Information Privacy and Security at Penn State Vince Verbeke, Penn State

IPAS at Penn State

DESCRIPTION

The Information Privacy and Security (IPAS) project is a University-wide mission to enhance the data security practices at Penn State. This session will explain the 2 phases of the Penn State IPAS project and how it is being implemented in the College of Ag Sciences. We will explore issues faced and those that will continue to be addressed. IPAS Phase I is focused on Payment Card Industry Data Security Standard (PCI/DSS) compliance. We were required to create secure networks and workstations from our Extension offices back to the University Park campus. IPAS Phase II is focused on security and privacy initiatives for all of Penn State’s institutional information. We are now required to scan all College computers for personally identifiable information such as Social Security Numbers (SSNs) and credit card numbers. Additionally, we are being asked to install disk encryption software on all College notebooks. The University-wide mission also comes with its own 10 Security Requirements (Commandments). These will be reviewed as well. Our College's Information Technology group has had to adjust our own practices to meet these goals.

Citation preview

Page 1: IPAS at Penn State

Information Privacy and Security at Penn State

Vince Verbeke, Penn State

Page 2: IPAS at Penn State

IPAS Project

• Information Privacy and Security
• University-wide mission to enhance the data security practices at Penn State
• Supported by the highest levels of the university
• Two phases to the IPAS Project
  • Phase I
  • Phase II

Page 3: IPAS at Penn State

IPAS Phase I

• Focused on the Payment Card Industry Data Security Standard (PCI/DSS) compliance
• This was necessary if PSU wanted to continue to take credit cards for payment of goods and services
• This was not something Penn State created; it is a worldwide requirement for anyone processing credit cards

Page 4: IPAS at Penn State

IPAS Phase 1

• Involved creating very secure networks and workstations
  • Firewall with Intrusion Prevention (IPS)
  • VMware ACE client
• 29 offices at University Park and in County Extension offices are now processing credit cards under PCI compliance

Page 5: IPAS at Penn State

IPAS Phase II

• Focuses on security and privacy initiatives for all of Penn State’s institutional information
• Initiatives
  • Data Classification
  • Scanning of all university computers for Personally Identifiable Information or PII
  • Encryption of all university notebook computers

Page 6: IPAS at Penn State

Data Classification ... Why?

• Legal and Regulatory Compliance
• More Effective IT Management
• First step – We must know what needs protection and define the appropriate security commensurate with the data value and risk

Page 7: IPAS at Penn State

DefCon 1 - Public

• Intended for distribution to the general public, both internal and external to the University
• Release of the data would have no or minimal damage to the institution

Page 8: IPAS at Penn State

DefCon 2 - Internal/Controlled

• Intended for distribution within Penn State only, generally to defined subsets of the user population
• Release of the data has potential to create moderate damage to the institution
• Damage may be legal, academic (loss or alteration of intellectual property), financial, or intangible (loss of reputation)

Page 9: IPAS at Penn State

DefCon 3 - Restricted

• Data which the University has legal, regulatory or contractual obligation to protect
• Access must be strictly and individually controlled and logged
• Release of such data has the potential to create major damage to the institution
• Damage may be legal, academic (loss or alteration of intellectual property), financial, or intangible (loss of reputation)

Page 10: IPAS at Penn State

DefCon 4 - 'Other'

• Some data or projects have special restrictions imposed by the originator
• Those restrictions may be over and above the security required by the general University standard

Page 11: IPAS at Penn State

Security Standards

• These are applied to the different data classifications
• For all practical purposes there are only two data classifications
  • Public
  • Non-public

Page 12: IPAS at Penn State

Problems at Penn State

• 1790 systems scanned: 1004 have PII data
• Laptop theft or loss is a growing concern
• 4 Penn State Web sites allegedly serving malware (June 17-19, 2008), global trend
• Continuous hostile probes of PSU network
• ~9,000 individual record breach notifications in past 12 months by PSU or its data sources
• >12,000 known compromises of PSU systems since 2002

Page 13: IPAS at Penn State

Scanning for SSN or CC#'s

• Coordinated centrally by IPAS/ITS
• Process
  • Client installed and scan started
  • Report sent back to a central server
  • AG IT gets a copy of report and reviews
  • If PII data is found, user asked to remove or delete
  • Scan re-run on computer
• Service installed
• IPAS/ITS will trigger periodic scans

Page 14: IPAS at Penn State

Join the Scanning Circle

Install Client

Scan-Sent to PSU

IT-Request Report

IT-Review Report

User-Remediation

Re-Scan

Page 15: IPAS at Penn State

Challenges Faced

• Effort is from PSU Central IT ... Ag IT is not part of that "team"
• Ag IT was not in control of the technology
• Technology was not "ready for prime time"
  • No Mac or Linux clients
  • Scanner skips files over 50 Mb
  • Can't scan Outlook
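The following example is added here and is not from the slides or from the scanning product the project used. It shows SSN and card-number detection that masks hits in the report and lists oversized files as skipped instead of silently passing over them; the patterns, the byte value of the size cap, and all function names and sample data are assumptions.

```python
import re

SIZE_CAP = 50 * 1024 * 1024  # assumed byte value for the "files over 50 Mb" limit on the slide
# SSN: reject structurally impossible values (area 000/666/9xx, group 00, serial 0000)
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)(\d{3})-(?!00)(\d{2})-(?!0000)(\d{4})\b")
# Card candidates: 13-16 digits, optionally separated by single spaces or dashes
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,15}\b")

def luhn_ok(digits: str) -> bool:
    """Luhn checksum; filters out most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask(value: str) -> str:
    """Keep only the last four digits so the report is not a new copy of the PII."""
    digits = re.sub(r"\D", "", value)
    return "*" * (len(digits) - 4) + digits[-4:]

def scan_text(name: str, text: str) -> list:
    """Return (file, line number, kind, masked value) for each hit."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in SSN_RE.finditer(line):
            hits.append((name, lineno, "SSN", mask(m.group())))
        for m in CARD_RE.finditer(line):
            if luhn_ok(re.sub(r"\D", "", m.group())):
                hits.append((name, lineno, "CC", mask(m.group())))
    return hits

def scan_files(files: dict) -> tuple:
    """files maps name -> (size in bytes, text). Oversized files are reported, not dropped."""
    hits, skipped = [], []
    for name, (size, text) in files.items():
        if size > SIZE_CAP:
            skipped.append(name)
        else:
            hits.extend(scan_text(name, text))
    return hits, skipped

# Constructed sample input (not real data)
SAMPLE = {
    "roster.txt": (64, "Jane Doe 123-45-6789\nphone 555-867-5309\n"),
    "orders.csv": (80, "card,4111 1111 1111 1111\nref,1234 5678 9012 3456\n"),
    "archive.pst": (60 * 1024 * 1024, ""),
}
```

Calling `scan_files(SAMPLE)` returns the masked hits and the list of files that were too large to scan, so a reviewer can see which files still need a manual check.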

Page 16: IPAS at Penn State

Delivering the Software

• Network version via SMS or Group Policy
• Standalone version via Web download or Sneakerware
• Software pieces
  • Proventsure AsariumScanner
  • SafeGuard PrivateCrypto

Page 17: IPAS at Penn State

Moving the Package

• Post-scan "package" goes to Central IT
• Ag IT needs to request by Inventory
• Issues with getting reports from first scans
• Changes in Central IT personnel
• Magically package reports began to arrive

Page 18: IPAS at Penn State

Ag IT Reviews - Killing Trees

• Reports are physically printed
• Processed by 1 Ag IT staff
  • Eric Mailloux, [email protected]
• Most secure, Print is in your face
• Largest report 67,000 rows

Page 19: IPAS at Penn State

Remediation - How to Delete

Page 20: IPAS at Penn State

Start the Circle Again

http://www.flickr.com/photos/lonelyradio/60264298/

Page 21: IPAS at Penn State

Did Well

• Communication
  • Dept Heads to End Users
  • Peers in College
• Time Line
  • % Complete - Ahead of University

Page 22: IPAS at Penn State

Do Different

• Group Policy to install Secure Delete rather than SMS
• TEST ... TEST ... TEST
• Test more outside "AG world"

Page 23: IPAS at Penn State

Challenges Going Forward

• Setup issues within County offices
  • Current 192.168.xx.1 in 66 out of 67 offices
  • PSU Security wants to RE-IP these networks
  • Central IT won't open their Firewalls
• Manual Installs ... How do we reach them?
• eDiscovery
• Notebook Encryption

Page 24: IPAS at Penn State

eDiscovery

• e-Discovery refers to any process in which electronic data is sought, located, secured, and searched with the intent of using it as evidence in a civil or criminal legal case. According to legislation, Information Technology (IT) teams have a legal obligation to respond appropriately and provide Electronically Stored Information as requested if their company (College) would become involved in litigation.

Page 25: IPAS at Penn State

Notebook Encryption

• Centrally managed by IPAS/ITS
• Cost is being covered centrally by ITS
• Ag IT will install client and disk encryption will be initiated
• This will take several hours to complete
• Notebook should be configured to always ask for a password when coming out of sleep or hibernation.
• Support issues are to be determined

Page 26: IPAS at Penn State

10 Security "Commandments"

1. Protection from the public Internet or external network segments

2. Systems connecting to the Penn State network will be free from known vulnerabilities

3. Access to system will be individually controlled. All actions must be traceable to unique UserID

4. Access to system and application will be logged

Page 27: IPAS at Penn State

10 Security "Commandments"

5. Units will maintain local policies in accordance with and augmenting Univ Policy AD20

6. Data will be secured at rest or in transit commensurate with its sensitivity

7. Sensitive data must be sanitized or destroyed prior to system re-use by another entity

8. Physical and facility security must be maintained

Page 28: IPAS at Penn State

10 Security "Commandments"

9. A development and risk assessment process must be in place commensurate with the sensitivity of the data

10. Backup and Disaster Recovery measures must be in place commensurate with the value of the computer and network resources, and the data held

Page 29: IPAS at Penn State

Summary

• So what does that all mean?
  • There will be changes in how we use the Penn State network, computers and how they operate
  • These are all positive security changes
  • This is not a once and done project, it is an on-going change in how technology is used at Penn State
  • Ag IT is attempting to guide the college through this process over the coming months ... and years