Best Practices for Data Protection and Cyber Security

Thursday, February 24, 2011, 24th Annual MIS Conference – Austin, TX

Mark Hall


Social Change….


Cyber attacks in the news . . .


“Hacked: Data breach costly for Ohio State, victims of compromised info - Breach affects 760,000 people, expected to cost university $4 million” – The Lantern, December 2010

“Hackers broke into the computer system at a New Jersey school district - gained access to student records system used by 160 schools across the state.” – Info Security, January 2011

“UC-Berkeley records hacked - thieves able to access social security numbers, health files dating back to 1999, over 160,000 records stolen” – San Jose Mercury News, May 2009


Agenda

• About PTAC

• Data Protection & Cyber Security

• Threats & Consequences

• National Focus

• Top Data Protection issues in Education’s Cyberspace

• Best Practices for Data Protection & Cyber Security

• PTAC Way-ahead for Cyber Security

• Questions


Privacy TA Center (PTAC) Mission

The Privacy TA Center is designed to provide states with:

• A set of tools, resources, and other opportunities for states to receive assistance with privacy, security, and confidentiality of student-level longitudinal data systems.

• A means for states to share their best practices, documents, and other relevant resources in the areas of privacy, security, and confidentiality.

• A focal point for queries and responses to the privacy-related needs of State Education Agencies (SEAs), Local Education Agencies (LEAs), and Institutions of Higher Education (IHEs) in a confidential, safe environment.

• A set of resources to promote compliance with FERPA and other best practices for ensuring the confidentiality and security of personally identifiable information.

http://nces.ed.gov/programs/Ptac/Home.aspx


Many ways to Protect Data


Principles for Data Protection & Cyber Security

• Data Protection Act 1998 – “eight enforceable principles of good practice”.

• Data must be:
  • fairly and lawfully processed
  • processed for limited purposes
  • adequate, relevant and not excessive
  • accurate
  • not kept longer than necessary
  • processed in accordance with the data subject's rights
  • secure
  • not transferred to other countries without adequate protection.

• Cyber Security Principles

• Data should:
  • Be confidential
  • Maintain integrity
  • Be available
  • Be authenticated

• Systems that process data should:
  • Be designed from the start with security in mind
  • Be resilient to attack
  • Be maintained regularly


Advanced & Persistent Cyber Threats & Consequences

Threats to your data:

• It’s happening

• It’s focused

• It’s sophisticated

• Social Security Numbers/Identity
• Education Records
• Employee Data
• Financial Records
• Disciplinary Actions
• Internal Memos
• Medical Information
• Personal Documents


Anatomy of a Cyber Attack: “Night Dragon” Case Study


Cyberspace - 2008

The interdependent network of information technology infrastructures, and includes the Internet, telecommunications networks, computer systems, and embedded processors and controllers in critical industries. Common usage of the term also refers to the virtual environment of information and interactions between people.

US National Security Presidential Directive 54/Homeland Security Presidential Directive 23 (NSPD-54/HSPD-23)

“It's now clear this cyber threat is one of the most serious economic and national security challenges we face as a nation.”

President Barack Obama, May 2009


Cybersecurity – A National Focus

• NSPD-54/HSPD-23
  • Establish front line defense
  • Defend against full spectrum of threats
  • Strengthen future cybersecurity environment

• Leading from the Top
• Building Capacity for a Digital Nation
• Sharing Responsibility
• Information Sharing / Incident Response
• Encouraging Innovation

http://www.whitehouse.gov/administration/eop/nsc/cybersecurity

CNCI – Comprehensive National Cyber Initiative

60-Day Cyberspace Policy Review

Awareness Month


StaySafeOnline.org


Top Data Protection issues in Education’s Cyberspace 

• Protecting Personally Identifiable Information (PII)
  • As we strive towards a “digital nation”, it increases exposure to risk
  • More records online & accessible
  • Identity Theft (10% Children)

• Keeping pace with Network & Systems Security
  • Protective measures are outpaced by the “bad-guy”
  • Traditional “whack-a-mole” patching doesn’t work anymore

• Maintaining the foundation of Strategy, Policy & Governance
  • Training, Education & Awareness is key
  • Cloud computing complicates traditional architecture approaches


Best Practices


Best Practices – Cyber Security & PII   

According to the Open Security Foundation, the government sector (e.g. federal, state, and local) was accountable for 21 percent of all data breaches in 2009. This is not surprising as government agencies maintain a wealth of information including personally identifiable information (PII) on millions of employees and citizens. (Source RSA)


Best Practices – NIST Selected PII Security Controls  

• Access Enforcement (ACLs, RBACs, encryption)

• Separation of Duties

• Least Privilege (read, write, edit)

• Remote Access (limit or deny)

• Access Control for Mobile Devices (deny or limit)

• Auditable Events and Audit Reviews (policy that monitors certain events)

• Identification and Authentication

• Media Access, Marking, Storage, Transport, and Sanitization

• Transmission Confidentiality (encryption)

• Protection of Information at Rest

• Information System Monitoring (automated tools to detect suspicious transfers)

NIST Special Pub 800-122, Guide to Protecting the Confidentiality of Personally Identifiable Information
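Four of the controls listed above (Access Enforcement via RBAC, Least Privilege, Auditable Events, and Information System Monitoring for suspicious transfers) can be exercised together in a small model. The Python below is an added example written for this page, not code from PTAC, NIST or the presenter. It assumes a hypothetical `PIIStore` holding a few constructed, fake student records, a `ROLE_PERMISSIONS` table standing in for an RBAC policy, an audit log that records every access attempt whether allowed or denied, and a `detect_bulk_reads` monitor that flags any user whose successful reads touch more distinct records than a chosen threshold.

```python
"""Added illustration of RBAC enforcement, least privilege, audit events and
bulk-read monitoring over constructed student PII records (not PTAC/NIST code)."""
from collections import Counter, defaultdict
from dataclasses import dataclass

# Hypothetical RBAC policy: each role gets only the actions its job needs.
ROLE_PERMISSIONS = {
    "registrar": {"read", "write"},
    "teacher": {"read"},
    "helpdesk": set(),  # resets passwords, never touches PII
}

# Constructed sample records with obviously fake values.
STUDENT_RECORDS = {
    "S1001": {"name": "Ann Example", "ssn": "000-00-0001"},
    "S1002": {"name": "Ben Example", "ssn": "000-00-0002"},
    "S1003": {"name": "Cy Example", "ssn": "000-00-0003"},
}


@dataclass
class AuditEvent:
    user: str
    role: str
    action: str
    record_id: str
    allowed: bool


class PIIStore:
    """Hypothetical store that enforces the role policy on every access."""

    def __init__(self, records, role_permissions):
        self._records = {k: dict(v) for k, v in records.items()}
        self._perms = role_permissions
        self.audit_log = []

    def _authorize(self, user, role, action, record_id):
        allowed = action in self._perms.get(role, set())
        # Every attempt, allowed or denied, becomes an auditable event.
        self.audit_log.append(AuditEvent(user, role, action, record_id, allowed))
        if not allowed:
            raise PermissionError(f"{user} ({role}) may not {action} {record_id}")

    def read(self, user, role, record_id):
        self._authorize(user, role, "read", record_id)
        return dict(self._records[record_id])

    def write(self, user, role, record_id, **fields):
        self._authorize(user, role, "write", record_id)
        self._records[record_id].update(fields)


def detect_bulk_reads(audit_log, threshold):
    """Monitoring: users whose successful reads touched more than `threshold`
    distinct records, a simple stand-in for suspicious-transfer detection."""
    per_user = defaultdict(set)
    for ev in audit_log:
        if ev.allowed and ev.action == "read":
            per_user[ev.user].add(ev.record_id)
    return {u: len(ids) for u, ids in per_user.items() if len(ids) > threshold}


def denied_attempts(audit_log):
    """Audit review: how many denied attempts each user generated."""
    return Counter(ev.user for ev in audit_log if not ev.allowed)


def run_demo():
    """Walk the controls with constructed users and return the outcomes."""
    store = PIIStore(STUDENT_RECORDS, ROLE_PERMISSIONS)
    outcomes = {"teacher_read": store.read("tom", "teacher", "S1001")["name"]}
    # Least privilege: a teacher may not write, help desk may not read at all.
    for user, role, action, rid in [("tom", "teacher", "write", "S1001"),
                                    ("hal", "helpdesk", "read", "S1002")]:
        try:
            if action == "read":
                store.read(user, role, rid)
            else:
                store.write(user, role, rid, name="changed")
            outcomes[f"{user}_{action}"] = "allowed"
        except PermissionError:
            outcomes[f"{user}_{action}"] = "denied"
    # A permitted role pulling every record still trips the monitor.
    for rid in STUDENT_RECORDS:
        store.read("rita", "registrar", rid)
    outcomes["bulk"] = detect_bulk_reads(store.audit_log, threshold=2)
    outcomes["denied"] = dict(denied_attempts(store.audit_log))
    outcomes["events"] = len(store.audit_log)
    return outcomes


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The point the demo makes is that access enforcement and monitoring are complementary: the registrar's reads are all authorized, so the access-control layer never objects, and only the audit log plus a threshold on distinct records read surfaces the bulk pull. In a real system the threshold would be set per role and time window and the audit log shipped to a system the data owners cannot edit.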


Best Practices – Multi-Factor Authentication

1. Be reliable, scalable, and available

2. Be compatible and interoperable with your Technology and Policy

3. Seamlessly integrate with existing architectures and infrastructure

4. Support web applications and should not require client-side software

5. Be compliant with NIST, FIPS and other federal standards

6. Be based on mature technology and should be commercially available with a broad installed market base


If you have remote access users, MFA should be a high priority capability


Social Networking Sites: Are you protected?

Diagram: malware infects a user on a social network site (e.g. Twitter, Facebook, Match.com) → Internet-facing application → Student Data


Not connected to the internet? Removable Media

Diagram labels: Policy, user training and monitoring; Identity


http://www.staysafeonline.org/for-business/best-practices

Best Practices – Network & System Security

• Use a firewall. A well-configured firewall keeps criminals out and sensitive data in.

• Install and maintain anti-virus software. Computer viruses can steal and corrupt your privacy data. Install good anti-virus software on all your computers, and make sure it stays up to date.

• Install and maintain anti-spyware software. Like viruses, spyware can compromise privacy data. If kept up to date, a good anti-spyware program will protect you from most of it.

• Use spam filters. Spam can carry malicious software and phishing scams, some aimed directly at a state agency or school. A good spam filter will block most of it and will make your email system safer and easier to use.

• Keep software updated. Updates to your operating system and custom software often close serious security gaps. Set your software to auto-update, or make sure to download and install the updates yourself regularly.


Best Practices - Governance and Policy

• Governance:
  • Do you have a Chief Information Security Officer (CISO)?
  • Do the data collection experts work closely with the data protection organization?
  • Do you have a strategy to address cyber security threats?
  • Do you rely solely on audits to discover vulnerabilities?
  • Do you have an independent third party to assist your team?
  • Do you have security training? (Mandatory, yearly)

• Policy:
  • Do you have the right security policies?
  • Are they updated as new applications or technology are implemented?
  • Are they enforced? (accountability)
  • Is policy used in lieu of investing in technology?


http://nces.ed.gov/programs/Ptac/Home.aspx

PTAC 

• The Privacy Technical Assistance Center is your “one-stop-shop”:
  • frequently asked questions
  • links to useful online resources
  • training materials for data administrators and data users
  • regional meetings and lessons learned forums for education stakeholders
  • site visits to state and local education agencies
  • a help desk to respond to inquiries
  • an extension of your LDS team


Effective Cyber Security Management will:

• Meet privacy/data protection requirements

• Ensure the integrity of stored data

• Prevent data manipulation, re-identification, and unauthorized access

• Save money through reduced incidents

PTAC can help you prioritize capabilities


PTAC Cyber Security Proposed Tasks

• Website Document: List of best practices resources

• Issue Brief: Effective response to security audits

• Website Document: Best practices for securing State LDS.


PTAC Cyber Security Proposed Tasks

• Webinar on best practices for responding to a breach of individual privacy in an education organization, including how to minimize harm, identify faulty practices and technologies, develop and implement improved practices and technologies, and document lessons learned from the experience.


PTAC Cyber Security Proposed Tasks

• Issue Brief: Outline the threats against education institutions and consequences of stolen privacy data

• PowerPoint presentation: Covering issue brief around threats to education institutions and consequences of stolen data

• We would like your ideas and thoughts on cyber security topics that would be helpful to you!


Questions?

http://nces.ed.gov/programs/Ptac/Home.aspx