Guide to Data Protection

Information Owner’s Guide to Data Protection
- Lessons Learned and Best Practices -

July, 2010


Audience and Purpose

The purpose of this document is to provide University administrators and others who serve in an “Information Owner” role with guidance needed to protect the information resources for which they are responsible. It is assumed that the reader is an Information Owner; therefore guidance is stated in the second person; it speaks to “you”.

Emphasis is on protection of “data” because experience indicates that the vast majority of information security attacks and breaches target an institution’s data. This fact is reflected in the increase in federal and state regulations concerning data security and privacy enacted over the past few years.



Guidance provided herein is based on security incidents that have occurred within University of Texas System institutions, other universities, and other government agencies; lessons learned from these incidents; and best practices that should be used to prevent security breaches. Here you will find practical guidance designed specifically for individuals who are responsible for running University programs, departments, research operations, or other functions.

Throughout this guide, you will find “Lessons Learned”. These are lessons relevant to the Information Owner role based on observations of incidents, their causes, and underlying contributing factors. The first of these relates to the need for Information Owner training.



Lesson Learned: Some information security incidents are attributable, in part, to lack of understanding and execution of Information Owner responsibilities. Information Owners need specialized training and guidance regarding their unique information security responsibilities. This guide is one resource for providing guidance.



The “Information Owner” Role:

The role of Information Owner is defined and assigned important information security responsibilities by Texas law. In practical terms, an Information Owner is usually the lead administrator of a University department, program, unit, or business function. Titles may vary considerably. Be it dean, chairman, director, principal investigator, manager, coordinator, etc., the person filling an Information Owner role has important information security responsibilities that must be understood and executed upon to properly safeguard University information assets. University policy refers to the role simply as “Owner”. Within this guide, the terms “Information Owner”, “Data Owner”, and “Owner” have the same meaning and are used interchangeably. Your institution may have an established policy that formally identifies Information Owners. Check with your Information Security Officer.


Texas Administrative Code, Title 1, Part 10, §202.75 defines the Information Owner as:

A person with statutory or operational authority for specified information (e.g., supporting a specific business function) and responsibility for establishing the controls for its generation, collection, processing, access, dissemination, and disposal. The Information Owner may also be responsible for other information resources including personnel, equipment, and information technology that support the Information Owner's business function.

The U. T. System Information Resources Use and Security Policy (UTS-165) defines “Owner” as: “The manager or agent responsible for the business function that is supported by the information resource or the individual upon whom responsibility rests for carrying out the program that uses the resources. The owner is responsible for establishing the controls that provide the security and authorizing access to the information resource. The owner of a collection of information is the person responsible for the business results of that system or the business use of the information. Where appropriate, ownership may be shared.”

Note that “shared ownership”, though permitted by policy, increases risk. If you are in a shared ownership situation, confer with the other Owners and put in writing who the responsible party will be for the various Owner responsibilities.

Lesson Learned: When responsibilities are shared, it raises the risk that security tasks will fail to be performed because people assume tasks are being performed by another of the responsible parties. This is a common contributor to information security incidents. In such situations, it is important to clearly define and communicate who is to perform various Owner duties.



How to Use this Guide

The guide is broken into three sections. Section 1, “Things an Information Owner Must Know”, focuses on the responsibilities of the Information Owner role and provides or identifies information an Owner must know in order to effectively execute his/her responsibilities.

Section 2, “An Owner’s Ten Step Data Protection Plan”, provides a suggested process for an Owner to follow to secure data. Use this to systematically execute a plan to secure your data.

Section 3, “Best Practices”, identifies policies and procedures that an effective Owner will consider when determining the controls to be used to protect information resources for which he/she is responsible.

At the end of each section, you will find a checklist tool to help guide you as you perform your Owner responsibilities.

It is expected that some readers will not be familiar with the Information Owner role and its responsibilities, the tasks that an Owner should perform, who to engage for assistance, and some of the best practices for securing data. If this is your situation, you should read the guide from start to finish. Afterwards, use the guide as a reference. Complete the checklists at least once and then review them periodically to ensure that security controls remain in effect over time.


Section 1: Things an Information Owner Must Know

Understand the Importance of Information Security

Students, employees, patients, granting authorities such as the National Science Foundation and the National Institutes of Health, and others who provide information to the University, or fund research, expect that information will be properly protected and personal privacy preserved, and rightfully so. As public stewards we have legal, contractual, and moral obligations to protect the information resources of the University and the confidential data of employees and the students and patients we serve. Beyond this, the stakes for failing to secure data are high. A single successful cyber attack against a University of Texas System institution can lead to one or more of the following:

• Compromise of student, patient, or employee privacy,
• Violations of FERPA, HIPAA, or other federal or state regulations,
• Disruption of patient care, instructional services and administrative functions,
• Loss of reputation for the institution,
• Financial loss to the University resulting from payments for mandated notifications or for providing credit monitoring services to individuals whose personal data has been exposed, and payment of any regulatory fines,
• Increased regulatory oversight,
• Loss of good will and potential loss of donations,
• Loss of grants,
• Loss or corruption of research data,
• Extortion, with University data being held for ransom,
• Equipment malfunctions that can impact University operations or patient care.



Know and Understand the other Information Security Roles

Rest assured, you, as an Information Owner, do not have to become a security expert to meet your security responsibilities and properly secure your data. There are other information security roles defined by state law and U. T. System policy, and there are employees on your campus performing these roles. There are four roles, in particular, with which you need to be familiar. It is important that you understand the relationship between your role of Owner and each of these roles.




User: A “User” is a person (or sometimes a computer program) who an Owner has authorized to access data under his/her authority. Data must be used only for purposes specified by the Owner. Also, Users must comply with any controls specified by the Owner and must prevent disclosure of confidential or sensitive data.

The Relationship between Owner and User: Working within policies of the institution, the Owner establishes the rules about handling of data under his/her authority and informs Users as to what data they can access, what the data can be used for, and how it must be protected while under the User’s control. Users must comply with the Owner’s requirements.


Custodian: A “Custodian” is a person or organization responsible for implementing Owner-defined controls and access to data or other information resources. Most often, specialized security tasks are assigned to organizational units such as the Central IT group or a departmental IT group, or to specific individuals within a department. Each of these organizations and individuals serves in the role of Custodian. For outsourced services, private vendors serve as Custodians.

The Relationship between Owner and Custodian: Within institutional policy, the Owner identifies or selects Custodians to perform IT security functions for the resources under his/her authority. The Owner specifies security controls that Custodians in turn implement and monitor. In other words, Custodians provide services to Owners; you are their customer.







Information Security Administrator (ISA): The ISA is usually a departmental employee who assists the Owner in performing information security tasks, such as required IT risk assessments. Depending on need, some ISAs have IT operational duties within a department or function; others serve more in a role of liaison between the Information Security Officer and the department to exchange information and report incidents. Note that “Information Security Administrator” is a “role”, not a job title. ISAs may go by many titles. Whatever the person’s title, all ISAs also serve in the role of Custodian because they assist with security related duties.

The Relationship between Owner and Information Security Administrator: The Owner typically appoints the ISA. In some cases, an Owner may choose to serve also in the ISA role.




Information Security Officer or Chief Information Security Officer (ISO): Each U. T. System institution has a designated individual responsible for establishing and administering the institution’s Information Security Program. This person oversees the Information Security Office, establishes policies, monitors systems, investigates incidents, and performs a myriad of other duties related to running an institution-wide information security program. The Information Security Officer is an important resource for Owners. You should confer with the ISO or his/her staff about any questions relating to how to classify information and which security controls would be appropriate for various situations.

The Relationship between Owner and the Information Security Officer: The Information Security Officer manages the institution’s information security program. Owners are required to abide by policies and procedures of the program, report incidents, and cooperate with efforts to assess the security state of the institution. On the flip side, the ISO and staff are Owners’ greatest resource in helping determine how best to secure the resources for which they are responsible. You should get to know the ISO and not shy away from asking for help and guidance in performing your security responsibilities.


Know Your Information Owner Responsibilities

As Information Owner your general charge is to classify data, assess risk, specify controls, and ensure agreed upon security strategies are implemented and continue in operation over time. This document will provide guidance to help you with these tasks. Your institution may have a policy that defines the Information Owner responsibilities more precisely. Check with your Information Security Officer.

The state of Texas assigns the following responsibilities to an Information Owner.



• Approve access to data. Within institutional policy, the Owner determines by whom and under what conditions data under the Owner’s authority can be accessed and used.

• Review Access Lists. The Owner periodically reviews access lists to ensure only appropriate people can access data, and in particular to verify that ex-employees have been removed. This task is often delegated, but it remains the Owner’s responsibility to see that this is done in accordance with institutional policy or at least annually if no policy exists.

• Assign custody of data. Most often, an Information Owner is not the person who handles day-to-day technical activities involved in securing data. Those tasks are usually handled by assigned Custodians. The Owner assigns the Custodian(s). In some cases, Custodians are established by institutional policy.

• Classify data. Based on institutional policy and data classification standards, the Owner is responsible for classifying data under the Owner’s scope of authority.

• Specify data controls and convey them to Users and Custodians. The Owner determines the controls to be used to protect data and communicates this to Custodians and Users. Determining appropriate controls is a task for which most Owners should consult with staff from the Information Security Office.

• Approve, justify, document, and be accountable for exceptions to security controls. There may be times when a control required by policy is not appropriate for a given situation. The Owner must approve any exceptions. The Owner must also justify and document why the exception has been granted. The Owner is the accountable party for such decisions.

• Confirm that controls are in place. This is perhaps the most important of all Information Owner duties. Too often, people assume that all necessary controls are in place when in fact they are not. The Owner must periodically confirm with Custodians that controls are in place.
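The “Review Access Lists” responsibility above is usually delegated to a Custodian, but the Owner still has to see that the review actually happens and that its result is recorded. The following is an added example, not code from the guide or from U. T. System, of what that delegated review looks like when it is done as a reconciliation rather than by eyeballing a printout: an application’s access list is compared against the HR roster, and every entry is sorted into one of three findings the Owner must act on. The CSV column names, the role names, the “approved roles” set and the sample rows are all constructed for this example.

```python
"""Access-list review helper (added example, not part of the guide).

Reconciles an application's access list against an HR roster so the Owner
(or the Custodian the task is delegated to) can see which entries need action.
All inputs below are constructed sample data; the column names, the role
names and the idea of an "approved roles" set are assumptions for this example.
"""
import csv
import io
from datetime import date

# Constructed sample export from a departmental application.
ACCESS_LIST_CSV = """username,role
jdoe,grade_entry
asmith,grade_entry
rlee,admin
vendor_svc,report_viewer
mchen,grade_viewer
"""

# Constructed sample HR roster. status is "active" or "terminated".
HR_ROSTER_CSV = """username,status,separation_date
jdoe,active,
asmith,terminated,2010-03-31
rlee,active,
mchen,active,
"""

# Roles the Owner has approved for this application (assumption for the example).
APPROVED_ROLES = {"grade_entry", "grade_viewer", "report_viewer"}


def _rows(csv_text):
    """Parse CSV text into a list of dicts keyed by the header row."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def review_access(access_csv, hr_csv, approved_roles, today):
    """Return the findings an Owner must act on, grouped by category.

    ex_employees    - accounts still present for people HR lists as terminated,
                      with how many days the account has outlived the separation
    unknown         - accounts with no HR record (service/vendor accounts that
                      need an explicit Owner decision rather than silent tolerance)
    unapproved_role - active people holding a role the Owner never approved
    """
    hr = {r["username"]: r for r in _rows(hr_csv)}
    findings = {"ex_employees": [], "unknown": [], "unapproved_role": []}
    for entry in _rows(access_csv):
        user, role = entry["username"], entry["role"]
        person = hr.get(user)
        if person is None:
            findings["unknown"].append(user)
            continue
        if person["status"] == "terminated":
            sep = date.fromisoformat(person["separation_date"])
            findings["ex_employees"].append((user, role, (today - sep).days))
            continue
        if role not in approved_roles:
            findings["unapproved_role"].append((user, role))
    return findings


def format_report(findings):
    """Render findings as plain lines suitable for the written review record."""
    lines = []
    for user, role, days in findings["ex_employees"]:
        lines.append(f"REMOVE  {user:<12} role={role} (terminated {days} days ago)")
    for user in findings["unknown"]:
        lines.append(f"DECIDE  {user:<12} no HR record; Owner must justify or remove")
    for user, role in findings["unapproved_role"]:
        lines.append(f"REVIEW  {user:<12} role={role} not on approved-role list")
    if not lines:
        lines.append("OK      no discrepancies found")
    return lines


def run_sample_review():
    """Run the review over the constructed sample data as of 2010-07-01."""
    return review_access(ACCESS_LIST_CSV, HR_ROSTER_CSV, APPROVED_ROLES, date(2010, 7, 1))


if __name__ == "__main__":
    print("\n".join(format_report(run_sample_review())))
```

The point of the three buckets is that an access review should never end with “looks fine”: a terminated employee’s account is removed, an account that HR does not know about is either justified in writing or removed, and a role the Owner never approved is reviewed. Keeping the report lines is what lets the Owner show, later, that the review was done.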






Lessons Learned:

• Do NOT assume controls are in place; periodically confirm it. A frequent cause for security incidents is people believing protections are in place when in fact they are not. There have been instances when people assumed data backups existed, only to learn otherwise. Other incidents have occurred when people thought firewalls or anti-virus software were protecting data but learned otherwise.

• Tasks that are measured or on occasion verified are more likely to be attended to than tasks that are performed on good faith alone. The importance of securing your data warrants periodic confirmation that controls that you believe to be in place are working as expected.



University of Texas System policy specifies the following additional Owner responsibilities:

• Designate an individual to serve as an Information Security Administrator.

• Perform an annual information security risk assessment. In relation to the risk assessment, the Owner also identifies, recommends, and documents acceptable risk levels for resources under his/her control.



Understand Types of Incidents and the Threat Landscape

An information security incident is any event that results in unauthorized access, disclosure, loss, modification, disruption, or destruction of information resources, whether this occurs deliberately or by accident. Consider the following headlines:


Stolen Patient Records Cost University $ Millions - June, 2008: University of Utah backup tapes containing 2.2 million patient records are stolen from a vehicle. The incident occurred because an employee of a vendor who transports and stores backup tapes off-site in a secure storage facility made the decision to not deliver the tapes directly to the facility. Instead he went home and left the tapes in his automobile, from which they were stolen. Cost of the stolen media was approximately $50, but the remediation cost to the University of Utah totaled $3.3 million.

Lessons Learned:

• Failure to execute small security related tasks can have costly consequences. It is critical that day-to-day security operations be performed consistently.

• An institution cannot have total control over what individuals may do. Therefore, it is important to use other preventive measures that one can control. Had the backup tapes been encrypted, the impact of the incident would have been minimal.



Blackboard Access Used for Cheating - Spring, 2008: University of Texas at Brownsville investigates cheating made possible because of various access related failures, including misuse of assigned privileges, sharing of access credentials, and inappropriate assignment of access privileges.

Lessons Learned:

• Owners must understand and execute on their information security responsibilities.

• Owners must establish policy relating to access and use of data.

• Owners must understand and fully utilize role-based security and other security features available in the computer applications used to support business functions.

• Owners must understand the threat environment, potential motivations of attackers, and serve as an example to others regarding concern about information security.

• Nobody wants to believe an employee would misuse privileges, but it happens; be vigilant!

• Student workers who use email for performing University business must have two email accounts, one for personal use and another to use exclusively for University business.


Criminals Hold Virginia Patient Data for Ransom - May, 2009: Criminals breach state of Virginia computer systems, encrypt 8.3 million patient records, delete the state’s backups, and demand a $10 million ransom for the encryption key. The root cause has not been made public; however, it is speculated that there may have been inside assistance. Outcome? The records were eventually restored. Neither the state of Virginia nor the FBI will comment on whether a ransom was paid.

Lessons Learned:

• Be aware of the “insider threat,” and to the extent possible implement separation of duties in data center operations.

• For mission critical data, keep some backups off-site in a location not electronically accessible directly from the primary storage location.

• Require two-factor authentication for Custodians who have elevated privileges on devices hosting Mission Critical or Confidential information. (See Section 3: Best Practices)



Patients Warned of Potential Identity Theft - January, 2010: MedAssets, a Georgia company assisting the University of Texas Medical Branch with insurance billing and collections, informs UTMB that a MedAssets employee with access to UTMB patient billing records had been arrested and charged with identity theft. Although a background check had been performed during the hiring process, it failed to identify the applicant as a possible problem employee. As a precaution, UTMB sends notification letters to some 1,200 individuals possibly affected.

Lessons Learned:

• In work situations that involve storage of Confidential information, it is particularly important to maintain logs that can track who accesses data.

• Periodically monitor logs to ensure access privileges are not abused.

• Ensure that vendor contracts contain appropriate language to address information security issues and reporting requirements for the vendor in the event of a breach.
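“Periodically monitor logs to ensure access privileges are not abused” is easy to say and rarely done by hand, because a billing or records application produces far more access events than a reviewer can read. The following is an added example, not code from the guide or from any of the institutions it mentions, showing the kind of automated first pass a Custodian can run so the Owner only has to look at exceptions. It checks three things a MedAssets-style review would care about: a user touching records that are not in his or her assigned caseload, a user viewing an unusual number of distinct records in one day, and activity outside working hours. The log format, the caseload table, the hours and the volume threshold are all constructed assumptions for this example.

```python
"""Access-log review (added example, not part of the guide).

Scans an application's record-access log for signs that access privileges are
being abused: a user touching records outside their assigned caseload, an
unusually large number of distinct records viewed in one day, and activity
outside normal working hours. The log format, the caseload table and the
thresholds are all assumptions constructed for this example.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log; each line is one record access by one user.
SAMPLE_LOG = """\
2010-06-01T09:12:04 user=bclerk action=view record=P10231
2010-06-01T09:15:40 user=bclerk action=view record=P10244
2010-06-01T10:02:11 user=tbill action=view record=P10512
2010-06-01T10:05:57 user=tbill action=view record=P10231
2010-06-01T22:47:03 user=tbill action=view record=P10600
2010-06-01T22:48:30 user=tbill action=export record=P10601
2010-06-01T22:49:12 user=tbill action=view record=P10602
2010-06-01T22:50:05 user=tbill action=view record=P10603
2010-06-02T08:30:00 user=bclerk action=view record=P10244
"""

# Records each user is assigned to work (constructed for the example).
CASELOAD = {
    "bclerk": {"P10231", "P10244"},
    "tbill": {"P10512", "P10600", "P10601", "P10602", "P10603"},
}

LINE_RE = re.compile(r"^(\S+) user=(\S+) action=(\S+) record=(\S+)$")
WORK_HOURS = (7, 19)              # 07:00-19:00 counts as a normal working day
DAILY_DISTINCT_RECORDS_LIMIT = 4  # constructed threshold for this department


def parse_log(text):
    """Yield (timestamp, user, action, record) tuples; skip malformed lines."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, user, action, record = m.groups()
            yield datetime.fromisoformat(ts), user, action, record


def find_abuse(log_text, caseload, limit=DAILY_DISTINCT_RECORDS_LIMIT):
    """Return a sorted list of (rule, user, detail) findings for a reviewer."""
    findings = []
    per_day = defaultdict(set)  # (user, date) -> distinct records touched
    for ts, user, action, record in parse_log(log_text):
        # Rule 1: access to a record the user is not assigned to.
        if record not in caseload.get(user, set()):
            findings.append(("outside_caseload", user, f"{action} {record} at {ts.isoformat()}"))
        # Rule 2: activity outside working hours.
        if not (WORK_HOURS[0] <= ts.hour < WORK_HOURS[1]):
            findings.append(("off_hours", user, f"{action} {record} at {ts.isoformat()}"))
        per_day[(user, ts.date())].add(record)
    # Rule 3: more distinct records in one day than the department considers normal.
    for (user, day), records in per_day.items():
        if len(records) > limit:
            findings.append(("volume", user, f"{len(records)} distinct records on {day.isoformat()}"))
    return sorted(findings)


if __name__ == "__main__":
    for rule, user, detail in find_abuse(SAMPLE_LOG, CASELOAD):
        print(f"{rule:<17} {user:<8} {detail}")
```

None of the three rules proves misuse on its own; an evening shift or a reassigned caseload explains many hits. What they do is turn a log nobody reads into a short list the Owner or ISA can follow up with the Custodian, which is the difference between a log that exists and a log that is monitored.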



The above examples are but four of the hundreds of incidents that have occurred over the past few years. Present day security incidents fall into three general categories: Errors and Accidents, Attacks of Opportunity, and Targeted Attacks. Strategies are needed to help prevent each type. Specific best practices will be identified in Section 3 of this guide.


Errors and Accidents: These are unintended events that result from someone making a mistake, failing to perform a task, or because of equipment malfunction. Examples include an event in which a University employee inadvertently sent a document containing sensitive information through email to the wrong mail group. In another example, a mechanical failure caused addresses on letters to be misaligned, resulting in exposure of confidential information through the windows of the envelopes. These types of incidents are unfortunate, but inadvertent, and involve no intent for harm. Errors will occur, but they can be reduced by focusing on operational quality controls.

Lessons Learned:

• Use encrypted email when sending confidential information through email.

• Operations that involve confidential information should be thoroughly tested before execution.



Attacks of Opportunity: The most common example, and one often repeated, is a laptop computer being stolen because it was left in view in an accessible location without proper physical controls such as a cable lock. A thief may simply want a new computer, but if a stolen computer happens to also contain confidential data, the data loss can be much more costly to the University than the cost of the computer itself. When a computer disappears, one does not know the motivation of the thief. The institution must treat the event as if the intent had been to obtain any confidential information that may reside on the computer.

Lessons Learned:

• Use physical controls (such as locked doors and cable locks) to secure computers.

• Loss of data on a computer usually poses more risk to the institution than loss of the computer itself. Remove unnecessary data - especially confidential data - from laptop and desktop computers. It exposes the institution to unnecessary risk. Check with your ISO for tools to help you identify this data.

• If you must store confidential data on a laptop or desktop computer, encrypt it using the standards supported by your institution.

Another common “opportunity” incident involves the hacker who simply scans randomly across the Internet in search of unprotected computers. The hacker may be looking for data to use for identity theft or may want to take clandestine control of the computer to send spam or attack others.

Lesson Learned: All computers must be protected from intrusion, even those that do not hold confidential or sensitive information. Any network-attached computer under the control of an attacker can be used to send spam, collect data a user types into the computer, or to launch attacks against other computers. It is important to prevent University resources from being used against others.



Targeted Attacks: A targeted attack is one in which the attacker has pre-selected the institution, department, program, or individual to attack. The motivation may be to punish the intended target, perhaps for reasons of political or personal vendetta. More commonly, the intent is to obtain data for purposes of personal profit by selling it or by using it directly for identity theft. The motive may also be to gain economic or military advantage. Reports of targeted attacks have become more frequent over the past eighteen months or so. Universities are at risk of such attacks for three reasons. They store financial data, including social security numbers, that can be used to commit identity theft; they hold vast stores of intellectual property including research data, scholarly works, lecture content, and tests; and they are very complex organizations that rely heavily on interconnected computers and systems. The more complex the environment, the more difficult it is to secure, and the more important it is to have automated processes in place to ensure the daily details of securing information are attended to.

A hypothetical example of a targeted attack is a person purposefully obtaining the credentials of an employee known to have access to a course management system for purposes of obtaining test data. Another example would be an attacker who tries to gain access to specific restricted research data.

Lessons Learned:

• Never assume data has little value to others. If it has value to you, it likely has value to others.

• Where possible, simplify operations. Complexity is the enemy of information security, making it harder to understand and protect systems. Take the initiative to understand how your systems work and confirm that protections are in place and remain so over time.

• Operational excellence is of paramount importance! Many incidents occur because a procedure was not followed, or logs were not monitored, or systems were not patched, or device configurations were incorrect, or anti-virus software was out of date. The list goes on. Execution of day-to-day security operations must be consistent and continuous.

• Where possible, automate operational tasks and oversight of those tasks to reduce error.



Incidents occurring within University of Texas System institutions.

As an Owner, work with your Information Security Office to ensure that strategies are in place to protect against the full range of common threats. Following is a list of the most common security incidents that occur within University of Texas System institutions:

• Stolen or lost computers. Note that a lost computer must be assumed to have been stolen and treated as such in terms of reporting and mitigation.

• Network and server attacks. These attacks typically are launched from a distance, often appearing to come from overseas.

• Application attacks. These attacks also often appear to come from overseas.

• Phishing attacks. Typically, such attacks consist of an email message or a link on a website. The purpose is to trick the user into divulging confidential information (such as a password) that the attacker can then use for other purposes.

• Malware attacks. Malware includes such things as keyloggers used for collecting confidential information such as passwords, and “bots” that are used by an attacker to remotely control an infected computer for purposes of distributing spam or attacking other computers.

• Misuse of authorizations. Sometimes a University employee or employee of a business partner misuses his/her authorizations. The motivation may be simple curiosity (e.g. inappropriately viewing the medical records of a patient), to steal information (e.g. obtaining information to commit identity theft), to modify information (e.g. to change a person’s grades), or to destroy information (e.g. a disgruntled employee deleting information that is needed by the institution).

Know Your Computing and Work Environment

Owners must have a holistic understanding of the environment in which work is performed and in which their data is housed and processed. Become familiar with the following:

• Know your Information Security Officer: The institutional Information Security Officer is a great resource for you. Do not fret over the technical controls required to protect your data assets; call on your ISO to advise you. Information Security Office staff can assist you in determining the classification of your data and can help you determine what controls are most appropriate for protecting the data. Make an appointment to talk about your data and security concerns. Your call will be welcomed.

• Know your Data: All data must be classified. As Owner, you are responsible for this task. Also you are responsible for complying with records retention requirements for the data based on its purpose. As part of understanding your data, it is important that you know which regulations, such as HIPAA, FERPA, or PCI-DSS, your data is subject to. Without a thorough understanding of your data, you do not have the information needed to establish appropriate controls.

• Know where your Data is located: Today’s interconnected computing environment is very complex. Your data may reside within an institution’s data center, on a departmental server, on employee workstations, laptops, home computers, or USB or other portable devices. If you outsource, data may reside in a vendor’s computer center that could be located anywhere within the country, or perhaps even overseas. It is imperative that you understand where your data is located! If you do not know this, you cannot protect it.

• Know how your Data flows: Data is mobile and has a life cycle. It is created, stored, manipulated, moved, and used in many ways by multiple individuals and functions. And eventually it is archived or destroyed. For the data over which you are responsible it is important that you understand how the data flows. Who creates it, accesses it and uses it? Where and when does it move? What happens to it when its business purpose has been completed; is it destroyed or archived?

• Know your applications and their capabilities: You must have a basic understanding of the business applications used to process your data, and you must understand the security capabilities, or lack thereof, of the applications. Understand that applications age. As technologies change, applications that may function well from a functional task perspective may in fact pose grave security risks if such applications are used to manage Confidential or Mission Critical Data. These applications should be replaced.

• Know your Custodians: Owners assign custody of data to other individuals or organizations to tend to different security functions. It is important that you know who the person or group is that is taking care of such things as: backing up data, securing servers on which your data is processed or stored, ensuring that laptops are encrypted, and that all computers that may have access to your data are properly secured with up-to-date patches and antivirus software. Often, there are designated groups on campus to perform these tasks, but as Owner you must verify that these tasks are being addressed.

• Know which controls are in place protecting your Data: A good initial conversation to have with your Custodians is to ask them how your data is being protected. As you work through this guide and become familiar with best practices, you can verify that current protections are sufficient given the classification and risk to your data.

Checklist for Section 1: Things an Information Owner Must Know

The list below contains items about which all Information Owners should be familiar in order to execute security responsibilities effectively. Place a check by those that you have addressed.

1. I know who serves in the role of Information Security Officer (ISO) for the institution. (If not, call the Help Desk to inquire.)

2. I have determined whether the institution has a policy or established procedure for formally designating Information Owners. (Check with the ISO)

3. I have determined my status as an Information Owner. (See page 1. Confer with your ISO.)

4. As an Owner, I know if I am in a “Shared Ownership” situation. (Check with your ISO)

5. Answer only if you are in a “Shared Ownership” situation. I have a clear understanding of who is charged with responsibility for ensuring that the various Owner responsibilities are addressed. (Confer with the other Owners and decide who will perform various tasks, such as classifying data, etc.)

6. As an Owner, I know the responsibilities associated with, and my relationship to, each of the following Information Security Roles: User, Custodian, Information Security Administrator, Information Security Officer. (See “Know about the other Information Security Roles”.)

7. I know the individuals and/or organizations that serve in a Custodian role for the systems and data over which I have Owner responsibility.

8. I am familiar with the responsibilities of an Information Owner. (See “Know your Information Owner Responsibilities”. Check with your ISO to determine if an institutional policy exists identifying Owner responsibilities.)

9. I know whether my institution has a “Data Classification Policy” and where to access the document. (Check with your ISO)

10. I know which regulations my data is subject to, and I am familiar with the requirements. (Check with your Compliance Officer or Legal Counsel.)

11. I know whether I am required to appoint an Information Security Administrator and/or the identity of this individual. (Check with your ISO)

12. I have a general understanding of the various types of threats to my data and the types of incidents that can occur. (See “Understand Types of Incidents and the Threat Landscape”.)

13. I know the characteristics of my Data and its classification(s). (See the institutional Data Classification Policy. Check with the ISO)

14. I know where my data is stored. (Check with your Custodians)

15. Answer only if you use vendors: I know what data business partners hold and the locations of their data centers. (Check with your vendors. Check any contracts to ensure this conforms to contractual requirements.)

16. I know where backups of my data are stored. (Check with your Custodians)

17. I understand the life cycle of my data, including its source(s) and the business rules that govern its flow and eventual archival or destruction. (Check with colleagues including business analysts or systems analysts that maintain systems used to manage your data.)

18. I know who (which groups) has access to my data and the conditions under which the data is used. (Check with the Custodian charged with oversight of access controls.)

19. I understand the function of applications used within my business area and know the security features of the applications. (Check with the vendor or the responsible IT group.)

20. I know which controls are in place to protect my data. (Check with your Custodians and your ISO)

Section 2: An Owner's Ten Step Data Protection Plan

This section provides a step-by-step process which, when completed, will put you in good stead in terms of protecting your data and other information resources. If you have not already done so, this would be an excellent time for you to appoint an Information Security Administrator to provide assistance.

The following action plan is written with the assumption that no activities have been performed to date, which is very unlikely. Most University of Texas System institutions already have processes in place for addressing many of these steps, and you have likely been performing some, if not all, of these activities. The purpose is not for you to re-do activities already performed. If you have a mature program, use this guide to help fill in any gaps between current and optimal practices.

Step 1: Read Section 1: Things an Information Owner Must Know

Execution of the steps outlined in this plan presupposes that the reader is familiar with the concepts and roles defined and explained in Section 1 of the guide. If you have not reviewed those materials, it would be beneficial for you to do so before continuing.


Step 2: Appoint an Information Security Administrator (ISA)

The likelihood is that your department or functional area already has an appointed Information Security Administrator, but if this is not the case, you should appoint one. The ISA will work with staff from the Information Security Office. The type of individual you should appoint depends on the nature of the functional area. If you administer a technical function that perhaps hosts and supports its own computers and systems, the ISA is likely to be a technical employee. In less technical areas, the ISA may have little technical background. In all cases, you should appoint someone whom you trust and who can be counted on to report breaches to the Information Security Officer (ISO). This person may serve as liaison for the exchange of information with the Information Security Office and will likely assist with completion of annual risk assessments and other security related duties.

Lessons Learned:

• Information Security Administrators must be properly trained for their function. These individuals perform critical security tasks which, if not performed correctly, can lead to costly information security breaches.

• A department or function unable to provide or obtain appropriate technical training for the ISA should not host departmental information systems and data. Those functions should be moved to the institution's central IT organization or be outsourced to an organization capable of providing professional services in a secure environment.

Step 3: Meet with Your Information Security Officer

Make an appointment for you and your ISA to meet with your institution's Information Security Officer, or a member of the Information Security Office staff, for an initial discussion about your area's information security needs. There are three objectives for this initial meeting.

First, you want the ISO to gain a general understanding of your functional area, including its missions and business functions, and the data for which you are responsible. The ISO will need this understanding to advise you about protective measures appropriate for your area.

Second, use the meeting to inquire about general security services that the institution may provide centrally. You do not want to spend time and money acquiring services already available within the institution.

Finally, this is an opportunity to build relationships with the ISO and Security Office staff. When and if problems arise, it is helpful to know the individuals you will be calling on for assistance. Get to know these individuals so you will be comfortable calling with questions as you progress through the process of securing your data.

Step 4: Inventory your Information Resources and Assets

Within University of Texas System institutions, multiple security incidents have occurred involving exposure of information contained in data files that the Owner did not know existed. In at least one case, exposure of a previously unknown file resulted in thousands of notification letters having to be sent to affected individuals. This costly exposure involved a file that was many years old and of no use to the institution. The file should have been purged years before. In another case, a server that the organization did not know existed was successfully attacked. An inventory of resources is an important building block for establishing a secure environment.

Lessons Learned:

• It is exceedingly difficult to protect assets, and the data they may hold, if the Owner does not know that the devices or data exist.

• In accordance with the institution's records retention schedule, destroy data that is no longer of use to the University.
Within your scope of responsibility, maintain inventories of the following:

• Data: This consists of a list of the data for which you are responsible, the classification of the data, its location, and the Custodian(s) assigned to manage and protect the data. Include backup and test files if they exist; these can pose as much risk to the institution as the production files. If you permit data to be extracted for use on desktops, laptops, or other devices, include these copies in the inventory.

Lessons Learned:

• Do not overlook paper documents. They also pose risk. U. T. System institutions have experienced several significant incidents resulting from loss or theft of paper records.

• Work with your institutional Records Manager to purge unneeded paper records.




• Applications: This is a listing of the computer applications for which your department or function is responsible. Include the version number, vendor, maintenance renewal date, and the Custodian responsible for maintaining the application. Many applications (email, for example) are used by multiple departments. Typically, shared applications are included only on the inventory of the department responsible for payment of the licenses and maintenance.

• Servers: Keep a list of any server computers that are owned by your department or function. Document the purpose of each server, its age and maintenance renewal dates, and the Custodian(s) responsible for maintaining and securing the device.

• Other Computing Devices: This would include desktop and laptop computers assigned to departmental employees and any other networking or computing devices for which your area is responsible.

• Custodians: This consists of a list of the individuals or organizations to which you have assigned responsibilities for managing or securing information assets, or that have these responsibilities because of institutional policy. Include any vendors with which you may have contracted for services. You can use this list to record the dates on which you or your designee met with each Custodian to review security controls.

• Contracts and Service Agreements: This consists of a simple list of contracts, the purpose of each, the parties, start dates, and expiration dates. Review the list periodically to ensure that contracts are renewed as needed well before their expiration dates, so there are no service disruptions that may pose risk to the institution.

All items noted above have an impact on the state of security. You must know what exists in the environment in order to determine appropriate protections. Contracts and service agreements should be reviewed to determine if proper security provisions are included. If an agreement does not contain proper protections, it should be revised to include these protections at the time of renewal or extension. Some, if not all, of the suggested inventories probably exist already because of other state and University requirements, such as the annual inventory of assets and the annual state-required risk assessments for systems that are mission critical or which contain confidential information.


Step 5: Classify your Data

Information Owners are responsible for classifying data under their authority in accordance with institutional data classification standards. Obtain a copy of your institution's Data Classification Policy or standard for guidance. If you are unable to locate a Data Classification Policy, contact your Information Security Officer.

If you determine that no such policy exists, you should, at minimum, identify data that is Confidential, which the state defines as "Information that must be protected from unauthorized disclosure or public release based on state or federal law (e.g. the Texas Public Information Act, and other constitutional, statutory, judicial, and legal agreement requirements)." Classify data as "Confidential" (based on the above definition), "Sensitive" (which would include most other data), or "Public" (which, for this purpose, would be data intended for the public, such as data on the institution's website).

Step 6: Establish Data Access Policies

Carefully consider who (or which groups or roles) is to be authorized to view data, who is to be authorized to add, change, or delete data, and under what conditions. Define who, if anyone, is allowed to copy data for use on other computers and what uses are to be permitted. Establish a policy that codifies these requirements. The policy establishes the ground rules for how data is to be accessed, modified, and used. The policy is needed for training of Users and for working with Custodians to implement access controls.

Note that whether a specific access control policy is needed for your department or function depends on the nature of the function. The institution may have an overarching Access Control Policy that is sufficient to meet the needs of your unit. However, if your department or function creates or stores data unique to the function, there may be a need for a supplemental policy. Also, if you allow data to be downloaded, you should specify who is to be allowed to download, the conditions under which this is allowed, the permitted uses of downloaded data, and the disposition requirements for the downloaded data once its purpose has been served.

Step 7: Specify Controls and Identify/Select Custodians

Having classified your data, and with inventories and access policies in hand, you are ready to meet with the ISO or his/her staff to decide on controls appropriate for your circumstances. Use the information found in "Section 3: Best Practices" as a structured approach for discussing these controls. Determine which controls are provided by the ISO or the central IT organization, which are to be provided by departmental employees, and which, if any, are to be outsourced. Select and meet with each Custodian (individual or organization) to ensure that it is clearly understood which services are being provided and by whom. Make sure that all desired protections have been assigned. The Section 3 checklist can be used to document controls.


Step 8: Establish Information Security as a Value within Your Unit

Many tasks can be delegated, but this one cannot. As administrative leader of your department, research project, or other University unit, you have tremendous sway over the attitudes and behavior of others. Employees will tend to value and take information security seriously to the extent that you are perceived to do so. You are the message!

A department comprised of employees who are security conscious is less likely to experience a security incident than one comprised of employees who pay little heed to security.

Lessons Learned:

• Administrators who value, and demonstrate through word and action, that information security is important help instill these attitudes in their employees.

• Many information security incidents result from employee error and, in some cases, neglect. Such incidents are less likely to occur in departments in which employees value and are mindful of information security.

Following are strategies that you can use to consistently demonstrate the importance of information security to staff in order to build a security-minded culture.

• Establish departmental (or function) access control and data use policies.

• Provide information security training for your employees that focuses on security issues relevant to your area.

• On occasion, include information security as a topic during department meetings.

• Invite staff from the Information Security Office to perform an assessment of physical security in your area, and address the security weaknesses identified.

• Invite the Information Security Officer to speak at a department meeting to discuss information security issues relevant to your institution and area.

• Send news articles concerning information security and breaches to staff.

Step 9: Perform an Annual Risk Assessment

For many years, state regulations have required that a risk assessment of information resources be conducted annually for high risk resources and every two years for all other information resources. More importantly, risk assessment is a required process for determining where to place protections and how to allocate security resources. It is a mistake to under-protect your resources, but it is also costly and ineffective to over-protect.

You have most likely already performed an IT risk assessment. If so, this step is simply a continuation of your current practice. If you have not previously participated in an annual risk assessment, contact your Information Security Officer and inquire about your institution's process to ensure your area is included in future assessments. Use results from your risk assessment as another source for determining which security controls to implement.

If you learn that your institution does not have an established procedure for performing risk assessment, ask when one will be in place. If the time-frame does not meet your needs, contact the U. T. System Office of Information Security Compliance at ciso@utsystem.edu for assistance in performing an independent assessment for your functional area that can be used until the institution establishes a formal process.

Lessons Learned:

• Following a breach, it is common to learn that no risk assessment had been performed on the system or in the department in which the breach occurred. Risk assessments help identify vulnerabilities, and correcting them can help prevent incidents.

• Participation in an annual risk assessment has proven to be an effective method for raising general awareness about information security concerns within a department.

Step 10: Confirm that Controls Remain in Place

It is essential that you periodically confirm that the controls you have specified and delegated to Custodians remain in effect over time. An optimal timeframe for doing this would be twice per year, but at minimum you should complete the following tasks annually.

• Review, or ask your ISA to review, the access rules for your systems and data. Review access lists and confirm that access groups include the correct individuals and that roles are correctly defined with the proper access rights assigned. Confirm that no former employees continue to have access to data. Be sure also to review the lists that identify the individuals who have remote access to information systems and data.

• Meet with each of your Custodians and confirm that your specified controls are still in effect. Ask for documentation that would indicate the state of the control, and keep this documentation on file. Custodians are people also, and they can make errors. Verification is in your best interest, and also in the best interest of the Custodian.


Lesson Learned: Do not assume, simply on reputation, that a Custodian has all essential controls in place. It is important to be vigilant and confirm controls. As an example, the state of Texas contracted with IBM (no small player in the IT world) to the sum of $863 million to consolidate data centers and secure agency data. However, a server failure created a need to restore data, only to reveal that poor backup processes were in place, resulting in temporary loss of Medicare fraud investigation data. Some data was never recovered.


Checklist for Section 2: An Owner's Ten Step Data Protection Plan

Use this checklist to track execution of your Data Protection Plan. Mark the steps and items as they are completed.

[ ] Step 1: I have read "Section 1: Things an Information Owner Must Know."

[ ] Step 2: An Information Security Administrator (ISA) has been appointed for my area.

[ ] Step 3: I have met with the Information Security Officer.

[ ] Step 4: All inventories have been completed.
    [ ] Data Inventory exists.
    [ ] Application Inventory exists.
    [ ] Server Inventory exists.
    [ ] Inventory of other Computing Devices exists.
    [ ] List of Custodians exists.
    [ ] Inventory of Contracts and Service Agreements exists.

[ ] Step 5: Data under my Ownership has been classified.

[ ] Step 6: Data Access Policy exists.

[ ] Step 7: I have specified controls and identified/selected Custodians to implement the controls.

[ ] Step 8: I am working to establish Information Security as a Value within my functional area.
    [ ] I provided (or arranged for) information security training regarding department issues.
    [ ] I included information security as a topic in department meetings.
    [ ] I had Information Security Office staff perform an assessment of physical security.
    [ ] The Information Security Officer has spoken at a department meeting about security issues relevant to the department and institution.
    [ ] I have sent news articles concerning information security and breaches to staff.

[ ] Step 9: I performed a risk assessment within the past year.

[ ] Step 10: Confirm that Controls Remain in Place.
    [ ] I have conducted an initial review of access control lists to ensure only appropriate people are authorized for access.
    [ ] I have reviewed and confirmed with all Custodians that intended controls are in place and functional.

Section 3: Best Practices

Lesson Learned: To protect information resources, Owners should adopt best practices.

Be careful not to merely mimic common practices. The information technology landscape changes quickly; yesterday's best solution is likely not today's. For example, anti-virus software, once a universally accepted "best practice," has lost much of its effectiveness given today's zero-day malware threats. Confer with your Information Security Officer and others who have special knowledge about information security when determining the controls you will use.

Specifying protective controls is an important Owner responsibility. Review with your Custodians the controls that are currently in place, your needs, and any changes that you believe may be warranted. Custodians can provide insight and advice, but you remain responsible for the business function that will suffer in the event of an incident or breach involving your data. Therefore, it is important that you understand the existing controls and their function, and determine if controls need to be removed, changed, or added. In this section, you are presented with controls that have proven to be effective. They are best practices. The purpose of each control is given, along with other relevant comments about its potential for use within University of Texas System institutions.

As you review the recommended practices, keep in mind that this is by no means an exhaustive list of best practices. This list is based on observations and situations that have occurred, or are known to exist, within the U. T. System that indicate a need for adoption of improved practices in some areas. Many of these practices will likely already be in place at your institution. However, if gaps are identified, discuss these with your Information Security Officer and any other Custodians from whom you receive services to determine if there is need for changes to current practices.

Keep in mind that decisions about which controls to deploy should be based on an assessment of risk. Protect your systems and data according to the risk that their exposure, loss, destruction, or misuse poses to your operations and to the University. Also, understand that there may be alternative methods for addressing risks. The mere fact that a control listed in this guide is not being used does not in itself indicate a security weakness. The control may not be needed because the risk is very low, or alternative protections may be in place. The point is that you, as an Information Owner, must understand how your resources are being protected and determine if the protections are adequate.
Control Types

Within the information security profession, controls are typically categorized as "Management Controls" (also referred to as Administrative Controls), "Physical Controls," and "Technical Controls." As an Owner, you will want to ensure that all three types of controls are used to secure your environment and information resources.

Management Controls: These include the policies, procedures, personnel practices, and training that the institution and you establish to protect program resources. These define the rules and processes for securing program resources. Management controls define who may access and use data, under what conditions, and what training is required.

Physical Controls: Included here are devices such as locks, cameras, etc., used to preserve the physical security of computers and other computing devices and the data stored on those devices. Physical security is not complex to understand, but diligence is required in order for it to be effective.

Technical Controls: These are the software and hardware devices used to protect data and monitor the environment. Anti-virus software, network firewalls, and intrusion detection/prevention systems are examples of technical controls.

Lesson Learned: It is not uncommon for an organization to focus too much on a single type of control, often the technical controls, at the expense of the others. An effective security program requires a holistic approach. A Technical Control such as the role-based security capabilities built into an application provides little value if the policy structure is not in place to identify who should be assigned the various roles and the access levels to be associated with each role. The Management Control is required to provide direction on use of the Technical Control. Also, no computer firewall is capable of preventing an individual from walking in and stealing an unsecured computer off of someone's desk. Physical Controls are very important.

Best Practices Matrix and Checklist

On the following page is a matrix of best practices identified as having been relevant to incidents that have occurred within the University of Texas System and with which Information Owners should be concerned. Discuss the identified controls with your Custodians. In consultation with Custodians, use the matrix initially to determine the controls to be used for protecting your function's information resources and data. Document controls that are already in place and identify those to be added. Add lines as necessary to document controls that are not pre-populated.

Each row of the matrix records: whether the control is in place, the control, the assigned Custodian, the category, the control type, comments, documentation of the Custodian discussion, and the date the control was last confirmed to be in place.

EXAMPLES:

In place? [ ]
Control: Place servers in secured, professionally run data centers.
Assigned Custodian: Central IT Group
Category: Server Administration
Control Type: Physical Control
Comments: Servers need to be protected from theft, vandalism, or breach.
Documentation: We decided to move all our servers to the Central IT server room.
Date last confirmed in place: 2/5/2010

In place? [ ]
Control: Conduct Annual 3rd Party Penetration Test
Assigned Custodian: Information Security Office arranges for an outside vendor to perform the assessment.
Category: Network & Server Security
Control Type: Technical Control
Comments: This provides an unbiased outside assessment to double check the work of the institution and to provide added credibility to the effectiveness of security controls.
Documentation: All findings were addressed.
Date last confirmed in place: 6/24/2010

In place? [ ]
Control: Create and Adopt Access Control Policy for Departmental Data
Assigned Custodian: Information Owner and Department Staff
Category: Access Control
Control Type: Management Control
Comments: Projected completion: 12/31/10
Documentation: The policy will identify and define roles, and determine which access and modification rights are assigned to these roles.
Date last confirmed in place:



Best Practices Matrix and Checklist

Columns: In place? | # | Control | Assigned Custodian | Category | Control Type | Comments | Documentation of Custodian Discussion | Date last confirmed in place

1. Place servers in secured, professionally run data centers.
   In place? [ ]
   Assigned Custodian:
   Category: Server Administration
   Control Type: Physical Control
   Comments: Servers must be protected from theft and vandalism. They require redundant power feeds and environmental controls for reliability. Ask your Custodian: Where are my servers and data located? What physical security controls are in place to protect them?
   Documentation:
   Date last confirmed in place:

2. Change default passwords on servers following initial installation, and change them periodically afterwards.
   In place? [ ]
   Assigned Custodian:
   Category: Server Administration
   Control Type: Management and Technical Control
   Comments: Default passwords are published in vendor documentation and are widely known, so they are among the first things an attacker will try. Ask your Custodian: Have the default passwords been changed on the servers hosting my applications and data? On what date were the passwords last changed?
   Documentation:
   Date last confirmed in place:


3. Server Configuration Management Software
   In place? [ ]
   Assigned Custodian:
   Category: Server Administration
   Control Type: Technical Control
   Comments: Servers must be properly configured and patched to be secure. This software allows the Security Office to confirm the security state of servers. Ask your Custodian: How are server configurations and patches managed? How do you verify that servers are configured properly? How do you verify that configurations remain as desired over time? Does the Security Office have visibility into server configuration? If not, how do they confirm configuration and patch status?
   Documentation:
   Date last confirmed in place:

4. Log Monitoring
   In place? [ ]
   Assigned Custodian:
   Category: Server Administration
   Control Type: Management Control
   Comments: Logs identify successful and failed access attempts and can be used to determine if unauthorized access has occurred. Ask your Custodian to describe the process for monitoring server logs. Ask whether the logs being kept are capable of identifying actual access to data, in addition to logon attempts; a log that records only logons cannot tell you which records were read or exported after a logon.
   Documentation:
   Date last confirmed in place:
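What "monitoring server logs" looks like in practice, as an added example (not code from the guide or from any U. T. System institution). The sample log is constructed: the sshd lines follow the standard OpenSSH syslog format, and the "records-app" lines are an assumed application audit log that records actual data access, which is the guide's point that logon records alone are not enough. The review flags three things: a source address with many failed logons (password guessing), a successful logon from a source that had just failed repeatedly, and data access that is either outside business hours or unusually large. The thresholds, the assumed year (syslog timestamps carry none) and the application log format are all assumptions to be adapted to the environment.

```python
"""Log review for a server holding departmental data (control 4).

Added example, not part of the guide. Sample log lines are constructed;
the "records-app" audit format and the thresholds are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_YEAR = 2010  # syslog timestamps carry no year; assumed for the sample

# Standard OpenSSH syslog lines: "Accepted/Failed <method> for [invalid user] <user> from <ip> ..."
AUTH_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) \w+ for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>[\d.]+)"
)
# Assumed application audit line recording actual access to data.
DATA_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ records-app: "
    r"user=(?P<user>\S+) action=(?P<action>\S+) table=(?P<table>\S+) rows=(?P<rows>\d+)"
)

# Constructed sample: a guessing run, then a successful logon and a bulk export at 02:15.
SAMPLE_LOG = """\
Jul  1 02:14:05 srv1 sshd[2201]: Failed password for invalid user admin from 203.0.113.9 port 51022 ssh2
Jul  1 02:14:07 srv1 sshd[2201]: Failed password for invalid user admin from 203.0.113.9 port 51023 ssh2
Jul  1 02:14:09 srv1 sshd[2203]: Failed password for root from 203.0.113.9 port 51024 ssh2
Jul  1 02:14:12 srv1 sshd[2204]: Failed password for jdoe from 203.0.113.9 port 51025 ssh2
Jul  1 02:14:15 srv1 sshd[2205]: Failed password for jdoe from 203.0.113.9 port 51026 ssh2
Jul  1 02:14:18 srv1 sshd[2206]: Failed password for jdoe from 203.0.113.9 port 51027 ssh2
Jul  1 02:14:40 srv1 sshd[2210]: Accepted password for jdoe from 203.0.113.9 port 51090 ssh2
Jul  1 02:15:00 srv1 records-app: user=jdoe action=export table=student_records rows=12000
Jul  1 08:55:30 srv1 sshd[2290]: Failed password for bwong from 192.0.2.15 port 4399 ssh2
Jul  1 09:00:01 srv1 sshd[2300]: Accepted publickey for bwong from 192.0.2.15 port 4400 ssh2
Jul  1 09:05:12 srv1 records-app: user=bwong action=read table=student_records rows=3
"""


def parse_ts(text):
    return datetime.strptime("%d %s" % (LOG_YEAR, text), "%Y %b %d %H:%M:%S")


def analyze_log(text, fail_threshold=5, window=timedelta(minutes=10),
                business_hours=(7, 19), bulk_rows=1000):
    """Return the findings a reviewer should follow up on."""
    failures = defaultdict(list)  # source address -> timestamps of failed logons
    report = {"brute_force": {}, "success_after_failures": [], "suspicious_data_access": []}
    for line in text.splitlines():
        m = AUTH_RE.match(line)
        if m:
            ts, src, user = parse_ts(m["ts"]), m["src"], m["user"]
            if m["result"] == "Failed":
                failures[src].append(ts)
                continue
            # A success right after a burst of failures from the same source is the
            # signature of a guessed password, not a normal logon.
            recent = [t for t in failures[src] if ts - t <= window]
            if len(recent) >= fail_threshold:
                report["success_after_failures"].append((user, src))
            continue
        m = DATA_RE.match(line)
        if m:
            ts, rows = parse_ts(m["ts"]), int(m["rows"])
            after_hours = not (business_hours[0] <= ts.hour < business_hours[1])
            if after_hours or rows >= bulk_rows:
                report["suspicious_data_access"].append((m["user"], m["action"], m["table"], rows))
    report["brute_force"] = {src: len(ts) for src, ts in failures.items()
                             if len(ts) >= fail_threshold}
    return report


if __name__ == "__main__":
    for key, value in analyze_log(SAMPLE_LOG).items():
        print(key, value)
```

On the sample, 203.0.113.9 is reported for six failed logons, jdoe's logon from that address is reported as a success following failures, and the 12,000-row export at 02:15 is reported as after-hours bulk access; bwong's single mistyped password followed by a key-based logon at 09:00 is not reported. Without the application audit line, the review could only say that jdoe's account logged on, not that student records left the server.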




5. Server Administrator Qualifications and Training
   In place? [ ]
   Assigned Custodian:
   Category: Server Administration
   Control Type: Management Control
   Comments: Unqualified administrators can fail to perform needed tasks and are more likely to inadvertently mis-configure devices, leaving them vulnerable to attack. Ask your Custodian: What qualifications and certifications do you require of server administrators? What training do you provide for them? What "security" training do they receive?
   Documentation:
   Date last confirmed in place:


6. Use formal Memorandums of Understanding (MOU) or Service Level Agreements (SLA) to clearly define who is responsible for performing server (and other) related security tasks.
   In place? [ ]
   Assigned Custodian:
   Category: Server Administration
   Control Type: Management Control
   Comments: An MOU or SLA documents who is responsible for performing each task, to ensure that all security tasks are assigned and known to the responsible party. Insist on execution of an SLA or MOU that clearly assigns security tasks.
   Documentation:
   Date last confirmed in place:

7. Require Two-Factor Authentication for Administrator Access to Servers
   In place? [ ]
   Assigned Custodian:
   Category: Access & Server Administration
   Control Type: Management and Technical Control
   Comments: Two-factor authentication requires use of an ID and password plus a token or biometric (e.g. a fingerprint) to gain access to the server. It is an effective means of preventing access by unauthorized parties, because a password that has been guessed or stolen is not sufficient on its own. Ask: Do server administrators use two-factor authentication?
   Documentation:
   Date last confirmed in place:

8. Perform background checks on all employees (including work-study students) and Custodians who will have access to student records or other Confidential information.
   In place? [ ]
   Assigned Custodian:
   Category: Access
   Control Type: Management Control
   Comments: Custodians and employees who have access to sensitive information are in positions of special trust. Ask your Custodian: Do you conduct background checks on all employees? If not, what determines who does and does not receive a background check?
   Documentation:
   Date last confirmed in place:

9. Implement "Need to Know" Access Control Policies that Define Roles and Privileges.
   In place? [ ]
   Assigned Custodian:
   Category: Access
   Control Type: Management Control
   Comments: To protect the security of data and the privacy of individuals, data should be available only to those who need to use it to perform their job duties. For data that is Confidential or Sensitive, does policy appropriately restrict access to those with a business need to know?
   Documentation:
   Date last confirmed in place:


10

Issue and require use of separate credentials
and email account
s for student workers.
Require

all official business

-

and only official
business
-

be conducted using the employee
role credential.


Category:

Access

Control Type:

Management
Control

Comments:

To avoid FERPA and possibly other
regulatory violation, o
fficial business should not be
intermixed
with

a student
-
worker’s
personal email.
Documentation:




11

Configuration Management for desktop and
laptop computers.


Category:

End
-
point Security

Control Type:

Technical Control

Comments:

Desktop and laptop computers must be
configured properly and patched regularly to maintain a
secure state. Configuration management allows the
verification to be automated

and gives the ISO visibility
into the security state of devices across the enterprise.
Ask the ISO: Do you have visibility into the
configurations of the devices for which I am
responsible?

How do you verify that desktop and laptop
computers are config
ured
correctly?


Documentation:




12. Use Whole Disk Encryption on laptop computers and desktop computers that process confidential information.
Category: End-point Security
Control Type: Technical Control
Comments: As computers have become smaller they have become easier to steal. If a stolen computer storing confidential information is encrypted with verifiable whole disk encryption, the data is secure from access and a serious data exposure has likely been avoided. Ask: Are computers that hold confidential information encrypted using centrally managed whole disk encryption software?
Documentation:





13. Confidential Data Removal
Category: End-point Security
Control Type: Technical Control
Comments: Computers often contain confidential information that the User is unaware exists. Often this information is no longer of business use, but it continues to pose risk of exposure. Exposures of such data have occurred in U. T. System institutions. Note: U. T. Austin makes available the SENF data discovery tool at no cost. Ask the ISO if your institution has a tool and process for discovery and removal of unneeded confidential information.
Documentation:
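To make the discovery step in row 13 concrete, here is a small scanner added as an illustration; it is not the SENF tool or any code from the guide. It looks for two kinds of confidential data that typically linger in old exports and logs (Social Security numbers and Luhn-valid payment card numbers), runs over constructed sample files, and reports only masked values so the report does not itself become a new copy of the data.

```python
import re
from dataclasses import dataclass

# SSN: area 000/666/9xx, group 00 and serial 0000 are never issued, so they are excluded.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# Card: 13 to 16 digits, optionally separated by spaces or hyphens; Luhn filters the noise.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")


@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    kind: str
    masked: str  # report carries only the last four digits, never the raw value


def luhn_ok(digits: str) -> bool:
    """True if the digit string passes the Luhn checksum used by payment cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right, fold >9 back into one digit
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(value: str) -> str:
    digits = re.sub(r"\D", "", value)
    return "*" * (len(digits) - 4) + digits[-4:]


def scan_text(path: str, text: str) -> list[Finding]:
    """Scan one file's contents line by line and return masked findings."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in SSN_RE.finditer(line):
            findings.append(Finding(path, lineno, "ssn", mask(m.group())))
        for m in CARD_RE.finditer(line):
            if luhn_ok(re.sub(r"\D", "", m.group())):  # drops ids that merely look like cards
                findings.append(Finding(path, lineno, "card", mask(m.group())))
    return findings


def scan_files(files: dict[str, str]) -> list[Finding]:
    """Scan a mapping of path -> contents (a real run would read these from disk)."""
    return [f for path, text in files.items() for f in scan_text(path, text)]


# Constructed sample files: a forgotten spreadsheet export, an application log, and notes.
SAMPLE_FILES = {
    "old_export.csv": "name,ssn\nA. Student,123-45-6789\nB. Student,987-65-4320\n",
    "app.log": "payment 4111 1111 1111 1111 approved\nrequest id 1234567812345678\n",
    "notes.txt": "phone 512-555-0100, nothing confidential here\n",
}

if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f.path}:{f.line} {f.kind} {f.masked}")
```

The second SSN and the 16-digit request id are rejected on purpose: one has an unissued area number, the other fails Luhn, which is the kind of false positive a discovery tool must filter before asking a User to delete a file.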




14. Use Application Whitelisting to protect servers, desktop, and laptop computers that hold or process Confidential information.
Category: End-point Security
Control Type: Technical Control
Comments: With the emergence of today’s sophisticated zero-day attacks and stealth malware, anti-virus software has lost some effectiveness. It should be supplemented with whitelisting in areas in which confidential data is processed, to prevent malware that may find its way onto the computer from executing. Ask your Custodian: How effective is the anti-virus software being used on servers and desktops? What additional measures are in place to prevent execution of malware?
Documentation:




15. Secure computers with cable locks or other physical devices (locked doors etc.) to prevent theft.
Category: End-point Security
Control Type: Physical Control
Comments: Many incidents are the result of simple theft. Simple physical measures can be effective in preventing crimes of opportunity that may result in considerable cost to the institution.
Documentation:





16. 3rd Party Penetration Testing
Category: Network Security
Control Type: Technical Control
Comments: Hire a qualified 3rd party to periodically attempt to access servers from the Internet. This can be used as a means of double checking vulnerability testing performed by the institution. A 3rd party confirmation of controls adds credibility to the institution’s assertion of being secure. Ask the ISO the date of the last 3rd party penetration or vulnerability test. Ask if all identified vulnerabilities that might affect your servers were addressed.
Documentation:




17. Communicate in writing with your Custodian regarding the data files, databases, etc. that are to be backed up and the schedule for those backups.
Category: Data Backup
Control Type: Management Control
Comments: Failure to have a backup of data when needed is a relatively common error. Ask your Custodian: Which of my data is being backed up? How often are these backups performed? How long are backups kept? Where are they located? How can this be verified?
Documentation:




18. Encrypt backups that will be transported to another site.
Category: Data Backup
Control Type: Technical Control
Comments: Lost backup media that contains confidential information presents a considerable risk because, in terms of regulatory response, the media must be treated as if it has been stolen. Ask: Are backup tapes (or other media) encrypted?
Documentation:





19. Application Scanning
Category: Application Security
Control Type: Technical Control
Comments: Many breaches are the result of applications not having been written with appropriate secure coding techniques. Ask: Have my applications been scanned to identify security weaknesses? Do you have a policy relating to when applications are to be scanned?
Documentation:




20. Contract Review for Security Provisions
Category: Purchasing and Contracting
Control Type: Management Control
Comments: Older contracts most likely do not contain adequate language to ensure protection of University data. Review these at renewal. Ensure that all renewed and new contracts contain appropriate language.
Documentation:




21. Vendor Product/Service Risk Assessment
Category: Purchasing and Contracting
Control Type: Management Control
Comments: When contracting with a vendor for products or services that process University data, perform a risk assessment to determine if the product has appropriate security controls. If data is being hosted offsite, assess the security practices of the vendor to determine if appropriate protections are in place.
Documentation:





22. Intrusion Prevention/Detection
Category: Network Security
Control Type: Technical Control
Comments: Processes need to be in place to monitor network traffic and device behavior to determine if an intrusion is being attempted or has been successful, so that mitigation can be performed quickly. Ask: Are my systems protected by IPS or IDS? How are alerts identified and addressed? Who receives the alerts and within what timeframe?
Documentation:




23. USE THE FOLLOWING ROWS TO ADD CONTROLS THAT ARE CURRENTLY IN PLACE OR THAT YOU AND YOUR CUSTODIANS DETERMINE SHOULD BE PUT INTO PLACE. ADD ROWS AS NEEDED.
Category:
Control Type:
Comments:
Documentation:




24.
Category:
Control Type:
Comments:
Documentation:

25.
Category:
Control Type:
Comments:
Documentation:

26.
Category:
Control Type:
Comments:
Documentation:

27.
Category:
Control Type:
Comments:
Documentation: