Information Security Office Risk Assessment, Disaster Recovery, Data Backups, Data Classification and Incident Reporting Melissa Guenther & Kelley Bogart

Post on 16-Dec-2015


Information Security Office

Risk Assessment, Disaster Recovery, Data Backups, Data Classification and Incident Reporting

Melissa Guenther & Kelley Bogart

Security Risk Assessment

Each security element is rated OK, Review, or Requires Immediate Attention.

Physical Security
• Is our computing equipment properly secured?

Account & Password Management
• Do we ensure only authorized personnel have access to our computers?
• Do we require and enforce appropriate passwords?

Virus Protection
• Do we use, and regularly update, anti-virus software?

Rating key:

OK - The element has been addressed by department action or policy. All the detailed questions can be answered affirmatively.

Review - The basic issue has been addressed, but further review is warranted. Not all the detailed questions can be answered in the affirmative.

Requires Immediate Attention - The element has not been addressed or recently reviewed. Few, if any, of the detailed questions can be answered in the affirmative.


Physical Security - Is our computing equipment properly secured? It is easy to think that because a computer is located in an office or a lab, it is secure. However, that is often not the case. Theft of computer equipment has occurred at the university. Physical security of computing equipment is closely tied to a department's attention to the overall security of its facilities, e.g. office space, wiring closets, storage space, etc.

Account & Password Management - Do we ensure only authorized personnel have access to our computers, and do we require and enforce appropriate passwords? Ensuring that only authorized personnel are able to access department computers is very important to maintaining a secure computing environment. Only those who need access to carry out their work responsibilities should have an active computer account, and accounts should be deactivated when the need no longer exists. Regular use of strong passwords is another key first line of defense against unauthorized access and use of department computing resources. Passwords should be required for access to any computer or server. To be useful and effective, passwords should be easy to remember but difficult to guess. It is very important that passwords not be shared with anybody, or written where others might see them.

Virus Protection - Do we use, and regularly update, anti-virus software? Computer viruses represent a significant and growing threat to personal computers and department servers. They can allow hackers to commandeer a computer and use it to launch attacks on other computers inside or outside the University. Virus infections can also destroy data files and cause loss of productive staff time. We recognize the threats from computer viruses, and as a result have obtained site licenses for (Sophos Anti-virus or other software). Use, and regular update, of anti-virus software is a critical element of security protection.


Security Risk Assessment (cont’d)

Data Backup and Restoration
• Do we periodically back up individual and department data?

Operating Systems
• Are the operating systems we use updated with current security "patches"?

Application Software
• Are our common applications configured for security?

(Each element is rated OK, Review, or Requires Immediate Attention, as defined in the rating key above.)



Data Backup and Restoration - Do we periodically back up individual and department data? In today's technology environment almost everyone relies on a computer to store documents and scholarly papers, correspondence, financial reports, and many other invaluable resources. Imagine working for weeks or months on something and then losing it all because a computer file is deleted or damaged. While hardware can be replaced and application software reloaded from original media, recovery of data files relies on regular backup procedures.

Operating Systems - Are the operating systems we use updated with the appropriate security "patches"? Keeping personal computer and server operating system software up to date is a critical step in establishing a secure computing environment. As the SANS Institute noted in its initial list of "top 10 security vulnerabilities":

A few software vulnerabilities account for the majority of successful attacks because attackers are opportunistic – taking the easiest and most convenient route. They exploit the best-known flaws with the most effective and widely available attack tools. They count on organizations not fixing the problems, and they often attack indiscriminately, by scanning the Internet for vulnerable systems.

Vulnerabilities and methods for closing them vary greatly from one operating system to another.

Application Software - Are our common applications configured for security? The expanded features and increased complexity of applications such as word processing, e-mail, and web browsing create new vulnerabilities. It is important to apply the safeguards that are in place and to apply security updates in a timely manner.


Security Risk Assessment (cont’d)

Confidentiality of Sensitive Data
• Are we exercising our responsibility to protect sensitive data under our control?

Disaster Recovery
• Do we have a current disaster recovery plan?

Security Awareness and Education
• Are we providing information about computer security to our employees?

(Each element is rated OK, Review, or Requires Immediate Attention, as defined in the rating key above.)



Confidentiality of Sensitive Data
• Are all locations of automated and manual sensitive data records in the department known?
• Is access to sensitive data under the department's control restricted?
• Have faculty conducting research determined if the data they collect should be classified as sensitive?
• Do faculty and staff who administer sensitive data understand and follow appropriate federal, state, grant agency, or university regulations for protecting and backing up the data?
• Are student workers given access to confidential teaching or administrative data? If so, is their use of such data monitored closely?
• Is the unencrypted transmission of sensitive data or memos through e-mail discouraged?

An answer of "no" to any of the above questions indicates a risk for which remedial steps should be considered.

Disaster Recovery – Do we have a current disaster recovery plan? Knowing how to react properly in an emergency is critical to making the right decisions to minimize damage and quickly restore operations. A disaster recovery plan provides concrete information and procedures to guide decisions and operations in times of crisis. A disaster recovery plan can be tailored to fit your department's circumstances and exposure to risk.

Security Awareness and Education - Are we providing information about computer security to our employees?

The primary goal of the security awareness program is to reduce security vulnerabilities through education and promotion of good security practices. Given the rapid changes in computing technology, security awareness must be an ongoing activity.

This Security Assessment Checklist in its entirety is available at: http://security.arizona.edu/Security_Assessment_Checklist.pdf


Business Continuity Management and Disaster Recovery Planning

3D Memo From President Likins

October 28, 2002

TO: Vice Presidents, Deans and Department/Unit Heads
FROM: Peter Likins
SUBJECT: Business Continuity Management and Disaster Recovery Planning

The principal business of the University of Arizona is academic operations, which includes teaching, research and outreach. The purpose of this memorandum is to solicit your help in another ABOR tasking that is a companion piece to our “Focused Excellence” endeavor. The task, precipitated by the 9/11 event, requires the development of a Business Continuity and Disaster Recovery Plan.


The purpose of such a plan is to ensure that if an incident occurs, natural or man-made, we will be prepared to deal with it in such a manner that the academic mission continues without disruption or if there is a disruption, it is restored as rapidly as possible. The most critical task that must be performed is identifying the most crucial University functions that need to be operational in order to preclude or minimize any disruption of our academic operations. In getting this process underway, deans, vice presidents and department heads are requested to complete a Critical Functions Assessment Survey. The survey is designed to gain your insights regarding the most crucial functions within your sphere of your leadership responsibility. The survey materials shall be disseminated on-line to facilitate receipt, ease of completion and return of responses. Vice presidents and deans are given the latitude of responding only to the first three questions. Departments/unit heads are requested to complete the entire survey. 


The results of the survey shall be analyzed and an initial prioritization of the functions established. Subsequently, this prioritized listing shall be coordinated with the Faculty Senate and Deans Council prior to being submitted to the Cabinet for final decision. The Cabinet approved priority of the University of Arizona functions will serve as the basis of the Business Continuity and Disaster Recovery Plan. Once this aspect of the project is completed, a Business Continuity Management and Recovery Team, with University-wide representation, will utilize the Cabinet approved functions priority listing as the basis for developing the Business Continuity and Disaster Recovery Plan and also shall be responsible for updating and maintaining its current status.  Our scheduled completion date of the plan is August 2003. This is a monumental task that may require additional assistance from your unit. I ask that you facilitate the accomplishment of any requests made to your respective organization.


Disaster Recovery vs. Business Continuity

Disaster Recovery Planning is an Information Technology function. In the event of a disaster, the IT department may need to take actions to restore the processing environment. This will depend on the organization and on what is defined as critical processing. Organizations will need to define how long systems can be down before declaring a disaster.

Business Continuity Planning is a function of the entire organization. In the event of a complete disaster, the information technology department may be able to relocate the systems at a "hot site." When the systems are brought back up, business operations can begin.

Heads up Computing

Refers to an attitude you need to bring to computer use. It means being alert to suspicious activity and putting plans into action to prevent the loss or destruction of important information.

An important part of Heads up Computing includes backing up data.

Data Backups

How effective would you be if your email, word processing documents, Excel spreadsheets and contact database were wiped out?

How many hours would it take to rebuild that information from scratch?

Methods of Backing Up Data

Drive imaging and full system restores
Making an identical copy of a partition (a grouping of some or all of the space on a hard drive so that the operating system can access it as a logical drive like C:) and storing it elsewhere.

Good archiving
Schedule daily backups of your documents on separate media (hard drive, ZIP, floppy, tape, CD, etc.), and restore those after you restore your drive image if something horrible happens.

General Back up Guidelines for Critical Data

• It’s a good idea to make at least two sets of backups for your critical data—one "live" set that you have available in your office, and one set that you store in a secure off-site location such as a safety-deposit box.

• You should rotate the backups at least every week, so that you have a recent backup that is protected against fire, theft or some other site-specific disaster.
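As an added example that is not part of the original slides, the following Python script implements the two-set rotation described above: a "live" set and an "offsite" set (the set names, the 7-day interval and the four-generation retention are assumptions), where each set is rewritten once its newest archive is older than a week, every new archive is verified by a trial restore against a hash manifest, and older generations are then pruned. The department directory it backs up is constructed inline so the script runs stand-alone.

```python
# Added example (not the slides' own procedure): two backup sets, "live" and
# "offsite" (assumed names), each holding timestamped tar.gz archives plus a
# .sha256 manifest; every new archive is restore-tested before old ones are pruned.
import hashlib
import os
import tarfile
import tempfile
import time

SETS = ("live", "offsite")   # assumed set names: in-office copy and off-site copy
ROTATE_AFTER_DAYS = 7        # slides say "at least every week"; exactly 7 is an assumption
KEEP_PER_SET = 4             # assumed retention: four generations per set


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def manifest(src_dir):
    """Relative path -> SHA-256 for every regular file under src_dir."""
    out = {}
    for root, _dirs, files in os.walk(src_dir):
        for name in files:
            full = os.path.join(root, name)
            out[os.path.relpath(full, src_dir)] = sha256_file(full)
    return out


def create_backup(src_dir, set_dir, now):
    """Write <set_dir>/<stamp>.tar.gz plus a .sha256 manifest; return the archive path."""
    base = os.path.join(set_dir, time.strftime("%Y%m%dT%H%M%S", time.gmtime(now)))
    archive, n = base + ".tar.gz", 0
    while os.path.exists(archive):   # never silently overwrite an earlier generation
        n += 1
        archive = f"{base}-{n}.tar.gz"
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(src_dir, arcname=".")
    with open(archive + ".sha256", "w") as f:
        for rel, digest in sorted(manifest(src_dir).items()):
            f.write(f"{digest}  {rel}\n")
    return archive


def verify_backup(archive):
    """Trial-restore into a scratch directory and compare every file hash with the
    manifest written at backup time: an archive that was never restored is untested."""
    with open(archive + ".sha256") as f:
        expected = dict(line.rstrip("\n").split("  ", 1)[::-1] for line in f)
    # The 'data' extraction filter (Python 3.12+, backported to later 3.8-3.11
    # releases) refuses members that would land outside the scratch directory.
    opts = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(archive, "r:gz") as tar:
            tar.extractall(scratch, **opts)
        return manifest(scratch) == expected


def prune(set_dir, keep=KEEP_PER_SET):
    """Delete all but the newest `keep` archives (and manifests); return how many were removed."""
    archives = sorted(n for n in os.listdir(set_dir) if n.endswith(".tar.gz"))
    old = archives[:-keep] if keep else archives
    for name in old:
        os.remove(os.path.join(set_dir, name))
        os.remove(os.path.join(set_dir, name + ".sha256"))
    return len(old)


def rotate(src_dir, backup_root, now=None):
    """Back up src_dir into every set that is empty or older than ROTATE_AFTER_DAYS,
    verify the new archive, then prune. Returns {set_name: verified} for sets written."""
    now = time.time() if now is None else now
    results = {}
    for name in SETS:
        set_dir = os.path.join(backup_root, name)
        os.makedirs(set_dir, exist_ok=True)
        mtimes = [os.path.getmtime(os.path.join(set_dir, n))
                  for n in os.listdir(set_dir) if n.endswith(".tar.gz")]
        if mtimes and now - max(mtimes) < ROTATE_AFTER_DAYS * 86400:
            continue   # this set's copy is still fresh
        archive = create_backup(src_dir, set_dir, now)
        results[name] = verify_backup(archive)
        prune(set_dir)
    return results


def make_sample_tree():
    """Constructed sample department data (not real files) for a stand-alone run."""
    src = tempfile.mkdtemp(prefix="dept-data-")
    os.makedirs(os.path.join(src, "grants"))
    with open(os.path.join(src, "budget.csv"), "w") as f:
        f.write("item,amount\nprinter,400\n")
    with open(os.path.join(src, "grants", "proposal.txt"), "w") as f:
        f.write("Draft proposal text.\n")
    return src


def demo():
    """First run (both sets due), immediate re-run (nothing due), run 8 days later (both due)."""
    src, root = make_sample_tree(), tempfile.mkdtemp(prefix="backups-")
    first = rotate(src, root)
    rerun = rotate(src, root)
    later = rotate(src, root, now=time.time() + 8 * 86400)
    return first, rerun, later
```

In practice the "offsite" set directory would be a mounted removable drive or a remote share that is physically carried off site; the point of `verify_backup` is that a set counts as current only once a restore from it has been proven to reproduce the original files.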


What to back up
• Back up your entire hard drive, or
• just back up your important data.

Automated vs. manual
• Best to do them at 3 a.m. or some other slack time.
• Can you leave your computer turned on overnight?

Tape
• Expensive and/or too complicated.
• Has the advantage of being easily portable.

CDs and DVDs
• CDs don't hold enough data for most backups.
• DVDs hold more data, but you'll still need maybe a dozen to back up your drive, and they cost $5 each.

Software
• Many options.

Files and Settings Transfer Wizard
• If all you're backing up is critical data, you should consider the Wizard in Windows XP. It's intended to move your data from an old machine to a new one, but it can also be used to make occasional backups of your documents, mail, and important application settings.

Online
• Can cost as little as $6.95 a month.
• Storage space is limited--as "little" as 100MB.

Hard drives
• One of the easiest ways to back up.
• Cheap, fast.

The Bottom Line

Your best backup option is the one you'll actually use. It's all too easy to ignore the chore--so most people do. But if you think about how much it would cost to replace that information, then regular backups aren't really optional.

Data Classification


Requirements

FERPA

HIPAA – Privacy – Security

GLBA

SB 1386


What are the Issues?

• Who Owns It?

• What’s It Worth?

• Who Can Use It?

• How Do We Handle It All?


Who Owns It?

University

Departments

HR

Students

IT

???????????????


What’s It Worth?

University Image

Replacement

Branding

Daily Operations

Competitive Advantage


What are the Threats/Risks?

Threats
– Competitors
– Disgruntled Employees
– Contractors
– Students and Students’ Families
– Patients and Patients’ Families

Risks
– Loss of Credibility
– Loss of Competitive Advantage
– Lawsuits
– Regulatory Fines


Who Can Use It?

Owners

Custodians

Employees

3rd Parties

Business Partners

Regulators / Auditors


How Do We Handle It All?

Email?

FAX?

File Transfers?

Phone?

To shred or not to shred?

Electronic “shredding”?


University Data Classification Matrix 1

Category A (highest, most sensitive)
• Legal requirements: Protection of data is required by law (see attached list for specific HIPAA and FERPA data elements)
• Reputation risk: High
• Other institutional risks: Information which provides access to resources, physical or virtual

Category B (moderate level of sensitivity)
• Legal requirements: U of A has a contractual obligation to protect the data
• Reputation risk: Medium
• Other institutional risks: Smaller subsets of Category A data from a school, large part of a school, or department

Category C (very low, but still some sensitivity)
• Legal requirements: none listed
• Reputation risk: Low
• Other institutional risks: Data about very few people or other sensitive data assets

University Data Classification Matrix 1 (cont’d)

Category A (highest, most sensitive) - Examples
• Medical
• Students
• Prospective Students
• Personnel
• Donor or prospect
• Financial
• Contracts
• Physical plant detail
• Credit card numbers
• Certain management information

Category B (moderate level of sensitivity) - Examples
• Information resources with access to Category-A data
• Research detail or results that are not Category-A
• Library transactions (e.g., catalog, circulation, acquisitions)
• Financial transactions which do not include Category-A data (e.g., telephone billing)
• Very small subsets of Category A data

Category C (very low, but still some sensitivity) - Examples
• Email addresses on a distribution list outside the university
• Your personally identifiable information in a public browser

University Data Classification Matrix 2

Operational / Eligible for Public Release
• Definition: Available to employees for normal operational use. Available to the public based on an appropriate request for disclosure of information.
• Examples: General financial data; Student directory data (non-opt-out); Non-confidential personnel data; Email addresses

Confidential
• Definition: Information that the organization and its employees have a legal, regulatory, or social obligation to protect. Intended for use solely within defined groups in the organization.
• Examples: Employee ID; Student ID; Employee benefit information; Student non-directory information

Restricted
• Definition: Information intended solely for restricted use within the organization and limited to those with an explicit, predetermined "need to know". Disclosure could result in severe personal or financial damage to individuals or the organization.
• Examples: SSN; Passwords/PINs; Credit card numbers; Digitized signatures; Encryption keys; Medical records; Employee / Student / Research Subject
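Matrix 2 names example data elements for each classification. The following Python is an added example, not a university tool, that applies it to records: field names drawn from the matrix's examples (the snake_case spellings are an assumption about how a department labels its columns) set a floor level, and a content scan of every value for SSN patterns and Luhn-valid card numbers raises a record to Restricted. The scan goes one step beyond the matrix itself: it catches restricted data that has been typed into a field labelled as operational, such as a notes column. The sample records are constructed.

```python
import re

# Field names taken from the Matrix 2 example columns; the snake_case spellings
# are an assumption about how a department's records would be labelled.
RESTRICTED_FIELDS = {"ssn", "password", "pin", "credit_card", "digitized_signature",
                     "encryption_key", "medical_record"}
CONFIDENTIAL_FIELDS = {"employee_id", "student_id", "employee_benefits",
                       "student_non_directory"}
LEVELS = ("Operational", "Confidential", "Restricted")

# Content patterns: a US SSN in ###-##-#### form (never-issued area, group and
# serial values excluded) and a 13-19 digit run with optional spaces or hyphens.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(candidate):
    """Luhn checksum over the digits of candidate; filters out invoice numbers
    and other digit runs that merely look like card numbers."""
    digits = [int(c) for c in candidate if c.isdigit()]
    if not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:           # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan_text(text):
    """Return the set of Restricted data kinds found in free text."""
    found = set()
    if SSN_RE.search(text):
        found.add("ssn")
    if any(luhn_ok(m.group(0)) for m in CARD_RE.finditer(text)):
        found.add("credit_card")
    return found


def classify_record(record):
    """Classify one record (dict of field -> value): field names set a floor, and a
    content scan of every value can only raise the level. Returns (level, reasons)."""
    level, reasons = 0, []
    for field, value in record.items():
        key = field.lower()
        if key in RESTRICTED_FIELDS:
            level = max(level, 2)
            reasons.append(f"{field}: Restricted field")
        elif key in CONFIDENTIAL_FIELDS:
            level = max(level, 1)
            reasons.append(f"{field}: Confidential field")
        for kind in sorted(scan_text(str(value))):
            level = 2
            reasons.append(f"{field}: contains {kind} pattern")
    return LEVELS[level], reasons


# Constructed sample records (not real people or account numbers).
SAMPLE_RECORDS = [
    {"name": "A. Example", "email": "aexample@example.edu",
     "notes": "Asked about parking permits"},
    {"name": "B. Example", "student_id": "S-00042", "email": "bexample@example.edu"},
    {"name": "C. Example", "notes": "Reimburse to card 4111 1111 1111 1111"},
    {"name": "D. Example", "notes": "Vendor ref 1234 5678 9012 3456"},
    {"name": "E. Example", "notes": "SSN 123-45-6789 on file"},
]


def classify_all(records=SAMPLE_RECORDS):
    """Classification level for each record, in order."""
    return [classify_record(r)[0] for r in records]


if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        level, why = classify_record(rec)
        print(rec["name"], level, why)
```

The fourth sample record shows why the Luhn check matters: a vendor reference that looks like a card number fails the checksum and stays Operational, whereas the third record's valid card number and the fifth record's SSN both escalate to Restricted regardless of which column they were typed into.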


Regulatory and Other Drivers

Arizona Law
• May opt out of using SSN as identifier
• Must disclose compromise of private information

FERPA - Protect private student information

HIPAA - Protect personal health information (PHI)

GLBA - Protect “banking” transaction information

SEVIS - Provide foreign student information

DMCA - Protect copyrighted information

SB1386 - Protects confidential information of ANY California resident when a computer security breach MAY have compromised it.

Deployment of 802.11x - Brings the security level of wireless systems closer to that of wired ones.

Incident Response

Planning responses for different violation scenarios in advance – without the burden of an actual event – is good practice.

• Know who to report any attempted security violation to – keep the number readily available
• Know what type of information to report (who, what, when, where)
• Timing is important – you need to be prepared to act quickly and accurately

SEC- -Y

The key to security is embedded in the word security.


If not you, who?

If not now, when?


University Information Security Office

Bob Lancaster
University Information Security Officer
Co-Director – CCIT
[email protected]

Security Incident Response Team (SIRT)
[email protected]

Kelley Bogart
Information Security Office
[email protected]

http://security.arizona.edu