Data Management/Information Security Education and
Awareness
Standards ReviewInformation Security Program Office
Contacts• Sherry Pesino
• Instructional Technologist
• (860) 723-0021
• Jeff Clark
• Security and Policy Program Manager
• (860) 723-0744
October 2014Confidential 2
Data Management• Background
o What is Data Management?
• Importanceo Why is Data Management important?
• Essentialso What are some essential components of Data Management?
• Standardso What needs to be done?
• Reportingo What are the Reporting Requirements?
• Next Steps
October 2014Confidential 3
BackgroundWhat is Data Management?
What is Data Management?A basic understanding of:
• The policies, standards and procedures for
protecting data; confidentiality, integrity and
availability
• Potential risks of the loss of data confidentiality,
availability and accuracy of CSCU information
• How to protect information assets from loss of data
confidentiality, availability and accuracy
October 2014Confidential 5
Good Data Management Practices• Operate within the CSCU governance context of
policies, standards and procedures. Including data
management and Information Security User Education
and Awareness policies, standards and procedures
• Reduce risks associated with handling data by applying
controls in a way that will minimize the misuse,
misinterpretation, or unnecessary restrictions for access
to institutional data.
• Ensure institutional compliance with applicable
regulations, such as GLBA, CT Data Protection, FERPA, e-
Discovery, CT Record Retention.
• Minimize employee behaviors and actions that can
threaten information security
October 2014Confidential 6
ImportanceWhy is Data Management important?
Why is Data Management Important?• Data loss can occur for many reasons
o Cyber-threats ranging from malicious code (viruses, worms, Trojans) to
denial of service attacks.
o Physical theft of data or equipment
o Improper disposal of data
o Fire, electrical, water or other physical damage
• Consequences of Data Loss is far reachingo Lawsuits (e-discovery)
o FOIA
o Disaster recovery
o Business continuity
October 2014Confidential 8
Confidentiality• Privacy or the ability to control, restrict access,
monitor and assure that only authorized individuals
can view sensitive information.
• One of the underlying principles of confidentiality is
"need-to-know" or "least privilege".
October 2014Confidential 9
Integrity• Information is accurate and reliable and has not
been subtly changed or tampered with by an
unauthorized party. Integrity includes: o Authenticity & Authorization: The ability to verify content has not changed
in an unauthorized manner.
o Non-repudiation & Accountability: The origin of any action on the system
can be verified and associated with a user.
October 2014Confidential 10
Availability• Information and other critical assets are accessible
to customers and the business when needed.
• Data is retained and available in the event of FOIA
requests and e-Discovery requirements.
• Maintaining access to data for business continuity
and disaster recovery
October 2014Confidential 11
EssentialsWhat are some essential components of Data Management?
Data Classification• Data Classification is the process of grouping data
elements together by risk level.
• The four Data Classification Levels (DCL) are from 0
to 3
• Appropriate security controls will be applied to
each classification level.
• Increasingly restrictive data management and
security practices are required for each level, with
DCL0 requiring limited protection to DCL3 requiring
the most protection.
October 2014Confidential 13
CSCU Data ClassificationsDCL3
• DCL3 is protected confidential data, DCL3 data if improperly disclosed with identity data, could be used for identity theft or to cause financial harm to an individual or the CSCU. Unauthorized disclosure requires public notification and identity theft insuranceo Security at this level is very high (highest possible).
o Examples of DCL3 data are:
• Social Security number & Identity Data
• Bank account or debit card information and Identity Data
• Credit card number & cardholder information
• Student Loan Data
o DCL3 data must be protected from disclosure
October 2014Confidential 14
CSCU Data Classifications – Cont’dDCL2
• DCL2 is restricted data that is available for disclosure, but
only under strictly controlled circumstances.
Unauthorized disclosure does not require public
notification and identity theft insurance, but requires
documentation of the event.o Such information must typically be restricted due to proprietary, ethical or
privacy considerations.
o An example of such restrictions is the FERPA guidelines that govern publication
and disclosure of student information.
o Security at this level is high.
o Examples of DCL2 data are:
• Mother’s maiden name
• Academic records
• Employee Medical Records
October 2014Confidential 15
CSCU Data Classifications – Cont’dDCL1
• DCL1 is internal data that has not been approved
for general circulation outside the CSCU where its
disclosure would inconvenience the CSCU, but is
unlikely to result in financial loss or serious damage
to credibility.o Security at this level is controlled but normal.
o Examples of DCL1 data are:
• Internal memos
• Minutes of meetings
• Internal project reports
October 2014Confidential 16
CSCU Data Classifications – Cont’dDCL0
• DCL0 is public data that is not classified as DCL1
through DCL3 and is approved for distribution to the
public. Disclosure of public data requires no
authorization and may be freely disseminated
without potential harm to the CSCU.o Security at this level is minimal.
o Examples of DCL0 data are:
• Advertising
• Public Directory Information
• Press Releases
• Job postings
October 2014Confidential 17
Data DomainsData belongs to specific functional areas, also
referred to as a data domain
• Examples of Data Domains are:o Academic Records
o Admissions
o Development (Fundraising)
o Financial Aid
o Human Resources
o Information Technology
o Institutional Research
o Student Advising & Counseling
October 2014Confidential 18
Organizational Structure
October 2014Confidential 19
DCL3 Data
Data Users
Data Manager
Data Steward/Data Domain
Data Management Coordinator
RMLO
Data Management
DCL2 Data
DCL3 Data User• Has been authorized by the Data Steward for DCL3
data access.
• A data user has operational requirements to access
data and use data in performance of his/her
assigned duties.
• Receives yearly Security Awareness training
• Has Identity Finder installed on their computer to
scan for DCL3 data.
• Saved all DCL3 data in a secure folder
• Only sends files with DCL3 Data via public
communication (e-mail) that have be encrypted.
October 2014Confidential 20
Data Manager• A Data Manager has day-to-day responsibilities for
data management within a specific data domain
(functional area).
• Data Managers have responsibility for
understanding, protecting and managing access to
CSCU data.
October 2014Confidential 21
Data Steward• A Data Steward has planning and policy
responsibilities for data within a specific data
domain (functional area).
• Data Stewards have responsibility for understanding
where data is processed, transmitted and stored.
• They are responsible for protecting and granting
access to CSCU data.
October 2014Confidential 22
Data Management Coordinator• Coordinates and compiles data reporting for the
college, university, or system office
• Coordinates training for Data Stewards, Data
Managers and Data Users
• Communicates and provides resources to campus
staff on the Information Security Education
Awareness Training program.
• Acts as the point person for communication with
the Information Security Program Office.
October 2014Confidential 23
RMLO – Records Management Liaison Officer
The Records Management Liaison Officer is responsible for
coordinating with the State Librarian to carry out the
provisions Connecticut General Statutes (CGS) Sec. 11-8a
(f). The RMLO has primary responsibility for:
• Training of staff on records management requirements
• Coordinating with the state library on records destruction
Note - We recommend the role of RMLO is combined with the role of Data Steward and the institution assigns a primary RMLO of the institution and a secondary RMLO(s) for each Data Domain.
October 2014Confidential 24
StandardsWhat needs to be done?
Establish a Data Management Coordinator
• Identified by President
October 2014Confidential 26
Set Data Domains• Defined by Presidents
• Data Steward assigned to each Domain
October 2014Confidential 27
Management of Data• Designate Data Manager
• Maintain inventory of Data Domain Managers and
Users
• Maintain inventory of all data storage locations
• Verify DCL3 Data Storage
• Develop operational procedures for transmission,
processing and storage of data
October 2014Confidential 28
Records Management• Identify an institution wide Records Management
Liaison Officer, RMLO
• Coordinate with institution’s Data Stewards.
• Comply with State of CT Record Retention
Scheduleso Records retention is based on the content of the message not the media
in which it is communicated. Electronic messages, e.g. e-mail, texts,
instant messages, etc. need to retain the Meta data along with message
content. Any record that was required to be saved under records
retention needs to go through the records destruction approval process
before being deleted.
October 2014Confidential 29
Information Security Education and Awareness Program
Use a Comprehensive Program with the following components:
• Targeted training based on data access
• Mandatory annual training for DCL3 users, to also include on-going user education initiatives to support the training.
• Voluntary annual training for users with DCL2 data access.
• Assurance program to ensure users are following the Information Security Education and Awareness Program. E.g. targeted phishing, targeted social engineering attack, storage review, process review, etc.
October 2014Confidential 30
Information Security Education and Awareness Program - Con’t
• Must be taken within 2 weeks of employment or
change in job function
• Program covers minimum:o You Are the Target, Social Engineering, E-mail and Messaging, Browsing,
Social Networking, Mobile Device Security, Passwords, Encryption, Data
Security, Data Destruction, WI-FI Security, Working Remotely, Insider Threat,
Help Desk, IT Staff, Physical Security, Protecting Your Personal Computer,
Protecting Your Home Network, Hacked, Senior Leadership, Advanced
Persistent Threat, Cloud, PCI DSS, FERPA, HIPPA, Personal Identifiable
Information (PII), Federal Tax, GLBA-EDU, Red Flags Rule, Data Retention,
Social Security Numbers, Federal Personal Identifiable Information (PII),
and Privacy Security.
• CCC Training Procedures
October 2014Confidential 31
http://supportcenter.ct.edu/Service/securityeducation.asp
ReportingWhat are the Reporting Requirements?
Requirements• Annually - BOR Chief Information Officer shall
provide the Board of Regents a report detailing the
security program effectiveness and the risk the BOR
is currently accepting
• Annually – Data Management Coordinator from
each institution reports to ISPO the following:o List of Data Domains and assigned Data Stewards
o List of Data Domain users and training taken during the calendar year
o Additional reporting requirements as the DCL3 Data Protection model is
implemented.
October 2014Confidential 33
Next Steps• BOR DCL3 Data Protection Standard
o Overview – Create a protective enclave around the transmission, processing and storage of DCL3 data
• BOR DCL3/DCL2 Incident Management Standardo Incident management procedures for the CCC will change once Data
Management has been completed and Identity Finder reports are run consistently. Incident investigation and hardware(forensic) reviews will only need to be done on systems/users with access to DCL3 data
• Potential Administrative Controlso Two annual training refreshers per year
o Review of DCL3 data transmission, process and storage procedures
o Review of employee authorizations
• Potential Technical Controlso Data Loss Prevention (Identity Finder) – Finds and allows user to manage confidential
data
o Application White Listing (McAfee Application Control)
o Disk Encryption (McAfee Encryption)
October 2014Confidential 34
References• BOR Security Resolution
o http://www.ct.edu/files/it/BOR_Security_Resolution_10-17-2013.pdf
• BOR Security Policyo http://www.ct.edu/files/it/BOR_IT-003.pdf
• BOR Security Standardso http://supportcenter.ct.edu/Service/Standards/IT-STND-001.pdf
o http://supportcenter.ct.edu/Service/Standards/IT-STND-002.pdf
• State Records Management Programo http://www.ctstatelibrary.org/public-records-programs/state-records-
management-program
http://www.ct.edu/files/it/BOR_Security_Resolution_10-17-2013.pdfhttp://www.ct.edu/files/it/BOR_Security_Resolution_10-17-2013.pdfhttp://www.ct.edu/files/it/BOR_IT-003.pdfhttp://www.ct.edu/files/it/BOR_IT-003.pdfhttp://supportcenter.ct.edu/Service/standards.asphttp://supportcenter.ct.edu/Service/Standards/IT-STND-001.pdfhttp://supportcenter.ct.edu/Service/Standards/IT-STND-002.pdfhttp://www.ctstatelibrary.org/public-records-programs/state-records-management-programhttp://www.ctstatelibrary.org/public-records-programs/state-records-management-program
Questions/Closing Comments• Please Sign Attendance Sheet
• Q & A
October 2014Confidential 36