Presentation to Executive Adm ng 08112014

Download Report

Transcript Presentation to Executive Adm ng 08112014

Data Privacy Laws/Regulations
• FERPA – Family Educational Rights and Privacy Act
• HIPAA – Health Insurance Portability and Accountability
Act
• GLBA – Gramm-Leach-Bliley Act
• RFR – Red Flags Rule of the Federal Trade Commission
• FISMA – Federal Information Security Management Act
• PCI DSS – Payment Card Industry Data Security
Standards
• Others exist, but the above are primary
Information & Communication Technologies 08 2014
2
NMSU All About Discovery!
General Institutional Requirements
• FERPA, HIPAA, GLBA, RFR, FISMA, and PCIDSS require the following:
– Designated information security responsibility
– Risk-based information security program
– Data security policies and procedures
– Monitoring and incident handling/compliance
– Data security training and awareness
Information & Communication Technologies 08 2014
3
NMSU All About Discovery!
Consequences of Noncompliance
•
•
•
•
•
•
FERPA – Loss of federal funding to institution
HIPAA – Monetary penalties of up to $6M / year
GLBA – Fines and imprisonment
RFR – Federal fines
FISMA – Loss of research and contract funding
PCI DSS
– Fines
– Removal of institution’s ability to take credit card
payments
Information & Communication Technologies 08 2014
4
NMSU All About Discovery!
Recent Higher Ed Data Breaches
• Butler University, June 2014
– 163,000 records taken
• Iowa State University (NMSU peer), April 2014
– 48,729 records taken
• North Dakota University, March 2014
– 291,465 records taken
• Indiana University, February 2014
– 146,000 records taken
• University of Maryland, February 2014
– 309,079 records taken
Information & Communication Technologies 08 2014
5
NMSU All About Discovery!
Hard Costs Related to Breaches
• Maricopa Community College District for last
year's data breach costs are approaching $20
million
• University of Maryland to pay $2.6M just for
credit monitoring of data breach victims. Other
costs TBD
• Target estimates data breach costs at nearly
$150 million and shares are down
• These are just a few examples…
Information & Communication Technologies 08 2014
6
NMSU All About Discovery!
NMSU’s Risk
If hackers compromised Banner, how many
unique social security numbers would they have
access to?
A. 10,000
B. 25,000
C. 50,000
D. I already have enough trouble sleeping at night
Information & Communication Technologies 08 2014
7
NMSU All About Discovery!
~ 500,000
(including the SSNs of the people sitting to your right and left)
Information & Communication Technologies 08 2014
8
NMSU All About Discovery!
NMSU’s Risk (continued)
• In addition to social security numbers and other
Personally Identifiable Information (PII), NMSU’s
systems contain other regulated data
• Not all regulated data resides centrally --desktop/shadow systems and departmental
servers may also contain regulated data
• We still get reports of PII data being transmitted
“in the clear” despite NMSU data security policy
Information & Communication Technologies 08 2014
9
NMSU All About Discovery!
Estimated Cost of a Data Breach
• Based on 2013 Study by Ponemon Institute &
Symantec
– $111 per record at US universities and colleges
– $136 per record across industry
• Estimated cost of a breach at NMSU
– $55,500,000 based on loss of 500,000 records at
$111 per record
• Includes costs associated with loss of public confidence,
reputation, etc.
Information & Communication Technologies 08 2014
10
NMSU All About Discovery!
Breaches Bring Greater Focus
• Higher education institutions are reacting to
data breaches by committing to improved data
security
– University of Maryland created a President's
Task Force on Cybersecurity, adding more staff
and purchasing expensive security tools
– Iowa State University is creating policies and
deploying security tools, etc.
Information & Communication Technologies 08 2014
11
NMSU All About Discovery!
NMSU is being proactive
• Enhancing security practices within the
technology – network, servers, software
• Implementing new security tools
• Beefing up training & awareness, compliance
across the institution
• Working to establish a risk-based information
security program
• Doing what we can with available resources, but
more is needed
Information & Communication Technologies 08 2014
12
NMSU All About Discovery!
Changing IT Landscape
• Factors that are now shaping IT
– Greater and very real threats to institutional data
– Integration of information technology into all
areas of NMSU’s business, requiring a strategic
versus strictly operational perspective of IT
– Competition for IT resources is growing,
requiring better planning, resource allocation,
and sharing
• A move to IT Governance is key!
Information & Communication Technologies 08 2014
13
NMSU All About Discovery!
Information Technology Governance
• Just what is IT Governance?
– The processes that ensure the effective and efficient
use of IT in enabling an organization to achieve its
goals. (Gartner)
• What does IT Governance do for NMSU?
– Ensures the effective evaluation, selection,
prioritization, and funding of competing IT investments
– Optimizes resources
– Lowers risk
– Enhances measurement of institutional IT performance
Information & Communication Technologies 08 2014
14
NMSU All About Discovery!
IT Governance, Then Data Governance
• Data governance is born of IT governance
– Once IT governance is established, data governance
follows
Information & Communication Technologies 08 2014
15
NMSU All About Discovery!
Governance Leads to Security
• IT and Data Governance are the foundation of
data security, culminating in protection that is
based on identified risk
– Awareness is the first step
– Information security is everyone’s responsibility
• Appropriate governance ensures that the
university is in compliance with data security
laws and NMSU policies
Information & Communication Technologies 08 2014
16
NMSU All About Discovery!
To successfully protect our
data, we need your support!
Information & Communication Technologies 08 2014
17
NMSU All About Discovery!
What Can You Do?
•
•
•
•
Participate in IT and data governance
taskforces
See IT as a strategic asset
Endorse a risk-based information
security program
You and your staff should participate in
online or in person data security training
Information & Communication Technologies 08 2014
18
NMSU All About Discovery!
Risk-Based Information Security
Program at NMSU
Questions?
Thanks
Norma Grijalva
John Roberts
Carlos S. Lobato
Information & Communication Technologies 08 2014
NMSU All About Discovery!