Session # 48
Security on Your Campus: How to Protect Privacy Information
Robert Ingwalson
We Implement Security Based on Cost vs. Risk
Protecting personal information is Everybody’s Job!
Personally Identifiable Information (PII): Information about an individual including but not limited to, Education, Employment, Financial Transactions, Medical History, and Criminal Background information which can be used to distinguish or trace an individual’s identity, such as their name, social security number, date and place of birth, mother’s maiden name, biometric records, etc., including any other personal information that can be linked to an individual.
Don’t become a headline!
• In the Office
• On the System
• Data Transfers
• Remote Users
• Assess Your Security
Protecting Personally Identifiable Information
• In the Office
– Document handling and storage
– Phones and Faxes
– Land Shipments
– Physical Office Security
– Personnel Security
– Policy and Training
• In the Office
– Document Handling and Storage
• Limit printing of PII
• Clean Desk
• Sensitivity Identification
• Shredding
• Monitoring
• Secure storage
• In the Office
– Phones
• Limit PII conversations
• Don’t leave PII voicemails
• Prevent listeners
– Faxes
• Limit faxing of PII
• Confirm fax number
• Two-way communication before sending and upon receipt
• Monitor the Fax
• Safeguard document
• In the Office
– Land Shipments
• Limit shipments of PII
• Encrypt sent media
• Double package
• Send by reputable shipping agent
• Include a manifest inside the package
• Communicate shipment with receiver
• In the Office
– Physical Office Security
• Staffed reception counter
• After hours?
– Card/key access
– Change combinations & keys
– Logs
• Added Security
– Cameras
– Entry and exit checks
• In the Office
– Personnel Security
• Know who should be there
– Challenge others
• Personnel background checks
– Criminal
– Employment history
– Credit
• Train shortly after employment begins and then refresh periodically
• In the Office
– Policy and Training
• Policy provides basis for controls and a roadmap to follow
• Based on requirements and good practice
• Individuals need training on policy - include in Personnel training
• On the System (Defense in Depth)
– Policy
– Personnel Security
– Physical Security
– Network Security
– Host based Security
– Application Security
www.macroview.com/solutions/infosecurity/
• On the System
– Policy
• Technical, Managerial, Operational control requirements
• Tells what needs to be done, not how
– Procedures provide the road maps on how to comply with policy
• Covers all other aspects of Security
– Personnel
– Physical
– Network Security
– Host based Security
– Application Security
• On the System
– Personnel Security
• The same as in the office:
– Know who should be there
» Challenge others
– Personnel background checks
» Criminal
» Employment History
» Credit
– Train shortly after employment begins and then refresh periodically
• On the System
– Physical Security
• Includes environmental Security
• Access control
– Badges / Keycards
– Access lists and entry logs
– Escorted access
– Higher level of control for some areas
– Metal detectors and scanners
• Backup power
• Cameras
• On the System
– Network Security
• Firewalls
• NIDS (Network Intrusion Detection System)
• Auditing
• IPS (Intrusion Prevention System)
• Honeypots
• On the System
– Host based Security
• Configuration compliance
• Internal Firewalls
• Access control
• HIDS (Host Based Intrusion Detection System)
• Anti-Virus and Anti-Spyware
• Patch management
• Logging
• On the System
– Application Security
• Develop Application Security Plan
• Test for known vulnerabilities prior to implementation
• Authorize access
• Rules of behavior
• Secure Web interface
• Limit PII entries and displays
• Data Transfers
– Electronic File Transfers
– Tapes and CDs
– Thumb Drives
– Email
– *Laptops
• Data Transfers
– Encryption
• Encrypt with strong Algorithms
– AES, Advanced Encryption Standard, or Triple DES, Data Encryption Standard
– Use large key length, 256 or greater
– If passwords are used: make them strong
» Complex with a mixture of numbers, upper and lower alpha characters, and special characters
» 8-12 characters in length
» No dictionary words or names
» Send separate from the data transfer
» Mask entry
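Added example, not part of the original slides: a Go program that puts the transfer-encryption rules above into code. It uses AES with a 256-bit key in GCM mode, so any change to the encrypted media in transit is detected on receipt; the key is generated at random and is what travels by a separate channel from the data; and CheckPassword applies the slide's password rules where a password is used. The function names, the deny-word list (a constructed stand-in for a real dictionary) and the sample plaintext are this example's own assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"strings"
	"unicode"
)

// KeyBytes is the 256-bit key length the slide calls for.
const KeyBytes = 32

// NewKey draws a random 256-bit key. The key, not the data, is what must be
// sent separately (by a different channel) to the receiver.
func NewKey() ([]byte, error) {
	key := make([]byte, KeyBytes)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// Encrypt seals plaintext with AES-256-GCM. The random nonce is prepended so
// the receiver can reconstruct it; the GCM tag detects tampering in transit.
func Encrypt(key, plaintext []byte) ([]byte, error) {
	if len(key) != KeyBytes {
		return nil, fmt.Errorf("key must be %d bytes (256 bits), got %d", KeyBytes, len(key))
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// Decrypt reverses Encrypt and fails if the ciphertext or its tag was altered.
func Decrypt(key, sealed []byte) ([]byte, error) {
	if len(key) != KeyBytes {
		return nil, errors.New("wrong key length")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil)
}

// denyWords is a constructed stand-in for a real dictionary and name list.
var denyWords = []string{"password", "campus", "student", "robert"}

// CheckPassword applies the slide's rules for a password protecting a
// transfer: 8-12 characters, all four character classes, no dictionary words
// or names. It returns every rule the password breaks (empty means it passes).
func CheckPassword(pw string) []string {
	var problems []string
	if n := len([]rune(pw)); n < 8 || n > 12 {
		problems = append(problems, "length must be 8-12 characters")
	}
	var upper, lower, digit, special bool
	for _, r := range pw {
		switch {
		case unicode.IsUpper(r):
			upper = true
		case unicode.IsLower(r):
			lower = true
		case unicode.IsDigit(r):
			digit = true
		default:
			special = true
		}
	}
	if !(upper && lower && digit && special) {
		problems = append(problems, "needs upper, lower, digit and special characters")
	}
	lowered := strings.ToLower(pw)
	for _, w := range denyWords {
		if strings.Contains(lowered, w) {
			problems = append(problems, "contains dictionary word or name: "+w)
		}
	}
	return problems
}

func main() {
	key, _ := NewKey()
	sealed, _ := Encrypt(key, []byte("SSN 123-45-6789 (constructed sample)"))
	plain, err := Decrypt(key, sealed)
	fmt.Println(string(plain), err)
	sealed[len(sealed)-1] ^= 0x01 // flip one bit in the tag: decryption must now fail
	_, err = Decrypt(key, sealed)
	fmt.Println("tampered:", err)
	fmt.Println(CheckPassword("password1"), CheckPassword("Tr4n$f3r!Ok"))
}
```

GCM is chosen over a bare block mode because the slide's threat is media in someone else's hands: confidentiality alone does not tell the receiver whether the package was altered, and the authentication tag does.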
• Remote Users
– Two types of remote users: Students and Staff
– Problem
• Work from personal or public PCs and laptops
• Data downloads need to be monitored
• Infected with viruses and spyware
• Open to phishing and pharming
• *Subject to Keylogger attacks
– Resolution
• Limit PII displayed or entered on the screen
• Employ two factor authentication for application access
• Provide Web site notices
• Offer assistance
• Remote Users
– Keylogger attacks
• What are Keyloggers?
• Why are we singling this threat out?
• What can be done about the Keylogger threat?
– Limit the amount of PII entered or displayed on the web site.
– Make sure that user passwords are changed frequently.
– Limit privileged users’ remote access.
– Use Two Factor authentication.
– Include warning banners on your web sites that provide a warning and instructions for prevention.
– Let users know not to use computers with unknown security. Cyber Cafes and other publicly accessible computers should be avoided when accessing PII.
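Added example, not part of the original slides, for "Limit PII entries and displays" on the Application Security slide and "Limit the amount of PII entered or displayed on the web site" above: Go helpers that mask an SSN, an e-mail address and a date of birth before they reach a screen a keylogger or shoulder-surfer could see, plus a filter that finds and masks any full SSN in free text bound for a page, a log line or an e-mail body. The function names, the SSN pattern and the sample record and log line are this example's own constructions.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// MaskSSN keeps only the last four digits of a nine-digit SSN, which is
// usually enough for a user to confirm identity without exposing the number.
func MaskSSN(ssn string) string {
	digits := strings.NewReplacer("-", "", " ", "").Replace(ssn)
	if len(digits) != 9 {
		return "***-**-****" // refuse to echo anything unrecognised
	}
	return "***-**-" + digits[5:]
}

// MaskEmail shows the first character of the local part and the domain.
func MaskEmail(email string) string {
	at := strings.Index(email, "@")
	if at < 1 {
		return "*@*"
	}
	return email[:1] + strings.Repeat("*", at-1) + email[at:]
}

// MaskDOB reduces a date of birth written YYYY-MM-DD to the year only.
func MaskDOB(dob string) string {
	if len(dob) < 4 {
		return "****"
	}
	return dob[:4] + "-**-**"
}

// ssnPattern matches the common written forms of an SSN (with or without
// separators). Deliberately broad: a false positive costs a review.
var ssnPattern = regexp.MustCompile(`\b\d{3}[- ]?\d{2}[- ]?\d{4}\b`)

// RedactFreeText masks any SSN that slipped into text bound for a screen,
// a log line or an e-mail body.
func RedactFreeText(s string) string {
	return ssnPattern.ReplaceAllStringFunc(s, MaskSSN)
}

// ContainsFullSSN is the check a response filter can apply before rendering:
// true means an unmasked SSN is about to leave the server.
func ContainsFullSSN(s string) bool {
	return ssnPattern.MatchString(s)
}

func main() {
	// Constructed sample record, as an application might load it.
	fmt.Println(MaskSSN("123-45-6789"), MaskEmail("jane.doe@example.edu"), MaskDOB("1990-04-12"))
	line := "student 123-45-6789 requested transcript" // constructed log line
	fmt.Println(ContainsFullSSN(line), "->", RedactFreeText(line))
}
```

Masking on the server side rather than in the browser matters here: a keylogger or screen capture on an untrusted PC sees whatever the page renders, so the full value must never be sent to the client in the first place.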
• Assess Your Security
– Identify data sensitivities for CIA (confidentiality, integrity, availability)
– Identify Likelihood
• Likelihood = threat * motivation
– Identify security risks
• Risk level = Impact * Likelihood
– Controls = level of risk
– Identify test methods based on risk level
• Documentation reviews
• Interviews
• Observations
• Technical tests (network, OS and application scans, log reviews, penetration testing, password cracking)
– Use Baseline Security Requirements
– Complete testing and identify weaknesses / unmitigated vulnerabilities
– Create remediation plan
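Added example, not part of the original slides: the assessment steps above carried through in Go for a small set of constructed campus assets. Likelihood and risk level use the slide's two formulas; the 1-3 scoring scale, the band thresholds, and which of the slide's test methods apply at each band are this example's own assumptions, as are the asset names.

```go
package main

import (
	"fmt"
	"sort"
)

// Asset scores use a 1-3 scale (low, moderate, high); the scale is an
// assumption of this example, not something the slide fixes.
type Asset struct {
	Name       string
	Impact     int // worst-case loss of confidentiality, integrity or availability
	Threat     int // capability of the threat source
	Motivation int // how attractive the data is to that source
}

// Likelihood = threat * motivation (range 1-9 on this scale).
func Likelihood(a Asset) int { return a.Threat * a.Motivation }

// RiskLevel = Impact * Likelihood (range 1-27 on this scale).
func RiskLevel(a Asset) int { return a.Impact * Likelihood(a) }

// Band turns the numeric risk into the level that decides control strength.
// The thresholds are assumptions chosen for this example.
func Band(risk int) string {
	switch {
	case risk >= 18:
		return "High"
	case risk >= 6:
		return "Moderate"
	default:
		return "Low"
	}
}

// TestMethods lists the assessment methods from the slide that apply at each
// band; assigning methods to bands this way is an assumption of this example.
func TestMethods(band string) []string {
	base := []string{"documentation review", "interviews", "observations"}
	switch band {
	case "Moderate":
		return append(base, "network/OS/application scans", "log review")
	case "High":
		return append(base, "network/OS/application scans", "log review",
			"penetration testing", "password cracking")
	}
	return base
}

// Prioritize orders assets by risk so the remediation plan starts at the top.
func Prioritize(assets []Asset) []Asset {
	out := append([]Asset(nil), assets...)
	sort.SliceStable(out, func(i, j int) bool { return RiskLevel(out[i]) > RiskLevel(out[j]) })
	return out
}

func main() {
	// Constructed assets; the numbers are illustrative, not a real assessment.
	assets := []Asset{
		{"campus map web page", 1, 2, 1},
		{"student information system", 3, 3, 3},
		{"library catalog", 2, 2, 1},
	}
	for _, a := range Prioritize(assets) {
		band := Band(RiskLevel(a))
		fmt.Printf("%-28s risk=%2d band=%-8s tests=%v\n", a.Name, RiskLevel(a), band, TestMethods(band))
	}
}
```

The point of writing it down is the ordering: the same CIA sensitivity scored once per asset decides both how strong the controls must be and how much testing effort each asset earns, which is the cost-versus-risk trade-off the deck opens with.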
Resources
Vulnerabilities:
– OWASP (http://www.owasp.org)
– SANS Top 20 (www.sans.org/top20)
– National Vulnerability Database (http://nvd.nist.gov)
– cgisecurity (http://www.cgisecurity.com)
Guidance:
– National Institute of Standards and Technology (NIST) Computer Security Resource Center (http://csrc.nist.gov/publications/nistpubs/)
– Center for Internet Security (CIS) (http://www.cisecurity.org/)
– Educause (http://connect.educause.edu/term_view/Cybersecurity)
Contact Information
We appreciate your feedback and comments. We can be reached at:
Bob Ingwalson
• Phone: 202.377.3563
• Email: robert.ingwalson@ed.gov
• Fax: 202.275.0907
