2. 2014 – Year of the breach!
Over a billion personal data records were compromised in 2014 - NBCNEWS.com
3. Largest Higher Education Breaches of 2014
University of Maryland – 300k records
North Dakota University – 300k records
Butler University – 200k records
Indiana University – 146k records
Arkansas State University – 50k records
All of these were bigger than the Sony breach!
- Huffington Post
6. Other Costs
• Loss of student trust
• Damage to reputation
• Loss of staff productivity
• Legal action
• Additional audit requirements
• ??
Financial Costs
12. Password Management
Unique passwords for each service – never reuse your email account password
Use a combination of words, numbers and symbols, with both upper- and lower-case letters
Don’t use easily guessed passwords (e.g. password, user)
Don’t use words found in dictionary or sequences
Complexity is nice but length is more important
Never keep a list of passwords around
Use two step or two factor authentication whenever possible
-krebsonsecurity.com
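As an added illustration of the rules on this slide (this is example code, not part of the deck or of the cited krebsonsecurity.com advice), the small Python checker below flags the patterns the slide warns against (common passwords, dictionary words, keyboard and alphabet sequences, short length) and estimates the brute-force search space in bits, which is what makes "length beats complexity" concrete. The word list and sequence strings are constructed placeholders; a real deployment would check against a large breached-password list instead.

```python
import math
import re

# Constructed placeholder word list; a real checker would use a large
# breached-password or dictionary list rather than these few entries.
COMMON_WORDS = {"password", "user", "welcome", "letmein", "admin", "qwerty", "login"}

# Alphabet, digit and keyboard-row sequences to detect (and their reverses).
SEQUENCES = (
    "abcdefghijklmnopqrstuvwxyz",
    "0123456789",
    "qwertyuiop",
    "asdfghjkl",
    "zxcvbnm",
)


def contains_sequence(pw: str, min_len: int = 4) -> bool:
    """True if the password contains a run of min_len+ consecutive
    characters from any known sequence, forwards or backwards."""
    s = pw.lower()
    for seq in SEQUENCES:
        for i in range(len(seq) - min_len + 1):
            chunk = seq[i:i + min_len]
            if chunk in s or chunk[::-1] in s:
                return True
    return False


def contains_dictionary_word(pw: str, min_len: int = 4) -> bool:
    """True if any listed word of min_len+ letters appears inside the password."""
    s = pw.lower()
    return any(w in s for w in COMMON_WORDS if len(w) >= min_len)


def charset_size(pw: str) -> int:
    """Size of the smallest conventional alphabet that covers the password."""
    size = 0
    if re.search(r"[a-z]", pw):
        size += 26
    if re.search(r"[A-Z]", pw):
        size += 26
    if re.search(r"[0-9]", pw):
        size += 10
    if re.search(r"[^a-zA-Z0-9]", pw):
        size += 33  # printable ASCII punctuation and space
    return size


def entropy_bits(pw: str) -> float:
    """Brute-force search-space estimate: length * log2(alphabet size).
    This is an upper bound for a random password; dictionary words and
    sequences make the real guessing cost far lower, which is why they
    are flagged separately."""
    cs = charset_size(pw)
    return len(pw) * math.log2(cs) if cs else 0.0


def evaluate(pw: str, min_length: int = 12) -> dict:
    """Apply the slide's rules and return findings plus the entropy estimate."""
    problems = []
    if len(pw) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if pw.lower() in COMMON_WORDS:
        problems.append("is a commonly used password")
    elif contains_dictionary_word(pw):
        problems.append("contains a dictionary word")
    if contains_sequence(pw):
        problems.append("contains a keyboard or alphabet sequence")
    return {
        "length": len(pw),
        "entropy_bits": round(entropy_bits(pw), 1),
        "acceptable": not problems,
        "problems": problems,
    }


if __name__ == "__main__":
    # Constructed sample passwords: a "complex" short one versus a long passphrase.
    for candidate in ("Password1!", "correct horse battery staple", "abcd1234"):
        print(candidate, "->", evaluate(candidate))
```

Running it shows the point of the slide: the ten-character "complex" password scores well under half the bits of the 28-character all-lowercase passphrase, and is flagged for containing a dictionary word besides.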
13. Mobile Device Security
Use a PIN, password or pattern lock on your phone
Enable data encryption features
Download apps only from trusted stores
o Install an anti-malware program (e.g. Lookout)
o Install anti-theft software
Don’t root or jailbreak your phone
Keep your operating system and apps updated
Log out of sites after you make a payment
Switch off Wi-Fi and Bluetooth when not in use
- Techradar.com
14. Public WiFi Use
Know that you are never secure!
Use built in tools
Enable firewall
Block all incoming traffic
Disable file sharing
Look for Padlock
Confirm network name with your location
Use common sense
- CNET.com
15. Secure Processes
Don’t leave sensitive information lying around unprotected, including on printers, fax machines, or copiers
Secure areas, files and portable equipment before leaving them unattended (ask IT to automatically lock unattended computers)
Shred sensitive paper records before disposing of them
Don’t use email to transmit sensitive data, including scanned document attachments
Don’t send paper mail that includes SSNs, financial account information, driver’s license numbers, etc.
Ensure that all staff have their own logins and accounts (no sharing)
16. Email is not secure!
“Email was not designed with any privacy or security in mind”
- Geoff Duncan, Digital Trends
17. IT Security Best Practices
Encrypt your data
Use a digital certificate to sign all of your sites
Implement a removable media policy
Protect school websites
Network endpoint security
Stay current with patches and upgrades
Establish policy of no PII data on laptops or mobile devices
18. Vendor Checklist
How is my data transmitted securely?
What algorithms are used to store my data?
How will my data be stored and protected?
How are the various levels of access granted and controlled?
Who at the vendor has access to my data? Is there background screening?
How are users authenticated? What is the password management functionality?
What type of physical security is provided for your data center?
What security audits and/or process audits do you comply with?
Is there explicit contract language for who owns data and how data can be used?
19. Alphabet Soup
Certification – Purpose
SSAE 16, SOC 1 and 2 – Auditing standard to ensure appropriate controls for your hosting provider; certification of controls for privacy and security
TRUSTe Certification – Privacy protection certification
PCI DSS – Certifies data security of credit card payment processing
FedRAMP – Government program that provides a standard approach to security assessment, authorization and monitoring of cloud products and services
FIPS 140-2 – Federal Information Processing Standard for accrediting data encryption standards
ISO 27001 – Audit and risk assessment framework for information security management
Vendors who are serious about security will hold several of these certifications, depending on the service.
20. Responding to a Breach
Have a Plan – Key Elements
First 24 Hour Checklist
Notification Requirements
Other Services
21. Elements of a Good Response Plan
Define a response team with clear roles and responsibilities
Executive Leader, IT, Public Relations, Student Services, Legal, Law Enforcement Liaison
Assign somebody to maintain the contact list on a quarterly basis
Have a documented plan and procedure for investigation, notification, support, legal review
Plan for increased call volume to a call center or other support help line
Provide for FAQ and support materials on Institution Website and/or student portals
Have a policy for cases that warrant complimentary identity protection and credit monitoring services
Pre-selection of a data forensic vendor to assist in breach response
Pre-selection and negotiation with a Breach Resolution Vendor who can guide you through the process of planning and supporting the response
22. First 24 Hour Checklist
Record dates and times – Discovery, Response start
Alert Response Team – Internal and external resources as identified in your plan
Stop additional data loss – Take care to maintain forensic evidence
Secure premise or equipment to preserve evidence
Document Incident Report – Key facts, who discovered it and when, scope of breach. Interview individuals who found the breach
Bring in forensics team
Notify law enforcement
Assess priorities and risks
Set response plan in action for notification, PR, call center and execution of support services (credit monitoring)
- Experian Data Breach Response Guide
23. Notification Requirements
California Civil Code s. 1798.29 and California Civil Code s. 1798.82
DOE Privacy Technical Assistance Center
Consider notifying the Family Policy Compliance Office (FPCO) about the breach. (FERPA does not require that you notify FPCO of the breach; however, the U.S. Department of Education considers it a best practice.)
FPCO can assist educational agencies and institutions by helping to determine the potential for harm resulting from the release of the information
California Office of Privacy Protection
Notify Attorney General for breach > 500
Notify Credit Agencies if breach > 10,000
- http://oag.ca.gov
24. Notification to Students
Speed, openness and transparency are the keys
Notify individuals within 10 business days of confirming the breach
The date of the notice. If the notice was delayed as the result of a law enforcement investigation, say so.
A general description of the breach incident.
The specific types of personal information that were involved.
The name and contact information
The toll-free telephone numbers and addresses of the major credit reporting agencies, but only in a breach involving Social Security numbers or driver’s license or California ID numbers.
What you have done to protect the individual’s personal information from further unauthorized acquisition.
What your organization will do to assist individuals, including providing your toll-free contact telephone number for more information and assistance.
Information on what individuals can do to protect themselves from identity theft, as appropriate for the specific type of personal information involved.
- http://oag.ca.gov/sites/all/files/agweb/pdfs/privacy/recom_breach_prac.pdf
26. Our cloud-based products help financial aid departments save time, decrease costs, lower security risk and improve the student experience.
campuslogic.com
Gilbert, AZ
Chris Chumley, COO
chris.chumley@campuslogic.com
Follow on Twitter @cschumley
Editor's Notes
What other costs do you see of a breach?
What is your responsibility for protecting student data as an individual and as an FA Office?
How do you address security awareness at your campus for students and/or staff?
Self-test:
How many of you re-use the same password on multiple websites and your email so you can remember it?
How many of you have a post it note, a notepad file or other place where you keep passwords?
Apple Breach – 500 most common passwords with no account locking.
Utah state recent breach due to accidentally forwarded email
Customer just yesterday emailed screen shots
This is just a few examples other than the technical vulnerabilities
Web mail is even less secure
How many of you use email and scanned documents as your primary method of collecting documentation from students?
What alternatives are there?
Gartner predicts that cloud computing will be the bulk of new IT-related spending in 2016. Cloud technologies and Software-as-a-Service models have changed how solutions are sold and purchased. Business users are now driving the process. How do you screen for security before bringing a vendor solution to the table?
What should I be asking vendors before making a purchase? A good cloud vendor should have answers to these readily available and in writing. This will allow you to screen and then depending on the purchase schedule a more in depth call with the vendor and your IT team.
Research shows that individuals affected in a breach who receive free credit monitoring are six times less likely to file a lawsuit. This is also an investment to address loss of trust and reputation.
What are your notification requirements?
Formal written notification using plain, simple language with guiding subheadings. Avoid jargon or technical language