Making Sense out of the Information Security and Privacy Alphabet Soup in terms of Data Access
A pragmatic, collaborative approach to promulgating campus-wide policies to address compliance with contractual, regulatory and statutory requirements related to data integrity, security, and privacy in a
heterogeneous, multi-platform IT environment at the Georgia Institute of Technology.
Michael Brandon, Director
Jaime Galiano, Project Director
Georgia Institute of Technology
Office of Information Technology – Policy & Strategy
© Georgia Institute of Technology, 2004
Copyright Statement
• Copyright Michael Brandon and Jaime M. Galiano, 2004. This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.
Chef’s Conundrum:
Background (“Recipe Starter”)
What?
– Overhaul of existing Data Access Policy and procedures
Why?
– New regulatory, statutory, and contractual requirements in terms of privacy protection
– Significant increase in information security threats
– Minimize risk exposure associated with electronic commerce
– Increasing scope and complexity of GT Information Technology infrastructure
Why Now?
– Contractual and legal compliance deadlines
– Policy refreshment long overdue
Requirements (“Allspice”)
• Legal
– GLBA: FTC Safeguards Rule
– HIPAA: OCR Privacy Rule
– FERPA
• Contractual
– Cardholder Information Security Program (CISP)
• Standards / Best Practices
– ISO 17799
– GIT Internal Control Guide
– Incident Response Procedures
Communicating at different levels (“Appealing to the different tastes”)
• Policy Issues
• Change Management Issues
• Implementation Strategy
• Safeguards Issues
• Implementation details – how? How much? Who?
Policy Development Committee (“Culinary Specialists”)
Representatives from:
– Information Security
– Internal Audit
– Business Office
– Office of the Registrar
– Human Resources
– Enterprise Information Systems (Software Dev.)
– Academic Units
– Sponsored Programs / Research
– Computer Support Representatives
– Policy & Strategy
– Office of Legal Affairs
Summary of Activities (“Cooking Instructions”)
[Project timeline chart, 8/1 to 7/1; milestones recovered from the chart, in date order:]
• 5/16/03 – Kick-off
• 5/16 – 7/22 – Analysis & Safeguards Draft
• 7/30 – Safeguards Draft
• 7/22 – 10/17 – Policy & Procedures Update
• 10/17 – Draft Policy
• 10/17 – 1/23 – Detailed Review of DAP Safeguards
• 1/23 – Final Safeguards Document
• 1/23 – 2/29 – Impact Assessment
• 3/1 – Impact Statement
• 3/1/04 – 6/30/08 – Presentation & Approval
• 7/1/2004 – Policy Approval
Deliverables “Soup Servings”
Data Classification
• Category 1 – Public Use
• Category 2 – Internal Use
• Category 3 – Sensitive
• Category 4 – Highly Sensitive
Roles
• Chief Data Stewards
• Data Stewards
• Data Coordinators
• Data Administrators
• Authorized Requestors
• Technical Authorities
• Data Users
Procedures
• Standardized Access Request Form
– Three-way certification
Deliverables “More Servings”
Unit-Level Servers hosting sensitive data
Deans, VP’s, Associate VP’s:
• Register w/ OIT IS
• Direct reviews and respond to technical reports for approved servers
• Coordinate w/OIT IS to verify security procedures
• Periodic access control assessments
Desktops/Laptops/ Workstations
• User responsibility
• Current firewall & anti-virus software must be installed & enabled
• OS patches must be kept up-to-date
Data Protection Safeguards (“The Spice Rack”)
Major Safeguard Groupings:
– Physical Access Control
– Information Security Policy
– Firewall Protection
– Security Patches
– Protection of Stored Data
– Network Data Encryption
– Anti-virus Software
– Access Control (need-to-know)
– Unique identification (person or system)
– System Configuration
– Tracking Access by Unique ID
– Testing of Security Systems and Processes
Safeguards by Data Category (“Mild or Extra Hot?”)
• Category IV data safeguards are comprehensive and uncompromising; primarily contractual
• Category III data safeguards designed to meet all legal requirements in terms of “reasonable” protection
• Category I data mandatory requirements constitute “lowest common denominator” for protecting weakest nodes on network
• Higher category = higher overhead
[Bar chart: data categories I, II, III, IV on the x-axis; series Mandatory, Recommended, Suggested; y-axis 0 to 140]
High Impact Implementation Issues (“Heartburn”)
Table columns, as presented on the slide: Issue / Safeguard; Impacted Categories; Upfront Cost; Recurring Cost; Additional Staffing; Additional Training; Technical Challenge. Each row below gives the issue, the impacted categories, and the ratings in the order they appear on the slide; where fewer than five ratings survive, the empty cells did not extract and a rating cannot always be assigned to its column. The “(Ref: Line …)” references point to a separate safeguards document, not to this transcript.
• Keeping security patches up-to-date (Ref: Lines 60-64) – All – Low, Low, Low, Med
• Information Security Specialists and System Administrators within campus units (Ref: Lines 35-40) – All – High, High
• Backup strategy and execution at the department level (Ref: Line 164) – Cat II, III & IV – High, Low, Low, Med, Low
• Policy/implementation awareness and training – All – Low, High
• Standards and training for Technical Authorities – Cat III & IV – Med, Med
• Performing internal vulnerability scans (Ref: Line 149) – All – Low, Med
• Use of network intrusion detection systems to monitor all network traffic (Ref: Line 152) – All – High, High, Low
• Encryption of sensitive data sent across public networks (Ref: Line 80) – Cat III & IV – High, Med, High
• Performing external vulnerability scans (Ref: Line 48) – All – High, Low, Low
• Not sending sensitive data via un-encrypted email (Ref: Line 81) – Cat III & IV – ??, High
• Physical security measures – Cat III & IV – High, Med
• Preventing unauthorized access to network connections on campus (Ref: Line 11) – All – High, Low, Low, Low, Med
• Encryption of all passwords stored on network devices (Ref: Line 71) – All – High, Med, High
• Reviewing security, firewall, and server logs as specified (Ref: Line 147) – All – High, Med, Low, Med, High
• Encrypting access to sensitive databases (Ref: Line 82) – Cat III & IV – High, Med, High
• Monitor failed system access attempts as specified (Ref: Line 110) – All – ??, ??, Low, High
• Faculty and staff training for recovery plan execution and security breach response responsibilities (Ref: Lines 159, 163) – All – Med, Med
• Performing penetration tests (Ref: Line 151) – Cat III & IV – Low, Low, High
What did we do differently? (“Chef’s Corner”)
• Broad representation on Policy Development Committee
• Combined “Top-down” and “Bottom-up” approaches to policy development
• Extensive review of, and consensus on, all key deliverables
• Implementation flexibility to account for current economic and organizational constraints, while still addressing all requirements
What have we learned? (“Adding soup to the menu…”)
• Critical to engage all key constituencies and stakeholders early on
• Inclusionary approach involves making compromises
• Need to have (a) clearly-defined sponsor(s) and approval process
• Communicate early and frequently
Soup anyone?
Mike Brandon
Director – OIT P&S
Georgia Institute of Technology
[email protected]
Jaime Galiano
Project Director – OIT P&S
Georgia Institute of Technology
[email protected]