Implementing an Information Security Program


The basics of implementing an Information Security Program.

Published in: Business, Technology

  1. 1. Implementing an Information Security Program
       Raymond K. Cunningham, Jr. CRM, CA, CIPP
       University of Illinois Foundation
       Session TU3-517
  2. 2. Security Breaches
       • It is not a matter of if… but when.
  3. 4. Topics to be Discussed
       • Security and Privacy
       • Standards for Information Security
       • Implementing a Security Program
       • The University of Illinois Foundation Security Program
  4. 5. Security and Privacy: What is the difference?
       • Security is an action and a process - you implement security to ensure privacy
       • Security is a strategy, privacy is the outcome
       • Enterprise privacy and security management must be integrated
       • Security maintains confidentiality and privacy
  5. 6. Information Security: It is not a technical issue
       • Often Security is viewed as a technical issue
       • Many information breaches occur in the paper world
  6. 7. Information Privacy: It is not a Legal issue
       • Often viewed as a legal issue handed to legal counsel as a compliance issue
       • While many privacy officers report to legal, it is not strictly a legal issue
       • Privacy is a concern of all and should be a priority of any organization
  7. 8. Records Managers should be leaders in the Security and Privacy Arena
       • RIM should be central in the security and privacy arena
       • Records Managers possess a better knowledge of the assets to be protected, usage statistics and an understanding of access to records
       • IT manages the machines and software, RIM manages the records throughout the life cycle
  8. 9. Standards for Information Security
  9. 10. General Trends
       • Information Management Law is moving from the general to the specific
       • What was formerly ethical is now being required by law
       • Penalties are being strengthened and cases of theft/misuse are higher profile
       • The ethics of information management are evolving
  10. 11. Security and Privacy
       • Canada – PIPEDA Personal Information and Electronic Documents Act 200
       • EU Directive 95/46/EC
       • US – 38 States now have disclosure laws for the loss of information, based on California 1386
       • Financial Modernization Act 1999 – Gramm Leach Bliley (GLBA)
  11. 12. Gramm-Leach-Bliley: What is it and why does it matter?
       • Financial Modernization Act 1999
       • Applicable to Financial Institutions
       • Higher education was included in 2003
       • GLBA security provisions are enforced by the FTC and are becoming a basic standard for protection of information in the USA
  12. 13. Gramm-Leach-Bliley Act 1999
       • GLBA provides for the protection of personal financial information
       • Records containing financial information are to be protected.
           • Financial Institutions are to make disclosures regarding their privacy policies and release to third parties
           • Criminalizes certain practices of data collection services: obtaining financial and personal information by misrepresenting their right to such information
  13. 14. Gramm-Leach-Bliley Act 1999
       • Financial Privacy Rule – governs the collection and disclosure of personal financial information. It applies to those who receive such information.
       • Pretexting Provisions – covers using false pretenses for obtaining personal financial information
       • Safeguards Rule – requires all financial institutions to design, implement and maintain safeguards to protect customer information
  14. 15. GLBA - Privacy
       • GLBA protects consumers’ non-public information. Private information includes “personally identifiable financial information”
  16. 17. GLBA Safeguards Rule
       • The Safeguards Rule requires financial institutions to develop a written information security plan that describes their program to protect customer information.
           • Designate one or more employees to coordinate the safeguards
           • Identify and assess the risks to customer information relevant to the company’s operation
  17. 18. GLBA – Safeguards Rule Compliance
       • Select service providers that can maintain appropriate safeguards
       • Evaluate and adjust the program in light of relevant circumstances including changes in business or the results of security testing
       • Customer data stored at any off-site location
  18. 19. GLBA – Safeguards Rule Compliance
       • Check references on employees before hiring who have access to customer information
       • Sign a confidentiality agreement or NDA
       • Limiting access to customer information based on business need
       • Develop specific policies for the appropriate use of laptops, PDAs, cell phones
  19. 20. GLBA – Safeguards Rule Compliance
       • Confidentiality training is required
       • Encrypting information when it is transmitted
       • Reporting suspicious attempts to obtain customer information
       • Dispose of customer information according to the FTC Disposal Rule
  20. 21. Comparison of Legislative Mandates
       X X X USA Patriot Act X X FOIA X X Gramm-Leach-Bliley X X California Bill 1386 X X X HIPAA X X X X Sarbanes-Oxley Training Data Security and Privacy Records Management Processes and Risk Management Mandate
  21. 22. Payment Card Industry (PCI) Digital Security Standard (DSS)
       • Visa, Master Card, Amex have enacted a DSS for merchants
       • This is a direct extension of the GLBA safeguard standards
       • The PCI DSS are over 170 specific standards divided into 12 areas
       • These are very specific for users of payment cards
  22. 23. State Personal Information Laws: Illinois
       • HB 1633 (PA 94-36) Effective January 1, 2006
       • Personal information is defined as: SSN, driver’s license number or State ID card, account number, credit card number
       • Breach of security should be made in the most expedient time possible without delay
  23. 24. Illinois State Law
       • Illinois law more broadly applicable than California statute – data collectors provisions are more broad – includes public and private corporations, universities, financial institutions.
       • Violation of the law is Consumer Fraud under Deceptive Business Practices Act
  24. 25. Implementing a Security Program
  25. 26. Beginning a Security Program
       • Lay the groundwork – Gain support at the C level
       • Make the case for information security
       • The program is for all information regardless of format, not just information on servers or in record centers
  26. 27. Six steps for creating a Security Program
       • Information Asset Inventory
       • Risk Assessment
       • Policy Review
       • Develop Policies and Practices
       • Conduct training
       • Monitoring
  27. 28. Asset Management
       • Understand your information assets - inventory
       • Locate and identify what is to be protected
       • Differentiate between the “owner” and “user”
       • Record Retention Schedules – business need or regulatory requirements
  28. 29. Asset Classification
       • Assets should be evaluated as to sensitivity and confidentiality, potential liability, intelligence value and criticality to the business
       • Classify assets – Confidential, Proprietary, Internal Use Only, Public
  29. 30. Map the Organizational Data Flow
       • Map points of data collection – examine web forms, email collection, call centers, POS, Contests, Surveys, chat rooms, marketing lists
       • How does data move through the system?
       • Is the data held in-house or is storage outsourced?
       • Is any PII collected from outside the US?
  30. 31. Risk Assessment
       • What are the risks with your storage practices?
       • What are the physical storage requirements?
       • Are personnel tasked with the protection of the information?
  31. 32. Vulnerabilities
       • Recycling – paper, computers, any information storage device
       • Shredding – What are you sending?
       • Terminated employees with access to both servers and physical facilities
       • Off site storage
       • Printing of electronic confidential records
       • Who is tasked with security?
  32. 33. Vulnerabilities - Solutions
       • Training – train your employees and tell them what is expected of them NO EXCEPTIONS
       • Recycling – Monitor recycling closely. Have each storage device wiped
       • Watch the trash
       • Shredding – inspect your vendor and examine your in-house shredding, use local shredders
       • Secure physical storage
       • Test your off site vendor
  33. 34. Conduct a Policy Review
       • Develop the principles that will guide your strategy
       • Involve stakeholders, senior management and legal – Get Everyone on Board!
       • This is not an IT Problem
       • Review all applicable regulatory requirements particular to your industry
  34. 35. Training
       • Training is one of the most often neglected pieces of the program, yet it is one of the most important
       • Train your employees prior to exposure to information systems – supply handouts
       • Train employees to report information breaches - contacts
       • Train employees annually on your policies and compliance issues
       • Develop an ethical culture
  35. 36. Monitor Compliance
       • Conduct audits of security procedures
       • Review systems annually
       • Conduct incident response drills – convene your incident response team
  36. 37. How the University of Illinois Foundation implemented a Security Program
  37. 38. What was at stake?
       • Donor information on 700,000 people and corporations, including SSNs, credit card numbers, bank account numbers, medical information and other personal information
       • A loss of this information could seriously compromise our ability to solicit donors during a $2 billion campaign
  38. 39. We are all subject to information breaches
  39. 40. How the University of Illinois Foundation implemented a program
       • The UIF serves three campuses in Chicago, Champaign-Urbana and Springfield and over 700 users of confidential information
       • Motivating factors: Fear, a review of present practices, audit findings, PCI DSS requirements, regulatory environment
       • In 2004 I began to ask why SSNs were used in fundraising
  40. 41. How the University of Illinois Foundation implemented a program
       • In 2005 I secured all stakeholders in agreeing to remove SSNs from the donor database
       • During the summer and fall of 2006 I conducted sessions in information law
       • In March 2007 I certified as an IPP (IAPP)
       • A review of policies and job descriptions showed no one was in charge of security
       • Working with IT we began reviewing assets
       • Training became the core of our program
  41. 42. How the University of Illinois Foundation implemented a program
       • Working with all stakeholders we drafted new security requirements, including confidentiality agreements and notice to all donors
       • We lobbied to make security training mandatory before users log into systems
       • We revised security procedures including a revision of our retention schedules
  42. 43. Conclusions
  43. 44. Ray’s Recommendations for Building an Information Security Program
       • Gain the Support of Senior Management
       • Encourage a culture of confidentiality
       • Have a policy in place and enforce it
       • Be specific on roles within the organization
       • Have mechanisms in place to sign on and sign off users efficiently
       • Train all users before log-on in confidentiality and security
  44. 45. Ray’s Recommendations
       • Monitor users
       • Create an incident response group and provide a way for employees to report data loss
       • Tell customers what you are doing with their data
       • Dump SSNs where not needed
       • Monitor Third Party Contracts
  45. 46. Ray’s Recommendations
       • Have background checks on hires
       • Integrate security with your retention schedules – have a page for privacy and security inventorying the private information held and showing the access to the information
  46. 49. Ray’s Recommendations
       • Prepare for information loss through an information breach response group
       • Think of this as similar to the Disaster Response Group
       • Members are typically from IT, HR, Financial, Communications and Records Management
       • Learn from others’ breaches:
  47. 50. Resources
       • International Association of Privacy Professionals IAPP
       • Kahn, Randolph Privacy Nation 2006
       • ISO 17799 International Organization for Standardization
       • PCI
  48. 51. Contact information
       • Raymond K. Cunningham, Jr.
       • Manager of Records Services
       • University of Illinois Foundation
       • Urbana IL 61801
       • [email_address]
       • 217 244-0658