UWM CIO Office Institutional Data Privacy and Security Presenter: Steve Brukbacher, Information...
UWM CIO Office
Institutional Data Privacy and Security
Presenter: Steve Brukbacher, Information Security Architect
Moderated by: Bruce Maas, CIO
November 11, 2009
UWM Information Security responsible for coordinating:
• Policies
• Technical controls
• Compliance
• Communication
• Forensics, investigations and incident response
Session Goals
• Answer “Why is this important?”
• Share Security Goals
• Identify future steps and needs
First, some background…
We are all data custodians.
Security Trends
Increasingly complex landscape
Security Trends
Need to control where confidential data lands
Security Trends
Challenging endpoint security
Data breaches are costly.
$202/record
500 records = $101K
1,000 records = $202K
30,000 records = $6.06M
Source: Ponemon Institute ponemon.org
Data breaches are costly.
Loss of trust.
Source: Ponemon Institute ponemon.org
What dangers are on the horizon?
Threats
Datalossdb.org
What have we gotten good at:
- Incident Response and Forensics
- Day to day security issues
- AV Management
- Risk Assessments
- Network Monitoring
- Efficient Desktop Support
So where is UWM in this landscape?
Data Sources
Students: Academic, Health, HR
Faculty/staff: HR, Health
Research: Health, Patent
Types of Data
• SSNs
• Credit card numbers
• Grades
• Personnel-related
• Health-related
• Research-related
Personal Health Information Example
• CUPH (Aurora, Medical College, UWM)
• Milwaukee Health Report 2009
• Perinatal database hosting (80+ hospitals) statewide:
  - Providing data to state vital records
  - Meeting reporting needs for hospitals/health departments
Health care issues such as:
• Health care legislation
• Pandemic issues
• Socioeconomic disparity
Even more motivation for breach prevention!
Institutional Data Privacy and Security Goals
1. Manage access to and use of confidential data
2. Understand where the data is
3. Develop efficient and consistent compliance processes
4. Offer “pre-fab” high security environments
Institutional Data Privacy and Security Goals
1. Limit access to and use of confidential data
Institutional Data Privacy and Security Goals
2. Know location of data
Institutional Data Privacy and Security Goals
3. Employ a repeatable, cost-effective and reportable compliance methodology
Institutional Data Privacy and Security Goals
4. Offer “pre fab” high security environments for researchers
What do we need?
• Policy
• Procedures and processes
• Strengthened core IT infrastructure
• Security-enhanced networking environments
• Security-enhanced desktop environments
Policies currently in place:
• Acceptable Use Policy (AUP)
• Campus Information Security Policy
Policy Needs Identified/in Process
Research Data Security Policy:
- Integrate w/IRB process to secure confidential human subjects data
- Utilize form to gather basic info
- Work w/Security via checklist or one-on-one engagement
Policy Needs Identified/in Process
SSN Privacy & Security Policy:
- Establishes understanding to only collect/store data as necessary
- Formally ensures data is secured where it is needed and used
Procedures and Processes
• Need for GRC product?
• IRB coordination
• Ongoing process of procedure development for security assessment and implementation
New credit card data handling procedures/processes
• Consolidation of card payment services
• Allowance for other options provided unit responsible for compliance efforts
Strengthen Core IT Infrastructure
Framework: ITIL - IT Infrastructure Library:
• Utilizes methodology for efficient and secure IT management
• Focuses on defining services
• Clarifies requirements for:
  - Performance
  - Functionality
  - Security
Strengthen Core IT Infrastructure
How do we do this?
• Determine what you have
• Stabilize the patient
• Establish repeatable build processes
• Enable continuous improvement
Strengthen Core IT Infrastructure
What are we working on?
• More formal change management process
• Development of a unified patching methodology
• Contemplating a Log Management system
• Baseline system security standards
New Service/Service Enhancement Process
• Enumerates resource estimates and details impacts of systems/services
• Facilitates top-level resource decision-making
• Ensures right people at the table
• Helps balance service levels with service expectations
Security-enhanced Networking Environments
• Need a network “home” for confidential data
• Need network-based firewall services
• Need flexible implementation
Security-enhanced Desktop Environments
Tech Users Group providing foundation
• Common identified solutions:
  - McAfee & EPO
  - Identity Finder
  - Next Gen. endpoint security
  - Collaboration on OS deployments
• Needs:
  - Patch Management
  - Full support for FDE
  - File/folder level encryption software & support
Institutional Data Privacy and Security Goals
1. Manage access to and use of confidential data
2. Understand where the data is
3. Develop efficient and consistent compliance processes
4. Offer “pre-fab” high security environments – ability to execute
What do we need?
• Policy to establish roles and “must do’s”
• Procedures and processes
• Strengthened core IT infrastructure
• Security-enhanced networking environments
• Security-enhanced desktop environments
Specific Technical Needs:
• Network firewall
• GRC software
• Identity Finder
• Full disk encryption
• File/folder-level encryption
• Patch Management
• Log management
Requires Investment:
Technology
People
Shared responsibility of all to serve as data custodians and ensure data is kept secure.
Steve Brukbacher
Bruce Maas
Institutional Data Privacy and Security