  • University Breaches: In 2006 there were 31 breaches affecting approximately 882,000 people. In 2007 the number of incidents increased to 46; the number of people affected was approximately 765,800. There were fewer incidents in 2006 but more people affected, because a few of the incidents each affected a large number of people (four > 100 and one that was 800,000). In 2007 there was only one that was > 100,000. Of course, in 2007 TJX (TJMaxx) Companies was the winner in the data exposure area, with 45.7 million customer credit cards exposed. SANS Top 20: each year SANS releases the top vulnerabilities. For this past year they have seen an increase in client-side vulnerabilities, including vulnerabilities in browsers, office software, media players and other desktop applications. These vulnerabilities are being discovered on multiple operating systems and are being massively exploited in the wild, often to drive recruitment for botnets.
  • Agency Risk Management and Internal Control Standards (ARMICS) is an initiative of the Department of Accounts (DOA) for all state agencies. The purpose of ARMICS is to implement internal control standards and “best-practices” that directly support the Commonwealth’s vision and long-term objectives.
  • The program is also shaped by the security requirements of applicable regulations, such as the Family Educational Rights and Privacy Act, the Gramm-Leach-Bliley Act and the Health Insurance Portability and Accountability Act, and by practical and effective security practices such as those advocated by the EDUCAUSE Association and the Virginia Alliance for Secure Computing and Networking. Identify confidential, sensitive and proprietary information resources, determine appropriate uses of the resources, and protect the resources from unauthorized access and/or disclosure. Ensure the accuracy, validity and completeness of information by protecting resources from unauthorized access and modification, whether intentional or accidental. Provide the assurance that University information resources are accessible and operational to support designated educational, research, service and administrative operations. The goals are to IDENTIFY and PROTECT confidential data and resources from unauthorized access, ENSURE accuracy, validity and completeness of information, and PROVIDE ASSURANCE that resources are accessible (in other words, aim to not let security get in the way of productivity and use).
  • The SEC standard is prescriptive and doesn’t provide guidelines on technologies and implementations. It was felt that in certain areas more detail and implementation guidance were needed, so internal security standards were developed that are specific to the VCU environment and include guidelines. These are the standards that are probably most relevant to researchers. Data Classification Guidelines: classification of data using the criteria of confidentiality, integrity and availability (CIA). Security Standard for Research: has several requirements covering data classification, contingency planning, system security, interoperability, logical access control, data protection, facilities security and personnel. Remote Access Standard: remote access to confidential data must be encrypted. Encryption Standard: confidential data should be stored on university servers; however, if authorized sensitive data must be used and stored locally, it must be encrypted.
  • CNAC has been implemented in all residence halls and is in its second year. Security postures are in effect, and student machines are put in a quarantine VLAN if the computer fails the assessment. CNAC has also been enabled on the wireless network.
  • A high rating for confidentiality would put the data in Category I, and only Category I has REQUIRED protection. The protection of the other categories is identified as recommended but not required. The Data Classification Guideline is in transition: it is being fine-tuned and better examples are being provided to make the classification easier to understand and use.
  • VCU has 620 Mb allowed through our packetshaper. Of that, up to 190 Mb can be used by the Student Residence Halls, but if it is not used during the day it is used by the rest of the VCU network. At night, the Student Residence Halls can get up to 220 Mb if it is not being used by the rest of the VCU network. The result is at least 430 Mb of bandwidth for nonresident VCU network users.
  • How to Make the Experience Safer and More Productive. Packetshaper: VCU has 620 Mb allowed through our packetshaper. Of that, up to 190 Mb can be used by the Student Residence Halls, but if it is not used during the day it is used by the rest of the VCU network. At night, the Student Residence Halls can get up to 220 Mb if it is not being used by the rest of the VCU network. The result is at least 430 Mb of bandwidth for nonresident VCU network users. Spam Gateways: Spam volume also increased to an average of more than 120 billion unwanted messages per day, a 100-percent spike. Spam is a very profitable business. Spam at VCU: approximately 95% of the incoming messages are identified as threat messages. The gateway uses a technique called reputation filtering to stop the threat messages. At 9:00 on Monday night there were approximately 16,000 incoming messages per hour. On the mail summary, the number of incoming messages being processed was 7.4M, and approximately 92% are identified as threat messages. Approximately 91% of the incoming messages are being blocked by reputation filtering. So of the 7.4M incoming messages, a total of 6.9M are being blocked. Self-Defending Network: several security appliances are now inline to watch traffic, detect anomalies and provide alerts. Awareness on the end user’s part is one of the key ingredients in a good security program. It’s possible to have the internal network protected with the best security equipment, but an end user can click on a link in an email message and the malware can enter the network because it is coming in on the web port, which is allowed.
  • Transcript of "Protection of Electronic Research Data: What Investigators ..."

    1. Protection of Electronic Research Data: What Investigators Need to Know
       January 31, 2008
       Kay Sommers, VCU Information Security Officer, [email_address]
       Dave Houlette, VCU Health Systems Chief Information Security Officer, [email_address]

    2. Agenda
       • Areas of Concern
         • Vulnerabilities and Threats
       • Requirements
       • Strategies
         • What VCU and VCU HS provide
         • What You Can Do
       • Resources
       • Q&A

    3. Bad Things Continue to Happen…
       • University Security Breaches
       • SANS TOP 20 highlights client-side risks
       • Accidental Data Exposures
         • Loss of laptops, USB drives, backup tapes
         • Posting personal data to websites
       • Intentional Exploits
         • Theft of mobile devices
         • Compromises
         • Infected computers

    4. Regulations
       • State:
         • VITA State Security Policy and Standard
           • SEC 500-02 and 501-01
         • ARMICS
       • Federal:
         • HIPAA, FERPA, Gramm-Leach-Bliley Act, PCI-DSS
       • VCU:
         • Information Security Standards - http://www.ts.vcu.edu/security/ismanagement.html

    5. VCU Information Security Program
       • Shaped by:
         • Virginia Security Policy and Standard and various federal standards
         • Best practices advocated by Educause, VA SCAN, SANS, NIST and ISO
       • Goals:
         • Identify and protect confidential data and resources from unauthorized access and/or disclosure
         • Ensure accuracy, validity and completeness of information by protecting resources from unauthorized access and modification
         • Provide assurance that resources are accessible and operational to support designated educational, research, service and administrative operations

    6. VCU Information Security Standards
       • http://www.ts.vcu.edu/security/ismanagement.html
       • Data Classification Guidelines
       • Security Standard for Research Data
       • Remote Access Standard
       • Encryption Standard

    7. Strategies – Protection of Sensitive Data
       • Risk Assessments (existing systems)
       • Security reviews (new proposals)
       • Security Audits via Internal Assurance
       • “Network Intelligence” – SecureWorks et al.
       • Intrusion Detection/Prevention systems
       • Network Access Control & URL blocking
       • Secure Messaging (Zix)
       • CEO/CIO mandate re encryption & storage
       • SEI Task Force
       • IT Policies
       • Training, Education & Awareness programs

    8. Strategies – Protection of Sensitive Data
       • Information Security Program - http://www.ts.vcu.edu/security/ismanagement.html
       • Risk Management
         • Risk Assessments and Security Audits
       • Network Defenses
         • Segmentation of the network - Private addresses
         • Secure subnets (VLANs)
         • Network Access Control
       • Threat Management
         • Monitoring and logging
       • End point security
         • Enterprise encryption solution

    9. Strategy – Data Classification
       • HIPAA Security Rule (ePHI)
       • FIPS 199:
         • High, Moderate or Low Potential Impact (Severe, Serious or Limited)
         • Addresses Confidentiality, Integrity and Availability
       • Existing systems
         • Risk Assessments (HIPAA mandate)
         • Periodic data “crawler” deployment (pending)
       • New/proposed systems
         • IRB request expanded w/security review link

    10. Strategy – Data Classification Guidelines
       • Criteria for Classification:
         • Confidentiality, Integrity and Availability
       • Category I – data protected by regulation (federal, state or institution)
       • Category II – data that must be protected due to proprietary, ethical or privacy considerations
       • Category III – data available to the public

    11. Strategies – Passwords
       • Long-term vision: reduce/eliminate PWs
         • Smart Cards/Tokens/Proximity
         • Biometrics
       • In the meantime:
         • Password standards (complexity, length, etc.)
         • Reduced Signon (SSO)

    12. Strategies – Passwords
       • Use of eID for all University application access
       • Password Security Standard
         • www.ts.vcu.edu/security/ismanagement/PasswordStandard.pdf
         • Complexity
         • Aging – password must be changed periodically
         • Intruder lockout – to prevent guessing

    13. Strategies – Storage
       • Mandate: All sensitive electronic information (SEI) must reside on network storage or be encrypted!
       • SANS storage system w/offsite archives
       • “Tiered storage” option pending

    14. Strategies – Storage
       • University Computer Center
         • Storage and backup
         • Growing capacity with virtualization
       • Sensitive Data
         • Network Storage
         • Encrypted if local

    15. Strategies – Access
       • Streamline Access Management
       • Single authentication for local/remote access (Active Directory)
       • “Pre-flight check” (Network Access Control)
       • SSL VPN (F5)
       • Security controls commensurate with risk

    16. Strategies – Access
       • Standardization on eID and Banner Number
       • Increased bandwidth
       • Network Access Control
       • WebVPN for remote access
         • http://www.ts.vcu.edu/security/vcuvpn.html

    17. Strategies – Encryption
       • Mobile devices – mandatory encryption
       • Removable media – approved USB drives only (Verbatim or VA-approved)
       • “Smart” phones & Blackberries: centrally-owned and -supported secure devices only

    18. Strategies – Encryption
       • Security Standard for Encryption
       • Enterprise encryption solution will be implemented this year
         • Interim solutions (Open Source):
           • Hard disk encryption: Truecrypt
           • File encryption: Omziff
       • Secure USB – Verbatim Store ‘n Go Corporate Secure

    19. Strategies – Desktops
       • Approved vendors/devices
       • Comprehensive inventory (SMS mandate)
       • Centrally-reporting and -updated anti-malware (McAfee or similar)
       • Documented patch management plan
       • Designated support contact
       • Designated security contact

    20. Strategies – Desktops
       • Anti-virus
         • Sophos is free for VCU users
       • Second antispyware
         • Spybot or AdAware
       • Recommendations for Securing Desktops:
         • http://www.ts.vcu.edu/security/desktopsec.html
       • LANDesk Desktop Management

    21. Strategies – Laptops
       • Approved vendors/devices
       • Mandatory encryption (Credant)
       • Physical security: cable locks
       • “LoJack” software recommended

    22. Strategies – Laptops
       • Confidential data must be encrypted
       • Use laptop security devices
       • Practice safe computing
       • Laptop imaging
       • Laptop Security Recommendations:
         • http://www.ts.vcu.edu/security/securelaptop.html

    23. Strategies – Wireless
       • Centrally-managed wireless networks only
       • WPA encryption
       • Wireless Intrusion Prevention System (AirDefense)
       • Guest network for patients, visitors, vendors

    24. Strategies – Wireless
       • Wireless is under CNAC
       • Secure wireless (WPA2) will be implemented in the spring
         • Interim: Use VPN for secure wireless connectivity

    25. Strategies – Using the Internet
       • Policies & Education
       • URL filtering & blocking, in- and out-bound (WebSense)
       • Traffic throttling (social sites, P2P, etc.)

    26. Strategies – Using the Internet
       • Packetshaping traffic
       • Controlling Spam
       • Self-Defending Network
         • Specialized Network Firewalls
         • Intrusion Protection System
         • Proactive Monitoring Systems
       • Security awareness training
         • Role-based Modules in Blackboard

    27. Interim Solutions – Security is An Ongoing Process
       • Reduced Signon
       • Personal USB drives: “read-only”
       • IT Policy updates (in progress)
       • TEA (Training, Education, Awareness)
       • Monitoring & Auditing

    28. Interim Solutions – Security is An Ongoing Process
       • Practice Safe Computing
         • Be an Internet Skeptic
         • Keep antivirus up-to-date
         • Use a personal firewall
         • Keep patches up-to-date for operating system and applications
       • Defense-in-Depth
         • Layers of defenses to compensate for any failures
       • Attack methodology changes
         • Defenses have to adjust

    29. Resources 1
       • VCU site-licensed anti-virus software:
         • http://www.ts.vcu.edu/security/virus.html
       • Info about Windows Update Service:
         • http://www.ts.vcu.edu/security/nonstudent.html
       • Password information:
         • http://www.ts.vcu.edu/faq/security/strongpasswords.html

    30. Resources 2
       • Personal Firewall
         • Windows XP SP2, ZoneAlarm
       • Anti-spyware programs
         • Spybot Search and Destroy, AdAware, Defender
       • Protection on the Internet:
         • http://www.ts.vcu.edu/security/nonstudent.html
       • Securing laptops and other mobile devices:
         • http://www.ts.vcu.edu/security/securelaptop.html

    31. Resources 3
       • Truecrypt: http://www.truecrypt.org/
       • Omziff: http://www.snapfiles.com/get/omziff.html

    32. Resources
       • Visit VCU’s security website for current security information and tips:
         • http://www.ts.vcu.edu/security/

    33. Questions?
       • Thank you for your attention.