Post on 23-Dec-2015
Information Security Office, www.cmu.edu/iso
Copyright Statement
Copyright Mary Ann Blair 2008. This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.
Identity Finder and Carnegie Mellon
Mary Ann Blair, Director of Information Security
Information Security Office (ISO), www.cmu.edu/iso
Overview
1. Background
2. What We Did
3. How We Did It
4. What We Learned
5. What Next…
Background
What We Did
• SSN Remediation Project: local scanning fast-tracked after laptop theft
• Learned from peers!
• Vendor partnership as a critical selection criterion
• Enterprise license including home use
What We Did
• Voluntary for all faculty, staff, and students
• Appealed to stewardship
• Relied on the shock factor
• Big bang
How We Did It
• Customized MSI
  – Embedded license key
  – Disabled recycle option
  – Disabled auto-update
• Customized user documentation
• Pre-announced to partners followed by mass mail
• Surveyed faculty & staff
Mass Mail: Do your part to prevent Identity Theft
Protect Yourself, Others and the University from Identity Theft with Identity Finder!
Did You Know?
- Your computer might be storing personally identifiable information (PII) such as your Social Security Number, bank account numbers, credit card numbers and passwords without your knowledge
- If your computer or external media is lost, stolen or broken into over the Internet, someone might use it to steal your identity and the identities of anyone who shares your computer or whose personal information you might handle
- If you store sensitive PII for Carnegie Mellon work and your computer or external media is lost or compromised, the University is obligated under PA state law to notify everyone affected by the breach and could potentially be legally liable
- Over eight million Americans have their identities stolen annually and on average victims spend 600 hours clearing their good name -- Federal Trade Commission & Identity Theft Resource Center
Do Your Part! Clean Up Sensitive PII on Your Computer with Identity Finder! <site links>
NOTE: If your computer is managed by a Carnegie Mellon departmental computing administrator, please consult that person before making ANY system changes.
How We Did It
http://www.cmu.edu/computing/doc/security/identity/index.html
How We Did It
What we told folks 1/3
1. Know what data is stored on your personal computer.
2. Delete or redact what you don't absolutely need.
What we told folks 2/3
3. Don't store it on your personal computer, especially not on your laptop or home computer.
If you must store sensitive data, check with your departmental computing administrator about options to store it on a secured file server, one with robust access control mechanisms and encrypted transfer services.
What we told folks 3/3
4. If you must store it on your personal computer:
A. Follow the "Securing your Computer" guidelines
B. Password protect the file if possible
C. Encrypt the file (Identity Finder's Secure Zip, PGP Desktop or TrueCrypt)
D. Only transmit via encrypted protocols
E. Secure delete it as soon as feasible
F. Reformat and/or destroy your hard drive before disposal or giving your computer to someone else
G. Secure your backups and media
H. Tell us why so that we can brainstorm alternatives
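The scanning in step 1 was done by Identity Finder; as an added illustration (not the product's code and not part of the deck), the Python below shows the kind of validated search such a tool performs: SSN- and card-shaped strings are reported only when they pass the SSA structural rules and the Luhn check, so test fixtures and phone numbers are not flagged. The sample text is constructed.

```python
import re

# Constructed sample: a note as it might sit in a user's documents folder.
SAMPLE = """Payroll note: employee 219-09-9999 started in May.
Test fixture SSN 000-12-3456 and 666-45-6789 must never be flagged.
Card on file: 4111 1111 1111 1111 (expires 12/29); bogus 4111 1111 1111 1112.
Phone 412-268-2000 is not an SSN."""

SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")


def valid_ssn(area: str, group: str, serial: str) -> bool:
    """SSA issuance rules: area 000, 666 and 900-999 are never issued,
    nor are group 00 or serial 0000. Cuts the most common false positives."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return group != "00" and serial != "0000"


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pii(text: str) -> dict:
    """Return SSN and card candidates that survive validation."""
    ssns = [m.group(0) for m in SSN_RE.finditer(text) if valid_ssn(*m.groups())]
    cards = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 16 and luhn_ok(digits):
            cards.append(digits)
    return {"ssn": ssns, "card": cards}


if __name__ == "__main__":
    print(find_pii(SAMPLE))
```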
What we learned
Three Month Adoption Rates
[Chart: Three Month Adoption Rates. Bars of Notified vs. Downloads for Faculty, Staff and Student, y-axis 0 to 12,000; download rates shown on the chart are 4%, 6% and 11%.]
* Only 4% of downloads resulted in a completed survey.
What we heard
• "Didn't realize info was stored like it was."
• "I would not use it again until a MAC version is available, operating at a more acceptable search rate."
• "I think this is an incredible, very valuable tool. THANKS for making it available."
• "This was an eye-opener for me. This is a good addition to our set of security tools."
• "No, the data on my computer was an oversight on my part. Some of the data existed from a previous employee."
• "Some 70 of my 90 passwords were from browsers -- that was a learning experience, but it was not worth the 3 hours for this."
What we learned
• Workloads don't support volunteerism
• There is a lot to secure and it's hard and time-consuming deciding how to do it
• There are local as well as central retention requirements
• User requirements must be easy
• Users expect communication via local channels
• We have an expert's blind spot
What Next…
• Getting better air cover (top-down)
• Partnering w/local IT and user groups
• Pushing installs via AD group policy
• Offering hands-on classroom training
• Preparing for console functionality
• Developing Macintosh support
• Stopping release of SSNs into the wild
• Developing SSN Usage Policy
Q&A
Please e-mail for additional information.
macarr@cmu.edu
iso@andrew.cmu.edu