2014 – Year of the breach!
Over a billion personal data records were compromised in 2014 - NBCNEWS.com
Largest Higher Education Breaches of 2014
University of Maryland – 300k records
North Dakota University – 300k records
Butler University – 200k records
Indiana University – 146k records
Arkansas State University – 50k records
All of these were bigger than the Sony breach! - Huffington Post
Other Costs
• Loss of student trust
• Damage to reputation
• Loss of staff productivity
• Legal action
• Additional audit requirements
• ??
Financial Costs
Password Management
Use a unique password for each service – never reuse your email account's password anywhere else
Use a combination of words, numbers and symbols with upper- and lower-case letters
Don't use easily guessed passwords (e.g. password, user)
Don't use words found in a dictionary, or sequences (e.g. 1234, abcd)
Complexity is nice, but length is more important
Never keep a list of passwords around
Use two-step or two-factor authentication whenever possible
- krebsonsecurity.com
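The rules above can be enforced at the point where students and staff set a password. The following is an added example (not code from the original slides or from CampusLogic) of a policy check that rejects common passwords, single dictionary words with digits or symbols bolted on, and character sequences, and that estimates the brute-force search space to show why length counts for more than complexity. The minimum length of 12, the word lists and the sample passwords are constructed for the example.

```python
import math
import re

# Constructed sample lists for the example; a deployment would load a full
# dictionary plus a list of known-breached passwords.
COMMON_PASSWORDS = {"password", "user", "123456", "qwerty", "letmein", "welcome"}
DICTIONARY = {"password", "university", "student", "financial", "campus", "summer"}

# Assumed policy value (the slides give no number); because length matters
# more than complexity the floor is set at 12 characters.
MIN_LENGTH = 12


def has_sequence(pw, run=4):
    """True if pw contains `run` consecutive ascending or descending
    characters such as 'abcd', '1234' or '4321'."""
    codes = [ord(c) for c in pw.lower()]
    for i in range(len(codes) - run + 1):
        window = codes[i:i + run]
        steps = {b - a for a, b in zip(window, window[1:])}
        if steps == {1} or steps == {-1}:
            return True
    return False


def has_repeat(pw, run=4):
    """True if any character is repeated `run` or more times in a row."""
    return re.search(r"(.)\1{%d,}" % (run - 1), pw) is not None


def check_password(pw):
    """Return the list of policy violations; an empty list means it passes."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    low = pw.lower()
    if low in COMMON_PASSWORDS:
        problems.append("common password")
    # A dictionary word with digits/symbols bolted on ("Summer2014!") is
    # still a dictionary word to a cracker that applies mangling rules.
    if re.sub(r"[^a-z]", "", low) in DICTIONARY:
        problems.append("single dictionary word")
    if has_sequence(pw):
        problems.append("contains a sequence")
    if has_repeat(pw):
        problems.append("repeated character run")
    return problems


def brute_force_bits(pw):
    """log2 of the search space an attacker must cover when guessing every
    string of this length over the character classes actually used.
    This is an upper bound: it shows why a long passphrase beats a short
    'complex' password, but gives no credit to an attacker who knows the
    passphrase is built from dictionary words."""
    pool = 0
    if re.search(r"[a-z]", pw):
        pool += 26
    if re.search(r"[A-Z]", pw):
        pool += 26
    if re.search(r"[0-9]", pw):
        pool += 10
    if re.search(r"[^A-Za-z0-9]", pw):
        pool += 33  # printable ASCII punctuation and space
    return len(pw) * math.log2(pool) if pool else 0.0


if __name__ == "__main__":
    # Constructed sample passwords: two weak ones, a short "complex" one
    # and a long passphrase.
    for candidate in ["password", "Summer2014!", "Tr0ub4d&3",
                      "correct horse battery staple"]:
        print("%-30s %6.1f bits  %s" % (candidate, brute_force_bits(candidate),
                                         check_password(candidate) or "OK"))
```

The nine-character "complex" password scores about 59 bits of brute-force search space and still fails the length rule, while the 28-character all-lower-case passphrase scores over 150 bits and passes every check; the dictionary check is deliberately applied to the letters only, so appending a year and a symbol to a word does not get it past the policy.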
Mobile Device Security
Use a PIN, password or pattern to lock your phone
Enable data encryption features
Download apps only from trusted stores
 o Install an anti-malware program (e.g. Lookout)
 o Install anti-theft software
Don't root or jailbreak your phone
Keep your operating system and apps updated
Log out of sites after you make a payment
Switch off Wi-Fi and Bluetooth when not in use
- Techradar.com
Public WiFi Use
Know that you are never secure!
Use the built-in tools:
 o Enable the firewall
 o Block all incoming traffic
 o Disable file sharing
Look for the padlock (HTTPS) in the browser before entering anything sensitive
Confirm the network name with staff at your location
Use common sense
- CNET.com
Secure Processes
Don't leave sensitive information lying around unprotected, including on printers, fax machines or copiers
Secure areas, files and portable equipment before leaving them unattended (ask IT to automatically lock unattended computers)
Shred sensitive paper records before disposing of them
Don't use email to transmit sensitive data, including scanned document attachments
Don't send paper mail that includes SSNs, financial account information, driver's license numbers, etc.
Ensure that all staff have their own logins and accounts (no sharing)
Email is not secure!
“Email was not designed with any privacy or security in mind” - Geoff Duncan, Digital Trends
IT Security Best Practices
Encrypt your data
Use a digital certificate (HTTPS/TLS) on all of your sites
Implement a removable media policy
Protect school websites
Network endpoint security
Stay current with patches and upgrades
Establish a policy of no PII on laptops or mobile devices
Vendor Checklist
How is my data transmitted securely?
What encryption algorithms are used to store my data?
How will my data be stored and protected?
How are the various levels of access granted and controlled?
Who at the vendor has access to my data? Is there background screening?
How are users authenticated? What password management functionality is provided?
What type of physical security is provided for your data center?
What security audits and/or process audits do you comply with?
Is there explicit contract language for who owns the data and how the data can be used?
Alphabet Soup
Certification – Purpose
SSAE 16, SOC 1 and SOC 2 – Auditing standard under which a hosting provider's controls are examined; SOC 2 reports on controls for security and privacy
TRUSTe Certification – Privacy protection certification
PCI DSS – Payment card industry standard for the security of credit card payment processing
FedRAMP – Government program that provides a standard approach to security assessment, authorization and continuous monitoring of cloud products and services
FIPS 140-2 – Federal Information Processing Standard for validating cryptographic (data encryption) modules
ISO 27001 – International standard for an information security management system, certified by audit and risk assessment
Vendors who are serious about security will certify against several of these, depending on the service.
Responding to a Breach
Have a Plan – Key Elements
First 24 Hour Checklist
Notification Requirements
Other Services
Elements of a Good Response Plan
Define a response team with clear roles and responsibilities: Executive Leader, IT, Public Relations, Student Services, Legal, Law Enforcement Liaison
Assign somebody to maintain the contact list on a quarterly basis
Have a documented plan and procedure for investigation, notification, support and legal review
Plan for increased call volume to a call center or other support help line
Provide FAQ and support materials on the institution website and/or student portals
Have a policy for cases that warrant complimentary identity protection and credit monitoring services
Pre-select a data forensics vendor to assist in breach response
Pre-select and negotiate with a breach resolution vendor who can guide you through the process of planning and supporting the response
First 24 Hour Checklist
Record dates and times – discovery, response start
Alert the response team – internal and external resources as identified in your plan
Stop additional data loss – take care to maintain forensic evidence
Secure the premises or equipment to preserve evidence
Document an incident report – key facts, who discovered the breach and when, scope of the breach; interview the individuals who found it
Bring in the forensics team
Notify law enforcement
Assess priorities and risks
Set the response plan in action for notification, PR, call center and execution of support services (credit monitoring)
- Experian Data Breach Response Guide
Notification Requirements
California Civil Code s. 1798.29 and California Civil Code s. 1798.82
DOE Privacy Technical Assistance Center: Consider notifying the Family Policy Compliance Office (FPCO) about the breach. (FERPA does not require that you notify FPCO of the breach; however, the U.S. Department of Education considers it a best practice.)
FPCO can assist educational agencies and institutions by helping to determine the potential for harm resulting from the release of the information
California Office of Privacy Protection: Notify the Attorney General for a breach affecting more than 500 California residents
Notify the credit reporting agencies if the breach affects more than 10,000 people
- http://oag.ca.gov
Notification to Students
Speed, openness and transparency are the keys
Notify individuals within 10 business days of confirming the breach. The notice should include:
The date of the notice. If the notice was delayed as the result of a law enforcement investigation, say so.
A general description of the breach incident.
The specific types of personal information that were involved.
The name and contact information
The toll-free telephone numbers and addresses of the major credit reporting agencies, but only in a breach involving Social Security numbers or driver’s license or California ID numbers.
What you have done to protect the individual’s personal information from further unauthorized acquisition.
What your organization will do to assist individuals, including providing your toll free contact telephone number for more information and assistance.
Information on what individuals can do to protect themselves from identity theft, as appropriate for the specific type of personal information involved.
- http://oag.ca.gov/sites/all/files/agweb/pdfs/privacy/recom_breach_prac.pdf
Our cloud-based products help financial aid departments save time, decrease costs,
lower security risk and improve the student experience.
campuslogic.com
Gilbert, AZ
Chris Chumley, COO
[email protected] | Twitter: @cschumley