Data Management/Information Security Education and Awareness · 2019-09-27


Data Management/Information Security Education and Awareness

Standards Review
Information Security Program Office

Contacts

• Sherry Pesino
  • Instructional Technologist
  • [email protected]
  • (860) 723-0021

• Jeff Clark
  • Security and Policy Program Manager
  • [email protected]
  • (860) 723-0744

October 2014 Confidential 2


Data Management

• Background
  o What is Data Management?
• Importance
  o Why is Data Management important?
• Essentials
  o What are some essential components of Data Management?
• Standards
  o What needs to be done?
• Reporting
  o What are the Reporting Requirements?
• Next Steps


Background: What is Data Management?

What is Data Management?

A basic understanding of:

• The policies, standards and procedures for protecting data: confidentiality, integrity and availability
• Potential risks of the loss of data confidentiality, availability and accuracy of CSCU information
• How to protect information assets from loss of data confidentiality, availability and accuracy


Good Data Management Practices

• Operate within the CSCU governance context of policies, standards and procedures, including the data management and Information Security User Education and Awareness policies, standards and procedures.
• Reduce risks associated with handling data by applying controls in a way that minimizes the misuse or misinterpretation of, or unnecessary restrictions on access to, institutional data.
• Ensure institutional compliance with applicable regulations, such as GLBA, CT Data Protection, FERPA, e-Discovery and CT Record Retention.
• Minimize employee behaviors and actions that can threaten information security.


Importance: Why is Data Management important?

Why is Data Management Important?

• Data loss can occur for many reasons:
  o Cyber-threats ranging from malicious code (viruses, worms, Trojans) to denial of service attacks
  o Physical theft of data or equipment
  o Improper disposal of data
  o Fire, electrical, water or other physical damage
• The consequences of data loss are far-reaching:
  o Lawsuits (e-discovery)
  o FOIA
  o Disaster recovery
  o Business continuity


Confidentiality

• Privacy, or the ability to control and restrict access, monitor, and assure that only authorized individuals can view sensitive information.
• One of the underlying principles of confidentiality is "need-to-know" or "least privilege".


Integrity

• Information is accurate and reliable and has not been subtly changed or tampered with by an unauthorized party. Integrity includes:
  o Authenticity & Authorization: the ability to verify that content has not changed in an unauthorized manner.
  o Non-repudiation & Accountability: the origin of any action on the system can be verified and associated with a user.


Availability

• Information and other critical assets are accessible to customers and the business when needed.
• Data is retained and available in the event of FOIA requests and e-Discovery requirements.
• Maintaining access to data for business continuity and disaster recovery.


Essentials: What are some essential components of Data Management?

Data Classification

• Data Classification is the process of grouping data elements together by risk level.
• The four Data Classification Levels (DCL) run from 0 to 3.
• Appropriate security controls will be applied to each classification level.
• Increasingly restrictive data management and security practices are required for each level, with DCL0 requiring limited protection and DCL3 requiring the most protection.


CSCU Data Classifications: DCL3

• DCL3 is protected confidential data. DCL3 data, if improperly disclosed together with identity data, could be used for identity theft or to cause financial harm to an individual or the CSCU. Unauthorized disclosure requires public notification and identity theft insurance.
  o Security at this level is very high (highest possible).
  o Examples of DCL3 data are:
    • Social Security number & Identity Data
    • Bank account or debit card information and Identity Data
    • Credit card number & cardholder information
    • Student Loan Data
  o DCL3 data must be protected from disclosure.


CSCU Data Classifications (cont'd): DCL2

• DCL2 is restricted data that is available for disclosure, but only under strictly controlled circumstances. Unauthorized disclosure does not require public notification and identity theft insurance, but requires documentation of the event.
  o Such information must typically be restricted due to proprietary, ethical or privacy considerations.
  o An example of such restrictions is the FERPA guidelines that govern publication and disclosure of student information.
  o Security at this level is high.
  o Examples of DCL2 data are:
    • Mother's maiden name
    • Academic records
    • Employee Medical Records


CSCU Data Classifications (cont'd): DCL1

• DCL1 is internal data that has not been approved for general circulation outside the CSCU, where its disclosure would inconvenience the CSCU but is unlikely to result in financial loss or serious damage to credibility.
  o Security at this level is controlled but normal.
  o Examples of DCL1 data are:
    • Internal memos
    • Minutes of meetings
    • Internal project reports


CSCU Data Classifications (cont'd): DCL0

• DCL0 is public data that is not classified as DCL1 through DCL3 and is approved for distribution to the public. Disclosure of public data requires no authorization, and it may be freely disseminated without potential harm to the CSCU.
  o Security at this level is minimal.
  o Examples of DCL0 data are:
    • Advertising
    • Public Directory Information
    • Press Releases
    • Job postings


Data Domains

Data belongs to specific functional areas, also referred to as data domains.

• Examples of Data Domains are:
  o Academic Records
  o Admissions
  o Development (Fundraising)
  o Financial Aid
  o Human Resources
  o Information Technology
  o Institutional Research
  o Student Advising & Counseling


Organizational Structure

[Diagram, not reproduced: Data Management roles (Data Users, Data Manager, Data Steward/Data Domain, Data Management Coordinator, RMLO) and the DCL3 Data and DCL2 Data they handle.]

DCL3 Data User

• Has been authorized by the Data Steward for DCL3 data access.
• A data user has operational requirements to access data and use data in the performance of his/her assigned duties.
• Receives yearly Security Awareness training.
• Has Identity Finder installed on their computer to scan for DCL3 data.
• Saves all DCL3 data in a secure folder.
• Only sends files with DCL3 data via public communication (e-mail) when they have been encrypted.


Data Manager

• A Data Manager has day-to-day responsibilities for data management within a specific data domain (functional area).
• Data Managers have responsibility for understanding, protecting and managing access to CSCU data.


Data Steward

• A Data Steward has planning and policy responsibilities for data within a specific data domain (functional area).
• Data Stewards have responsibility for understanding where data is processed, transmitted and stored.
• They are responsible for protecting and granting access to CSCU data.


Data Management Coordinator

• Coordinates and compiles data reporting for the college, university, or system office.
• Coordinates training for Data Stewards, Data Managers and Data Users.
• Communicates and provides resources to campus staff on the Information Security Education and Awareness Training program.
• Acts as the point person for communication with the Information Security Program Office.


RMLO: Records Management Liaison Officer

The Records Management Liaison Officer is responsible for coordinating with the State Librarian to carry out the provisions of Connecticut General Statutes (CGS) Sec. 11-8a(f). The RMLO has primary responsibility for:

• Training of staff on records management requirements
• Coordinating with the State Library on records destruction

Note: We recommend that the role of RMLO be combined with the role of Data Steward, and that the institution assign a primary RMLO for the institution and a secondary RMLO(s) for each Data Domain.


Standards: What needs to be done?

Establish a Data Management Coordinator

• Identified by President


Set Data Domains

• Defined by Presidents
• Data Steward assigned to each Domain


Management of Data

• Designate Data Manager
• Maintain inventory of Data Domain Managers and Users
• Maintain inventory of all data storage locations
• Verify DCL3 Data Storage
• Develop operational procedures for transmission, processing and storage of data


Records Management

• Identify an institution-wide Records Management Liaison Officer (RMLO).
• Coordinate with the institution's Data Stewards.
• Comply with State of CT Record Retention Schedules.
  o Records retention is based on the content of the message, not the medium in which it is communicated. Electronic messages (e.g. e-mail, texts, instant messages) need to retain the metadata along with the message content. Any record that was required to be saved under records retention needs to go through the records destruction approval process before being deleted.


Information Security Education and Awareness Program

Use a comprehensive program with the following components:

• Targeted training based on data access
• Mandatory annual training for DCL3 users, also including on-going user education initiatives to support the training
• Voluntary annual training for users with DCL2 data access
• Assurance program to ensure users are following the Information Security Education and Awareness Program, e.g. targeted phishing, targeted social engineering attack, storage review, process review, etc.


Information Security Education and Awareness Program (cont'd)

• Must be taken within 2 weeks of employment or change in job function.
• The program covers, at minimum:
  o You Are the Target, Social Engineering, E-mail and Messaging, Browsing, Social Networking, Mobile Device Security, Passwords, Encryption, Data Security, Data Destruction, Wi-Fi Security, Working Remotely, Insider Threat, Help Desk, IT Staff, Physical Security, Protecting Your Personal Computer, Protecting Your Home Network, Hacked, Senior Leadership, Advanced Persistent Threat, Cloud, PCI DSS, FERPA, HIPAA, Personal Identifiable Information (PII), Federal Tax, GLBA-EDU, Red Flags Rule, Data Retention, Social Security Numbers, Federal Personal Identifiable Information (PII), and Privacy Security.
• CCC Training Procedures:


    http://supportcenter.ct.edu/Service/securityeducation.asp

Reporting: What are the Reporting Requirements?

Requirements

• Annually, the BOR Chief Information Officer shall provide the Board of Regents a report detailing the security program effectiveness and the risk the BOR is currently accepting.
• Annually, the Data Management Coordinator from each institution reports to ISPO the following:
  o List of Data Domains and assigned Data Stewards
  o List of Data Domain users and training taken during the calendar year
  o Additional reporting requirements as the DCL3 Data Protection model is implemented


Next Steps

• BOR DCL3 Data Protection Standard
  o Overview: create a protective enclave around the transmission, processing and storage of DCL3 data.
• BOR DCL3/DCL2 Incident Management Standard
  o Incident management procedures for the CCC will change once Data Management has been completed and Identity Finder reports are run consistently. Incident investigation and hardware (forensic) reviews will only need to be done on systems/users with access to DCL3 data.
• Potential Administrative Controls
  o Two training refreshers per year
  o Review of DCL3 data transmission, processing and storage procedures
  o Review of employee authorizations
• Potential Technical Controls
  o Data Loss Prevention (Identity Finder): finds confidential data and allows the user to manage it
  o Application White Listing (McAfee Application Control)
  o Disk Encryption (McAfee Encryption)

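The kind of DCL3 identifier scan that the Data Loss Prevention control above (and the Identity Finder scan on each DCL3 Data User's computer) performs, as an added Python example that is not CSCU's or Identity Finder's code: it flags Social Security numbers and Luhn-valid card numbers in a set of constructed sample files and reports them to the Data Steward, while leaving the DCL0 to DCL2 decision, which is a policy judgement, to a human. File names and contents are constructed for the demonstration.

```python
import re

# Constructed sample files (not real data); one SSN, one valid and one invalid card number.
SAMPLE_DOCS = {
    "memo.txt": "Internal memo: minutes of the 3 Oct meeting attached.",
    "aid.csv": "Name,SSN\nJane Roe,123-45-6789\n",
    "refund.txt": "Refund to card 4111 1111 1111 1111 for J. Roe.",
    "ticket.txt": "Order 4111-1111-1111-1112 failed checksum.",
}

# SSN: area not 000/666/9xx, group not 00, serial not 0000 (rejects obvious non-SSNs).
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# Candidate card number: 13 to 19 digits, optionally separated by spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum: separates real card numbers from random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_dcl3_identifiers(text: str) -> list:
    """Return (kind, matched text) pairs for SSNs and Luhn-valid card numbers."""
    hits = [("ssn", m.group(0)) for m in SSN_RE.finditer(text)]
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            hits.append(("card", m.group(0)))
    return hits


def classify(text: str) -> str:
    """DCL3 when protected identifiers are present; anything else goes to steward review."""
    return "DCL3" if find_dcl3_identifiers(text) else "review"


def scan_files(docs: dict) -> dict:
    """Scan every file; the result is what a DLP report would hand to the Data Steward."""
    return {name: classify(text) for name, text in docs.items()}


if __name__ == "__main__":
    for name, level in scan_files(SAMPLE_DOCS).items():
        print(f"{name}: {level} {find_dcl3_identifiers(SAMPLE_DOCS[name])}")
```

The invalid checksum in ticket.txt is why the scan applies Luhn rather than matching digit runs alone; it keeps order and ticket numbers from being flagged as DCL3.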

References

• BOR Security Resolution
  o http://www.ct.edu/files/it/BOR_Security_Resolution_10-17-2013.pdf
• BOR Security Policy
  o http://www.ct.edu/files/it/BOR_IT-003.pdf
• BOR Security Standards
  o http://supportcenter.ct.edu/Service/Standards/IT-STND-001.pdf
  o http://supportcenter.ct.edu/Service/Standards/IT-STND-002.pdf
• State Records Management Program
  o http://www.ctstatelibrary.org/public-records-programs/state-records-management-program


Questions/Closing Comments

• Please Sign Attendance Sheet
• Q & A
