...
Sub-Step | Resource | Resource Type |
---|---|---|
1.1 Institution-wide security risk management program. | | Higher Education |
| | Higher Education |
| | Higher Education |
| | Government |
| Policy: NIST Risk Management Guide for Information Technology Systems (SP 800-30) | Government |
| Policy: NIST Managing Risk from Information Systems: An Organizational Perspective (DRAFT SP 800-39) | Government |
1.2 Roles and responsibilities defined for overall information security program at the central and distributed level. | | Higher Education |
| | Higher Education |
| Policy: Yale University Information Access and Security Policy | Higher Education |
1.3 Executive leadership support in the form of policies and governance actions. | Info: Information Technology Security: Governance, Strategy, and Practice in Higher Education | Higher Education |
| Info: Governing for Enterprise Security article series - Carnegie Mellon Software Engineering Institute | Research |
...
Sub-Step | Resource | Resource Type |
---|---|---|
3.1 Data stewardship roles and responsibilities. It is not sufficient to have a classification system as delineated in Step 2. Individuals both at the user level and in management must understand their role in classifying and protecting the data. Consider adding such responsibilities directly to the formal job description for key roles. | Policy: Data Classification Policy of the University of North Carolina at Greensboro | Higher Education |
| | Higher Education |
3.2 Legally binding third party agreements that assign responsibility for secure data handling. If you give confidential data to an outside party, for example, to maintain student loans, or develop a web site, or handle health insurance, you need to ensure in a contract that the other party understands that it is liable for properly safeguarding the information. The 2008 Verizon Business Data Breach Report, based on analysis of over 500 actual breaches, showed that 39% of the breaches stemmed from a business partner. While not legally binding, obtaining a SAS-70 statement, SAS-112 procedures, or a form from the BITS Shared Assessments program is helpful in gauging the strength of an outside party's data handling measures. | | Higher Education |
| | Industry |
| | Industry |
3.3 Develop policies and assign accountability for data retention, data disposal, and electronic discovery. Data has its own "life cycle" from its collection to its eventual disposal. Your policies should describe data handling at significant points in this cycle. | Info + Policy: Ohio State University Records Management | Higher Education |
| | Higher Education |
| Policy: Harvard secure disposal policy | Higher Education |
| Info: EDUCAUSE Review article - Electronically Stored Information and the Federal Rules of Civil Procedure | Higher Education |
| | Higher Education |
...
Sub-Step | Resource | Resource Type |
---|---|---|
4.1 Establish, apply and maintain policies and procedures for data collection processes (including forms) to request only the minimum necessary confidential information. Neither requesting nor collecting restricted/regulated data is the best method of ensuring that it is not leaked: an organization doesn't have to worry about protecting (in storage or transit) what it does not have. This should apply to online and paper forms. | Info: EDUCAUSE FERPA resources | Higher Education |
| Policy: EDUCAUSE/Cornell ICPL Policies | Higher Education |
| | Government |
| | Industry |
4.2 Establish, apply and maintain policies and procedures for application outputs (e.g., queries, hard copy reports, etc.) to provide only the minimum necessary confidential information. In many, if not most, cases an analysis of what is absolutely essential on a report or screen will reveal that the full, or even partial, confidential information being shown is superfluous (e.g., an employee SSN on a pay stub is not needed and is a liability; a partial credit card number or the last few digits of a bank account are usually all that is needed on a payment screen when displaying a transaction). | Policy: Data Classification Policies | Higher Education |
| Tool/Info: Data Classification Toolkit | Higher Education |
| Info: NIST 800-60 (Rev. 1 2008): Guide for Mapping Types of Information and Information Systems to Security Categories (Guide, Appendices) | Government |
| | Government |
| Info: Sun Blueprint Series "Data Security Policy - Structure and Guidelines" | Industry |
| Info: Shon Harris on "Drafting Data Classification Policies and Guidelines" | Industry |
4.3 Inventory and review the presence of existing confidential data on servers, desktops, and mobile devices. Use data scanning tools and store/update the results in a database. IT GRC (Governance, Risk and Compliance) software now exists which can maintain an asset inventory database of confidential data sources and systems. | | Higher Education |
| | Higher Education |
| Info: Northwestern University's Guideline for Using Sensitive Data Search Tools | Higher Education |
| Tool: University of Illinois at Urbana-Champaign Firefly SSN Finder for Windows | Higher Education |
| Tool: University of Texas at Austin Sensitive Number Finder (SENF) | Higher Education |
| | Higher Education |
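As an added example of what the sensitive-number finders listed under 4.3 do (this is not code from Firefly, SENF or any other tool on this page), the Python scanner below walks a directory tree, flags SSN- and payment-card-like numbers, applies the SSA structural rules and the Luhn check to cut false positives, and records only file paths, hit counts and masked samples in a SQLite inventory, so the inventory database does not itself become a new store of raw confidential data. The sample file content, the card test number and the inventory schema are constructed for the example.

```python
"""Added example (not code from Firefly, SENF or any tool listed above):
a minimal sensitive-number finder that walks a directory tree, flags
SSN- and payment-card-like numbers, applies structural checks to cut
false positives, and records only paths, counts and masked samples in a
SQLite inventory so the inventory itself does not become a new store of
raw confidential data."""
import os
import re
import sqlite3
import tempfile

SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
# 13 to 19 digits, optionally separated by single spaces or dashes
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def valid_ssn(area: str, group: str, serial: str) -> bool:
    """SSA structural rules: area is never 000, 666 or 900-999,
    group is never 00 and serial is never 0000."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return group != "00" and serial != "0000"


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(value: str) -> str:
    """Keep only the last four digits, as 4.2 recommends for displays."""
    digits = re.sub(r"\D", "", value)
    return "*" * (len(digits) - 4) + digits[-4:]


def scan_text(text: str) -> dict:
    """Return {"ssn": [...], "card": [...]} of masked, validated hits."""
    hits = {"ssn": [], "card": []}
    for m in SSN_RE.finditer(text):
        if valid_ssn(*m.groups()):
            hits["ssn"].append(mask(m.group(0)))
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits["card"].append(mask(digits))
    return {k: v for k, v in hits.items() if v}


def scan_tree(root: str, db_path: str = ":memory:", max_bytes: int = 5_000_000):
    """Scan files under root; store one inventory row per (file, kind)."""
    con = sqlite3.connect(db_path)
    con.execute("CREATE TABLE IF NOT EXISTS findings"
                "(path TEXT, kind TEXT, count INTEGER, sample TEXT)")
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as f:
                    text = f.read(max_bytes).decode("utf-8", errors="ignore")
            except OSError:
                continue  # unreadable file: skip it, do not abort the run
            for kind, samples in scan_text(text).items():
                con.execute("INSERT INTO findings VALUES (?, ?, ?, ?)",
                            (path, kind, len(samples), samples[0]))
    con.commit()
    return con


# Constructed sample content; the card number is a well-known test number.
SAMPLE = ("Jane Doe 123-45-6789 refund to 4111 1111 1111 1111\n"
          "bad SSN 000-12-3456; random 1234 5678 9012 3456\n")


def demo():
    """Write the sample into a temp dir, scan it, return (kind, count, sample)."""
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "refunds.txt"), "w") as f:
            f.write(SAMPLE)
        con = scan_tree(d)
        return con.execute("SELECT kind, count, sample FROM findings "
                           "ORDER BY kind").fetchall()


if __name__ == "__main__":
    for row in demo():
        print(row)
```

The structural checks matter in practice: a bare nine-digit pattern also matches phone fragments and document numbers, and a bare sixteen-digit pattern matches most order and tracking numbers, so a scanner without them produces far more noise than findings. Storing a masked sample rather than the match keeps the inventory out of scope as a confidential data store while still letting a reviewer confirm a hit.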
4.4 Establish, apply and maintain policies and procedures to eliminate unnecessary confidential data on servers, desktops, and mobile devices. Initiate a confidential data elimination project if there is not a continuous process currently in place. | | Industry |
4.5 Eliminate dependence on SSNs as primary identifiers and as a form of authentication* | Info: Elimination of Social Security Numbers As Primary Identifiers | Higher Education |
*Note: SSNs may need to be used for certain things (e.g., student employees, student financial aid, etc.) and we recommend that schools limit the use of SSNs to only necessary processes | | Higher Education |
...
Sub-Step | Resource | Resource Type |
---|---|---|
5.1 Inventory and review/remediate security of computing resources. For network resources, segregate guest access and block unrestricted access to wired and wireless networks unless a known user logs in. For computational resources, consider testing computers upon network access to verify that they are fully patched. | Tool: NetReg | Other |
5.2 Establish and maintain standards for the security configuration of computing resources. This includes applications, servers, desktops, and mobile systems. It also includes network resources such as firewall, intrusion detection/prevention, and router configurations. Note that "standards" are not "policies": standards are specific, prescriptive lists of appropriate settings that change as the base of computing resources changes, whereas policies tend to be both more general and more static over time. | Policy: Harvard policy on Internet access to confidential information | Higher Education |
| | Government |
| | Government |
| | Government |
| | Government |
| Info: CIS Benchmarks | Industry |
| | Government |
| Info: Network devices | Government |
5.3 Establish and maintain encryption standards and strategies for data in transit and at rest. If data is confidential, it is usually beneficial to encrypt it to protect it from unauthorized access, either as it transits networks, as it is stored in files or databases, or both. In some cases, such as credit card data, encryption is contractually required. | Policy: Yale University IT Acceptable Use Policy (see Section F for Data Encryption Policy) | Higher Education |
| Tool: Yale University Endorsed Encryption Implementation Procedure | Higher Education |
| | Higher Education |
| | Industry |
| | Industry |
5.4 Establish and maintain standards regarding (a) confidential data on mobile devices and home computers, and (b) data storage and archiving. These areas are frequently overlooked, and are also frequently the source of a data loss. | | Higher Education |
| Policy: SANS remote access policy | Industry |
| Policy: SANS mobile device encryption | Industry |
5.5 Establish and maintain policies concerning identity management and resource provisioning processes. Improper issuance of user credentials and improper controls over user access to resources can lead to unauthorized access by users who have access privileges but should not, or who have a login but also have access to systems or data they should not have such access to. Improper revocation of credentials and keys is as critical an issue as improper issuance, and must also be addressed fully. | | Higher Education |
| Info: InCommon | Higher Education |
| | Higher Education |
5.6 Establish and maintain technical procedures for data retention and secure disposal of equipment and data. Step 3.3 covers policies for data retention and disposal. It is also necessary to have detailed technical procedures. Computers, disk drives, tapes, and other data are all too often donated to charity, sent to a dump, or sold as surplus with confidential information intact on them. Technical procedures might include how to archive old documents and what specific steps should be taken to sanitize media prior to disposal. | Policy: Harvard secure disposal policy | Higher Education |
| | Government |
| Policy: NIST records management policy | Government |
| Info: an electronic record retention policy: no longer a luxury | Industry |
5.7 Consider performing background checks on individuals handling confidential data. Persons with criminal records or credit histories indicating an inability to handle money responsibly may not be ideal candidates to handle confidential data. Yet many institutions do not perform any checks on employees or potential employees handling confidential data. This is a sensitive topic at many institutions, thus the "consider" in the statement. | | Higher Education |
| | Industry |
...
Sub-Step | Resource | Resource Type |
---|---|---|
6.1 Make confidential data handlers aware of privacy and security requirements. Changes to regulations for data privacy and security must be communicated to the affected areas of the higher education community. | | Industry |
6.2 Require acknowledgment by data users of their responsibility for safeguarding such data. Each person with access to confidential information should be presented with an acknowledgment to ensure they understand their role, whether as a consumer/user of information, a creator of information, or a steward/manager of information. | Policy: Confidentiality Agreement or Statement | Higher Education |
6.3 Enhance general privacy and security awareness programs to specifically address safeguarding confidential data. A key component of any awareness program is instruction regarding the data sensitivity classifications for information as defined by your institution. In addition, the controls and safeguards for each confidential data classification should be described. | | Higher Education |
| | Industry |
6.4 Clearly communicate how to safeguard data so that collaboration mechanisms, and their respective strengths and limitations in terms of access control, are clearly understood. | | |
...
Sub-Step | Resource | Resource Type |
---|---|---|
7.1 Conduct regular meetings with stakeholders such as data stewards, legal counsel, compliance officers, public safety, public relations, and IT groups to review institutional risk and compliance and to revise existing policies and procedures as needed. | | |
7.2 Utilize audit function within the institution to verify compliance. This can be either an internal audit department or external auditors. | Info: Auditing and Assessment | Industry |
7.3 Routinely scan and test computing resources and services. Scan servers, desktops, mobile devices, and networks containing confidential data to verify compliance with institutional policy and standards. Test these devices for weaknesses in operating systems, applications, and encryption that would indicate that institutional procedures are not being followed properly. Remediate any issues uncovered. | | Industry |
| | Industry |
| Info: Security Self-Assessment Guide for Information Technology Systems | Industry |
| Tool: Nessus | Vendor |
7.4 Routinely monitor log files of critical computing resources. Seek out anomalous behavior. Flag changes to privileges so they can be spot-checked in mini-audits. Flag configuration changes for possible match-up to any change control process in place. Such monitoring can largely be automated. | Tool: Swatch | Other |
| Tool: AWStats | Other |
| Tool: Splunk (free version) | Vendor |
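The three checks 7.4 asks for, written out as detection logic rather than as a Swatch or Splunk configuration, as an added example (not code or configuration from any tool listed above): flag privilege changes, flag configuration edits that fall outside an approved change window from the change control process, and count repeated authentication failures. The syslog lines, hostnames, users, addresses and the change window are all constructed; the sudo, usermod and sshd message formats follow common Linux logging but the exact strings are assumptions of the example.

```python
"""Added example (not Swatch or Splunk configuration): detection logic for
the three things 7.4 asks for, run over constructed syslog-style lines.
It flags privilege changes, flags configuration edits that fall outside an
approved change window, and counts repeated authentication failures.
Hostnames, users, addresses and the change window are all made up."""
import re
from collections import Counter
from datetime import datetime

SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<proc>[^:\[]+)(?:\[\d+\])?: (?P<msg>.*)$")
# Events that alter who holds privilege (group membership, sudoers edits).
PRIV_RES = [
    re.compile(r"add '\w+' to (?:shadow )?group '\w+'"),
    re.compile(r"user \w+ added by \w+ to group \w+"),
    re.compile(r"COMMAND=\S*/(?:visudo|usermod|gpasswd|useradd)\b"),
]
# Any sudo command that names a file under /etc is treated as a config change.
CONFIG_RE = re.compile(r"COMMAND=.*\s(/etc/\S+)")
FAIL_RE = re.compile(r"Failed password for (?:invalid user )?(\w+) from (\S+)")


def parse_ts(ts: str, year: int) -> datetime:
    """syslog timestamps carry no year, so the caller supplies it."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def analyze(lines, year, windows, fail_threshold=3):
    """Return a list of alert dicts. windows holds (start, end) datetimes of
    approved change periods exported from the change-control process."""
    alerts, failures = [], Counter()
    for line in lines:
        m = SYSLOG_RE.match(line)
        if not m:
            continue
        ts, msg = parse_ts(m["ts"], year), m["msg"]
        if any(r.search(msg) for r in PRIV_RES):
            alerts.append({"category": "privilege_change", "time": ts,
                           "detail": msg.strip()})
            continue
        cfg = CONFIG_RE.search(msg)
        if cfg:
            if not any(start <= ts <= end for start, end in windows):
                alerts.append({"category": "config_change_outside_window",
                               "time": ts, "detail": cfg.group(1)})
            continue
        fail = FAIL_RE.search(msg)
        if fail:
            failures[(fail.group(1), fail.group(2))] += 1
    for (user, src), n in failures.items():
        if n >= fail_threshold:
            alerts.append({"category": "repeated_auth_failure", "time": None,
                           "detail": f"{n} failures for {user} from {src}"})
    return alerts


# Constructed sample log; only the 14:10 edit falls outside the approved window.
SAMPLE_LOG = """\
Mar 12 02:15:01 srv1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/vi /etc/ssh/sshd_config
Mar 12 14:03:22 srv1 sudo:      bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/sbin/visudo
Mar 12 14:03:40 srv1 usermod[4021]: add 'bob' to group 'sudo'
Mar 12 14:05:10 srv1 sshd[5120]: Failed password for invalid user admin from 203.0.113.7 port 51122 ssh2
Mar 12 14:05:12 srv1 sshd[5121]: Failed password for invalid user admin from 203.0.113.7 port 51123 ssh2
Mar 12 14:05:14 srv1 sshd[5122]: Failed password for invalid user admin from 203.0.113.7 port 51124 ssh2
Mar 12 14:06:00 srv1 sshd[5130]: Accepted publickey for alice from 192.0.2.10 port 40000 ssh2
Mar 12 14:10:00 srv1 sudo:      bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/vi /etc/pam.d/sshd
""".splitlines()
# Constructed approved change window (02:00-04:00 on the same day).
WINDOWS = [(datetime(2008, 3, 12, 2, 0), datetime(2008, 3, 12, 4, 0))]

if __name__ == "__main__":
    for a in analyze(SAMPLE_LOG, 2008, WINDOWS):
        print(a["category"], a["time"], a["detail"])
```

The edit to sshd_config at 02:15 produces no alert because it sits inside the approved window; the same edit to the PAM configuration at 14:10 does, which is the match-up against change control that the step describes. Privilege changes are alerted regardless of window, since the step wants every one available for spot-checking.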
7.5 Routinely audit access privileges | | Higher Education |
| | Other |
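Steps 5.5 (issuance and revocation) and 7.5 (periodic audit of access privileges) come together in one routine review: reconciling an account export against the HR roster and against a department-to-group entitlement matrix. The Python below is an added example and not code from InCommon or any vendor; it flags accounts whose holder is no longer active (revocation failed), accounts with no HR record at all (orphans and unowned service accounts), group memberships beyond the person's role, and accounts dormant past a threshold. All users, groups, departments and dates are constructed.

```python
"""Added example for steps 5.5 and 7.5 (not an InCommon or vendor tool):
reconcile an account export against the HR roster and a department-to-group
entitlement matrix. Flags people no longer active who still hold access,
accounts with no HR record, group memberships beyond the person's role, and
accounts dormant past a threshold. All names, groups and dates are constructed."""
import csv
import io
from datetime import date

# Constructed HR roster: who is active and in which department.
ROSTER_CSV = """user,status,department
alice,active,registrar
bob,terminated,finance
carol,active,finance
"""
# Constructed account export from the directory or application.
ACCOUNTS_CSV = """user,groups,last_login
alice,sis_readers;sis_admins,2008-03-10
bob,finance_ro,2008-02-01
carol,finance_ro;finance_rw,2007-10-01
svc_backup,backup_ops,2008-03-11
"""
# Which groups each department is entitled to; anything else needs review.
ROLE_MATRIX = {"registrar": {"sis_readers"},
               "finance": {"finance_ro", "finance_rw"}}


def review(roster_csv, accounts_csv, role_matrix, today, dormant_days=90):
    """Return (user, finding, detail) tuples for every account needing action."""
    roster = {r["user"]: r for r in csv.DictReader(io.StringIO(roster_csv))}
    findings = []
    for acct in csv.DictReader(io.StringIO(accounts_csv)):
        user, groups = acct["user"], set(acct["groups"].split(";"))
        person = roster.get(user)
        if person is None:
            findings.append((user, "no_hr_record",
                             "no owner in roster; assign a sponsor or disable"))
            continue
        if person["status"] != "active":
            # Revocation failed: the credential outlived the relationship.
            findings.append((user, "terminated_with_access",
                             f"status={person['status']}; groups={sorted(groups)}"))
        excess = groups - role_matrix.get(person["department"], set())
        if excess:
            findings.append((user, "excess_entitlement",
                             f"beyond {person['department']} role: {sorted(excess)}"))
        idle = (today - date.fromisoformat(acct["last_login"])).days
        if idle > dormant_days:
            findings.append((user, "dormant", f"last login {idle} days ago"))
    return findings


def demo():
    """Run the review against the constructed data as of 2008-03-12."""
    return review(ROSTER_CSV, ACCOUNTS_CSV, ROLE_MATRIX, date(2008, 3, 12))


if __name__ == "__main__":
    for f in demo():
        print(*f, sep="\t")
```

The HR roster, not the directory, is the authority on who should have anything at all; the entitlement matrix is the authority on what each role may hold. An account that is absent from the roster is not automatically wrong (backup and integration service accounts are normal) but it must have a named owner, which is why the example reports it rather than silently skipping it.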
7.6 Review procurement procedures and contract language to ensure that they protect data. Contract language is covered in Step 3.2, but it is vital to periodically check that these contracts are being consistently applied across a variety of procurement situations. | | |
7.7 Implement system development methodologies that prevent new data handling problems from being introduced into the environment | Info: Security Considerations in the Information System Development Life Cycle | Industry |
7.8 Implement incident response policies and procedures. Even after implementing this entire blueprint, if you hold confidential data, it will be at risk, albeit at a much lower level of risk. It is wise to have procedures in place should any of this data be exposed to unauthorized parties before such a breach occurs, as the environment when a potential breach is discovered is fast-moving and dynamic, making it difficult to follow proper procedures if they are not already in place. | | Higher Education |
| | Industry |
...