Session4807.ppt

Session # 48
Security on Your Campus: How
to Protect Privacy Information
Robert Ingwalson

3
We Implement Security
Based on Cost vs. Risk

4
Protecting personal information is
Everybody’s Job!
Personally Identifiable Information (PII):
Information about an individual including but not limited to,
Education, Employment, Financial Transactions, Medical History,
and Criminal Background information which can be used to
distinguish or trace and individual’s identity, such as their name,
social security number, date and place of birth, mother’s maiden
name, biometric records, etc, including any other personal
information that can be linked to an individual.
Don’t become a headline!

5
• In the Office
• On the System
• Data Transfers
• Remote Users
• Assess Your Security
Protecting Personally Identifiable Information

6
• In the Office
– Document handling and
storage
– Phones and Faxes
– Land Shipments
– Physical Office Security
– Personnel Security
– Policy and Training

7
• In the Office
– Document Handling
and Storage
• Limit printing of PII
• Clean Desk
• Sensitivity Identification
• Shredding
• Monitoring
• Secure storage

8
• In the Office
– Phones
• Limit PII conversations
• Don’t leave PII voicemails
• Prevent listeners
– Faxes
• Limit faxing of PII
• Confirm fax number
• Two way communication before
sending and upon receipt
• Monitor the Fax
• Safeguard document

9
• In the Office
– Land Shipments
• Limit shipments of PII
• Encrypt sent media
• Double package
• Send by reputable shipping
agent
• Include a manifest inside
the package.
• Communicate shipment
with receiver

10
• In the Office
– Physical Office Security
• Staffed reception counter
• After hours?
– Card/key access
– Change combinations & keys
– Logs
• Added Security
– Cameras
– Entry and exit checks

11
• In the Office
• Know who should be there
– Challenge others
• Personnel background checks
– Criminal
– Employment history
– Credit
• Train shortly after
employment begins and then
refresh periodically

12
• In the Office
• Know who should be there
– Challenge others
• Personnel background checks
– Criminal
– Employment history
– Credit
• Train shortly after
employment begins and then

13
• In the Office
– Policy and Training
• Policy provides basis for
controls and a roadmap
to follow
• Based on requirements
and good practice
• Individuals need
training on policy -
Include in Personnel
training

14
• On the System (Defense in
Depth)
– Policy
– Physical Security
– Network Security
– Host based Security
– Application Security
www.macroview.com/solutions/infosecurity/

15
• On the System
– Policy
• Technical, Managerial, Operational control
requirements
• Tells what needs to be done, not how
–Procedures provide the road maps on how
to comply with policy
• Covers all other aspects of Security
–Personnel
–Physical
–Network Security
–Host based Security
–Application Security

16
• On the System
• The same as in the office:
– Know who should be there
» Challenge others
– Personnel background checks
» Criminal
» Employment History
» Credit
– Train shortly after employment begins and then

17
• On the System
– Physical Security
• Includes environmental Security
• Access control
– Badges / Keycards
– Access lists and entry logs
– Escorted access
– Higher level of control for some areas
– Metal detectors and scanners
• Backup power
• Cameras

18
• On the System
– Network Security
• Firewalls
• NIDs (Network Intrusion Detection)
• Auditing
• IPS (Intrusion Prevention System)
• Honeypots

19
• On the System
– Host based Security
• Configuration compliance
• Internal Firewalls
• Access control
• HIDs (Host Based Intrusion Detection)
• Anti-Virus and Anti-Spyware
• Patch management
• Logging

20
• On the System
– Application Security
• Develop Application Security Plan
• Test for known vulnerabilities prior to
implementation
• Authorize access
• Rules of behavior
• Secure Web interface
• Limit PII entries and displays

21
• Data Transfers
– Electronic File Transfers
– Tapes and CDs
– Thumb Drives
– Email
– *Laptops

22
• Data Transfers
– Encryption
• Encrypt with strong Algorithms
– AES, Advance Encryption Standard or Triple DES,
Data Encryption Standard
– Use large key length, 256 or greater
– If passwords are used: make them strong
» Complex with a mixture of numbers, upper and
lower alpha characters, and special characters
» 8-12 characters in length
» No dictionary words or names
» Send separate from the data transfer
» Mask entry

23
• Remote Users
– Two types of remote users: Students and Staff
– Problem
• Work from personal or public PCs and laptops
• Data downloads need to be monitored
• Infected with viruses and spyware
• Open to phishing and pharming
• *Subject to Keylogger attacks
– Resolution
• Limit PII displayed or entered on the screen
• Employ two factor authentication for application access
• Provide Web site notices
• Offer assistance

24
• Remote Users
– Keylogger attacks
• What are Keyloggers?
• Why are we singling this threat out?
• What can be done about the Keylogger threat?
– Limit the amount of PII entered or displayed on the web site.
– Make sure that user passwords are changed frequently.
– Limit privileged users remote access.
– Use Two Factor authentication.
– Include warning banners on your web sites that provide a
warning and instructions for prevention.
– Let users know not to use computers with unknown security.
Cyber Cafes and other publicly accessible computers should
be avoided when accessing PII.

25
• Assess Your Security
– Identify data sensitivities for CIA
– Identify Likelihood
• Likelihood = threat*motivation
– Identify security risks
• Risk level = Impact*Likelihood
– Controls = level of risk
– Identify test methods based on risk level
• Documentation reviews
• Interviews
• Observations
• Technical tests (network, OS and
application scans, log reviews, penetration
testing, password cracking)
– Use Baseline Security Requirements
– Complete testing and identify
weaknesses / unmitigated vulnerabilities
– Create remediation plan

26
Protecting personal information is
Everybody’s Job!
Personally Identifiable Information (PII):
Information about an individual including but not limited to,
Education, Employment, Financial Transactions, Medical History,
and Criminal Background information which can be used to
distinguish or trace and individual’s identity, such as their name,
social security number, date and place of birth, mother’s maiden
name, biometric records, etc, including any other personal
information that can be linked to an individual.
Don’t become a headline!

27
Resources
Vulnerabilities:
– OWASP (http://www.owasp.org)
– SANS Top 20 (www.sans.org/top20)
– National Vulnerability Database (http://nvd.nist.gov)
– cgisecurity (http//www.cgisecurity.com)
Guidance:
– National Institute of Standards and Technology (NIST)
Computer Security Resource Center
(http://csrc.nist.gov/publications/nistpubs/)
– Center for Internet Security (CIS) (http://www.cisecurity.org/)
– Educause
(http://connect.educause.edu/term_view/Cybersecurity)

28
Contact Information
We appreciate your feedback and
comments. We can be reached
at:
Bob Ingwalson
• Phone: 202.377.3563
• Email: robert.ingwalson@ed.gov
• Fax: 202.275.0907

Session4807.ppt

Recommended

Recommended

More Related Content

Similar to Session4807.ppt

Similar to Session4807.ppt (20)

Recently uploaded

Recently uploaded (20)

Session4807.ppt