
Page 1

Making Sense out of the Information Security and Privacy Alphabet Soup in terms of Data Access

A pragmatic, collaborative approach to promulgating campus-wide policies to address compliance with contractual, regulatory and statutory requirements related to data integrity, security, and privacy in a heterogeneous, multi-platform IT environment at the Georgia Institute of Technology.

Michael Brandon, Director
Jaime Galiano, Project Director

Georgia Institute of Technology
Office of Information Technology – Policy & Strategy

Page 2

© Georgia Institute of Technology, 2004

Copyright Statement

• Copyright Michael Brandon and Jaime M. Galiano, 2004. This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.

Page 3

Chef’s Conundrum:

Page 4

Background: “Recipe Starter”

What?
– Overhaul of existing Data Access Policy and procedures

Why?
– New regulatory, statutory, and contractual requirements in terms of privacy protection
– Significant increase in information security threats
– Minimize risk exposure associated with electronic commerce
– Increasing scope and complexity of GT Information Technology infrastructure

Why Now?
– Contractual and legal compliance deadlines
– Policy refreshment long overdue

Page 5

Requirements: “Allspice”

• Legal
– GLBA: FTC Safeguards Rule
– HIPAA: OCR Privacy Rule
– FERPA

• Contractual
– Cardholder Information Security Program (CISP)

• Standards / Best Practices
– ISO 17799
– GIT Internal Control Guide
– Incident Response Procedures

Page 6

Communicating at different levels: “Appealing to the different tastes”

• Policy Issues

• Change Management Issues

• Implementation Strategy

• Safeguards Issues

• Implementation details – how? How much? Who?

Page 7

Policy Development Committee: “Culinary Specialists”

Representatives from:
– Information Security
– Internal Audit
– Business Office
– Office of the Registrar
– Human Resources
– Enterprise Information Systems (Software Dev.)
– Academic Units
– Sponsored Programs / Research
– Computer Support Representatives
– Policy & Strategy
– Office of Legal Affairs

Page 8

Summary of Activities: “Cooking Instructions”

Timeline (from the 5/16/03 kick-off to policy approval on 7/1/2004):
• 5/16/03: Kick-off
• 5/16 – 7/22: Analysis & Safeguards Draft
• 7/30: Safeguards Draft
• 7/22 – 10/17: Policy & Procedures Update
• 10/17: Draft Policy
• 10/17 – 1/23: Detailed Review of DAP Safeguards
• 1/23: Final Safeguards Document
• 1/23 – 2/29: Impact Assessment
• 3/1: Impact Statement
• 3/1/04 – 6/30/08: Presentation & Approval
• 7/1/2004: Policy Approval

Page 9

Deliverables: “Soup Servings”

Data Classification

• Category 1 – Public Use

• Category 2 – Internal Use

• Category 3 – Sensitive

• Category 4 – Highly Sensitive

Roles

• Chief Data Stewards

• Data Stewards

• Data Coordinators

• Data Administrators

• Authorized Requestors

• Technical Authorities

• Data Users

Procedures

• Standardized Access Request Form
– Three-way certification

Page 10

Deliverables: “More Servings”

Unit-Level Servers hosting sensitive data

Deans, VP’s, Associate VP’s:

• Register w/ OIT IS

• Direct reviews and respond to technical reports for approved servers

• Coordinate w/OIT IS to verify security procedures

• Periodic access control assessments

Desktops/Laptops/ Workstations

• User responsibility

• Current firewall & anti-virus software must be installed & enabled

• OS patches must be kept up-to-date

Page 11

Data Protection Safeguards: “The Spice Rack”

Major Safeguard Groupings
– Physical Access Control
– Information Security Policy
– Firewall Protection
– Security Patches
– Protection of Stored Data
– Network Data Encryption
– Anti-virus Software
– Access Control (need-to-know)
– Unique identification (person or system)
– System Configuration
– Tracking Access by Unique ID
– Testing of Security Systems and Processes

Page 12

Safeguards by Data Category: “Mild or Extra Hot?”

• Category IV data safeguards are comprehensive and uncompromising; primarily contractual

• Category III data safeguards are designed to meet all legal requirements in terms of “reasonable” protection

• Category I data mandatory requirements constitute the “lowest common denominator” for protecting the weakest nodes on the network

• Higher category = higher overhead

[Chart: number of safeguards per data category (I, II, III, IV), broken down into Mandatory, Recommended and Suggested; vertical axis 0 to 140]

Page 13

High Impact Implementation Issues: “Heartburn”

Columns: Issue / Safeguard | Impacted Categories | Upfront Cost | Recurring Cost | Additional Staffing | Additional Training | Technical Challenge. Ratings (Low / Med / High, ?? where undetermined) are listed in slide order; cells left blank on the slide did not survive extraction, so rows with fewer than five ratings cannot be assigned to columns with certainty.

• Keeping security patches up-to-date (Ref: Lines 60-64) | All | Low, Low, Low, Med
• Information Security Specialists and System Administrators within campus units (Ref: Lines 35-40) | All | High, High
• Backup strategy and execution at the department level (Ref: Line 164) | Cat II, III & IV | High, Low, Low, Med, Low
• Policy/implementation awareness and training | All | Low, High
• Standards and training for Technical Authorities | Cat III & IV | Med, Med
• Performing internal vulnerability scans (Ref: Line 149) | All | Low, Med
• Use of network intrusion detection systems to monitor all network traffic (Ref: Line 152) | All | High, High, Low
• Encryption of sensitive data sent across public networks (Ref: Line 80) | Cat III & IV | High, Med, High
• Performing external vulnerability scans (Ref: Line 48) | All | High, Low, Low
• Not sending sensitive data via un-encrypted email (Ref: Line 81) | Cat III & IV | ??, High
• Physical security measures | Cat III & IV | High, Med
• Preventing unauthorized access to network connections on campus (Ref: Line 11) | All | High, Low, Low, Low, Med
• Encryption of all passwords stored on network devices (Ref: Line 71) | All | High, Med, High
• Reviewing security, firewall, and server logs as specified (Ref: Line 147) | All | High, Med, Low, Med, High
• Encrypting access to sensitive databases (Ref: Line 82) | Cat III & IV | High, Med, High
• Monitor failed system access attempts as specified (Ref: Line 110) | All | ??, ??, Low, High
• Faculty and staff training for recovery plan execution and security breach response responsibilities (Ref: Lines 159, 163) | All | Med, Med
• Performing penetration tests (Ref: Line 151) | Cat III & IV | Low, Low, High
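Two of the rows above, “Monitor failed system access attempts” and “Reviewing security, firewall, and server logs”, together with the “Tracking Access by Unique ID” safeguard grouping, describe a concrete control that is easy to get wrong without a worked example. The script below is an added illustration, not code from the Georgia Tech policy or this presentation: it parses constructed sshd-style syslog lines, tallies failures per unique ID, and raises an alert when one ID from one source fails repeatedly inside a sliding window, noting whether a successful login from that source followed. The threshold (5), window (10 minutes), year (2004) and the log lines themselves are assumptions made for the example.

```python
"""Failed-login monitoring over sshd-style log lines.

Added illustration for two safeguards named on the slides: tracking access by
unique ID and monitoring failed system access attempts. The log lines are
constructed for this example; the threshold, window and year are assumptions,
not values taken from the Georgia Tech policy.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in syslog/sshd format (not real data).
SAMPLE_LOG = """\
Mar  3 08:01:10 db1 sshd[4021]: Failed password for jdoe from 10.0.5.17 port 51022 ssh2
Mar  3 08:01:14 db1 sshd[4021]: Failed password for jdoe from 10.0.5.17 port 51023 ssh2
Mar  3 08:01:19 db1 sshd[4021]: Failed password for jdoe from 10.0.5.17 port 51024 ssh2
Mar  3 08:01:25 db1 sshd[4021]: Failed password for jdoe from 10.0.5.17 port 51025 ssh2
Mar  3 08:01:31 db1 sshd[4021]: Failed password for jdoe from 10.0.5.17 port 51026 ssh2
Mar  3 08:01:40 db1 sshd[4021]: Accepted password for jdoe from 10.0.5.17 port 51027 ssh2
Mar  3 08:15:02 db1 sshd[4100]: Failed password for invalid user admin from 198.51.100.9 port 40001 ssh2
Mar  3 09:30:00 db1 sshd[4200]: Failed password for asmith from 10.0.7.3 port 52000 ssh2
Mar  3 10:45:00 db1 sshd[4300]: Failed password for asmith from 10.0.7.3 port 52001 ssh2
"""

# One pattern for both outcomes; "invalid user" marks a name sshd does not know.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>[\d.]+) port \d+"
)


def parse_events(text, year=2004):
    """Return (timestamp, host, user, src, succeeded) tuples, oldest first.

    Syslog timestamps carry no year, so the caller supplies one (assumed here).
    """
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m is None:
            continue  # not an auth line; a production reviewer would count these too
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["host"], m["user"], m["src"], m["result"] == "Accepted"))
    return sorted(events)


def failures_by_user(events):
    """Failed attempts per unique ID: the per-ID tally that 'tracking access
    by unique ID' makes possible in the first place."""
    return Counter(user for _, _, user, _, ok in events if not ok)


def failed_login_alerts(events, threshold=5, window_minutes=10):
    """Flag each (host, user, source) that fails `threshold` or more times
    inside a `window_minutes` sliding window, and record whether a successful
    login from the same source followed the burst (a guessed password looks
    exactly like that)."""
    window = timedelta(minutes=window_minutes)
    by_key = defaultdict(list)
    for ts, host, user, src, ok in events:
        by_key[(host, user, src)].append((ts, ok))

    alerts = []
    for (host, user, src), seq in by_key.items():
        fails = [ts for ts, ok in seq if not ok]
        for i in range(len(fails)):
            j = i
            while j + 1 < len(fails) and fails[j + 1] - fails[i] <= window:
                j += 1
            if j - i + 1 >= threshold:
                last_fail = fails[j]
                alerts.append({
                    "host": host, "user": user, "src": src,
                    "failures": j - i + 1,
                    "first": fails[i].isoformat(), "last": last_fail.isoformat(),
                    "then_succeeded": any(ok and ts > last_fail for ts, ok in seq),
                })
                break  # one alert per key is enough for this illustration
    return alerts


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    print(dict(failures_by_user(evs)))
    for alert in failed_login_alerts(evs):
        print(alert)
```

Run as-is, the sample flags jdoe from 10.0.5.17 (five failures in 21 seconds, then an accepted login) and leaves asmith alone, whose two failures are 75 minutes apart; the "invalid user admin" probe is counted in the per-ID tally but falls below the threshold. Keying on host, user and source, rather than on user alone, keeps an attacker spraying one account from many addresses and a user mistyping a password from one desk from being reported as the same thing; the window keeps slow, spread-out failures from accumulating into a false alert.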

Page 14

What did we do differently? “Chef’s Corner”

• Broad representation on Policy Development Committee

• Combined “Top-down” and “Bottom-up” approaches to policy development

• Extensive review of, and consensus on, all key deliverables

• Implementation flexibility to account for current economic and organizational constraints, while still addressing all requirements

Page 15

What have we learned? “Adding soup to the menu…”

• Critical to engage all key constituencies and stakeholders early on

• Inclusionary approach involves making compromises

• Need to have (a) clearly-defined sponsor(s) and approval process

• Communicate early and frequently

Page 16

Soup anyone?

Mike Brandon, Director – OIT P&S, Georgia Institute of Technology, [email protected]

Jaime Galiano, Project Director – OIT P&S, Georgia Institute of Technology, [email protected]