The Impact of Breaches on Higher Ed

Tammy Clark, CISSP, CISA, CISM, PMP, ISO 27001 Lead Auditor
Chief Information Security Officer
Georgia State University

McAfee FOCUS Conference, October 2009

Page 1

Page 2


Is It Really As Bad As They Say it Is?!

Well, that depends on who you talk to. Educational Security Incidents (ESI), which catalogs higher education security incidents and data breaches, reports that in 2008:

• 173 separate incidents were reported

• A 24.5% increase over 2007

• Primary reasons:

– Unauthorized disclosure: 75

– Theft: 40

– Unauthorized access/penetration: 35

Privacy Rights Clearinghouse reports that so far in 2009, 38 colleges have reported incidents out of 196 total incidents reported:

• Of these, 17 were due to theft, 11 to unauthorized access/penetration, and 10 were the result of unauthorized disclosure

Page 3

So What Are Our Major Issues?

• Standardization: plans, policies and standards

• Data classification and risk management

• Misconfigured devices, apps and web sites

• Inadequate perimeter protection

• Lack of advanced intrusion detection and analysis skills

• Inadequate endpoint protection

• Lack of encryption

• Open-ended culture

• Security 'un-aware' users: no 'skin in the game', or circumventing controls


Page 4

What ‘Drives Change’ in Higher Ed?

• Compliance: PCI, FERPA, HIPAA, GLBA, Red Flags, DMCA

• Research Grants that require minimum levels of security or compliance with FISMA or ISO 27001/2

• Data Breaches (either our own or a neighboring institution)

• Budget cuts

• Audits

• Emergency management

• Risk management

• University President's/Provost's priorities


Page 5

What Are We Doing to Prevent Breaches?

Technology

– Renewed emphasis on endpoint security

– Encryption

– Vulnerability Assessments

– NIPS (network intrusion prevention)

– Host IPS

– Anti-malware

– NAC (network access control)

– DLP (data loss prevention)

– IDM (identity management)

– Integrated Solutions Suites that provide better, deeper visibility


Page 6

What Are We Doing to Prevent Breaches?

Process

– A myriad of compliance initiatives

– Standards (ISO, FISMA, COBIT, ITIL) and Standardization (Yes! In higher Ed)

– Get Rid of Confidential Data We Don’t Need or Require!

– Data Classification and Risk Management

– Audits/Corrective & Preventive Controls

– Physical & Logical Controls

– Policies and guidelines for 3rd parties processing or storing our data

– Contracts with campus customers under which the central IT/security organization manages their critical systems and data
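The data classification and "get rid of confidential data we don't need" items above both start with the same step: finding out which files actually hold regulated data. As an added example that is not part of the original presentation or of Georgia State's tooling, the Python below scans constructed sample documents (the file names and contents are made up, standing in for files on a departmental share) for SSN-shaped strings and for card-number-shaped strings that pass the Luhn check, and reports only masked values so the scan output does not itself become one more copy of the confidential data.

```python
"""Added example (not from the original presentation): a small
confidential-data discovery scan of the kind that precedes a data
cleanup. Sample files and their contents are constructed."""
import re

# Constructed stand-ins for documents found on a departmental file share.
SAMPLE_FILES = {
    "roster_2007.csv": "name,ssn\nJane Doe,078-05-1120\nJohn Roe,219-09-9999\n",
    "parking_payments.txt": (
        "card 4111 1111 1111 1111 exp 09/11\n"   # Luhn-valid test PAN
        "card 4111 1111 1111 1112 exp 09/11\n"   # one digit off: fails Luhn
    ),
    "syllabus.txt": "Office hours Tue 2-4. Course code 123-45-678 is not an SSN.\n",
}

# SSN: 3-2-4 digits; area 000/666/9xx, group 00 and serial 0000 are never issued.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# Candidate card number: 13 to 19 digits, optionally separated by spaces or dashes.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers; it filters out most long
    digit strings (phone numbers, student IDs) that merely look like PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                 # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def scan_text(text: str) -> list[tuple[str, str]]:
    """Return (kind, value) findings for one document."""
    findings = [("ssn", m.group()) for m in SSN_RE.finditer(text)]
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            findings.append(("pan", digits))
    return findings


def scan_share(files: dict[str, str]) -> dict[str, list[tuple[str, str]]]:
    """Map each file holding confidential data to its findings.
    Files with no findings are omitted: they need no cleanup."""
    return {name: f for name, text in files.items() if (f := scan_text(text))}


def mask(value: str) -> str:
    """Keep only the last four characters in reports, so the scan log
    does not become another copy of the data being cleaned up."""
    return "*" * (len(value) - 4) + value[-4:]


if __name__ == "__main__":
    for name, findings in scan_share(SAMPLE_FILES).items():
        print(name)
        for kind, value in findings:
            print(f"  {kind}: {mask(value)}")
```

Against the constructed share this flags the roster (two SSNs) and the payments file (one Luhn-valid PAN) and leaves the syllabus alone; the second card line is dropped because it fails Luhn. A real run would walk the share with `os.walk`, decode each file explicitly, and hand the masked report to the data owner for the cleanup decision.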


Page 7

What Are We Doing to Prevent Breaches?

People

– Authority=Accountability (The Golden Rule)

– Responsibility for compliance; in some cases, personal liability

– Security Awareness Training

– Data Cleanup Parties

– Security reviews and mandated controls for systems processing confidential data (encryption required, no P2P applications, etc.)


Page 8

Now What?

We’re Really Cleaning up our Act

– Getting better and better at protecting the perimeter

– Focusing Now on Testing and Securing Apps, Databases, Web Servers

– Using compliance as a driver to mandate and standardize our complex IT environments

– Endpoint Security – Building arsenals of tools such as anti malware, NAC, tools that enforce standardization, in addition to traditional AV/HIPS

– Turning to standards, especially ISO and NIST, for guidance and best practices based on risk management

– Emphasizing data classification and clean-up

– Selecting integrated solutions

– Making a lot of effort to educate our large user populations


Page 9


Presentations will be available on the FOCUS website

www.mcafee.com/focus09

Password: protect2009
