2. Contents
• Welcome and What we Do
• Data Security and Compliance…what’s the difference?
• Compliance landscape and strategies
• Advanced Data Security
• Target Story
• Common Denominators
• Our unique GW environment…lots going on
• Common risk factors
• Steps you can take
• Who to contact
3. What we do
The goal of the Compliance and Privacy Office is to establish a voluntary compliance program to ensure that faculty and staff are aware of and comply with federal, state and local laws and regulations.

We work closely with the Office of General Counsel, the Division of IT, and the respective academic and administrative functions of the university.
4. Data Security and Compliance
What’s the difference?
Data security is the application of deterrents or security controls to protect data. The level of deterrents or security is commensurate with how the individual or entity uniquely “values” the data.

Compliance is applying a baseline of security controls (people, process, technology) defined by a standard. The baseline is applied to a specific type of data…typically regulated data, such as health information, financial information, or personally identifiable information.
5. Data Security and Compliance
Does compliance equal the highest level of security?
No, it ensures a repeatable, stable baseline of security that can be measured to meet a specific regulatory requirement.

Does the highest level of security mean you are “secure”?
Maybe; it depends on where you place your security. Can you cover 100%…probably not.

Data Security and Compliance are key pieces of GW’s information risk management…ensuring compliance and placing the highest security controls on the assets that matter the most.
8. Advanced data security…
Part of a defense in depth strategy to apply higher levels of security to high value information/assets:
• Penetration tests/Red team analysis
• Application code reviews
• System hardening
• Logging
• Intrusion detection
• Staff with advanced training/credentials (forensics, malware analysis)
9. Examples of Data Security ≠ Compliance
40 million credit cards were stolen from Target, which was PCI (Payment Card Industry) compliant; the attackers came in through an HVAC vendor.
10. Common Denominators
What are the common denominators?
• Knowing what data you have
• Knowing the value of the data
• Knowing the risks to your data
• Understanding likelihood and impact of these risks
• Accepting a level of risk
This may seem obvious and easy…but ask your colleagues if they see it the same way. Entities need to define this…we do it here at GW.
11. Our Unique GW Environment
• Federal, State, Local laws (over 400 that GW is required to comply with)
• Rapidly changing technology…boundaries are constantly moving
• Affiliations with hospitals, Public, Private sector, other universities
• 20,000 students and over 6000 faculty and staff
• Research Funding
12. Common Risk Factors
• Awareness of information in your care
• Access to information…need to know principle
• Dissemination of information…technology makes it easy
• Lack of knowledge or training of staff…knowing your role, how to identify and what to do in situations
• Increased visibility of data loss…fines, reputational hit, accreditation risks, grants
13. Best Practices you can Take
Referencing back to the Common Denominators slide:
• Knowing what data you have
• Knowing the value of the data
• Knowing the risks to your data
• Understanding the risk tolerance
• Ensure you and your team are leveraging available resources (tools, training, seminars)
• Never hesitate to ask for assistance…better to be safe
14. Resources
http://www.cspri.seas.gwu.edu/
http://www.inforisktoday.com
http://www.higheredcompliance.org/matrix
http://www.nist.gov/cyberframework/upload/cybersecurity-framework-021214.pdf
http://www.sans.org/critical-security-controls/
Division of IT Information Security Team
http://it.gwu.edu/security
15. Contact Info
Compliance and Privacy Office
George Guzman, Director of Compliance and Data Privacy, gguzman@gwu.edu
202-994-6226
Compliance Office Email
comply@gwu.edu
Compliance Office direct line
202-994-3386