Staying ahead of the storm: know your role in information security before a crisis hits

Jason Testart, IST; Karen Jack, Secretariat

Posted on 24-Feb-2016

TRANSCRIPT

Page 1: Staying ahead of the storm: know your role in information security before a crisis hits

Staying ahead of the storm: know your role in information security before a crisis hits

Jason Testart, IST; Karen Jack, Secretariat

Page 2

Topics

• Part I: Policy Overview (Jason)
• Part II: What to do when there’s a breach (Karen)

WatITis | Strengthening Collaboration | December 8, 2009 | Staying Ahead of the Storm

Page 3

Policy Goals

• Reduce our exposure
• Comply with laws and regulations
• Focus our information security efforts

Information Security is about maintaining our integrity, not our egos!

Page 4

On the topic of exposure…

STOP HOARDING INFORMATION!

Page 5

You can’t compromise what’s not there

• REDUCE what we collect
• REDUCE what we duplicate
• REDUCE what we keep

Page 6

Reduce your risk off campus

• Remote access or data encryption.
• Use a secure connection.
• Beware of un-trusted computers!

Page 7

Don’t forget about Disposal!

Make sure that all confidential information is erased or not recoverable before computers, electronic storage media, or other electronic devices are disposed of.

See Electronic Media Disposal Guidelines

Page 8

Information Security Policies, Standards, and Procedures

[Diagram: the policies, standards and procedures shown alongside the external requirements they must satisfy: Defense Production Act, Privacy Laws, Payment Card Industry DSS]

Policy Development: Avoid disjointed policy statements

Page 9

Policy Documents

• Statement on Security of UW Computing and Network Resources
• Policy 8 – Information Security
• Statement on Electronic Business
• Breach Notification Procedure
• Computer Security Incident Response Procedure
• IT Security Standards (all under development)
  • Mobile Device Security Standards
  • Standards for Secure Hosting
  • Password Policy

Page 10

Security Classifications (from Policy 8)

• Public
• Confidential
• Restricted
• Highly Restricted

Page 11

Roles & Responsibilities (from Policy 8)

• Information Steward: Governs the use of information
• Information Custodian: Keeper of the information
• User: Makes use of the data

Page 12

Example: Vision Test Results @ Optometry

• Who is the steward? Director, School of Optometry
• Who is the custodian? Support staff in Optometry who handle paper records. Systems Administrators of systems where results are stored.
• Who is the user? Faculty, and students in Optometry.

Page 13

Steward Responsibilities

• Classify information.
• Assess risk.
• Delegating operational responsibility to one or more Information Custodians.
• Establishing and maintaining rules and procedures.
• Ensuring Compliance.

Page 14

Custodian Responsibilities

• Knowing the rules, set by the steward.
• Understanding how information flows.
• Making sure information is available to authorized people and processes when needed.
• Making sure the integrity of information is maintained.
• Making sure information is not available to unauthorised people or processes.

Page 15

Tips for Classifying Data

• Classify information that is obviously public.
• Identify information that is Highly Restricted.
  • Do you really need it?
  • You need permission to use it.
• …then Restricted
  • We can help you, if needed.
• Whatever’s left is either obviously confidential or it’s not obvious.
• The information steward makes the call on public vs. confidential.

Page 16

What to do when there’s a breach

Information Security Breaches make headlines

• “Servers containing sensitive health information stolen”
• “Box of applications to university mistakenly thrown away”
• “Briefcase containing sensitive student information lost”

Page 17

Despite your best efforts, there’s been a breach

• Server
• Memory stick with grades
• Information sent to wrong recipient
• Student assignments

Page 18

What do I do?

• Incident Security Breach Response Procedure (http://www.adm.uwaterloo.ca/infosec/guidelines/breachprocedure.html)
• Computer Security Incident Response Procedure (http://ist.uwaterloo.ca/security/policy/ir.shtml)

Information Security Breach

• Circumvention of security controls
• Unauthorised use of information
• Unintended exposure of information

Purposes

• Legislation
• Identifying the cause(s) and prevention

Page 19

Incident Security Breach Response Procedure

• What happened?
• Act with care, but act with speed: contain / identify scope
• Contact the privacy coordinator to advise re:
  • Nature of breach
  • What was disclosed
  • To whom
  • And, for how long
• Advise others

Page 20

Notice – what it might entail

Restricted Information

• Personal information
• Personal health information
• Information subject to non-disclosure
• Passwords or private encryption keys

Notice

• Extent and specifics
• Steps individuals should take to protect themselves
• Immediate and long term solutions
• Privacy Commissioner of Ontario / FIPPA

Page 21

What’s the purpose of all this?

• Individuals may need to protect themselves
• Legislation
• It’s the right thing to do

Page 22

Results

• Best Practices: Local users. Others at UW.
• Lessons Learned? Changes to procedures? Useful information to share?
• Investigation: Have notice requirements been met? Review circumstances of the breach.

Page 23

Final thoughts

• Shared responsibility
• Treat others’ personal information as you would wish others to treat yours