Peeling Back the Layers of an Ogre –
advertisement
Peeling Back the Layers of an Ogre (or for those who like boring titles – Where is Our Confidential Data Hiding?) Harvard Townsend IT Security Officer harv@ksu.edu October 31, 2007 Agenda Why should we care? What should we care about? What are the threats? What can we do about it? 2 Why Should We Care? 167,706,372 and counting… … the approximate number of records with personal identity information compromised due to security breaches since January 2005 www.privacyrights.org/ar/ChronDataBreaches.htm In 2006, 3 million college students possible victims of identity theft (CDW-G study) Identity theft is the fastest growing crime 3 Why Should We Care? Handling a breach very expensive 4 Why Should We Care? Damage to institution’s reputation 5 Why Should We Care? Your reputation or job may be on the line 6 Why Should We Care? It is the law: SB 196 Kansas Security Breach Law Protects personal identity information Mandates prompt investigation and notification FERPA (student records) HIPAA (medical records) GLB (financial records) ECPA (electronic communications) Federal Rules of Civil Procedure (e-Discovery) 7 Because Visa Said So Payment Card Industry Data Security Standards (PCI DSS) Version 1.1 published in Sept. 2006 www.pcisecuritystandards.org “PCI DSS requirements are applicable if a Primary Account Number (PAN) is stored, processed, or transmitted.” Do you know who is handling credit card info on campus and how they are doing it? 8 Credit Cards@K-State I’m not putting this info in the PowerPoint presentation!! 9 What Should We Care About? All data needs protection Particularly interested in confidential data Highly sensitive data that can only be disclosed to individuals with explicit authorization Protection required by law (FERPA, HIPAA) Unauthorized disclosure harmful or catastrophic to individual, group, or institution Examples: SSN. Credit card info, student grades, medical records 10 What Are the Threats? Ignorance Theft – external and internal Inadvertent disclosure Improper disposal Highly distributed IT services Backups Catastrophic failure or other disaster Mobility – laptops, wireless, USB thumb drives, SmartPhones 11 Fear Laptops! 12 What Can We Do About It? Know your data! Its value Its classification Its location (of every copy) Who is responsible for it Who has access to it The threats to it 13 What Can We Do About It? “Data Classification and Security Policy and Standards” Classify data based on sensitivity Specify security requirements for each classification Define roles and responsibilities 14 Policy “All University Data must be classified according to the K-State Data Classification Schema and protected according to K-State Data Security Standards. Exceptions must be approved in writing by the Chief Data Stewards and the Vice Provost for IT Services.” 15 Data Classification Schema 4 categories: Public Internal Confidential Proprietary 16 Data Security Standards Access Controls Copying/Printing Network Security System Security Physical Security Remote Access Storage Transmission Backup/DR Media Sanitization Training Audit Schedule 17 Implementation Strategy Focus on confidential data first SSNs Credit cards Serve as guideline for other data Eventually require classification of all data 18 Where is the data located? You would be surprised! Tools to help “Spider” from Cornell http://www.cit.cornell.edu/security/tools/ Sensitive Number Finder (SENF) from UT-Austin https://source.its.utexas.edu/groups/its-iso/projects/senf Not ready for your average user 19 Where is the data located? Gradebooks, esp. old spreadsheets Course web pages Homework assignments Exams Travel authorization forms Applications for admission Personnel papers E-mail Backup tapes, CDs, floppies, USB drives Where have you found confidential data? 20 What Can We Do About It? Delete unnecessary copies Make sure it’s gone when deleted Know how to protect it K-State Data Security Standards K-State SSN Policy PCI DSS for credit cards K-State Mobile Device Security Guidelines Encryption 21 What Can We Do About It? SSNs K-State Policy on “Collection, Use and Protection of Social Security Numbers” “Use of the SSN as an identifier will be discontinued, except where authorized for employment, IRS reporting, federal student financial aid processing, state and federal reporting requirements, and a limited number of other business transactions.” 22 What Can We Do About It? SSNs Appendix A lists approved uses: Employment Application and receipt of financial aid Tuition remission Benefits administration Insurance IRS reporting Student information exchange (transcripts) 23 What Can We Do About It? SSNs Start transitioning to use of the Wildcat ID (WID) iSIS a key component to this transition Also the People Database Departments are moving in that direction Where are the SSNs in your department? Run Spider from Cornell to find them 24 What Can We Do About It? Credit Cards Must comply with the Payment Card Industry Data Security Standards (PCI DSS) no matter the merchant level (we’re level 2) Are strong requirements 12 major requirements in 6 categories 238 individual controls Annual self-assessment questionnaire Quarterly network security scan by an “approved scanning vendor” 25 What Can We Do About It? Credit Cards The plan Internal Audit documented campus practices Working group formed to develop strategy Use central service or comply with DSS See http://www.pcisecuritystandards.org for more information Data Security Standard v1.1 Self-assessment questionnaire Network scanning procedure Security audit procedure 26 What Can We Do About It? Mobility Don’t store confidential data on mobile devices! Mobile device security guidelines http://www.k-state.edu/infotech/security/mobile.html 27 What Can We Do About It? Encryption Stored data Software encryption Hardware encryption Transmitted data SIRT team working on a software recommendation Laptops Removable devices 28 What’s on your mind?
