    ► NYS Breach of Security Bill, December 2005

Why Do We Care?
► Growing social expectations due to rising awareness of identity theft
► Reputational concerns
► Growing possibility of lawsuits

Why Do We Care?
► NY State Breach of Security Bill
  - Personally identifiable information covered:
    ► Social security number
    ► Driver's license number
    ► Account number of a credit/debit card together with its PIN
  - Must notify if data was "reasonably believed to have been acquired by a person without valid authorization"
  - Notification
    ► Personal (to the affected individual)
    ► If the individual is a NY resident, also to:
      NYS Attorney General – Internet Bureau
      NYS Attorney General – The Capitol
      NYS Consumer Protection Board
      NYS Office of Cyber Security and Critical Infrastructure Protection
  - Consequences of non-compliance
    ► NYS can sue for damages on behalf of the individual
    ► Civil suits up to $150,000

Why Do We Care?
► First half of this year: 72 reported compromises, by sector
    Education     37
    Business      23
    Government     7
    Healthcare     5
► Causes of the compromises
    Hacking                    40
    Stolen property            16
    Lost property               6
    Insider                     5
    Fraud/social engineering    2
    Email                       1
    Web                         1
Our Biggest Challenges
► Not ending up on the front page of the NY Times
► Changing/emerging law
► Growing social expectations and requirements
► The general "openness" of universities can make us an easier target
► Creating a common understanding of what data needs to be protected
► Complexity due to decentralized IT support complicates the identification of critical or sensitive resources/data
► Timely and accurate response to security incidents
► Institutional-level questions are difficult to get answered

Challenge: Not Ending Up on the Front Page of the NY Times
► Response
  - A combination of everything we do
  - Pray

Challenge: Changing/Emerging Law
► Response
  - Make friends with University Counsel
  - Develop a clear understanding of what data needs to be protected, and communicate it
  - Periodic security awareness training, at least for those handling regulated data
  - Never miss a "learning" opportunity
    ► User/department notification
  - Make sure policy reflects current requirements
    ► Data Security/Management policy

Challenge: Growing Social Expectations and Requirements
► Response
  - Prepare your legal defense now
    ► Participate in internal and external audits
    ► Show consistent improvement
    ► Work to establish at least state-of-the-practice security technology, processes and procedures
    ► Develop analysis and incident handling standards and practices

Challenge: University "Openness"
► Response
  - Implement a security strategy that meets the business needs of the unit
  - Build trust and understanding across the community
  - Rise to the challenge
    ► Protected infrastructures DO NOT hinder research

Challenge: Understanding What Data Needs to Be Protected
► Response
  - Data categories can help
    ► Regulated, Confidential and Public
  - Map specific data elements into each category
  - Work toward identifying all IT resources that house each category
  - Communicate
    ► Awareness
    ► Policy
    ► "Educational" opportunities
  - The Audit Office can certainly help here

Challenge: Complexity Due to Decentralization
► Response
  - Building and maintaining trust is not optional
  - Establish best practices and strong recommendations
  - Gain the support of the University Audit Office
  - Support university-wide outreach
    ► IT Security Council
    ► Monthly Security Special Interest Group (SIG)

Challenge: Timely and Accurate Response to Security Incidents
► Response
  - Develop processes and procedures in advance
  - Ensure the procedures are universally available
  - Provide response training to local units
  - Ensure the central IT Security Office is involved with the incident
  - Automate as much of the response process as possible
  - Establish a Data Loss Response Team

Challenge: Answering Institutional Questions
► Response
  - Do not ask abstract questions
  - Work real-world situations that require action and decisions
  - Create a Data Loss Response Team

Responding to Incidents
► Clearly distinguish between IT security and data security
► Data Loss Response Team
  - Established to ensure the university responds appropriately
  - Members
    ► University Audit
    ► University Counsel
    ► Public Relations
    ► VP of IT
    ► Risk Management
    ► University Police
    ► Data Stewards
    ► Local Unit
  - Two meetings of this team per incident
    ► First meeting establishes an understanding of the incident and provides specific direction
    ► Second meeting weighs the evidence and determines appropriate actions

Responding to Incidents
► Data Loss Response Team benefits
  - Helps answer tough questions for the university
  - Provides a balanced and effective decision-making process
  - Helps establish minimum standards for analysis
  - Weighs in on established practices and procedures
  - Establishes a more thorough understanding of IT security challenges

Questions?