The IPAS Project aims to enhance data security practices across Penn State through two phases. Phase I focused on PCI compliance to allow processing of credit cards. Phase II focuses on security and privacy initiatives for all institutional information, including data classification, scanning computers for personal information, and encrypting laptops. Ag IT is helping to guide the College of Agricultural Sciences through this ongoing process of implementation and security standardization across the university network and systems over several months and years.

1. Information Privacy and
Security at Penn State
Vince Verbeke, Penn State

2. IPAS Project
• Information Privacy and Security
• University-wide mission to enhance the data
security practices at Penn State
• Supported by the highest levels of the university
• Two phases to the IPAS Project
• Phase I
• Phase II

3. IPAS Phase I
• Focused on the Payment Card Industry Data
Security Standard (PCI/DSS) compliance
• This was necessary if PSU wanted to continue
to take credit cards for payment of goods and
services
• This was not something Penn State created, it
is a world wide requirement for anyone
processing credit cards

4. IPAS Phase 1
• Involved creating very secure networks and
workstations
• Firewall with Intrusion Prevention (IPS)
• VMware ACE client
• 29 offices at University Park and in County
Extension offices are now processing credit
cards under PCI compliance

5. IPAS Phase II
• Focuses on security and privacy initiatives for
all of Penn State’s institutional information
• Initiatives
• Data Classification
• Scanning of all university computers for Personally
Identifiable Information or PII
• Encryption of all university notebook computers

6. Data Classification ... Why?
• Legal and Regulatory Compliance
• More Effective IT Management
• First step – We must know what needs
protection and define the appropriate security
commensurate with the data value and risk

7. DefCon 1 - Public
• Intended for distribution to the general
public, both internal and external to the
University
• Release of the data would have no or minimal
damage to the institution

8. DefCon 2 - Internal/Controlled
• Intended for distribution within Penn State only,
generally to defined subsets of the user
population
• Release of the data has potential to create
moderate damage to the institution
• Damage may be legal, academic (loss or
alteration of intellectual property), financial, or
intangible (loss of reputation)

9. DefCon 3 - Restricted
• Data which the University has legal, regulator or
contractual obligation to protect
• Access must be strictly and individually
controlled and logged
• Release of such data has the potential to create
major damage to the institution
• Damage may be legal, academic (loss or
alteration of intellectual property) financial, or
intangible (loss of reputation)

10. DefCon 4 - 'Other'
• Some data or projects have special restrictions
imposed by the originator
• Those restrictions may be over and above the
security required by the general University
standard

11. Security Standards
• These are applied to the different data
classifications
• For all practical purposed there are only two
data classifications
• Public
• Non-public

12. Problems at Penn State
• 1790 system scanned: 1004 have PII data
• Laptop theft or loss is a growing concern
• 4 Penn State Web sites allegedly serving
malware (June 17-19, 2008), global trend
• Continuous hostile probes of PSU network
• ~9,000 individual record breach notifications in
past 12 months by PSU or its data sources
• >12,000 known compromises of PSU systems
since 2002

13. Scanning for SSN or CC#'s
• Coordinated centrally by IPAS/ITS
• Process
• Client installed and scan started
• Report sent back to a central server
• AG IT gets a copy of report and reviews
• If PII data is found, user asked to remove or delete
• Scan re-run on computer
• Service installed
• IPAS/ITS will trigger periodic scans

14. Join the Scanning Circle
Install
Client
Scan-Sent
Re-Scan
to PSU
User- IT-Request
Remediation Report
IT-Review
Report

15. Challenges Faced
• Effort is from PSU Central IT ... Ag IT is not part
of that quot;teamquot;
• Ag IT was not in control of the technology
• Technology was not quot;ready for prime timequot;
• No Mac or Linux clients
• Scanner skips files over 50 Mb
• Can't scan Outlook

16. Delivering the Software
• Network version via SMS or Group Policy
• Standlone version via Web download or
Sneakerware
• Software pieces
• Proventsure AsariumScanner
• SafeGuard PrivateCrypto

17. Moving the Package
• Post-scan quot;packagequot; goes to Central IT
• Ag IT needs to request by Inventory
• Issues with getting reports from first scans
• Changes in Central IT personnel
• Magically package reports began to arrive

18. Ag IT Reviews - Killing Trees
• Reports are physically printed
• Processed by 1 Ag IT staff
• Eric Mailloux, ejm21@psu.edu
• Most secure, Print is in your face
• Largest report 67,000 rows

19. Remediation - How to Delete

20. Start the Circle Again
http://www.flickr.com/photos/lonelyradio/60264298/

21. Did Well
• Communication
• Dept Heads to End Users
• Peers in College
• Time Line
• % Complete - Ahead of University

22. Do Different
• Group Policy to install Secure Delete rather
than SMS
• TEST ... TEST... TEST
• Test more outside quot;AG world'

23. Challenges Going Forward
• Setup issues within County offices
• Current 192.168.xx.1 in 66 out of 67 offices
• PSU Security wants to RE-IP these networks
• Central IT won't open their Firewalls
• Manual Installs ... How do we reach them?
• eDiscovery
• Notebook Encryption

24. eDiscovery
• e-Discovery refers to any process in which
electronic data is sought, located, secured, and
searched with the intent of using it as evidence
in a civil or criminal legal case. According to
legislation, Information Technology (IT) teams
have a legal obligation to respond appropriately
and provide Electronically Stored Information as
requested if their company (College) would
become involved in litigation.

25. Notebook Encryption
• Centrally managed by IPAS/ITS
• Cost is being covered centrally by ITS
• Ag IT will install client and disk encryption will
be initiated
• This will take several hours to complete
• Notebook should be configured to always ask
for a password when coming out of sleep or
hibernation.
• Support issues are to be determined

26. 10 Security quot;Commandmentsquot;
1. Protection from the public Internet or external
network segments
2. Systems connecting to the Penn State network
will be free from known vulnerabilities
3. Access to system will be individually
controlled. All actions must be traceable to
unique UserID
4. Access to system and application will be
logged

27. 10 Security quot;Commandmentsquot;
5. Units will maintain local policies in accordance
with and augmenting Univ Policy AD20
6. Data will be secured at rest or in transit
commensurate with its sensitivity
7. Sensitive data must be sanitized or destroyed
prior to system re-use by another entity
8. Physical and facility security must be
maintained

28. 10 Security quot;Commandmentsquot;
9. A development and risk assessment process
must be in place commensurate with the
sensitivity of the data
10.Backup and Disaster Recovery measures
must be in place commensurate with the value
of the computer and network resources, and
the data held

29. Summary
• So what does that all mean?
• There will be changes in how we use the Penn
State network, computers and how they operate
• These are all positive security changes
• This is not a once and done project, it is an on-
going change in how technology is used at Penn
State
• Ag IT is attempting to guide the college through this
this process over the coming months ...
and years