IT Staff Convention 2007: Security and Privacy Awareness

From Provider Wiki


Security and Privacy Awareness

IT Staff Convention 2007, April 27, 2007

Moderators: Barry Wilson and Anna Kent, Wharton

Notes: Monica Troilo and Kristin Nelson, ISC


Issue #1: What would help get the message out about Security and Privacy?

  • Significant information overload regarding security awareness/issues by way of email
  • Faculty don't pay attention to notices
  • Individuals don't read generic emails

Recommendations:

  • When sending an email, put the action statements right up front for people
  • Coordinate with faculty liaisons (SPIA, spider reports) to get the message out in a way that people will read and not think is spam (i.e., a pre-message that says "expect a message from person X about YZ")
  • Establish liaisons that will facilitate the communication
  • Use paper, phone, text messaging, faculty meetings to help broaden the base of communications
  • Tell people about specific things that were privacy violations (spider) – concrete examples that hit home for the end user [spider scans directories and finds and reports suspected SSNs in files]
  • Low tech idea - put paper copy of information in mailboxes
  • Layered communications - attack from different viewpoints, levels of authority
    • LSPs may engage department chairs as well as other sources at MULTIPLE layers of the organization – this could include BAs – to help with the communication, especially among faculty who don't always pay attention to notices
  • Almanac tips – take and add to your web or for any other location
  • Make communication relevant to the people receiving it
  • Scan and send messages to users that are specific to what they have; e.g., “We found n files with key data on your system; you should be concerned about securing this information.”
  • Use Pro-WIKI
  • Use LSP Network
  • Use ISC Security mail list – SECURITY-SIG@LISTS.UPENN.EDU and participate in regular Security SIG meetings, which are held on even numbered months
  • Use PRIVACY@POBOX.UPENN.EDU to request helpful brochures, training, other materials and information; Lauren Steinfeld mentioned an FY08 goal of having an online Privacy & Security Awareness component
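The spider-style scan and the targeted notice recommended above, as an added example written for these notes (it is not Penn's spider tool or any ISC code). It walks a directory, counts SSN-shaped tokens that pass the structural rules the SSA publishes (area not 000/666/9xx, group not 00, serial not 0000) to cut false positives, and builds the per-user message with the action statement first; the sample files are constructed inline.

```python
import os
import re
import tempfile

# Delimited SSN-shaped token (ddd-dd-dddd or ddd dd dddd), not glued to other digits.
# Structural rules published by the SSA: area not 000/666/9xx, group not 00, serial not 0000.
SSN_RE = re.compile(r"(?<!\d)(\d{3})[- ](\d{2})[- ](\d{4})(?!\d)")

def plausible_ssn(area, group, serial):
    """Reject tokens that cannot be a valid SSN, cutting false positives."""
    if area in ("000", "666") or area.startswith("9"):
        return False
    return group != "00" and serial != "0000"

def scan_text(text):
    """Count plausible SSNs in a block of text."""
    return sum(plausible_ssn(*m) for m in SSN_RE.findall(text))

def scan_directory(root):
    """Map file path -> suspected-SSN count, keeping only files with hits.
    Undecodable (binary) files are skipped instead of aborting the scan."""
    hits = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8") as fh:
                    count = scan_text(fh.read())
            except (UnicodeDecodeError, OSError):
                continue
            if count:
                hits[path] = count
    return hits

def notice(hits):
    """Targeted message with the action statement up front, as recommended."""
    return (f"ACTION REQUIRED: we found {len(hits)} file(s) with suspected "
            "SSNs on your system; encrypt them or securely delete them.")

def demo():
    """Constructed sample tree: two files with SSN-like data, one decoy."""
    root = tempfile.mkdtemp()
    samples = {"payroll.txt": "Employee 234-56-7890, hired 2007-04-27\n",
               "notes.txt": "Ref 987-65-4320 fails the area rule; no SSN\n",
               "old.csv": "id,ssn\n1,345 67 8901\n2,000-12-3456\n"}
    for name, body in samples.items():
        with open(os.path.join(root, name), "w", encoding="utf-8") as fh:
            fh.write(body)
    return {os.path.basename(p): c for p, c in scan_directory(root).items()}
```

Running `demo()` returns the per-file counts and `notice(demo())` produces the message a user would receive; the decoy tokens in notes.txt and old.csv are dropped by the structural rules, not by the regex.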


Issue #2: Handling sensitive data

  • Faculty and HR don't always pay attention to notices about securing sensitive information such as SSNs or payroll information
  • People (especially faculty) need to be more aware of securing passwords
  • Web developers have to deal with an ever-changing security landscape and this affects how secure their apps are
  • Certain apps can be breached (e.g., Faculty member using an Internet Café has their PennKEY and password intercepted by a hacker; hacker has access to faculty member’s payroll information, including W2, SSN, etc.)
  • Tools exist to improve security but they need to be easier to use
  • There needs to be an institution-wide procedure
  • There needs to be training
  • There needs to be some clarity around the kind of security that is needed for IRB data. HIPAA guidelines are not clear enough.

Recommendations:

  • Per Lauren Steinfeld, use SPIDER to scan for sensitive data
  • Regarding sending SSN or payroll information via email:
    • Use higher encryption
  • PGP hard drive and email encryption, set up so that it's easy to use
  • Key escrows and procedures are needed (e.g., to handle SSNs, salary data, TIAA-CREF information)
  • Regarding application security:
    • Developers can add another layer of security: Implement code reviews
    • SPIA (Security Privacy Impact Assessment) has tools that can be used as a basis for doing these reviews; it covers 7 key security threats
  • Reviews will encourage developers to utilize the tools
  • Regarding training/institution-wide procedures:
    • EDUCAUSE is a source for learning more
  • Regarding IRB (Institutional Review Board) information security:
    • There is a new document concerning compliance in the Social Sciences that may be helpful.
    • Need to contact for any surveys
    • Regulatory Affairs runs the 8 IRB boards
  • Announcements modified on the website to confirm email announcements
  • Develop and publish best practices and procedures (e.g., for encryption products, saving the key so that data can be recovered)

Human Resources

  • Information for non-IT people dealing with central groups (e.g., HR) on how to do the right thing in communication
  • How to encrypt attachments sent to HR – change to higher encryption
  • HR – for SSNs, use PGP hard drive and email encryption
    • Add to prowiki – how to work with HR on sensitive data

Is there a vehicle to talk about best practices across Penn?

  • IT privacy committee
  • SUG presentations
  • Add information to prowiki – anyone can add to the wiki (http://prowiki.isc-cs.upenn.edu)
  • Use the LSP network to get the message out
  • Security-sig@lists (meets third Thursday of even numbered months)
  • privacy@pobox – sends to OACP
  • Training and awareness packages, either via the web or for someone to take to a meeting to use the same courseware – develop centrally
  • Next year - developing an on-line awareness module


Any thought on hardware solution for end user access (cost is an issue)?

  • Wharton has added ability to use a Passphrase
  • PennKey – caution against using it in an unknown location (keylogger risk)

LSPs – gaps in knowledge

  • questions about things not specifically IT (e.g., what needs to be shredded)
  • how to educate / cover in a consistent way / have the technical information available


  • IT providers – training for new IT professionals (IT Orientation)
    • don’t remember a lot of information about security – information overload – a big blur
    • take this and have a breakout
    • target message to groups (e.g., web developer / LSP / application developer)
    • SAS has web developer meetings to discuss issues (e.g., PHP lunches)
    • difficult for developers to keep up on the security information as it is a moving target
    • SANS training – bootcamp great intro / overview of security items
    • SANS in NY – web application security
    • On SANS web – mailing list for university
    • EDUCAUSE – security list
  • Suggestion… Security website – have area targeted to end users (target groups)

SPIA analysis – Security and Privacy Impact Assessment

  • tool developed by OACP / ISC.
  • Participation to evaluate applications.
  • Coordinated to look school & center wide.
  • Talk to school leadership or write to privacy@pobox for more information. You can use a portion of the tool to check application.
  • Particularly useful when someone wants to bring outside application – run through the SPIA to get the right questions out. It also raises awareness as it promotes dialog.
  • Information driven – what’s the information, what are you doing with it, how are you protecting it. Provides a common vocabulary of 7 threats.