IT Security Challenges
Higher Education
Steve Schuster
Cornell University
Questions I’d like to Answer
► Why do we care about IT security?
► What are some of our universities’ biggest
► What can universities do to address these
Why Do We Care?
► Current federal and state law
   Family Educational Rights and Privacy Act
   Health Insurance Portability and Accountability Act (HIPAA)
   Gramm-Leach-Bliley Act (GLBA)
   Compromise notification laws
    ► NYS Breach of Security Bill -- December, 2005
Why Do We Care?
► Growing social expectations due to rise in identity theft awareness
► Reputational concerns
► Growing possibility for lawsuits
Why Do We Care?
► NY State Breach of Security Bill
   Personally identifiable information
      ► Social security number
      ► Driver’s license number
      ► Account number of credit/debit card with PIN
   Must notify if data was “reasonably believed to have been acquired by a
   person without valid authorization”
   Notification
      ► Personal
      ► If NY resident
            NYS Attorney General – Internet Bureau
            NYS Attorney General – The Capitol
            NYS Consumer Protection Board
            NYS Office of Cyber Security and Critical Infrastructure Protection
   Consequences of non-compliance
      ► NYS can sue for damages on behalf of individual
      ► Civil suits up to $150,000
Why Do We Care?
► First half of this year had 72 reported compromises
   Education – 37
   Business – 23
   Government – 7
   Healthcare – 5
► Causes of the compromises
   Hacking – 40
   Stolen property – 16
   Lost property – 6
   Insider – 5
   Fraud/social engineering – 2
   Email – 1
   Web – 1
Our Biggest Challenges
► Not ending up on the front page of the NY Times
► Changing/emerging law
► Growing social expectations and requirements
► General “openness” of universities can make us an easier
► Creating a common understanding about what data needs to be protected
► Complexity due to decentralized IT support complicates the
  identification of critical or sensitive resources/data
► Timely and accurate response to security incidents
► Institutional-level questions are difficult to get answered
Challenge: Not ending up on the front page of the NY Times
► Response
   A combination of everything we do
   Pray
Challenge: Changing/Emerging Law
► Response
   Make friends with University Counsel
   Develop a clear understanding and communicate what data needs to be protected
   Periodic security awareness for at least those handling regulated data
   Never miss a “learning” opportunity
    ► User/department notification
   Make sure policy reflects current requirements
    ► Data Security/Management policy
Challenge: Growing Social Expectations and Requirements
► Response
   Prepare your legal defense now
    ► Participate in internal and external audits
    ► Show consistent improvements
    ► Work to establish at least state-of-the-practice security technology,
      processes and procedures
    ► Develop analysis and incident handling standards and practices
Challenge: University “Openness”
► Response
   Implement a security strategy that meets the business needs of the unit
   Build trust and understanding across the
   Rise to the challenge
    ► Protected infrastructures DO NOT hinder research
Challenge: Understanding What Data Needs to be Protected
► Response
   Data categories can help
     ► Regulated, Confidential and Public
   Map specific data elements into each category
   Work toward the identification of all IT resources that house each category
   Communicate
     ► Awareness
     ► Policy
     ► “Educational” opportunities
   The Audit Office can certainly help here
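The slide above describes a procedure (define the three categories, map data elements into them, find every resource that houses each category) without showing what the mapping looks like in practice. The following is an added example, not code from the talk or from Cornell: a small Python scanner that looks for two of the regulated data elements the NYS breach slide names (social security numbers and card numbers), assigns each resource one of the deck's three categories, and produces the per-category inventory. The resource contents are constructed samples; the `CONFIDENTIAL` marker used to flag the middle category, the SSN/card patterns and the decision to require a Luhn-valid card number are assumptions made for illustration, not rules from the slides.

```python
"""Map regulated data elements onto the deck's Regulated / Confidential / Public
categories and report which resource holds which category (added example)."""
import re

CATEGORIES = ("Regulated", "Confidential", "Public")

# Regulated elements named on the NYS breach slide. SSN uses the usual
# NNN-NN-NNNN layout; a card number is 13-19 digits with optional separators.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")

# Assumed convention: a resource tagged with this marker but holding no
# regulated element is Confidential (the deck's middle category).
CONFIDENTIAL_MARKER = "CONFIDENTIAL"


def luhn_ok(digits: str) -> bool:
    """Luhn check digit test; filters long digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_regulated_elements(text: str) -> list:
    """Return (element_type, masked_value) pairs; values are masked to the last
    four characters so the scan report itself does not become regulated data."""
    found = []
    for m in SSN_RE.finditer(text):
        found.append(("ssn", "***-**-" + m.group()[-4:]))
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            found.append(("card_number", "*" * (len(digits) - 4) + digits[-4:]))
    return found


def classify_resource(text: str) -> str:
    """Regulated beats Confidential beats Public: the highest category present wins."""
    if find_regulated_elements(text):
        return "Regulated"
    if CONFIDENTIAL_MARKER in text:
        return "Confidential"
    return "Public"


def inventory(resources: dict) -> dict:
    """Map category -> sorted list of resource names housing that category."""
    result = {c: [] for c in CATEGORIES}
    for name, text in sorted(resources.items()):
        result[classify_resource(text)].append(name)
    return result


# Constructed sample resources (file name -> content). The SSN and card number
# are well-known test values, not real identifiers.
SAMPLE_RESOURCES = {
    "hr/payroll_export.csv": "name,ssn\nA. Person,123-45-6789\n",
    "bursar/refunds.txt": "refund to card 4111 1111 1111 1111 pin 1234\n",
    # Passes the card regex but fails Luhn, so it is a tracking id, not a card.
    "research/grant_draft.txt": "CONFIDENTIAL: preliminary results; tracking id 4111-1111-1111-1112\n",
    "www/events.html": "<h1>Public lecture series</h1>\n",
}

if __name__ == "__main__":
    for category, names in inventory(SAMPLE_RESOURCES).items():
        print(f"{category}: {names}")
    for name, text in SAMPLE_RESOURCES.items():
        print(name, find_regulated_elements(text))
```

The Luhn filter is the part worth noticing: the grant draft contains a 16-digit run that would be flagged by the pattern alone, and without the check the inventory would over-report Regulated resources and send the response team chasing a tracking number.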
Challenge: Complexity Due to Decentralized IT Support
► Response
   Building and maintaining trust is not an option
   Establish best practices and strong
   Gain the support of the University Audit Office
   Support university-wide outreach
    ► IT Security Council
    ► Monthly Security Special Interest Group (SIG)
Challenge: Timely and Accurate Response to Security Incidents
► Response
   Develop processes and procedures in advance
   Ensure the procedures are universally available
   Provide response training to local units
   Ensure the central IT Security Office is involved with the incident
   Automate as much of the response process as
   Establish a Data Loss Response Team
Challenge: Answering Institutional-Level Questions
► Response
   Do not ask abstract questions
   Work real world situations requiring action and
   Create a Data Loss Response Team
Responding to Incidents
► Clearly distinguish between IT security and data security
► Data Loss Response Team
   Established to ensure the university responds appropriately
   Members
      ► University Audit
      ► Public Relations
      ► Risk Management
      ► Data Stewards
      ► University Counsel
      ► VP of IT
      ► University Police
      ► Local Unit
   Two meetings of this team per incident
      ► First meeting establishes understanding of incident and provides
        specific direction
      ► Second meeting weighs evidence and determines appropriate actions
Responding to Incidents
► Data Loss Response Team benefits
   Helps answer tough questions for the university
   Provides a balanced and effective decision making process
   Helps establish minimum standards for analysis
   Weighs in on established practices and
   Establishes a more thorough understanding of IT security challenges