Data Security at Cornell

Steve Schuster

Post on 20-Dec-2015



Questions I’d like to Answer

► Why do we care about data security?
► What are our biggest challenges at Cornell?
► What can we do?

Why Do We Care?

► Current federal and state law
    Family Educational Rights and Privacy Act (FERPA)
    Health Insurance Portability and Accountability Act (HIPAA)
    Gramm-Leach-Bliley Act (GLBA)
    Compromise notification laws
        ► 32 states
        ► NYS became law December 8, 2005
► Growing social expectations due to rise in identity theft awareness
► Need to protect Cornell’s reputation

NYS Notification Law

► Cornell must notify and report if protected data is reasonably believed to have been inappropriately accessed
► Protected data
    Name with
        ► Social security number
        ► Credit card number
        ► Bank account number with associated PIN
        ► Driver's license number
► Notification requirements
    Personal notification
    NYS reporting


Our Biggest Challenges

► Changing/emerging law
► Growing social expectations and requirements
► Our general “openness” can make us an easier target
    Cornell network
    Home users
    Roaming Cornell resources
► Changing the way data are handled, transmitted and protected around campus
► Answering institutional questions
► Complexity due to decentralized IT support complicates the identification of critical or sensitive resources/data
► Preparing for a legal defense now

Steps the University Is Taking

► New policy addressing minimum security standards
► Continue to investigate optional/additional security measures
► Formation of a Data Incident Response Team
► Determine if we should be assessing computers as they come onto our network
► More active security assessments
► Better security awareness for our users

Steps We Must All Take

► Identify the data on your systems and within your departments – You are responsible for the data
    Social Security Numbers
    Credit card numbers
    Driver's license numbers
► Notify your IT staff of the data on your system if these data are sensitive
► Work with your local IT staff to ensure your system is protected
    If in doubt, ask
► Before performing any action on your computer, ask if there’s a chance this action might put the data at risk
    Clicking on e-mail attachments
    Turning off the firewall, anti-virus
    Installing programs from the internet
► If you work from home using personal computers
    YOU are responsible for the security of your computer
    Home wireless can be a particularly troublesome area
    Unless it can’t be helped, never store regulated data on home computers
    www.cit.cornell.edu/computer/security/secure.html

End User Security

www.cit.cornell.edu/computer/security/secure.html

Other Useful Links

► Information on Identity Theft
    www.consumer.gov/idtheft
► User Guidance
    www.cit.cornell.edu/computer/security/secure.html
    www.cit.cornell.edu/services/identity/
► University Policies
    Reporting Security Incidents
        ► www.policy.cornell.edu/vol5_4_2.cfm
    Network Registration
        ► www.policy.cornell.edu/vol5_7.cfm
    Authentication of IT Resources
        ► www.policy.cornell.edu/vol5_8.cfm
    Computer Abuse
        ► www.policy.cornell.edu/Abuse_of_Computers_and_Network_Systems.cfm
► General Campus Security Links
    www.cit.cornell.edu/computer/security/

Questions?