Managing Sensitive Data
Harvard Townsend
Interim University IT Security Officer
harv@k-state.edu
532-2985
College Court 114
Oct 4, 2006
Dept Security Contacts Training
1
“…as we know, there are known knowns;
there are things we know we know. We
also know there are known unknowns;
that is to say we know there are some
things we do not know. But there are
also unknown unknowns - the ones we
don't know we don't know.”
Donald Rumsfeld, Secretary of Defense, 2002
Oct 4, 2006
Dept Security Contacts Training
2
Why Should We Care?
• 93,998,906 and counting…
… the approximate number of records with
personal identity information that have been
compromised due to security breaches since
February 15, 2005
• Privacy Rights Clearing House
www.privacyrights.org/ar/ChronDataBreaches.htm
Oct 4, 2006
Dept Security Contacts Training
3
Why Should We Care?
• Data entrusted to our care
• Handling a breach very expensive
• Damage to institution’s reputation
Oct 4, 2006
Dept Security Contacts Training
4
Oct 4, 2006
Dept Security Contacts Training
5
Why Should We Care?
• It is the law:
– SB 196 Kansas Security Breach Law takes effect Jan. 1, 2007
• Protects personal identity information
• Mandates prompt investigation and notification
–
–
–
–
FERPA (student records)
HIPAA (medical records)
GLB (financial records)
ECPA (electronic communications)
Oct 4, 2006
Dept Security Contacts Training
6
Why Should We Care?
• It is K-State policy
– PPM 3495 “Collection, Use, and Protection of Social
Security Numbers”
– PPM 3415 “Information Security Plan” (GLB)
– PPM 7010, section .430 “Intellectual Property Rights”
– PPM 7010, section .440 “Data Access and Retention”
– PPM 3485 “Protecting Sensitive Data by Desktop Search
Products”
– PPM 3060 “Kansas Open Records Act”
– PPM 3090 “Retention of Records”
– PPM 3430 “Security for Information, Computing and
Network Resources”
Oct 4, 2006
Dept Security Contacts Training
7
Oct 4, 2006
Dept Security Contacts Training
8
Oct 4, 2006
Dept Security Contacts Training
9
Spoofed Website
Hosted on the server in China
Legitimate Website
Oct 4, 2006
Dept Security Contacts Training
10
Harvested Data
Login from Romania
Victim
Source of Spam
Oct 4, 2006
Dept Security Contacts Training
Hosted in
Germany
11
What is “Sensitive Data?”
• Sensitivity = level of protection against
disclosure and abuse
• Criticality = level of importance to the
institution
• Risk = measure of negative impact of a
event and probability it will occur
Oct 4, 2006
Dept Security Contacts Training
12
Data Classification
•
•
•
•
Public data
Internal restricted data
Confidential data
National Security Interest data
Oct 4, 2006
Dept Security Contacts Training
13
Public Data
•
•
•
•
•
Approved for distribution to the public
No such thing as unauthorized disclosure
Very low sensitivity
Still needs protection
Examples:
–
–
–
–
–
Course catalog
Campus maps
Online people directory
Extension publications
Press releases
Oct 4, 2006
Dept Security Contacts Training
14
Internal Restricted Data
• Intended for use only within K-State for
University purposes
• Requires access controls
• Public disclosure could cause problems
• Moderate sensitivity
• Examples:
–
–
–
–
Departmental intranet
Transaction log files
Budget data
Purchase orders
Oct 4, 2006
Dept Security Contacts Training
15
Confidential Data
• Highly sensitive data that can only be disclosed to
individuals with explicit authorization
• Protection required by law (FERPA, HIPAA)
• Unauthorized disclosure harmful or catastrophic to
individual, group, or institution
• High sensitivity, thus requires highest level of
protection
• Examples: SSN, credit card #s, personal identity
data, student records, personnel records, medical
records
Oct 4, 2006
Dept Security Contacts Training
16
National Security Interest Data
• Federal government classified data
• Restrictions determined by the source agency
• Moderate to high sensitivity, depending on federal
classification
• Examples:
– Biosecurity Research Institute data
– DoD contracts
– Homeland Security contracts
Oct 4, 2006
Dept Security Contacts Training
17
Managing Confidential Data
General Guidelines
• Data owner must approve access
• Require strong authN/authZ for access
• Understand and secure all interfaces (“trust
relationships”)
• Secure test and development systems
• Secure developers’ desktops
• Don’t use real data for test and development
• Control printing
• Encrypt stored data where feasible
• Fear wireless!
Oct 4, 2006
Dept Security Contacts Training
18
Managing Confidential Data
General Guidelines
• Transmit securely (SFTP and SSH, not FTP and
Telnet)
• Don’t send in e-mail
• Store on a secure server, not desktop or laptop
• Place systems behind firewall with restrictive ruleset
• Restrict physical access and remote access to
server(s)
• Monitor 24x7x365
• Secure, frequent, off-site backups
• Destroy data thoroughly upon disposal
• Perform security audit at least annually
Oct 4, 2006
Dept Security Contacts Training
19
Social Security Numbers
• See policy on the “Collection, Use, and Protection
of Social Security Numbers”
http://www.k-state.edu/policies/ppm/3495.html#policy
• Removal from ID cards July 1, 2006
• Replaced with Wildcat ID (WID)
• Available in K-State Online, KATS, DARS, eID eprofile
• Full conversion in new SIS
Oct 4, 2006
Dept Security Contacts Training
20
What Should You Do About SSNs?
• Read “Understanding K-State IDs”
www.k-state.edu/infotech/personalid/understandingids.html
• Communicate the issue with your department
• Identify uses of SSNs and compare to policy
requirements
• Be paranoid!
• Watch IT Tuesday for more info
Oct 4, 2006
Dept Security Contacts Training
21
Credit Card Numbers
• Never store credit card numbers
• Use third party credit service company
• If you handle credit cards, review Payment
Card Industry Data Security Standards
(PCI DSS)
• K-State is currently level 3 merchant
• Become level 1 if compromised
Oct 4, 2006
Dept Security Contacts Training
22
Mobile Devices
•
•
•
•
•
Laptop or tablet PCs
Smart phones like Blackberry, Palm Treo
Personal Digital Assistants (PDAs)
Portable media players (iPod)
Storage media like USB flash drive, SD or
CompactFlash cards
Oct 4, 2006
Dept Security Contacts Training
23
Preventing Theft
• Use tracking and recovery software like
Computrace from Absolute Software
(www.absolute.com)
• Use lock cables
• Apply tamper-resistant asset tag or engrave cover
• Use a nondescript carrying case
• Don’t let it out of your sight when you travel
• Always take it in your carry-on luggage
• Don’t leave it in view in your car
• Lock it securely with a cable in your hotel room
Oct 4, 2006
Dept Security Contacts Training
24
Data on Mobile Devices
• DON’T store confidential data on mobile
devices
• If you must, encrypt it
• Beware of managing encryption keys
• Keep the original file(s) on a secure server
• Diligently manage the security of the device
(patches, antivirus software, firewalls, etc.)
Oct 4, 2006
Dept Security Contacts Training
25
Rumsfeldisms on IT Security
On interrogating hackers:
“I don't know what the facts are but somebody's certainly going
to sit down with him and find out what he knows that they
may not know, and make sure he knows what they know that
he may not know.”
On communicating with the media after a compromise:
“I believe what I said yesterday. I don't know what I said, but I
know what I think, and, well, I assume it's what I said.”
“If I said yes, that would then suggest that that might be the only
place where it might be done which would not be accurate,
necessarily accurate. It might also not be inaccurate, but I'm
disinclined to mislead anyone.”
“Learn to say 'I don't know.' If used when appropriate, it will be
often.”
“I am not going to give you a number for it because it's not my
business to do intelligent work.”
Questions?
Oct 4, 2006
Dept Security Contacts Training
27