Data Security and Identity Management
Leading Change Data Pre-Conference, June 16, 2014
Ed Jung, Chief Technology Officer, Arizona Department of Education
DATA SECURITY
Are you prepared?
Likelihood of a data breach is high (http://www.databreachcalculator.com/)
Likelihood of experiencing a data breach in the next 12 months: 9.5%
Average cost per record: $190
Average cost per breach: $94,833
You are a target
Really, you are a target
Some districts have reported that staff or parents have received emails from people purporting to work for Infinite Campus, requesting usernames, passwords and email accounts to confirm ownership of their Infinite Campus account.
The notice says hackers have been able to steal personal information, file fake tax returns and redirect the money to themselves.
Do you know your data?
Impact definitions (National Institute of Standards and Technology FIPS-199)
LOW: The loss of confidentiality, integrity, or availability could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals.
MODERATE: The loss of confidentiality, integrity, or availability could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals.
HIGH: The loss of confidentiality, integrity, or availability could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals.
Sample data classification
Restricted (highest, most sensitive)
  Legal requirements: FERPA, HIPAA, state statute
  Reputation risk: High
  Other risks: Information which provides access to additional resources
  Access: Explicit authorized access only, signed agreements
  Data: Student education records, SSN, educator performance classifications, discipline
Sensitive (moderate level of sensitivity)
  Legal requirements: Contractual obligations, privacy norms
  Reputation risk: Medium
  Other risks: Subsets of protected data
  Access: Need to know based on role
  Data: Salaries, staff personal contact information, library lending records
Public (low sensitivity)
  Legal requirements: At discretion of institution
  Reputation risk: Low
  Other risks / Access / Data: General information, embarrassment General LEA information Procurement records, calendar of events, school records for sports
Do you know where your data is?
What applications do you manage in-house? (e.g. SIS/SMS)
What applications are vendor managed or cloud hosted? (e.g. SIS, learning management)
Are there well understood policies over the use of third-party applications? (e.g. gradebooks, lesson planners, online courses)
It's the people
Negligent staff are the top cause of data breaches in the United States (2011 Cost of a Data Breach Study: United States, Symantec Corp. and Ponemon Institute).
Spear phishing attacks are often the root cause of security breaches: more than one third (34%) of respondents who reported experiencing a spear phishing attack in the past year believe that such an attack resulted in the compromise of user login credentials (e.g., usernames, passwords) or unauthorized access to corporate IT systems.
Policies on working in public places (chart): 12%, 9%, 24%, 55%; categories: No policy, I don't know, Not allowed, Restricted
Detection
66% of breaches took months or even years to discover (Verizon Data Breach Investigation Report)
On average, it is taking companies three months to discover a malicious breach and then more than four months to resolve it (Ponemon Institute report)
How can we speed this up?
Who is responsible?
Does your organization have a designated Information Security Officer?
Who develops information security related policies?
Who enforces policies?
Communications and Action Plan
Security Awareness Training
  FERPA and Privacy Training
  General training for all your users
  Differentiated by role
Communications and Action Plan
  Develop, train, test, repeat
  Who needs to know and when
  Crisis response team
  Impact on other work
  Legal, law-enforcement, public
IDENTITY MANAGEMENT
Your users
Who are they? Roles. How do you know who they are?
Student
  Roles: Student
  Systems they access: SIS
  Identity verification: In-person, documentation
Staff
  Roles: Teacher, Finance, Administrator
  Systems they access: SIS, ERP, HR, Finance, Gradebook
  Identity verification: In-person, documentation
Parents
  Roles: Parent, Volunteer
  Systems they access: SIS, Website
Re-verification: Annually, None
Where is all of this stored, how is it managed?
Your policies
What systems do your users have access to?
  Not just the systems you manage
How are roles and permissions set on each one?
  Consistency across systems
What happens when a user's access needs to be changed?
How do you know when a user's access rights need to be changed?
How often do you audit access to systems?
Policies and procedures for onboarding new applications and users should capture the data required to manage identity and access.
ADE Entity Management
Problem: Setting up and maintaining Common Logon accounts is tedious and error prone
  Program areas use different paper user authorization forms completed by LEA
  When access changes at LEA there is no automated process to update ADE records, resulting in delays giving or removing access to sensitive data
Solution: Empower LEAs with the ability to manage their own users
  Super-user at each LEA
Federation with ADE Systems
Problem: Entity management at LEAs is a duplication of effort
  Users still need to log onto ADE systems with the credentials created by the LEA Entity Administrator
Solution: Enable direct access from LEA systems with no additional user account management required
  Industry standard security protocol
  Works with leading SIS vendors
Useful resources
Estimate the likelihood and cost of a data breach: http://www.databreachcalculator.com/
Security Breach Response Plan Toolkit: https://www.privacyassociation.org/community/security_breach_response_plan_toolkit
Model Data Security Breach Preparedness Guide: http://www.americanbar.org/content/dam/aba/administrative/litigation/materials/sac_2012/22-15_intro_to_data_security_breach_preparedness.authcheckdam.pdf
Data Breach Response Guide: http://www.experian.com/assets/data-breach/brochures/response-guide.pdf
Cyber Security training resources: https://msisac.cisecurity.org/resources/videos/free-training.cfm
Verizon Data Breach Investigation Report: http://www.verizonenterprise.com/dbir/
Fordham Law School report on Privacy and Cloud Computing in Public Schools: http://ir.lawnet.fordham.edu/clip/2/
Fundamentals of Identity and Access Management: http://www.theiia.org/intauditor/itaudit/archives/2008/april/the-fundamentals-ofidentity-and-access-management/
Thank You
Contact: Ed Jung, Chief Technology Officer
(602) 542-3545
Ed.Jung@AZED.gov