Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Information security and research data


Published on

Information security risks today
Data classifications
Information Security in daily work
GDPR – The EU General Data Protection Regulation

  • Be the first to comment

  • Be the first to like this

Information security and research data

  1. 1. Information security and Research data - and something about GDPR… 17.11.2016 – Aalto university “With Data classification each one is able to distinguish critical information from public class information. Classification helps to optimize IT-system costs, controls the handling and is guidebook to good practices” • Information security today • Data classifications in Aalto • Information Security in daily work • GDPR – The EU General Data Protection Regulation Tomi Järvinen – IT-Security specialist
  2. 2. Information security organization in Aalto • Information Security Team • Riitta Gröhn, Chief information Security Officer • Timo Salin, Information Security Specialist • Aalto IT virtual security team, 8-10 members (networks, servers..) • Information security responsibles in schools and departments, ~120 • University legal team, close co-operation Information Security Team tasks, e.g. • development of Information security policies and instructions • information security and data protection consulting • information security training and seminars • computer Security and Incident Response “CSIRT” (with special CSIRT team) Aalto Information security organization
  3. 3. Information Security principles covered by technical & process controls 3 • Confidentiality • Technology, e.g. malware, encryption, • Processes, Policies, guidelines, • Integrity • Data validationChecker, Quality Assurance, Audit Logs • Availability • Monitoring, BCP/DRP Plans and Tests, Back-up, fault tolerant storage, Sufficient Capacity Ddos Leak Intrusion
  4. 4. Aalto wide Data survey 2014 Amount and type of classified data? ei: 142 kyllä: 225 Classified data? Data which is not public. Classified to confidential or internal security level. Legal or contractual requirements for data storage or processing 39 % 61 % 61% Work with confidential information 33% of them on daily basis Typical classified data in research? Data of the study or technical development, which can not leak to third party (52.2%)
  5. 5. Todays risks • ISF Security forum: 2016 - innovative and sophisticated attacks. Targeted campaigns with 0-day vulnerabilities • Targeted campaigns using emails & calls • Fake login pages • DOS(Ddos) • Encrypting the organization • Attacks on payment card data • Future? Jailbreaking the cloud? (e.g. malware built to crack cloud- based systems) • IoT, light bulps, fridges, cameras, ( 5
  6. 6. Risk is not a question, it is a fact Based on (Only US) (USA only source) Organization Type: EDU Year(s) of Breach: 2016, 2015, 2014 Breaches made public fitting this criteria: 60 Records total: 1,130,158 Breach Type: PAYMENT CARD, HACK, INSIDER, PHYSICAL, PORTABLE, Organization Type: ALL Year(s) of Breach: 2016, 2015 Breaches made public fitting this criteria: 636 Records total: 164,693,655 LA Hospital Servers Shut Down By Ransomware Posted Feb 17, 2016 by John Biggs (@johnbiggs)
  7. 7. How security breaches occur? 7 12.06.2014
  8. 8. Attacker motivation 12.06.2014 8 Attacker Motivation Goal Government Financial, influence Collecting information Criminals Financial Threats, blackmailing Commercial organizations Financial Disturbance of the competitor. Collection of information Insider self-interest, vengeance Economic benefits Damage to the organization's. Revenge Curious users (external or internal) curious Pressing any buttons and see what happens Hactivism power Placing an opponent in a bad light, collecting information
  9. 9. • Information security today • Data classifications in Aalto • Information Security in daily work • GDPR – The EU General Data Protection Regulation
  10. 10. Aalto Information Classification guideline University's information public by default, unless: • legal grounds • Section 24 of the Act on the Openness of Government Activities (“julkisuuslaki”) • Personal data act, e.g sensitive personal data • Business secrets of private company (see more in guideline) Aalto university Security classification guideline is based on Decree on Information Security in Central Government, (VAHTI 2010) same principles areused in other universities and CSC. Due to shared functions , it is important that the information classified to same level are marked with same labels and stored & processed with same principles.
  11. 11. Information Classification guideline • Is setting out the basis for classification in those situations where it may be necessary to apply security classification in order to protect interests. (Classification policy) • Guideline includes labels and markings in case of transfer or archive documents (Rules on the handling) • Defines the principles of IT-infrastructure design, detailed requirement specifications for IT-procurement (e.g. requirement spesifications, Inside help) “classification at too low level may compromise university's information security and activity. “The over-classification of information leads to unnecessary expenses and laborious handling processes. “
  12. 12. In practice In everyday work, the material is in owner’s responsibility– the owner is responsible for the correct handling. (as law, university policies & agreements requires) When materials are used in daily work for carrying out university activities, they are not formally classified. However, everyone must always distinguish classified information! Material is stored in an archive, classified as such or forwarded, and/or the content includes classified information, and/or the content includes especially confidential information due to regulation, contractual conditions or for other reasons. IF Public Internal Condidential Secret THEN And only then! Labels, Secrecy obligations (e.g. legal grounds: Act of Openness, section 24, paragraph 4)
  13. 13. “Non documents” (work files, drafts) • Notes, drafts, • Internal guides • Notes from team meetings • Internal Internal training material, work documents • internal communication, internal message YES Does section 5 of the Act on Openness apply to my university document? Secrecy obligations (most cases section 24) • psychological testing or aptitude testing • business secrets • Unbublished patentable research work • security arrangements • Person health state “University Document” (Legal definition) Internal Information security labelling Law (Act of Openness, Personal Data act) Or Contract tends to require the protection of the data Confidentiality label, university documents ”CONTENT” of the document is confidential, internal or secret? NO ”Public” YES Public and ”meant to be published” are not the same YES YES Delivery YES Delivery YES
  14. 14. Good poster : Back to basics, to help university users we created: “Examples of classified data” (on your desks) Table is indicative. User should evaluate the need for protection level. According reasearch data the real value can be estimated only by the data owner. If you are unsure, ask from legal team.
  15. 15. Classification in work • Controlling the practical work and information processing • Rules on the handling • Identifying the underlying data • Critical Information / internal information / public information • Examples of data table • Defining the need for protection, how strong security • Requirement specifications from IT • Storage proposals, the options listed • Rules on the handling • Making labels - when it comes to the need to transfer, assign or archive material • Classification guideline • Principles of planning IT environment •, Inside, Requirement specifications
  16. 16. System X for co-operation project Rules on the handling : (All guidelines are also in English) Label ST IV (SL IV) in University of Eastern Finland Label ST IV (SL IV) in Aalto university
  17. 17. Classification guideline, Rules on the Handling- IT service matrix:
  18. 18. Handle with extra care, if Think about your work and information you are processing! If: • the data is Aalto-university classified confidential or secret the data is confidential under a non-disclosure agreement, project agreement or other agreement containing confidentiality obligations • The data concerns a patentable invention or other non- published research results • the data have requirements from third party • University (or you) would suffer reputational or financial damage if the data leaks to external use • long term archiving requirement • value of data? what happens if the data is lost permanently • availability requirement, what happens if there is no access to data? third party service might be down, or network problems,
  19. 19. Confidentiality ”Data classification” Availability, how critical the service is to be available Integrity, impact of the incorrect information Low No redundant hardware Medium ”Business hours” High ”24/7” Redundant Standard /low ”Optional” Data Replacable Medium ”recommen ded” High ”required” Public Internal Confidential, ST IV, ST III Information Security Classification – just one view ?
  20. 20. • Information security today • Data classifications in Aalto • Information Security in daily work • GDPR – The EU General Data Protection Regulation
  21. 21.
  22. 22. 22 so-called, “Public Cloud” – • ready to use • scalable • no IT help needed • service for almost any possible use case • all possible bells and whistles • can be used anywhere • free of charge, (if your privacy and personal life has no value) 500 Mb video, 20 minutes • where is the data? • who gets it? • provider employees? • network traffic? • bottlenecks? • privacy policy? • Privacy Data collection and destruction? • terms of service? • investigation? (in case of illegal content, data theft, copyright etc.) • lock-in?
  23. 23. 23 Security in work, (C-I-A) • Take care of work material • Make sure that your files are always backed up. Dispose of confidential material in accordance with instructions. Be sure to log out from software and systems • Protect your equipment and the environment • Make sure that your computer security software is working and updated. Use the password-protected "screen saver". Lock your room and your computer when you leave for a short time • Be sure about source of information • The message may contain malware or be forged. the name and address of the sender does not guarantee anything, does not it. The programs should not be installed unless you are sure that it is safe. The file which you are not sure or do not know who it is, do not open. Be carefull with USB-Sticks • Be accurate in your own work • When you send something, please tell clearly what it is, do not send attachments without first informing the recipient about coming files. Also keep in mind the so-called Hidden Data (MS-Office meta-data). Be a always little suspicious when someone asks for confidential information, verify persons identity’
  24. 24. 24 Safety in web (SoMe, Cloud) • you cannot get anything “back” • services may claim ownership of the information • “free” services often collect and disclose information to third parties such as advertisers or collaboration partners. • malicious links, think before clicking, (malwertising) • think where you buy from • "fakeware / scareware“, think before buying (snake oil software) • be accurate, how and what you write • please do not comment on behalf of the University, unless it belongs to the job description :) https://www.washingtonpost-personal-data-points-that-facebook-uses-to-target-ads-to-you/
  25. 25. 25 Safety in web (e.g. SoMe, Cloud) • keep your password / username combination safe, if the worst happens (serious illness or matters related to legislation) • material may be financially or for some other reason valuable (university or relatives, e.g. script, photos, new “Kalevala under work) • use different password and user id, mnemonic?, software like "KeePass“ for password management • use "alias", account name e.g.”TeemuX2012”, etc... check if this is not against TOS.*, in some cases anonymity might be good idea • keep copies of everything on your own computer • do not accept all friend requests • if necessary, clear the browser cache • only "Sure" way to store files securely is an encryption * “Terms of Service; Didn't Read”
  26. 26. 26 Profitable tool for Criminals - Email • At the moment, the biggest threat • Aalto is an attractive target for criminals • a lot of users • in case of successful phishing -> huge capacity • Malicious email: – Spam (Spam), pharmacies, pornography, gambling. (Might be legal, just hidden costs with small letters) – Scams (Scam), financial or emotional benefits, wide variety of frauds. – Phishing – Malware, malicious links to services Cornell University 120 examples collected 2015: What happened? “urgency, stress, tiredness
  27. 27. 27 As a user, security in work
  28. 28. File/Folder level encryption • Sophos SafeGuard PrivateCrypto Aalto workstation software, • Create Encrypted package, send by email or share with , send password with SMS • VeraCrypt, heavier tool, for example project use. – Create ”container” to place where, every member have access – Share password with secure way Encryption, secure way to share or save to external storage (for example cloud)
  29. 29. 29 The service uses Adobe Acrobat PDF files with strong AES-256 encryption. (Secured also in Cloud, like O365) E-mails will be encrypted automatically by adding "AALTO-SECURE" (or aalto-secure) to subject field. like : AALTO-SECURE: your real subject • It is good practice to inform recipient in advance of an incoming message • outsiders can send encrypted message to Aalto by answering Aalto user's encrypted message Option, needs knowledge about PKI-infrastructure •GnuPGP + Thunderbird combination Aalto Email encryption
  30. 30. 30 Keep safety when traveling instructions Foreign travel _29052015_ENG.pdf • Activate lock out functions for screen savers – Computers with confidential data should be configured to "lock out" after 20 minutes of inactivity. PC in sleep mode can be hacked easily • Laptop hard drives should be encrypted, Ask for more information about from the IT Service Desk. • With kiosk PCs, clear browser cache • Before, write down important contact details, ITS-service desk, “if device is lost instructions” operator, credit card contact numbers • Use VPN, open WLAN is open • Change your password while abroad, your password will be valid for 180 days (approx. 6 months), • Take care of USB-sticks, don’t take USBs from unknown • Always transport your devices as hand luggage when traveling (e.g. train, ship, bus) • Make sure that the PIN and protection code inquiry features of your mobile phone are enabled. • Disable bluetooth if you really don’t need it • Be careful when (or avoid totally) printing and carrying confidential material
  31. 31. 31 Case 1, European Research Council Requirement, for example: … o Detailed information must be provided on the procedures that will be implemented for data collection, storage, protection, retention and destruction and confirmation that they comply with national and EU legislation o In case of data not publicly available, relevant authorisation must be .. Depending of confidential level, “normal NDA, level=confidential, one possible solution is Eduuni, SLIDE 12 IT-Service Matrix • Contact IT Account managers, E-Duuni admin will create workspace. • If needed ask Eduuni Security Statement from Research and Innovation Services or , add statement to research application • When project starts, create workspace for your project
  32. 32. 32 Case 2, project with secret level data Ask consultation from (Some schools have already high security facilities) Some typical requirements • Rooms must have electronic locks with audit log, who, when • Workstations with data disconnected from Web • All access to Data must have audit control, who, when, what • Data must be encrypted in shared drives or external devices, like USB-backup (Slide 19)
  33. 33. • Information security today • Data classifications in Aalto • Information Security in daily work • GDPR – The EU General Data Protection Regulation
  34. 34. The EU General Data Protection Regulation (GDPR) New thing? • In 1980, the OECD “Guidelines on the Protection of Privacy and TransborderFlows of Personal Data” that addressed 8 principles of privacy: »Collection Limitation, Data Quality, Purpose Specification, Use Limitation, Security Safeguards, Openness, Individual Participation and Accountability • basis of 1995 EU Directive 95/46 / 95/46 / 95/46 / 95/46 / 95/46 / 95/46 / EC, “Personal Data Directive” • 2012 first GDPR draft out, preparations started in Aalto • May 2016, GDPR approved (already in place) • Transition period, may 2018 everyone must follow
  35. 35. Roles from legislation point of view The data controller is the natural person, company, association or other entity that is factually in control of the processing of personal data and is empowered to take the essential decisions on the purposes and mechanisms of such processing including the applicable security measures. “Who is responsible and owns Data Subjects information”. A processor becomes a controller if he or she uses data for his or her own purposes, not following the instructions of a controller (Think about Google and targeted advertising)” Data Processor: Directive: “The natural or legal person, public authority, agency or any other body, which processes personal data on behalf of the controller. Article 2(e) of the Data Protection Directive” If an organization holds or processes personal data, but does not exercise responsibility for or control over the personal data, then this organization is a "processor." Examples of processors include payroll companies, accountants and market research companies, call centres of telecom or financial companies, all of which could hold or process personal information on behalf of someone else. Data Subject: The natural person a personal data relates to. One individual person (Directive goal, to give full control and knowledge about storing and handling his/hers personal data) 35
  36. 36. Personal data The definition is meant to be broad. "Personal data" : when someone is able to link the information to individual person, directly or indirectly. Credit card number, bank statements, medical record (just mention about rare disease), full name, photo, phone number, birth date, e-mail address, car license plate, physical characteristics…and IP address. The definition is also technology neutral. It does not matter how the personal data is stored – on paper, on an whatever IT system, on a CCTV system, photographs, etc 23/11/2016 36 EU Court of Justice ruled that IP addresses are protected personal data
  37. 37. what does the GDPR say? GDPR says “WHAT” , It doesn’t say “HOW” Nothing about: • specific tools to use • specific processes to use • specific standards to use • examples or templates for solutions • Best practices for development or guidelines actual ”privacy engineering (privacy by default)”
  38. 38. GDPR interpretation, 4 difficult (total amount 85 Articles) • Article 32 “Security of processing” “controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk” What is appropriate? • Article 32 “Security of processing” continues “ongoing confidentiality, integrity, availability and resilience of systems and services processing personal data”. “data in a timely manner”. How long is timely manner, next business day? • Breach notification process (article 33), “The processor shall notify the controller without undue delay after becoming aware of a personal data breach” What should be time limit in vendor agreements? • Article 20, ”Data protection by design and by default” How you actually should implement that to application development? 38 Before you start implementing GDPR organization needs to do interpretation about GDPR articles, instead of “WHAT”, you need answer to question “How”.
  39. 39. The Fines Check your security management against Article 83: General conditions for imposing administrative fines “When deciding whether to impose an administrative fine and deciding on the amount of the administrative fine in each individual case due regard shall be given to the following (11 issues):” You are pretty safe if you can answer to supervisory authority (“tietosuojavaltuutettu”) something to 11 topics, like: • The number of data subjects affected? • The categories of personal data affected by the infringement? • Encryption…organisational and technical' measures that are in place? My proposal: make a test, can you answer to those 11 issues if you do breach exercise? 39
  40. 40. GDPR help from externals? At the moment public guidelines are mostly at this level* • “Proactive not Reactive; Preventative not Remedial” • “Privacy as the Default Setting” • “Privacy Embedded into Design” • “End-to-End Security — Full Lifecycle Protection” • “Respect for User Privacy — Keep it User-Centric” 1. Not so practical or useful for system owners or application developers. 2. External consultants in most cases have same story. 3. Be aware of Snake oil applications, it is not possible to buy GDPR tool. 4. Externals cannot do interpretation for organization * Ann Cavoukian, Ph.D. Information & Privacy Commissioner Ontario, Canada P r i v a c y b y D e s i g n guideline: 40
  41. 41. And now, something more about “how” :) (organization) 41 • Setting up GDPR Project, top management participation and enough resources • State of analysis, self audit about information security, continuity and personal data management, set up development measures (framework ISO 27001, “VAHTI-2010 – System level P-I-A – Organization level P-I-A – Status of privacy policies, description of file, guidelines and policies review • Inventory of contracts and sub-contractors (personal data flow diagram) • Personal data inventory, check your systems containing personal data, (interpretation…) • Management reporting practice, the annual clock – Data protection status reports (amount of inquiries, incidents, close calls) – The risk and impact assessments carried out as well as their most significant findings • Establish awareness program, annual employee training, new employee package (register) • Communication plans (about coming GDPR) • Data subjects requests, procedures and plan, how to handle in required time • Analyze ongoing development and procurement projects • The development of risk management (formal, remember accountability) • Ensure data security and business continuity (organizational and technical measures)
  42. 42. How - Privacy by design 42 I (PET) • ”Privacy by Design” is today undefined • Official privacy by design will be defined aftre precedent legal cases Image: Based on PrivaOn material
  43. 43. Personal Data Flow – subcontractor management 43 Cloud based storage in USAApplication server in Finland Administration and support in India Remote connections to systems API Data analytics HTTPS / SSL encryption Finland USA EU India API Contractor Vendor Vendors subsidiary In all boxes, note: • Data retention (Right to erasure) • Minimisation • Agreements Application development partner Outside EU/ETA End user device Organization (controller) Data Subject HTTPS / SSL encryption, EULA, Input forms
  44. 44. How – agreements and vendor management 44 Start with subcontractors inventory, list all of you subcontractors, find out personal data related to contractor. Dataflow, to see where personal data moves and under what legislation (e.g. subcontractor’s subcontractors (Azure/O365 -> ~80 subcontractors) • Agreement (btw, controller, processor) e.g. • Processing activities, data processing only for specific use • Consent, transfer data outside EU, moving data to other processor • Data location, Right to change subcontractor? • The ability to restore the availability and access to “data in a timely manner” • Portability, erasure, data retention time • NDA – security agreement template, e.g. • vulnerability management, back-ups • Agree about breach notification process • Subcontractor obligation to use employee NDA …(ask legal team) • Requirement specifications, requirements related to security and continuity (ask from IT account managers) Me too!
  45. 45. How – data subject rights e.g. 45 – Right to be provided with information of his/hers data (Right of access Article 15) – Generally enhanced right to information and transparency, new e.g. • retention period of the personal data, • right to withdraw their consent at any moment, – Consent (Article 6, Lawfullnes of processing) • Cookie consent • log that action for later purposes • No pre-ticking, privacy by default – Right to restriction, only restrict processing, • data can still be stored – Data portability, data to other processor – Right to erasure, total erasure Not absolute rights, e.g. ”erasure”, article shall not apply: a,b,c,d and e: for the establishment, exercise or defence of legal claims.
  46. 46. GDPR Links Guide to the General Data Protection Regulation protection/files/factsheets/factsheet_data_protection_en.pdf VAHTI-raportti 1/2016 EU-tietosuojan kokonaisuudistus - Goog practical guideline for Finnish organizations Excel-työkalu VAHTI tool Excel-työkalu ilman riskienhallintaosiota - Excellent PIA Tool for assesment workshops
  47. 47. Thank you! All Information security related issues: