Cybersecurity in Higher Ed

Transcription

1 Cybersecurity in Higher Ed 1

2 Overview Universities are a treasure trove of information. With cyber threats constantly changing, there is a need to be vigilant in protecting information related to students, faculty and staff, applicants, alumni, donors, research, health systems, police, and athletics (to name a few!). 2

3 Agenda Current Environment Highlight of some Security Compliance Regs Discussing Cyber with Executives & BOD Develop an IT Security Strategy Adopt a Cyber Framework 3

4 Current Environment 4

5 Themes of the Environment Organizations have pressing needs to secure and protect their information. Regulatory (FERPA, GLBA, PCI, HIPAA, etc.) Student / Consumer Protection Reputation Risk Cyber attacks are continuing and not stopping / slowing. Malware, Social Engineering, DoS, Insiders, Supply Chain Lines between cyber actors are blurring Nation States, Org Crime, Hactivists, Insiders Too many organizations are allowing low hanging fruit to compromise them Simple passwords, lax system auditing, lax vendor management, over privileged users, etc. 5

6 What are the Compliance Regs? Family Educ Rights & Privacy Act (FERPA) Payment Card Industry (PCI) Data Security Standard (DSS) Health Insurance Portability and Accountability Act (HIPAA) Gramm Leach Bliley Act (GLBA) FACTA Red Flags Rule COV Data Breach Notification Law COV Information Security Standards International Data Privacy Laws Massachusetts Data Privacy Law Criminal Justice Information System 6

7 What are the Compliance Regs? Code of Virginia: LIS > Code of Virginia > In the event an individual or entity provides notice to more than 1,000 persons at one time pursuant to this section, the individual or entity shall notify, without unreasonable delay, the Office of the Attorney General and all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis, as defined in 15 U.S.C. 1681a(p), of the timing, distribution, and content of the notice. 7

8 What is at Risk? Disclosure or Theft of PII, NPI, PHI, IP Identify theft Theft of $$$ Business interruption Reputational damage Financial losses due to breach impact and cost to investigate, monitor, recover Non-compliance with regulations 8

9 What DATA is at Risk? Students Univ Employees Alumni & Donors Community SSN Academic Records Medical Records Athletic Records Police Records Financial Records University Research Intellectual Property What else? 9

10 Cyber Criminals are Indiscriminate Cyber criminals have two primary methods: 1. Target high value information. 2. Target anything that moves. Simply send out viruses looking for security holes they can exploit. The viruses don t care if you are a big or small company. #2 means it doesn t matter if you are big or small you are a target, simply because you exist. 10

11 Steps to Improve Security Posture Perform Data Sensitivity Analysis Assess Current Cyber Posture Develop IT Security Strategy Adopt a Cyber Framework Provide Reports to the Board Make sure ISO and Team have Adequate Training Test your Employees and Systems more than once a year 11

12 Highlighting some Security Compliance Regulations 12

13 What are the Compliance Regs? Family Educ Rights & Privacy Act (FERPA) Payment Card Industry (PCI) Data Security Standard (DSS) Health Insurance Portability and Accountability Act (HIPAA) Gramm Leach Bliley Act (GLBA) FACTA Red Flags Rule COV Data Breach Notification Law COV Information Security Standards International Data Privacy Laws Massachusetts Data Privacy Law Criminal Justice Information System 13

14 FERPA Under the Family Educational Rights and Privacy Act (FERPA), higher education institutions are limited in the information they can reveal about students. FERPA also grants students certain rights, including the right to keep their educational records private. Access to records should be controlled and limited. 14

15 FERPA What responsibilities does Information Security have? 15

16 GLBA The Gramm-Leach-Bliley Act (GLBA) is federal legislation that was enacted by Congress in The primary purpose of GLBA was to reform the banking industry to allow financial institutions to share information. Colleges and universities are also subject to some of the provisions of GLBA because they collect and maintain financial information about their students and others with whom they interact. 16

17 GLBA Not required to comply with GLBA's privacy regulations because the regulations contain an exemption for higher education institutions that comply with the Family Educational Rights and Privacy Act (FERPA). The second set of regulations under GLBA are the Standards for Safeguarding Customer Information, which seek to protect the security of non-public financial information These are applicable to Higher Ed 17

18 GLBA What responsibilities does Information Security have? 18

19 COV Data Breach Notification Code of Virginia: LIS > Code of Virginia > What events / breaches require action? How fast to notify? Who do you notify? 19

20 Discussing Cyber Risk with Executives & the Board 20

21 Questions from Executives & BOD Are you prepared to answer these questions? 1. What regulations do we need to comply with? 2. Do we use a cybersecurity framework? If modified version, what are the differences? 3. What are our top five cybersecurity risks? 4. How are employees made aware of their role in cybersecurity? 5. Do our outsourced providers and contractors have cyber controls and policies in place and clearly monitored? 6. Do we have cyber insurance? If so, is it adequate? 7. In the event of a serious breach, has management, developed a robust response protocol? *Source: NACD Cyber-risk Oversight Guide 21

22 Be Proactive! Stay ahead of Management and the Board s questions You must be PROACTIVE in your approach! Assess your top risks. Re-visit the assessment frequently. See Slide 11 Risk management is a culture, not an project. 22

23 Develop an IT Security Strategy 23

24 Inputs to IT Security Strategy IT Strategy Compliance & Legal Corporate Strategy Business Strategy Security Strategy Analysis of Threats / Risks Current Security Status & Maturity 24

25 Develop an IT Security Strategy 1. Identify a Desired State Security Posture Maturity Level Risk Appetite 2. Risk Assessment Current business environment, including business initiatives, growth strategies, etc. Current technology and systems used Current data types and use Current policies and procedures in place Current regulations Desired or planned changes to the above Gaps between desired Security Posture 25

26 Develop an IT Security Strategy 3. Develop Road Map to Get to Desired State What needs to be done to fix gaps (e.g. updated controls, implement technology, implement reporting, implement processes, etc.) 4. Execute Road Map Prioritize, approve, find budget to execute road map Create project plans Monitor progress Report to leadership Employee training, communication, awareness 5. Continuous Improvement Re-evaluate desired state, strategy & needs, gaps 26

27 27

28 Adopt a Cyber Framework 28

29 Cyber Framework Objectives Provide a common language for understanding, managing, and expressing cybersecurity risk both internally and externally. Identify and prioritize actions for reducing cyber security risk. 29

30 Comparing Frameworks NIST Cyber Framework FFIEC Cyber Domains 30

31 The Big Picture NIST Roadmap for Improving Critical Infrastructure Cybersecurity 1. Introduction 2. Evolution of the Cybersecurity Framework 3. Strengthening Private Sector Involvement in Future Governance of the Framework 4. Areas for Development, Alignment, and Collaboration DHG Insight: The Cyber Framework is only 1 piece of the puzzle. This slide shows that more needs to be done to protect our critical infrastructure. 4.1 Authentication 4.2 Automated Indicator Sharing 4.3 Conformity Assessment 4.4 Cybersecurity Workforce 4.5 Data Analytics 4.6 Federal Agency Cybersecurity Alignment 4.7 International Aspects, Impacts, and Alignment 4.8 Supply Chain Risk Management 4.9 Technical Privacy Standards 31

32 Wrap Up 32

33 Recap of Agenda Current Environment Highlight of some Security Compliance Regs Discussing Cyber with Executives & BOD Develop an IT Security Strategy Adopt a Cyber Framework 33

34 Steps to Improve Security Posture Perform Data Sensitivity Analysis Assess Current Cyber Posture Develop IT Security Strategy Adopt a Cyber Framework Provide Reports to the Board Make sure ISO and Team have Adequate Training Test your Employees and Systems more than once a year 34

35 Final Thoughts What else should we do? Identify ownership of cyber risk Identify privacy officer Regular communication with Executives and the BOD Share information across organizations Metrics and benchmarking Two factor authentication solutions Don t rely on signature based solutions Vendor management Ensure incident response plan is in place and tested Continue to build a cybersecurity workforce Continue to build security awareness Perform review of cyber insurance policy 35

36 Questions? 36

37 Thank You! Ben Sady Director Risk Advisory Services