Confidential Data Handling Blueprint
Added by Valerie Vogel, last edited by Valerie Vogel on Oct 14, 2008
Purpose
To provide a toolkit that consolidates resources pertaining to confidential/sensitive data handling. Many of the EDUCAUSE/Internet2 Security Task Force working groups are working on components of the toolkit, but a consolidation of resources would anchor the overarching themes related to information protection.
Introduction
The following steps and ensuing sub-items are intended to provide a general roadmap. Institutions will be at varying stages of progress. Some will start with the need to establish actions in the areas of policies, processes, or technology. Some will be ready to implement, and some will be able to revise and fine-tune their processes. You will also need to prioritize your actions to mitigate risks because of the comprehensive nature of the recommendations. We've attempted to organize these in a sequence that allows you to logically follow through each step. Although each item is recommended as an effective practice, we recognize that state/local legal requirements, institutional policy, or campus culture might leave each institution approaching this differently.
Steps
· Step 1: Create a security risk-aware culture that includes an information security risk management program
· Step 2: Define institutional data types
· Step 3: Clarify responsibilities and accountability for safeguarding confidential/sensitive data
· Step 4: Reduce access to confidential/sensitive data not absolutely essential to institutional processes
· Step 5: Establish and implement stricter controls for safeguarding confidential/sensitive data
· Step 6: Provide awareness and training
· Step 7: Verify compliance routinely with your policies and procedures
Step 1: Create a security risk-aware culture that includes an information security risk management program
Each sub-step is followed by its resources; the resource type (Higher Education, Government, Industry, or Other) is given in square brackets.
1.1 Institution-wide security risk management program
· Risk Management Framework [Higher Education]
· ISG Self-Assessment Tool for Higher Education [Higher Education]
· NIST Risk Management Guide for Information Technology Systems (SP 800-30) [Government]
· Harvard University's Enterprise Security Policy [Higher Education]
1.2 Roles and responsibilities defined for overall information security at the central and distributed level
· Indiana University Trustees Resolution [Higher Education]
· Indiana University School of Medicine Roles & Responsibilities [Higher Education]
1.3 Executive leadership support in the form of policies and governance actions
Step 2: Define institutional data types
2.1 Compliance with applicable federal and state laws and regulations, as well as contractual obligations, related to privacy and security of data held by the institution (also consider applicable international laws)
· Policing the Internet: Higher Education Law and Policy [Higher Education]
· Liability for Negligent Security [Higher Education]
· Gramm-Leach-Bliley [Higher Education]
· HIPAA [Higher Education]
· FERPA [Higher Education]
· California Privacy Laws [Government]
· Virginia Privacy Law [Government]
· PCI Security Standards Council [Industry]
· PCI Data Security Standard (DSS) Requirements [Industry]
· MasterCard Site Data Protection (SDP) Program [Industry]
· Visa Cardholder Information Security Program [Industry]
2.2 Data classification schema developed with input from legal counsel and data stewards
· Data Classification Policies [Higher Education]
· SANS Information Sensitivity Policy [Industry]
2.3 Data classification schema assigned to institutional data to the extent possible or necessary
· SANS Information Sensitivity Policy [Industry]
Step 3: Clarify responsibilities and accountability for safeguarding confidential/sensitive data
3.1 Data stewardship roles and responsibilities
· Data Classification Policy of the University of North Carolina at Greensboro [Higher Education]
3.2 Legally binding third-party agreements that assign responsibility for secure data handling
· Application Service Providers and Outsourcing: Protecting Your Assets [Higher Education]
· The Third Party Network Connection Agreement [Industry]
· Application Service Provider Standards [Industry]
Step 4: Reduce access to confidential/sensitive data not absolutely essential to institutional processes
4.1 Data collection processes (including forms) should request only the minimum necessary confidential/sensitive information
· FERPA White Paper [Higher Education]
· Information Sensitivity Policy [Industry]
4.2 Application outputs (e.g., queries, hard-copy reports, etc.) should provide only the minimum necessary confidential/sensitive information
· Data Classification Policies [Higher Education]
· Elimination of Social Security Numbers [Higher Education]
· Guide for Mapping Types of Information and Information Systems to Security Categories [Industry]
4.3 Inventory and review access to existing confidential/sensitive data on servers, desktops, and mobile devices
· IT Asset Management [Higher Education]
· Cornell University Spider [Higher Education]
· George Washington University Safety Analyzer (Note: If you would like a copy of this tool mailed to you, please e-mail Krizi Trivisani.) [Higher Education]
· IdentityFinder [Industry]
· Northwestern University's Guideline for Using Sensitive Data Search Tools [Higher Education]
· University of Illinois at Urbana-Champaign Firefly SSN Finder for Windows [Higher Education]
· University of Texas at Austin Sensitive Number Finder (Senf) [Higher Education]
· Virginia Tech Find SSNs and CCNs Tool [Higher Education]
4.4 Eliminate unnecessary confidential/sensitive data on servers, desktops, and mobile devices
· Information Sensitivity Policy [Industry]
4.5 Eliminate dependence on SSNs as primary identifiers and as a form of authentication*
· Elimination of Social Security Numbers [Higher Education]
*Note: SSNs may need to be used for certain things (e.g., student employees, student financial aid, etc.), and we recommend that schools limit the use of SSNs to necessary processes only...
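Sub-step 4.3 points to campus sensitive-number search tools (Spider, Firefly, Senf, and the others listed), and 4.2 asks that outputs carry only the minimum necessary data. The script below is an added example of how such a finder works; it is not the code of any tool named on this page. It assumes two common formats (SSNs written as ddd-dd-dddd or as nine contiguous digits, card numbers as 13 to 19 digits with optional spaces or hyphens), filters candidates structurally (SSA-unissued area, group and serial values; the Luhn checksum for card numbers) to cut false positives, treats digits inside a validated card number as part of that number rather than a separate SSN, and reports only masked values and per-type counts, so the inventory report is not itself another copy of the data. The sample text is constructed.

```python
"""Sensitive-number finder: an added example in the spirit of the SSN/CCN search
tools listed under sub-step 4.3; it is not the code of any tool on the page.
It reports only masked values and per-type counts (sub-step 4.2)."""
import re
import sys
from collections import Counter

# Candidate patterns (assumed formats). Word boundaries stop matches inside longer digit runs.
SSN_RE = re.compile(r"\b(\d{3})[- ]?(\d{2})[- ]?(\d{4})\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")   # 13 to 19 digits, optional separators


def is_plausible_ssn(area, group, serial):
    """Reject values the SSA never issues: area 000, 666 or 900-999; group 00; serial 0000."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return group != "00" and serial != "0000"


def luhn_ok(digits):
    """Luhn checksum used by payment card numbers; filters most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(digits):
    """Keep only the last four digits so the report does not itself leak the number."""
    return "*" * (len(digits) - 4) + digits[-4:]


def find_sensitive(text):
    """Return (kind, masked_value) for each validated hit, in order of appearance."""
    found = []
    card_spans = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            card_spans.append(m.span())
            found.append((m.start(), "CARD", mask(digits)))
    for m in SSN_RE.finditer(text):
        # Digits inside a validated card number are not a separate SSN.
        if any(s <= m.start() < e for s, e in card_spans):
            continue
        area, group, serial = m.groups()
        if is_plausible_ssn(area, group, serial):
            found.append((m.start(), "SSN", mask(area + group + serial)))
    found.sort()
    return [(kind, value) for _, kind, value in found]


def summarize(hits):
    """Per-type counts, which is what an inventory (sub-step 4.3) actually needs."""
    return Counter(kind for kind, _ in hits)


def scan_file(path):
    """Scan one file; unreadable bytes are skipped rather than aborting the inventory."""
    with open(path, encoding="utf-8", errors="ignore") as fh:
        return find_sensitive(fh.read())


# Constructed sample text. The SSN is a widely used specimen value and the card
# number a well-known test number; neither belongs to a real person.
SAMPLE = """\
student export (constructed sample)
name: Jane Doe, ssn: 219-09-9999, id: A1234567
legacy row: ssn 000-12-3456 (invalid area, should be ignored)
payment: 4111 1111 1111 1111 exp 12/09
order ref: 1234 5678 9012 3456 (fails Luhn, should be ignored)
phone: 555-0123
"""

if __name__ == "__main__":
    paths = sys.argv[1:]
    hits = [h for p in paths for h in scan_file(p)] if paths else find_sensitive(SAMPLE)
    for kind, value in hits:
        print(f"{kind}: {value}")
    print("summary:", dict(summarize(hits)))
```

Run it with no arguments to scan the embedded sample, or pass file paths to scan real exports. The two-stage check (pattern, then structural validation) is what keeps a finder like this usable on a large file share: unvalidated nine- and sixteen-digit runs are common in order numbers and identifiers, and every false positive costs a data steward's review time.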
Step 5: Establish and implement stricter controls for safeguarding confidential/sensitive data
5.1 Inventory and review/remediate security of devices
· NetReg [Other]
5.2 Configuration standards for applications, servers, desktops, and mobile devices
· Benchmarks and Tools [Industry]
5.3 Network-level protections
· Network Devices [Industry]
5.4 Encryption strategies for data in transit and at rest
· Yale University IT Acceptable Use Policy (see Section F for Data Encryption Policy) [Higher Education]
· Yale University Endorsed Encryption Implementation Procedure [Higher Education]
· Cryptographic Standards and Application [Industry]
· Acceptable Encryption Policy [Industry]
5.5 Policies regarding confidential/sensitive data on mobile devices and home computers and for data archival/storage
· Information Sensitivity Policy [Industry]
· Personal Communication Device [Industry]
· Remote Access - Mobile Computing and Storage Devices [Industry]
5.6 Identity management and resource provisioning processes
· Identity Management [Higher Education]
5.7 Secure disposal of equipment and data
· NIST Special Publication 800-88: Guidelines for Media Sanitization [Industry]
· Electronic Records Retention Policy [Industry]
· Records Management [Industry]
5.8 Consider background checks on individuals handling confidential/sensitive data
· Background Checks [Higher Education]
· Personal Identity Verification [Industry]
· Employment Background Checks [Industry]
Step 6: Provide awareness and training
6.1 Make confidential/sensitive data handlers aware of privacy and security requirements
· Building an Information Technology Security Awareness and Training Program, October 2003 [Industry]
6.2 Require acknowledgment by data users of their responsibility for safeguarding such data
· Confidentiality Agreement or Statement [Higher Education]
6.3 Enhance general privacy and security awareness programs to specifically address safeguarding confidential/sensitive data
· Campus-wide Security Education and Awareness (Chapter 7 in the online book "Computer and Network Security in Higher Education") [Higher Education]
· Building an Information Technology Security Awareness and Training Program, October 2003 [Industry]
6.4 Clearly communicate how to safeguard data, given that collaboration mechanisms such as e-mail have both strengths and limitations in terms of access control
Step 7: Verify compliance routinely with your policies and procedures
7.1 Routinely test network-connected devices and services for weaknesses in operating systems, applications, and encryption
· Vulnerabilities and Vulnerability Scanning [Industry]
7.2 Routinely scan servers, desktops, mobile devices, and networks containing confidential/sensitive data to verify compliance
· Nessus [Other]
· Vulnerabilities and Vulnerability Scanning [Industry]
· Security Self-Assessment Guide for Information Technology Systems [Industry]
7.3 Routinely audit access privileges
· Statement on Auditing Standards (SAS) No. 70 [Other]
7.4 Procurement procedures and contract language to ensure proper data handling is maintained
7.5 System development methodologies that prevent new data handling problems from being introduced into the environment
· Security Considerations in the Information System Development Life Cycle [Industry]
7.6 Utilize the audit function within the institution to verify compliance
· Auditing and Assessment [Industry]
7.7 Incident response policies and procedures
· Data Incident Notification Toolkit [Higher Education]
· Computer Security Incident Handling Guide [Industry]
7.8 Conduct regular meetings with stakeholders such as data stewards, legal counsel, compliance officers, public safety, public relations, and IT groups to review institutional risk and compliance and to revise existing policies and procedures as needed
From wiki.internet2.edu/confluence/display/secguide/Confidential+Data+Handling+Blueprint 7 February 2009
