Data Privacy and Security-Rev1
Why?...Because
Within little over one year there were 237 reported security breaches, compromising more than 97 million records containing personal information; 83 of these incidents (35%) involved higher education institutions.
Early threats targeted servers and computers connected to the network, either to destroy them or to use them to launch subsequent attacks. Today's threats are no longer aimed at operating systems, networks, or control of machines, but rather at the personal data about the users of those machines, for profit.
"Attackers are increasingly seeking financial gain rather than mere notoriety. During the past year we have seen a significant decrease in the number of large-scale global virus outbreaks and, instead, are observing that attackers are moving towards smaller, more focused attacks."
Vincent Weafer, Senior Director at Symantec Corporation
Implications
Furious Constituents
Negative Publicity
Tarnished Reputation
Public Embarrassment
Investigations
Lawsuits, Fines and Penalties
Financial Losses
Waste of Valuable Resources
Implement Technological Solutions
Adopt Soft IT Security Approaches
Change the Campus Culture
Combination of all the above
Note: All the points addressed here have been adopted as an activity in the CUNY Security Plan.
Technological Solutions
Perimeter and Interior Firewalls
Virtual Private Network
Intrusion Detection and Prevention System
Enterprise Directory
Filtering Technology
Network Behavior Analysis
Planning
Develop a well-thought-out, comprehensive IT security plan, risk assessment and IT security implementation strategy that is standards-based, flexible, mission-driven, adaptable, simple and measurable
Implementation
Implement the IT security plan and make it an intrinsic part of the day-to-day operations of the campus
Auditing
Periodically examine, assess and analyze the security of central and local applications, networks, and data
Invigorate Senior Management Interest and Support in IT Security (Buck Stops Here!)
Garner political support, which is critical to giving credibility to the implementation of the IT security program
E-Signature Initiative
An initiative to gather input from University and College constituents in order to assess and recommend e-Signature opportunities for consideration during the ERP implementation
Data Warehouse
A formal review and approval process for vetting all requests to access the data warehouse (forms are published at security.cuny.edu)
Assessments
CIS Portal Vulnerability Assessment, University Web Services Assessment, and an assessment of an external vendor (Liveperson.com)
Family Educational Rights and Privacy Act (FERPA)
Gramm-Leach-Bliley Act (GLBA)
Health Insurance Portability and Accountability Act (HIPAA)
Communications Assistance for Law Enforcement Act (CALEA)
Payment Card Industry Data Security Standard (PCI DSS)
Federal Information Security Management Act (FISMA)
Conclusion
Senior-Level Support and Involvement
Enterprise view of Information Security rather than just a specific department
Alignment of Technologies, Processes and Campus Culture with Information Security
Flexible Information Security efforts that adapt more easily to new threats as they emerge
Questions?
Thank You!
Acknowledgement: This presentation was made possible with the help of Mr. Carl Cammarata, CUNY Chief Information Security Officer and selected articles from Educause Review, September/October 2006.