A Blueprint for Handling Sensitive Data: Security, Privacy, and Other Considerations .

Uploaded on:
2. Presentations. Ice-breaker BINGO!!5 minutesFirst 10 individuals to get BINGO win a prize!Introductions:NameTitle or Functional Description of DutiesOrganizational AffiliationWhat would you like to escape this session?. 3. Outline to Seminar. Data security dangers at schools and colleges present testing legitimate, arrangement, specialized, and operational issues.Security episodes have come about
Slide 1

A Blueprint for Handling Sensitive Data: Security, Privacy, and Other Considerations David Escalante H. Morrow Long Director of Computer Policy Director, Information Security & Security Yale University Boston College NERCOMP Preconference Seminar Monday, March 19, 2007 1:00 p.m. - 4:30 p.m.

Slide 2

Introductions Ice-breaker BINGO!! 5 minutes First 10 individuals to get BINGO win a prize! Presentations: Name Title or Functional Description of Duties Organizational Affiliation What would you like to escape this session?

Slide 3

Overview to Seminar Information security dangers at schools and colleges display testing lawful, approach, specialized, and operational issues. Security episodes have brought about bargains of individual data which have prompted to awful reputation and the potential for wholesale fraud. Dangers to data security at schools and colleges proceed to continue and require that people at all levels of the foundation get to be distinctly connected with to keep advance information ruptures from happening. This class will plot a plan for ensuring touchy information as per the EDUCAUSE/Internet2 Security Task Force .

Slide 4

Seminar Goals At the finish of this session: You ought to feel great talking about basic cybersecurity dangers tormenting advanced education and PC clients as a rule. You will have a rundown of key techniques to take after for ceasing the spillage of private/touchy information. You will be acquainted with a few security assets and best practices to help you apply the key methodologies.

Slide 5

Today\'s Roadmap Foundations of Cybersecurity in Higher Ed The Blueprint Creating a Security Risk-Aware Culture Defining Institutional Data Types Clarify Responsibilities and Accountability Reducing Access to Data Not Absolutely Essential Establishing and Implementing Stricter Controls Providing Awareness and Training Verifying Compliance Putting it All Together:  Moving from Planning to Action

Slide 6

Higher Ed IT Environments Technology Environment Distributed processing and extensive variety of equipment and programming from obsolete to best in class Increasing requests for disseminated registering, separate learning and versatile/remote abilities which make one of a kind security challenges Leadership Environment Reactive instead of proactive Lack of unmistakably characterized objectives (what do we have to ensure and why) Academic Culture Persistent conviction that security & scholastic flexibility are contradictory Tolerance, experimentation, and namelessness very esteemed

Slide 7

Higher Ed IT Environments Current Status: "The data security environment has turned out to be progressively more hazardous. News accounts have announced Higher Education organizations required in many episodes of traded off classified data over the previous year. The cost of telling and offering help to those people who have had their security data traded off can keep running into the a huge number of dollars for every occurrence. Expanded administrative necessities additionally make it basic that the University have the capacity to demonstrate a level of due industriousness in the assurance of its frameworks and secret information." Why is this in quotes?

Slide 8

Goals of Cybersecurity Confidentiality - data requires insurance from unapproved utilize or exposure. Respectability - data must be shielded from unapproved, unexpected, or inadvertent change. Accessibility - PCs, frameworks, systems, and data must be accessible on an opportune premise to meet mission prerequisites or to maintain a strategic distance from considerable misfortunes.

Slide 9

Security Processes Deter Prevent Detect React Adapt Burton Group: A Systematic, Comprehensive Approach to Information Security (Feb. 2005)

Slide 10

Security Implementation Relies On: Systems must be worked to in fact hold fast to approach Policies must be produced, imparted, kept up and upheld Process Technology People Processes must be created that show how arrangements will be executed People must comprehend their obligations with respect to strategy

Slide 11

Framing the Problem Discussion – Breaches in Higher Education How did they happen? Who was affected? What amount did it cost? Are there topics? What\'s changed?

Slide 12

The Blueprint Confidential Data Handling Blueprint Purpose To give a rundown of key procedures to take after for halting the spillage of classified/touchy information. To give a toolbox that builds assets relating to private/delicate information handling.  https://wiki.internet2.edu/conversion/show/secguide/Confidential+Data+Handling+Blueprint

Slide 13

The Blueprint Confidential Data Handling Blueprint Introduction Steps and resulting sub-things are expected to give a general guide Institutions will be at different phases of advance Organized in an arrangement that permits you to intelligently finish every progression Each thing is prescribed as a powerful practice; state/neighborhood lawful prerequisites, institutional strategy, or grounds culture may leave every foundation moving toward this in an unexpected way

Slide 14

Step 1 Create a security chance mindful culture that incorporates a data security chance administration program Sub-steps 1.1 far reaching security chance administration program 1.2 Roles and duties characterized for general data security at the focal and conveyed level 1.3 Executive authority bolster as strategies and administration activities

Slide 15

Why Do We Care? HIPAA FERPA GLBA Sarbanes Oxley Act Grant prerequisites Compliance Other neighborhood state and government controls

Slide 16

Risk Management Risk = Threats x Vulnerabilities x Impact

Slide 17

Threat A foe that is roused to misuse a framework powerlessness and can do so National Research Council CSTB Report: Cybersecurity Today and Tomorrow: Pay Now or Pay Later (2002)

Slide 18

Examples of Threats Hackers Insiders "Script Kiddies" Criminal Organizations Terrorists Enemy Nation States

Slide 19

Vulnerability A blunder or a shortcoming in the plan, usage, or operation of a framework. National Research Council CSTB Report: Cybersecurity Today and Tomorrow: Pay Now or Pay Later (2002)

Slide 20

Examples of Vulnerabilities Networks – wired and remote Operating Systems – particularly Windows Hosts and Systems Malicious Code and Viruses People Processes Physical Environments

Slide 21

Impact Refers to the probability that a powerlessness will be misused or that a risk may get to be distinctly hurtful . National Research Council CSTB Report: Cybersecurity Today and Tomorrow: Pay Now or Pay Later (2002)

Slide 22

Examples of Impact Strategic Consequences Financial Consequences Legal Consequences Operational Consequences Reputational Consequences Qayoumi, Mohammad H. "Mission Continuity Planning: Strategically Assessing and Planning for Threats to Operations," NACUBO (2002).

Slide 23

Risk Management Risk = Threats x Vulnerabilities x Impact

Slide 24

Handling Risks Risk Assumption Risk Control Risk Mitigation Risk Avoidance Qayoumi, Mohammad H. "Mission Continuity Planning: Strategically Assessing and Planning for Threats to Operations," NACUBO (2002).

Slide 25

What Defines Culture? Key Planning and Decision-Making Examples: Top-down Bottom-up Consensus-based Institutional Values Examples: Student respect code Strong staff impact Emphasis on responsibility at all levels of organization High bond rating

Slide 26

What Defines Culture? Control of Operational Functions Examples: Centralized Decentralized Long-term Institutional Priorities Examples: Increase examine Increase people group outreach Other impacts on culture?

Slide 27

Ideas For Using Culture Decentralized Control Over Computing Formalize and use system of departmental framework chairmen How? A few Examples: University of Virginia LSP Program http://www.itc.virginia.edu/dcs/lsp George Mason University SALT Group http://itu.gmu.edu/security/sysadmin/salt-description.html

Slide 28

Ideas For Using Culture Increasing Emphasis on Compliance Spotlight Federal Regulations Related to Security & Privacy How? A few Examples: IT Security for Higher Education: A Legal Perspective http://www.educause.edu/ir/library/pdf/csd2746.pdf Family Educational Rights & Privacy Act http://www.ed.gov/strategy/gen/guid/fpcp/ferpa/index.html Gramm Leach Bliley Act http://www.ftc.gov/protection/glbact/index.html Health Insurance Portability & Accountability Act http://www.hhs.gov/ocr.hipaa

Slide 29

Ideas For Using Culture Strong Leadership at the Top Make Executive-level Awareness a Top Priority How? Expert Letter to Presidents Regarding Cybersecurity http://www.acenet.edu/washington/letters/2003/03march/cyber.cfm Information Security: A Difficult Balance http://www.educause.edu/bar/er/erm04/erm0456.asp Gaining the President\'s Support for IT Initiatives at Small Colleges http://www.educause.edu/applications/eq/eqm04/eqm0417.asp Presidential Leadership for Information Technology http://www.educause.edu/ir/library/pdf/erm0332.pdf

Slide 30

Morning Break 10:15 AM Return 10:30 AM

Slide 31

Step 2 Define institutional information sorts Sub-steps 2.1 Compliance with appropriate government and state laws and directions - and in addition authoritative commitments - identified with protection and security of information held by the organization (likewise consider material worldwide laws) 2.2 Data order pattern created with contribution from legitimate guidance and information stewards 2.3 Data grouping outline appointed to institutional information to the degree conceivable or vital

Slide 32

Institutional Data Types Discussion – Do you have an information characterization construction? Do you have a strategy? Why is this progression imperative?

Slide 33

Data Classification Policy Provides the structure important to recognize and group information keeping in mind the end goal to evaluate hazard and actualize an appr

View more...