Handling Sensitive Data:Security, Privacy, and Other Considerations

Rodney Petersen

Government Relations Officer

Security Task Force Coordinator

EDUCAUSE

Security Task Force

Goals: Education and Awareness Standards, Policies, and Procedures Security Architecture and Tools Organization and Information Sharing

Working Groups Awareness and Training Policies and Legal Issues Risk Assessment Effective Practices and Solutions

Annual Security Professionals Conference

Security Goals: C-I-A

Availability - computers, systems and networks must be available on a timely basis to meet mission requirements or to avoid substantial losses.Integrity - computers, systems, and networks that contain information must be protected from unauthorized, unanticipated, or unintentional modification.Confidentiality - computers, systems, and networks that contain information require protection from unauthorized use or disclosure.

Security Approaches

People – awareness, training, policies, roles and responsibilities, staffing, etc.

Process – procedures, work flows, systems, physical security, compliance, etc.

Technology – layered security, vulnerability scanning, access controls, o/s and s/w updates, etc.

ECAR IT Security Study

The Headlines You Won’t Read in the Chronicle of Higher Ed or New York Times:

The respondents feel more secure today than two years ago despite being in a perceived riskier environment.

Respondents feel that the academic community has become more sensitive to security and privacy in the last two years.

ECAR IT Security Study, 2006

IT Security Incidents

Ten percent of the respondents in our survey indicated that they had an IT security incident in the last twelve months, which had been reported to the press (down from 19 percent in 2003).A majority of institutions (74.2 percent) report that the number of incidents is about the same or less in the past twelve months as compared with the year before.The primary perceived risks are viruses (72.6 percent), theft of personal financial information (64.8 percent), and spoofing and spyware (55.3 percent).

ECAR IT Security Study, 2006

Data Security Incidents

Stolen Laptops

Missing Media

Unauthorized access to systems

Incident response teams

Notification to affected individuals

Identity theft and other types of fraud

Data Incident Notification Toolkit

Blueprint for Handling Data

Step 1: Create a security risk-aware culture that includes an information security risk management programStep 2: Define institutional data typesStep 3: Clarify responsibilities and accountability for safeguarding confidential/sensitive dataStep 4: Reduce access to confidential/sensitive data not absolutely essential to institutional processesStep 5: Establish and implement stricter controls for safeguarding confidential/sensitive dataStep 6: Provide awareness and trainingStep 7: Verify compliance routinely with your policies and procedures

Step 1: Risk Aware Culture

1.1 Institution-wide security risk management program

1.2 Roles and responsibilities defined for overall information security at the central and distributed level

1.3 Executive leadership support in the form of policies and governance actions

Risk Management Framework

Risks Incurred

ECAR IT Security Study, 2006

Damage Percent

Business application, including e-mail, unavailable 33.7%

Network unavailable 29.4%

Information confidentiality compromised 26.0%

Damage to software 21.5%

Damage to data 12.5%

Negative publicity in the press 10.0%

Identity theft 8.4%

Damage to hardware 7.4%

Financial losses 6.4%

Risk Assessments

55 percent do some type of risk assessment

But less than 9 percent cover all institutional systems and data.

ECAR IT Security Study, 2006

Responsibility for IT Security

IT Security Officer (up to 35% from 22%)

CIO (up to 14% from 8%)

Other IT Directors ( down to 50% from 67%)

IT Security Plan

11.2 percent - a comprehensive IT security plan is in place

66.6 percent - a partial plan is in place.

20.4 percent - no IT security plan is in place

ECAR IT Security Study, 2006

Policies in Place

Individual employee responsibilities for information security practices (73%)

Protection of organizational assets (73%)

Managing privacy issues, including breaches of personal information (72%)

Incident reporting and response (69%)

Disaster recovery contingency planning (68%)

Policies in Place

Investigation and correction of the causes of security failures (68%)Notification of security events to: individuals, the law, etc. (67%)Sharing, storing, and transmitting data (51%)Data classification, retention, and destruction (51%)Identity Management (50%)

Step 1: Risk Aware Culture

1.1 Institution-wide security risk management program

1.2 Roles and responsibilities defined for overall information security at the central and distributed level

1.3 Executive leadership support in the form of policies and governance actions

Step 2: Define Data Types

2.1 Compliance with applicable federal and state laws and regulations - as well as contractual obligations - related to privacy and security of data held by the institution (also consider applicable international laws) 2.2 Data classification schema developed with input from legal counsel and data stewards 2.3 Data classification schema assigned to institutional data to the extent possible or necessary

Step 3: Clarify Responsibilities

3.1 Data stewardship roles and responsibilities

3.2 Legally binding third party agreements that assign responsibility for secure data handling

Step 4: Reduce Access to Data

4.1 Data collection processes (including forms) should request only the minimum necessary confidential/sensitive information 4.2 Application outputs (e.g., queries, hard copy reports, etc.) should provide only the minimum necessary confidential/sensitive information 4.3 Inventory and review access to existing confidential/sensitive data on servers, desktops, and mobile devices 4.4 Eliminate unnecessary confidential/sensitive data on servers, desktops, and mobile devices 4.5 Eliminate dependence on SSNs as primary identifiers and as a form of authentication

Step 5: Controls

5.1 Inventory and review/remediate security of devices 5.2 Configuration standards for applications, servers, desktops, and mobile devices 5.3 Network level protections5.4 Encryption strategies for data in transit and at rest 5.5 Policies regarding confidential/sensitive data on mobile devices and home computers and for data archival/storage 5.6 Identity management and resource provisioning processes 5.7 Secure disposal of equipment and data 5.8 Consider background checks on individuals handling confidential/sensitive data

Security Approaches in Place

Perimeter firewalls 77%Centralized backups 77%VPNs for remote access 75%Enterprise directory 75%Interior network firewalls 65%Intrusion detection 62%Active filtering 59%

Intrusion prevention 44% (up from 33%)Security Standards for Applications 32% (up from 27%)

ECAR IT Security Study, 2006

Step 6: Awareness and Training

6.1 Make confidential/sensitive data handlers aware of privacy and security requirements 6.2 Require acknowledgment by data users of their responsibility for safeguarding such data 6.3 Enhance general privacy and security awareness programs to specifically address safeguarding confidential/sensitive data 6.4 Clearly communicate how to safeguard data so that collaboration mechanisms such as e-mail have strengths and limitations in terms of access control

Awareness Programs

ECAR IT Security Study, 2006

Students Faculty Staff

Program 2003 39.2% 38.2% 42.2%

Program 2005 62.3% 68.8% 69.1%

Percent change 23.1% 30.6% 26.9%

Step 7: Verify Compliance

7.1 Routinely test network-connected devices and services for weaknesses in operating systems, applications, and encryption 7.2 Routinely scan servers, desktops, mobile devices, and networks containing confidential/sensitive data to verify compliance 7.3 Routinely audit access privileges 7.4 Procurement procedures and contract language to ensure proper data handling is maintained 7.5 System development methodologies that prevent new data handling problems from being introduced into the environment 7.6 Utilize audit function within the institution to verify compliance 7.7 Incident response policies and procedures 7.8 Conduct regular meetings with stakeholders such as data stewards, legal counsel, compliance officers, public safety, public relations, and IT groups to review institutional risk and compliance and to revise existing policies and procedures as needed

FTC Guide: Protecting Personal Information

Take stock.Know what personal information you have in your files and on your computers.

Scale down.Keep only what you need for your business.Lock it.Protect the information that you keep.Pitch it. Properly dispose of what you no longer need.Plan ahead. Create a plan to respond to security incidents.

Characteristics of Successful IT Security Programs

Institutions with IT security plans in place characterize their IT security programs as more successful and feel more secure today.

The respondents who believe their institution provides necessary resources give higher ratings for IT security program success and their current sense of IT security.

The biggest barrier to IT security is lack of resources (64.4 percent) and especially at smaller institutions, followed by an academic culture of openness and autonomy (49.6 percent), and lack of awareness (36.4 percent).

ECAR IT Security Study, 2006

For more information

Rodney PetersenEmail: rpetersen@educause.eduPhone: 202.331.5368EDUCAUSE/Internet2 Security Task Forcewww.educause.edu/securityEDUCAUSE Center for Applied Researchwww.educause.edu/ECARBlueprint for Handling Sensitive Datawiki.internet2.edu/confluence/display/secguide