The last morning of CSG kicks off with a policy discussion on minimizing use of SSN and other sensitive data.
Steve Shuster, Cornell
Started data security policy work two years ago. Has had a long-standing data stewardship program on campus, aligned to Vice President offices. There were gaps – VPs don’t think about security as rules change. Policies and practices haven’t always been consistent. Started Data Incident Response Team (DIRT) – determines need to notify, how much analysis is enough, etc. VP of IT, Policy Office, Audit, Counsel, etc. Were taking about one incident per month to that group where sensitive data were involved.
Stepped back to think about data exposure – three categories: public, restricted, confidential. “restricted” is the default – allows the stewards to just worry about the extremities. Defined specific security requirements for the three classifications. IT security council – lead security person from each of the units, meets monthly. Established strong exception process – first thing you hear when talking about requirements is why people can’t conform. Have mechanism to update requirements continuously.
Policy has highlighted some things: Missing some data stewards, pieces of data that run across the data stewards, e.g. SSN. Looking at having a PII Officer that would be responsible for that kind of data. Finding the data is hard. Created a Cornell Spider application that can crawl a computer to look for confidential data. 50-60% of computers on campus have some confidential data on them.
Randy Marchany, Virginia Tech
Their needs: Stay out of the press; stay out of the courts; preserve data integrity; respect the privacy of students and employees.
privacyrights.org has a good chronology of data breaches.
Steps for managing sensitive data:
#1 – Do what you can do when you can do it.
Pre 2003 –
Building Blocks – a one page acceptable use policy; Data classification
Tools – SSL
Education – awareness seminars
Compliance – HR disciplinary action
#2 Create a framework for doing it – an IT Security Task Force – has lots of committees across the entire scope of the central IT division.
#4 (what happened to 3?) – Don’t think you’re done.
Built tools (including use of Cornell’s spider), encryption
Education – awareness sessions, faculty institute
Compliance – IT security reviews of departments, Audit
A complete solution is not needed to get something done.
Everyone has a role
Pulling all the pieces together is the challenge, and making sure it works
Cam Beasley, Texas
Formed compliance group with admin units in 2002.
Had a significant SSN incident in 2003, so got really serious.
2006 had another incident – turned out that they hadn’t involved very many academic representatives in their work.
Since then have implemented formal policies, how systems are to be managed and how apps are to be developed. The two major incidents were insecure apps.
Have developed data stewardship program.
By 2005-2006 had shut off admin sensitive info flows. But still had problems out in the units. Developed a point ‘n’ click sensitive number finder – built in Java, uses bit-mask pattern matching (faster than regexp). Applied it in client and also for open shares over SMB or NFS. Also worked with Sourcefire (their IDS vendor) to build this algorithm in as a preprocessor (also works with Snort).
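Both Cornell's Spider and the Texas sensitive-number finder above do the same core job: walk files and flag strings that look like real SSNs while ignoring the many nine-digit runs that are not. The example below is added here and is not either university's tool; it uses a regular expression plus the SSA's structural rules (never-issued area numbers, all-zero group or serial) instead of the bit-mask matcher Texas described, and reports only the last four digits so the scan log itself does not become another copy of the sensitive data. The sample text is constructed.

```python
import re
from typing import List, NamedTuple

# Candidate SSN: 9 digits, contiguous or in the 3-2-4 dashed/spaced form, and not
# embedded in a longer digit run (so order numbers and timestamps are skipped).
_CANDIDATE = re.compile(r"(?<!\d)(\d{3})[- ]?(\d{2})[- ]?(\d{4})(?!\d)")


class Finding(NamedTuple):
    source: str
    line_no: int
    masked: str  # only the last four digits are kept in reports


def is_valid_ssn(area: str, group: str, serial: str) -> bool:
    """Reject values the SSA never issues; this removes most false positives."""
    a, g, s = int(area), int(group), int(serial)
    if a == 0 or a == 666 or a >= 900:  # never-issued area numbers
        return False
    if g == 0 or s == 0:  # group and serial are never all zeros
        return False
    return True


def scan_text(text: str, source: str = "<memory>") -> List[Finding]:
    """Return one masked Finding per plausible SSN, with the line it was found on."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in _CANDIDATE.finditer(line):
            area, group, serial = m.groups()
            if is_valid_ssn(area, group, serial):
                findings.append(Finding(source, line_no, f"***-**-{serial}"))
    return findings


def scan_file(path: str) -> List[Finding]:
    """Scan one file on disk; the crawler that walks a share would call this per file."""
    with open(path, "r", errors="replace") as fh:
        return scan_text(fh.read(), path)


# Constructed sample: one dashed SSN, one phone number, one long order id,
# one never-issued area number (000) and one contiguous SSN from an old export.
SAMPLE = """\
Brochure request: name=J. Doe, ssn=219-09-9999, phone=512-555-0100
order id 123456789012 processed 20080515
temp id 000-12-3456 rejected by validator
student ssn 078051120 from old export
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE, "sample.txt"):
        print(f"{f.source}:{f.line_no}: {f.masked}")
```

Run against the sample it reports lines 1 and 4 only; the phone number, the 12-digit order id and the 000-area value are all dropped.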
Developed another tool (issora?) – federated risk assessment tool. Applied data classification tool to it, were able to classify data on almost 48k machines. Now have faculty members who speak the same language (e.g. know what category 1 data means).
Klara Jelinkova, Duke
A lot of what they’re trying to do is about balance – divided problem: Duke Medicine security handles HIPAA data and policy; University handles FERPA and DMCA. That’s been very effective. As the two groups move closer together (joint ID mgmt, networking, etc), there’s more need for a higher-level policy group, which they’re exploring. As a technologist she’s been skeptical of policy and whether it works.
Longstanding policy – unique ID should be substituted for SSN. Talman Trask (exec VP) sent letter to all the deans – storage of SSN requires his approval. Had a breach in a departmental web server – found out it had an app for brochure requests that asked for SSN to do later correlation. Who has the responsibility when policies aren’t followed? Is it the CIO?
Lots of discussion – one question that came up is what’s the sensitivity of passport numbers? Wasn’t in any of the policies.