UWM CIO Office Institutional Data Privacy and Security Presenter: Steve Brukbacher, Information Security Architect Moderated by: Bruce Maas, CIO November 11, 2009

TRANSCRIPT

Page 1: UWM CIO Office Institutional Data Privacy and Security Presenter: Steve Brukbacher, Information Security Architect Moderated by: Bruce Maas, CIO November

UWM CIO Office

Institutional Data Privacy and Security

Presenter: Steve Brukbacher, Information Security Architect

Moderated by: Bruce Maas, CIO

November 11, 2009

Page 2:

UWM Information Security responsible for coordinating:

• Policies
• Technical controls
• Compliance
• Communication
• Forensics, investigations and incident response

Page 3:

Session Goals

• Answer "Why is this important?"
• Share Security Goals
• Identify future steps and needs

First, some background…

Page 4:

We are all data custodians.

Page 5:

Security Trends

Increasingly complex landscape

Page 6:

Security Trends

Need to control where confidential data lands

Page 7:

Security Trends

Challenging endpoint security

Page 8:

Data breaches are costly.

• $202 per record
• 500 records = $101K
• 1,000 records = $202K
• 30,000 records = $6.06M

Source: Ponemon Institute, ponemon.org

Page 9:

Data breaches are costly.

Loss of trust.

Source: Ponemon Institute, ponemon.org

Page 10:

What dangers are on the horizon?

Page 11:

Threats

Datalossdb.org

Page 12:

What have we gotten good at:

- Incident Response and Forensics
- Day-to-day security issues
- AV Management
- Risk Assessments
- Network Monitoring
- Efficient Desktop Support

Page 13:

So where is UWM in this landscape?

Page 14:

Data Sources

• Students: Academic, Health, HR
• Faculty/staff: HR, Health
• Research: Health, Patent

Page 15:

Types of Data

• SSNs
• Credit card numbers
• Grades
• Personnel-related
• Health-related
• Research-related

Page 16:

Personal Health Information Example

• CUPH (Aurora, Medical College, UWM)
• Milwaukee Health Report 2009
• Perinatal database hosting (80+ hospitals) statewide:
  - Providing data to state vital records
  - Meeting reporting needs for hospitals/health departments

Page 17:

Health care issues such as:

• Health care legislation
• Pandemic issues
• Socioeconomic disparity

Even more motivation for breach prevention!

Page 18:

Institutional Data Privacy and Security Goals

1. Manage access to and use of confidential data.
2. Understand where the data is.
3. Develop efficient and consistent compliance processes.
4. Offer "pre-fab" high security environments.

Page 19:

Institutional Data Privacy and Security Goals

1. Limit access to and use of confidential data

Page 20:

Institutional Data Privacy and Security Goals

2. Know location of data

Page 21:

Institutional Data Privacy and Security Goals

3. Employ a repeatable, cost-effective and reportable compliance methodology

Page 22:

Institutional Data Privacy and Security Goals

4. Offer "pre-fab" high security environments for researchers

Page 23:

What do we need?

• Policy
• Procedures and processes
• Strengthened core IT infrastructure
• Security-enhanced networking environments
• Security-enhanced desktop environments

Page 24:

Policies currently in place:

• Acceptable Use Policy (AUP)
• Campus Information Security Policy

Page 25:

Policy Needs Identified/in Process

Research Data Security Policy:

- Integrate w/IRB process to secure confidential human subjects data
- Utilize form to gather basic info
- Work w/Security via checklist or one-on-one engagement

Page 26:

Policy Needs Identified/in Process

SSN Privacy & Security Policy:

- Establishes understanding to only collect/store data as necessary
- Formally ensures data is secured where it is needed and used

Page 27:

Procedures and Processes

• Need for GRC product?
• IRB coordination
• Ongoing process of procedure development for security assessment and implementation

Page 28:

New credit card data handling procedures/processes

• Consolidation of card payment services
• Allowance for other options, provided the unit is responsible for compliance efforts

Page 29:

Strengthen Core IT Infrastructure

Framework: ITIL - IT Infrastructure Library:

• Utilizes methodology for efficient and secure IT management
• Focuses on defining services
• Clarifies requirements for:
  - Performance
  - Functionality
  - Security

Page 30:

Strengthen Core IT Infrastructure

How do we do this?

• Determine what you have
• Stabilize the patient
• Establish repeatable build processes
• Enable continuous improvement

Page 31:

Strengthen Core IT Infrastructure

What are we working on?

• More formal change management process
• Development of a unified patching methodology
• Contemplating a Log Management system
• Baseline system security standards

Page 32:

New Service/Service Enhancement Process

• Enumerates resource estimates and details impacts of systems/services
• Facilitates top-level resource decision-making
• Ensures right people at the table
• Helps balance service levels with service expectations

Page 33:

Security-enhanced Networking Environments

• Need a network "home" for confidential data
• Need network-based firewall services
• Need flexible implementation

Page 34:

Security-enhanced Desktop Environments

Tech Users Group providing foundation

• Common identified solutions:
  - McAfee & ePO (ePolicy Orchestrator)
  - Identity Finder
  - Next Gen. endpoint security
  - Collaboration on OS deployments
• Needs:
  - Patch Management
  - Full support for FDE (full disk encryption)
  - File/folder-level encryption software & support

Page 35:

Institutional Data Privacy and Security Goals

1. Manage access to and use of confidential data.
2. Understand where the data is.
3. Develop efficient and consistent compliance processes.
4. Offer "pre-fab" high security environments – ability to execute.

Page 36:

What do we need?

• Policy to establish roles and "must do's"
• Procedures and processes
• Strengthened core IT infrastructure
• Security-enhanced networking environments
• Security-enhanced desktop environments

Page 37:

Specific Technical Needs:

• Network firewall
• GRC software
• Identity Finder
• Full disk encryption
• File/folder-level encryption
• Patch Management
• Log management
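Goal 2 ("know location of data") and the Identity Finder line item above both come down to the same technique: walk the file systems where confidential data might have landed, pattern-match candidate SSNs and card numbers, and throw out candidates that fail structural validation so the report is not buried in false positives. The script below is an added example of that technique, not code from the presentation or from any vendor product; the directory layout, file names and the SSN and card values it writes are constructed sample data (the card number is a well-known test PAN), and the SSN structural rules and Luhn check are the public ones.

```python
"""Sensitive-data discovery scanner: finds SSNs and payment-card numbers in files.

Added example, not part of the UWM presentation. It approximates what an
endpoint discovery tool does for "know where the data is": walk a tree,
match candidate SSNs and card numbers, discard candidates that fail
structural validation, and report masked values plus file/line location.
"""
import os
import re
import tempfile
from dataclasses import dataclass

# Candidate patterns are deliberately loose; the validators below tighten them.
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
# 13-19 digits, optionally separated by single spaces or dashes.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def is_valid_ssn(area: str, group: str, serial: str) -> bool:
    """SSA structural rules: area not 000/666/900-999, group not 00, serial not 0000."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return int(group) != 0 and int(serial) != 0


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check that every payment card number satisfies."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


@dataclass(frozen=True)
class Finding:
    path: str
    line_no: int
    kind: str      # "ssn" or "pan"
    masked: str    # all but the last four digits masked, so the report itself is not sensitive


def mask(digits: str) -> str:
    return "*" * (len(digits) - 4) + digits[-4:]


def scan_text(path: str, text: str) -> list:
    """Return validated SSN and card-number findings for one file's contents."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in SSN_RE.finditer(line):
            if is_valid_ssn(*m.groups()):
                findings.append(Finding(path, line_no, "ssn", mask("".join(m.groups()))))
        for m in PAN_RE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group(0))
            if 13 <= len(digits) <= 19 and luhn_ok(digits):
                findings.append(Finding(path, line_no, "pan", mask(digits)))
    return findings


def scan_tree(root: str, max_bytes: int = 10_000_000) -> list:
    """Walk a directory tree, skipping unreadable or oversized files."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                if os.path.getsize(path) > max_bytes:
                    continue
                with open(path, "r", encoding="utf-8", errors="ignore") as fh:
                    findings.extend(scan_text(path, fh.read()))
            except OSError:
                continue
    return findings


def demo() -> list:
    """Build a constructed sample tree (not real records) and scan it."""
    root = tempfile.mkdtemp(prefix="datascan_")
    samples = {
        "hr/roster.csv": "name,ssn\nA. Person,123-45-6789\nB. Person,000-12-3456\n",
        "finance/notes.txt": "test card 4111 1111 1111 1111\ntypo card 4111-1111-1111-1112\n",
        "research/readme.txt": "no confidential data here\n",
    }
    for rel, content in samples.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(content)
    return sorted(scan_tree(root), key=lambda f: (f.path, f.line_no))


if __name__ == "__main__":
    for f in demo():
        print(f"{f.kind.upper():4} {f.path}:{f.line_no} {f.masked}")
```

Run as-is it reports two findings from the constructed tree: the valid SSN in the HR roster and the Luhn-valid card number in the finance notes; the 000-area SSN and the mistyped card number are rejected by validation rather than by the regex. A production scan would add unformatted nine-digit SSNs, document formats that need text extraction, and a policy for what to do with each hit, but the validate-then-locate pattern is the part that keeps the results usable.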

Page 38:

Requires Investment:

• Technology
• People

Page 39:

Shared responsibility of all to serve as data custodians and ensure data is kept secure.

Page 40:

Institutional Data Privacy and Security

Steve Brukbacher, [email protected]

Bruce Maas, [email protected]