Goans-Helms-IT Security at Georgia Tech Library
•
1 like•848 views
This is a joint presentation provided by Doug Goans and Chris Helms of the Georgia Tech Library during the first segment of a NISO webinar, Digital Security: Securing Library Systems, held on November 9, 2016.
Recommended
More Related Content
What's hot
What's hot (20)
Viewers also liked
Viewers also liked (20)
Similar to Goans-Helms-IT Security at Georgia Tech Library
Similar to Goans-Helms-IT Security at Georgia Tech Library (20)
More from National Information Standards Organization (NISO)
More from National Information Standards Organization (NISO) (20)
Recently uploaded
Recently uploaded (20)
Goans-Helms-IT Security at Georgia Tech Library
- 1. IT SECURITY AT GEORGIA TECH LIBRARY C U R R E N T E F F O R T S A N D E M E R G I N G P R A C T I C E S
- 2. OVERVIEW: IT SECURITY AND LIBRARY SYSTEMS / SERVICES IT Security Phishing Authentication Collaboration: Vendors Collaboration: Patron Data Internal Audit and Risk Self- Assessment / Data Safeguards Training and Future Plans
- 4. AUTHENTICATION, AUTHORIZATION & ACCESS CONTROL Authenticate • Integration with CAS, Shibboleth • Implementation of Duo (two-factor authentication) • LastPass Enterprise Authorize • PersonAffiliation, curriculum, department Access Control • Proxy logs into Splunk
- 5. COLLABORATION: GEORGIA TECH LIBRARY & EMORY LIBRARIES
- 6. COLLABORATION: VENDORS AND DATA / IT SECURITY Campus Security Review • Data in the System • Data Backup and Disaster Recovery • Vendor IT Security Practice/Compliance • Network Diagram and Firewalls and VLANs • Vendor’s internal testing, intrusion prevention and training. Results • Data Sensitivity is Low • Vendor use of independent auditing firm for security compliance (annual) • Manage user access, permissions and revocation • Vendor provides description of password complexity rules • Vendor demonstrates protocols do not transmit clear text
- 7. COLLABORATION: PATRON DATA Share the least amount of patron data necessary to support the sharing of collections. • First Name • Last Name • Unique identifier if using PPID in lieu of employee ID • Email Address
- 8. INTERNAL AUDIT AND RISK SELF-ASSESSMENT: OVERVIEW
- 9. INTERNAL AUDIT AND RISK SELF ASSESSMENT: STEWARDSHIP OUTCOMES Training • Provide training for library employees on IT Security and Data Stewardship Data Classification • Audited 42 servers to document the classification of data on the servers. We did not have category IV data. Logon Banner • Implemented a logon banner which displays the standard usage agreement and a 15- minute idle timeout Self Risk- Assessment • Conducted a self risk- assessment with the campus online tool
- 10. INTERNAL AUDIT AND RISK SELF ASSESSMENT: TRAINING Worked with Campus Cybersecurity to provide • 9 Training sessions for all library employees • Covered campus IT policies • Phishing • 1 Training session for Library IT employees on security, confidentiality of information and software copyright laws
- 11. INTERNAL AUDIT AND RISK SELF ASSESSMENT: TRAINING OUTCOMES • Computer & Network Usage and Security Policy (CNUSP) • Data Access Policy & Data Classification • Threats (Hacking and Phishing) • Email Security Basics • Common Phishing Attacks • URL Dissection • Password Policy • Picking a Strong Password
- 12. INTERNAL AUDIT AND RISK SELF ASSESSMENT: DATA CLASSIFICATION GT Data Categorization https://security.gatech.edu/DataCategorization • Public Use • Examples: Institute web site content, press releases, employee work addresses, Library Catalog Information Category I • Internal Use • Examples: directory listings, internal intranet web sites, gtID (alone), Library Resources • NOTE: This is the default data classification category. Category II • Sensitive • Examples: Social Security Number, research data, intellectual property of Georgia Tech, Library Circulation Records, Security Camera Recordings Category III • Highly Sensitive • Examples: Credit Card NumbersCategory IV
- 13. INTERNAL AUDIT AND RISK SELF ASSESSMENT: LOGON BANNER IT&D Desktop and Collaboration Services team updated the standard usage agreement on all library managed desktops and implemented a 15-minute idle timeout to ensure that computers do not become accessible for unauthorized use.
- 14. INTERNAL AUDIT AND RISK SELF ASSESSMENT: SELF AUDIT SAMPLE 1 RISK: If unit data is not properly protected, the unit’s ability to accomplish its organizational objectives may be hindered. CONTROLS: 1. Employees are notified of the CNUSP and DAP. 2. The data stored on information systems has been classified in accordance with the Data Access Policy (DAP). 3. Servers that store sensitive data are listed in the OIT sensitive server list. 4. User access to sensitive data is properly authorized 5. Policies / procedures are in place for data security breaches
- 15. INTERNAL AUDIT AND RISK SELF ASSESSMENT: SELF AUDIT SAMPLE 2 RISK: Inadequately secured web servers may result in compromise of data/campus network, system corruption, loss of productivity & adverse public relations or reputation. CONTROLS: 1. Web site development adheres to the Institute guide for the development of web sites. 2. Web site statistics are logged and maintained. 3. There are procedures/checklists in place to ensure the security of the web server. 4. There are intrusion detection systems protecting the network. 5. Proper change management procedures are utilized when making changes to web servers.
- 16. INTERNAL AUDIT AND RISK SELF ASSESSMENT: SELF AUDIT SAMPLE 3 RISK: Unauthorized access to data. CONTROLS: 1. Password Management process is in place. 2. Strong authentication controls for networks, servers, and applications. 3. Logs are kept and reviewed on a regular basis 4. Users are uniquely identifiable. 5. Restrict access based on individual's job 6. System safeguards are in place 7. Vulnerability scans are completed against the internal and external networks.
- 17. DATA SAFEGUARDS Servers, Endpoints (e.g. Desktop Computers, Laptop Computers, Workstations, USB Storage Devices), Mobile Devices (e.g. Smart Phones, Tablet Computers, Personal Digital Assistants, Handheld Scanners), Cloud Computing. Each page in the spreadsheet contains a matrix outlining the specific configurations or controls, as well as whether the configuration or control is Mandatory or Recommended based on the category of data being stored on the computing system in question. https://security.gatech.edu/security-standards- and-procedures
- 18. LIBRARY NEXT: PREPARING FOR THE FUTURE Vendors Security Practices and Compliance Vendor responses written into contracts Patron data privacy and data not being sold Data elimination written into contract Improve management and access via relocation of server room to centrally controlled facility Ongoing employee training and awareness of security issues, practices and policies Ongoing risk assessment and mitigation strategies (hardware, software, data, user behavior)
- 19. REFERENCES Georgia Tech Library: Library Next http://librarynext.gatech.edu/ Georgia Tech CNUSP http://policylibrary.gatech.edu/information-technology/computer-and-network- usage-and-security Georgia Tech DAP http://policylibrary.gatech.edu/data-access Georgia Tech Phish Bowl https://stats.security.gatech.edu/phishbowl/ Georgia Tech Security Standards and Procedures https://security.gatech.edu/security-standards-and-procedures
- 20. THANK YOU Doug Goans < doug.goans@library.gatech.edu > Head of IT&D, Georgia Tech Library Chris Helms <chris.helms@library.gatech.edu > Application Development Manager, Georgia Tech Library