Your SlideShare is downloading. ×
Implementing an Information Security Program
Upcoming SlideShare
Loading in...5

Thanks for flagging this SlideShare!

Oops! An error has occurred.


Introducing the official SlideShare app

Stunning, full-screen experience for iPhone and Android

Text the download link to your phone

Standard text messaging rates apply

Implementing an Information Security Program


Published on

The basics of implementing an Information Security Program .

The basics of implementing an Information Security Program .

Published in: Business, Technology

  • Be the first to comment

  • Be the first to like this

No Downloads
Total Views
On Slideshare
From Embeds
Number of Embeds
Embeds 0
No embeds

Report content
Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

No notes for slide


  • 1. Implementing an Information Security Program Raymond K. Cunningham, Jr. CRM, CA, CIPP University of Illinois Foundation Session TU3-517
  • 2. Security Breaches
    • It is not a matter of if… but when.
  • 3.  
  • 4. Topics to be Discussed
    • Security and Privacy
    • Standards for Information Security
    • Implementing a Security Program
    • The University of Illinois Foundation Security Program
  • 5. Security and Privacy What is the difference?
    • Security is an action and a process - you implement security to insure privacy
    • Security is a strategy, privacy is the outcome
    • Enterprise privacy and security management must be integrated
    • Security maintains confidentiality and privacy
  • 6. Information Security It is not a technical issue
    • Often Security is viewed as a technical issue
    • Many information breaches occur in the paper world
  • 7. Information Privacy It is not a Legal issue
    • Often viewed as a legal issue handed to legal counsel as a compliance issue
    • While many privacy officers report to legal, it is not strictly a legal issue
    • Privacy is a concern of all and should be a priority of any organization
  • 8. Records Managers should be leaders in the Security and Privacy Arena
    • RIM should be central in the security and privacy arena
    • Records Managers possess a better knowledge of the assets to be protected, usage statistics and an understanding of access to records
    • IT manages the machines and software, RIM manages the records throughout the life cycle
  • 9. Standards for Information Security
  • 10. General Trends
    • Information Management Law is moving from the general to the specific
    • What was formerly ethical is now being required by law
    • Penalties are being strengthened and cases of theft/misuse are higher profile
    • The ethics of information management are evolving
  • 11. Security and Privacy
    • Canada – PIPEDA Personal Information and Electronic Documents Act 200
    • EU Directive 95/46/EC
    • US – 38 States now have disclosure laws for the loss of information, based on California 1386
    • Financial Modernization Act 1999 – Gramm Leach Bliley (GLBA)
  • 12. Gramm-Leach-Bliley What is it and why does it matter?
    • Financial Modernization Act 1999
    • Applicable to Financial Institutions
    • Higher education was included in 2003
    • GLBA security provisions are enforced by the FTC and are becoming a basic standard for protection of information in the USA
  • 13. Gramm-Leach-Bliley Act 1999
    • GLBA provides for the protection of personal financial information
    • Records containing financial information are to be protected.
      • Financial Institutions are to make disclosures regarding their privacy policies and release to third parties
      • Criminalizes certain practices of data collection services: obtaining financial and personal information by misrepresenting their right to such information
  • 14. Gramm-Leach-Bliley Act 1999
    • Financial Privacy Rule – governs the collection and disclosure of personal financial information. It applies to those who receive such information.
    • Pretexting Provisions – covers using false pretenses for obtaining personal financial information
    • Safeguards Rule – requires all financial institutions to design, implement and maintain safeguards to protect customer information
  • 15. GLBA - Privacy
    • GLBA protects consumers’ non-public information. Private information includes “personally identifiable financial information”
  • 17. GLBA Safeguards Rule
    • The Safeguards Rule requires financial institutions to develop a written information security plan that describes their program to protect customer information.
      • Designate one or more employees to coordinate the safeguards
      • Identify and assess the risks to customer information relevant to the company’s operation
  • 18. GLBA – Safeguards Rule Compliance
    • Select service providers that can maintain appropriate safeguards
    • Evaluate and adjust the program in light of relevant circumstances including changes in business or the results of security testing
    • Customer data stored at any off-site location
  • 19. GLBA – Safeguards Rule Compliance
    • Check references on employees before hiring who have access to customer information
    • Sign a confidentiality agreement or NDA
    • Limiting access to customer information based on business need
    • Develop specific policies for the appropriate use of laptops, PDAs, cell phones
  • 20. GLBA – Safeguards Rule Compliance
    • Confidentiality training is required
    • Encrypting information when it is transmitted
    • Reporting suspicious attempts to obtain customer information
    • Dispose of customer information according to the FTC Disposal Rule
  • 21. Comparison of Legislative Mandates X X X USA Patriot Act X X FOIA X X Gramm-Leach-Bliley X X California Bill 1386 X X X HIPAA X X X X Sarbanes-Oxley Training Data Security and Privacy Records Management Processes and Risk Management Mandate
  • 22. Payment Card Industry (PCI) Digital Security Standard (DSS)
    • Visa, Master Card, Amex have enacted a DSS for merchants
    • This is a direct extension of the GLBA safeguard standards
    • The PCI DSS are over 170 specific standards divided into 12 areas
    • These are very specific for users of payment cards
  • 23. State Personal Information Laws Illinois
    • HB 1633 (PA 94-36) Effective January 1, 2006
    • Personal information is defined as: SSN, driver’s license number or State ID card, account number, credit card number
    • Breach of security should be made in the most expedient time possible without delay
  • 24. Illinois State Law
    • Illinois law more broadly applicable than California statute – data collectors provisions are more broad – includes public and private corporations, universities, financial institutions.
    • Violation of the law is Consumer Fraud under Deceptive Business Practices Act
  • 25. Implementing a Security Program
  • 26. Beginning a Security Program
    • Lay the groundwork – Gain support at the C level
    • Make the case for information security
    • The program is for all information regardless of format, not just information on servers or in record centers
  • 27. Six steps for creating a Security Program
    • Information Asset Inventory
    • Risk Assessment
    • Policy Review
    • Develop Policies and Practices
    • Conduct training
    • Monitoring
  • 28. Asset Management
    • Understand your information assets - inventory
    • Locate and identify what is to be protected
    • Differentiate between the “owner” and “user”
    • Record Retention Schedules – business need or regulatory requirements
  • 29. Asset Classification
    • Assets should be evaluated as to sensitivity and confidentiality, potential liability, intelligence value and criticality to the business
    • Classify assets – Confidential, Proprietary, Internal Use Only, Public
  • 30. Map the Organizational Data Flow
    • Map points of data collection – examine web forms, email collection, call centers, POS, Contests, Surveys, chat rooms, marketing lists
    • How does data move through the system?
    • Is the data held in-house or is storage outsourced?
    • Is any PII collected from outside the US?
  • 31. Risk Assessment
    • What are the risks with your storage practices?
    • What are the physical storage requirements?
    • Are personnel tasked with the protection of the information?
  • 32. Vulnerabilities
    • Recycling – paper, computers, any information storage device
    • Shredding – What are you sending?
    • Terminated employees with access to both servers and physical facilities
    • Off site storage
    • Printing of electronic confidential records
    • Who is tasked with security?
  • 33. Vulnerabilities - Solutions
    • Training – train your employees and tell them what is expected of them NO EXCEPTIONS
    • Recycling – Monitor recycling closely. Have each storage device wiped
    • Watch the trash
    • Shredding – inspect your vendor and examine your in-house shredding, use local shredders
    • Secure physical storage
    • Test your off site vendor
  • 34. Conduct a Policy Review
    • Develop the principles that will guide your strategy
    • Involve stakeholders, senior management and legal – Get Everyone on Board!
    • This is not an IT Problem
    • Review all applicable regulatory requirements particular to your industry
  • 35. Training
    • Training is one of the most often neglected piece of the program, yet it is one of the most important
    • Train your employees prior to exposure to information systems – supply handouts
    • Train employees to report information breaches - contacts
    • Train employees annually on your policies and compliance issues
    • Develop an ethical culture
  • 36. Monitor Compliance
    • Conduct audits of security procedures
    • Review systems annually
    • Conduct incident response drills – convene your incident response team
  • 37. How the University of Illinois Foundation implemented a Security Program
  • 38. What was at stake?
    • Donor information on 700,000 people and corporations, including SSNs, credit card numbers, bank account numbers, medical information and other personal information
    • A loss of this information could seriously compromise our ability to solicit donors during a $2 billion campaign
  • 39. We are all subject to information breaches
  • 40. How the University of Illinois Foundation implemented a program
    • The UIF serves three campuses in Chicago, Champaign-Urbana and Springfield and over 700 users of confidential information
    • Motivating factors: Fear, a review of present practices, audit findings, PCI DSS requirements, regulatory environment
    • In 2004 I began to ask why SSNs were used in fundraising
  • 41. How the University of Illinois Foundation implemented a program
    • In 2005 I secured all stakeholders in agreeing to remove SSNs from the donor database
    • During the summer and fall of 2006 I conducted sessions in information law
    • In March 2007 I certified as an IPP (IAPP)
    • A review of policies and job descriptions showed no one was in charge of security
    • Working with IT we began reviewing assets
    • Training became the core of our program
  • 42. How the University of Illinois Foundation implemented a program
    • Working with all stakeholders we drafted new security requirements, including confidentiality agreements and notice to all donors
    • We lobbied to make security training mandatory before users log into systems
    • We revised security procedures including a revision of our retention schedules
  • 43. Conclusions
  • 44. Ray’s Recommendations for Building and Information Security Program
    • Gain the Support of Senior Management
    • Encourage a culture of confidentiality
    • Have a policy in place and enforce it
    • Be specific on roles within the organization
    • Have mechanisms in place to sign on and sign off users efficiently
    • Train all users before log-on in confidentiality and security
  • 45. Ray’s Recommendations
    • Monitor users
    • Create an incident response group and provide a way for employees to report data loss
    • Tell customers what you are doing with their data
    • Dump SSNs where not needed
    • Monitor Third Party Contracts
  • 46. Ray’s Recommendations
    • Have background checks on hires
    • Integrate security with your retention schedules – have a page for privacy and security inventorying the private information held and showing the access to the information
  • 47.  
  • 48.  
  • 49. Ray’s Recommendations
    • Prepare for information loss through an information breach response group
    • Think of this as similar to the Disaster Response Group
    • Members are typically from IT, HR, Financial, Communications and Records Management
    • Learn from other’s breaches:
  • 50. Resources
    • International Association of Privacy Professionals IAPP
    • Kahn, Randolph Privacy Nation 2006
    • ISO 17799 International Organization for Standardization
    • PCI
  • 51. Contact information
    • Raymond K. Cunningham, Jr.
    • Manager of Records Services
    • University of Illinois Foundation
    • Urbana IL 61801
    • [email_address]
    • 217 244-0658