IPAS at Penn State


The Information Privacy and Security (IPAS) project is a University-wide mission to enhance the data security practices at Penn State. This session will explain the 2 phases of the Penn State IPAS project and how it is being implemented in the College of Ag Sciences. We will explore issues faced and those that will continue to be addressed.

IPAS Phase I is focused on Payment Card Industry Data Security Standard (PCI/DSS) compliance. We were required to create secure networks and workstations from our Extension offices back to the University Park campus.

IPAS Phase II is focused on security and privacy initiatives for all of Penn State’s institutional information. We are now required to scan all College computers for personally identifiable information such as Social Security Numbers (SSNs) and credit card numbers. Additionally, we are being asked to install disk encryption software on all College notebooks.

The University-wide mission also comes with its own 10 Security Requirements (Commandments). These will be reviewed as well. Our College's Information Technology group has had to adjust our own practices to meet these goals.

Published in: Education, Technology
  • Data Classification - In general, data will be broken down into various categories.
    Public
    – Intended for distribution to the general public, both internal and external to the University.
    – Release of the data would have no or minimal damage to the institution.
    Internal/Controlled
    – Intended for distribution within Penn State only, generally to defined subsets of the user population.
    – Release of the data has the potential to create moderate damage to the institution. Such damage may be legal, academic (loss or alteration of intellectual property), financial, or intangible (loss of reputation).
    Examples:
    – Bulk email address listings containing all members of a major population (e.g., all students, all faculty/staff)
    – Class rosters not containing SSN or other restricted information
    – Employment applications unless restricted information is included
  • – Campus Maps
    – Directory information (where no Confidentiality Hold applies)
    – Email addresses of individuals (not bulk listings of all entries data mined from central services)
    – News stories (subject to copyright restrictions)
  • – Library Collections limited to Penn State use only
    – Bulk email address listings containing all members of a major population (e.g., all students, all faculty/staff)
    – Class rosters not containing SSN or other restricted information
    – Employment applications unless restricted information is included
  • – Social Security Numbers
    – Drivers’ License numbers
    – Personally Identifiable Health Information (PHI) - May have additional HIPAA controls
    – Salary and tax information related to individuals
    – Details of University Budgets
    – Tenure or promotion information
    – Staff employee review information
    – Password or other system access control information (to include biometric identification parameters)
    – Human Subject Information (May have additional security requirements as identified by the originator or the Institutional Review Board)
    – Non-directory information, to include photographs of individuals unless permission has been obtained for their use
    – Workman’s Compensation or Disability Claims
    – Employee background check information
    – Admission and financial aid information
    – Bursar bills that are personally identifiable
    – Personally identifiable grade or transcript information
    – Donor information
    – Security settings or details of security configurations (e.g., detailed firewall rule sets)
    – Information to/from University Legal Counsel unless otherwise designated
    – Ethnicity data other than aggregate statistics
    – Disability status other than aggregate statistics
  • What if the computer is not in the office during the scan window?
    The computer will still be scanned. The next time the computer is connected to the office network, the package will be uploaded to the server to be analyzed.
    What if the computer is powered off during the scan window?
    The scan will happen at the next boot, so the scan may happen on Wed rather than Tues.
    What if the computer is asleep or in hibernate?
    The scan will not run. But the Scanner Service ASSUMES that it ran!!
  • Can't have the Network version and the Standalone version on the same computer

    1. 1. Information Privacy and Security at Penn State Vince Verbeke, Penn State
    2. 2. IPAS Project • Information Privacy and Security • University-wide mission to enhance the data security practices at Penn State • Supported by the highest levels of the university • Two phases to the IPAS Project • Phase I • Phase II
    3. 3. IPAS Phase I • Focused on the Payment Card Industry Data Security Standard (PCI/DSS) compliance • This was necessary if PSU wanted to continue to take credit cards for payment of goods and services • This was not something Penn State created; it is a worldwide requirement for anyone processing credit cards
    4. 4. IPAS Phase 1 • Involved creating very secure networks and workstations • Firewall with Intrusion Prevention (IPS) • VMware ACE client • 29 offices at University Park and in County Extension offices are now processing credit cards under PCI compliance
    5. 5. IPAS Phase II • Focuses on security and privacy initiatives for all of Penn State’s institutional information • Initiatives • Data Classification • Scanning of all university computers for Personally Identifiable Information or PII • Encryption of all university notebook computers
    6. 6. Data Classification ... Why? • Legal and Regulatory Compliance • More Effective IT Management • First step – We must know what needs protection and define the appropriate security commensurate with the data value and risk
    7. 7. DefCon 1 - Public • Intended for distribution to the general public, both internal and external to the University • Release of the data would have no or minimal damage to the institution
    8. 8. DefCon 2 - Internal/Controlled • Intended for distribution within Penn State only, generally to defined subsets of the user population • Release of the data has potential to create moderate damage to the institution • Damage may be legal, academic (loss or alteration of intellectual property), financial, or intangible (loss of reputation)
    9. 9. DefCon 3 - Restricted • Data which the University has a legal, regulatory or contractual obligation to protect • Access must be strictly and individually controlled and logged • Release of such data has the potential to create major damage to the institution • Damage may be legal, academic (loss or alteration of intellectual property), financial, or intangible (loss of reputation)
    10. 10. DefCon 4 - 'Other' • Some data or projects have special restrictions imposed by the originator • Those restrictions may be over and above the security required by the general University standard
    11. 11. Security Standards • These are applied to the different data classifications • For all practical purposes there are only two data classifications • Public • Non-public
    12. 12. Problems at Penn State • 1790 systems scanned: 1004 have PII data • Laptop theft or loss is a growing concern • 4 Penn State Web sites allegedly serving malware (June 17-19, 2008), global trend • Continuous hostile probes of PSU network • ~9,000 individual record breach notifications in past 12 months by PSU or its data sources • >12,000 known compromises of PSU systems since 2002
    13. 13. Scanning for SSN or CC#'s • Coordinated centrally by IPAS/ITS • Process • Client installed and scan started • Report sent back to a central server • AG IT gets a copy of report and reviews • If PII data is found, user asked to remove or delete • Scan re-run on computer • Service installed • IPAS/ITS will trigger periodic scans
    14. 14. Join the Scanning Circle [cycle diagram; labels: Install Client, Scan-Sent to PSU, IT-Request Report, IT-Review Report, User-Remediation, Re-Scan]
    15. 15. Challenges Faced • Effort is from PSU Central IT ... Ag IT is not part of that "team" • Ag IT was not in control of the technology • Technology was not "ready for prime time" • No Mac or Linux clients • Scanner skips files over 50 Mb • Can't scan Outlook
    16. 16. Delivering the Software • Network version via SMS or Group Policy • Standalone version via Web download or Sneakerware • Software pieces • Proventsure AsariumScanner • SafeGuard PrivateCrypto
    17. 17. Moving the Package • Post-scan "package" goes to Central IT • Ag IT needs to request by Inventory • Issues with getting reports from first scans • Changes in Central IT personnel • Magically package reports began to arrive
    18. 18. Ag IT Reviews - Killing Trees • Reports are physically printed • Processed by 1 Ag IT staff • Eric Mailloux, ejm21@psu.edu • Most secure, Print is in your face • Largest report 67,000 rows
    19. 19. Remediation - How to Delete
    20. 20. Start the Circle Again http://www.flickr.com/photos/lonelyradio/60264298/
    21. 21. Did Well • Communication • Dept Heads to End Users • Peers in College • Time Line • % Complete - Ahead of University
    22. 22. Do Different • Group Policy to install Secure Delete rather than SMS • TEST ... TEST ... TEST • Test more outside "AG world"
    23. 23. Challenges Going Forward • Setup issues within County offices • Current 192.168.xx.1 in 66 out of 67 offices • PSU Security wants to RE-IP these networks • Central IT won't open their Firewalls • Manual Installs ... How do we reach them? • eDiscovery • Notebook Encryption
    24. 24. eDiscovery • e-Discovery refers to any process in which electronic data is sought, located, secured, and searched with the intent of using it as evidence in a civil or criminal legal case. According to legislation, Information Technology (IT) teams have a legal obligation to respond appropriately and provide Electronically Stored Information as requested if their company (College) would become involved in litigation.
    25. 25. Notebook Encryption • Centrally managed by IPAS/ITS • Cost is being covered centrally by ITS • Ag IT will install client and disk encryption will be initiated • This will take several hours to complete • Notebook should be configured to always ask for a password when coming out of sleep or hibernation. • Support issues are to be determined
    26. 26. 10 Security "Commandments" 1. Protection from the public Internet or external network segments 2. Systems connecting to the Penn State network will be free from known vulnerabilities 3. Access to system will be individually controlled. All actions must be traceable to unique UserID 4. Access to system and application will be logged
    27. 27. 10 Security "Commandments" 5. Units will maintain local policies in accordance with and augmenting Univ Policy AD20 6. Data will be secured at rest or in transit commensurate with its sensitivity 7. Sensitive data must be sanitized or destroyed prior to system re-use by another entity 8. Physical and facility security must be maintained
    28. 28. 10 Security "Commandments" 9. A development and risk assessment process must be in place commensurate with the sensitivity of the data 10. Backup and Disaster Recovery measures must be in place commensurate with the value of the computer and network resources, and the data held
    29. 29. Summary • So what does that all mean? • There will be changes in how we use the Penn State network, computers and how they operate • These are all positive security changes • This is not a once and done project, it is an ongoing change in how technology is used at Penn State • Ag IT is attempting to guide the college through this process over the coming months ... and years
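
Slides 13 and 15 describe scanning for SSNs and credit card numbers and note that the scanner skips large files. The sketch below is an added example, not the IPAS scanner or any vendor's code: it finds dashed SSNs and Luhn-valid card numbers, masks them, and lists every file it skipped so the reviewer sees the coverage gap. The patterns, the function names and the reading of the 50 Mb cutoff as bytes are assumptions.

```python
import re

# Assumed patterns (not from the slides): dashed SSNs and 13-16 digit card numbers.
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,15}\b")
SIZE_CAP = 50 * 1024 * 1024  # assumed byte value for the scanner's large-file cutoff

def luhn_ok(digits):
    """Luhn checksum, used to drop digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def plausible_ssn(area, group, serial):
    """Reject number ranges that are never issued as SSNs."""
    return (area not in ("000", "666") and area < "900"
            and group != "00" and serial != "0000")

def scan(files, size_cap=SIZE_CAP):
    """files maps name -> bytes. Returns (findings, skipped)."""
    findings, skipped = [], []
    for name, data in files.items():
        if len(data) > size_cap:
            skipped.append(name)  # reported, so the gap is visible to the reviewer
            continue
        text = data.decode("utf-8", errors="replace")
        for m in SSN_RE.finditer(text):
            if plausible_ssn(*m.groups()):
                findings.append((name, "SSN", "***-**-" + m.group(3)))
        for m in CARD_RE.finditer(text):
            digits = re.sub(r"\D", "", m.group())
            if luhn_ok(digits):
                findings.append((name, "CC", "*" * (len(digits) - 4) + digits[-4:]))
    return findings, skipped

# Constructed sample input; 078-05-1120 and 4111 1111 1111 1111 are well-known test values.
SAMPLE = {
    "roster.txt": b"Jane Doe 078-05-1120\nroom 000-12-3456\n",
    "orders.csv": b"card,4111 1111 1111 1111\nref,1234 5678 9012 3456\n",
    "archive.bin": b"078-05-1120" + b"\0" * 64,
}

if __name__ == "__main__":
    print(scan(SAMPLE, size_cap=64))  # tiny cap so the sample exercises the skip path
```

With the default cap the constructed archive.bin is scanned and its SSN is reported; with the small cap it appears only in the skipped list, which is the case a remediation report needs to surface.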