Slide1: Securing Sensitive Information Across Campus
Gale Fritsche, Tim Foley
Lehigh University Library and Technology Services
ACM SIGUCCS Computer Services Management Symposium
April 9, 2006
Slide2: Lehigh Overview
Founded in 1865. Private research university located 90 miles west of NYC
Ranks 32nd out of 248 national universities in US News and World Report’s annual survey
Approx. 4700 undergraduates, 1200 graduate students, 450 faculty and 1200 staff
Approx. 90% Windows PCs, 5% Mac and 5% other (Linux etc.)
Library & Technology Services Organizational Structure
Presentation Agenda:
The Problem
Lehigh’s Committee Structure
Process & Recommendation
Issues and Concerns
Other Data Security Initiatives
Why do you need secure information?:
Stolen Cal Berkeley laptop exposes personal data of nearly 100,000 (AP, March 29, 2005)
A laptop with personal information of students and applicants was stolen from the Cleveland State University admissions office (WKYC-TV, June 3, 05)
Two laptops were stolen from UW Medical Center office with the personal data of about 1,600 patients (Seattle Post-Intelligencer, Jan 24, 2006)
6000 affected at the University of Northern Iowa when a laptop computer holding W-2 forms of student employees and faculty was illegally accessed (AP, Feb 18, 2006)
Slide6: 23 states with security breach laws
Reported breaches - 53,533,214 people affected since 2/15/05, see: http://www.privacyrights.org/ar/ChronDataBreaches.htm
Consumers Union report as of 11/30/05
Slide7: Committee Structure
Identity Mgmt Sub Committee
Firewall Sub Committee
Account Opening Sub Committee
Data Encryption Sub Committee
Data Standards Committee
E-Security Committee
Data Advisory Council
Advisory Council for Information Services
Slide8: Data Encryption Sub Committee
Members:
Systems Analysts
Security and Policy Officer
Computing Consultants
Database Manager
Enterprise Information Consultant
Client Services Team Leaders
Committee Charge: Examine current encryption technologies to address the best way to encrypt PCs, Macs, PDAs and other portable devices, and LTS backups to comply with the Lehigh University security plan
Slide9: Subgroups Formed
Basic file access to LTS shares
Removable media
PDAs (Palms and Pocket PCs)
Desktop PC encryption (Windows and Macs)
Backups (Windows and Enterprise)
Encryption of Unix and Oracle
Encryption of network traffic
Microsoft SQL Server security
Encryption keys
End user training
Slide10: Process & Recommendations
Off campus visits
Web research
Software testing
EFS encryption, TrueCrypt, WinMagic
Encryption webpage development
Data security seminars
Various meetings with clients
Data security blog for staff
Identified University apps needing compliance with FERPA and HIPAA
Slide11: Final Recommendations
Whole disk encryption for PCs
Encrypted disk images for Macintosh
Folder encryption using Windows EFS encryption
TrueCrypt for Pocket PCs and removable media
Good.com software for Treos (Investigating)
Password protect Palm devices or Pocket PCs
Backup encryption (EFS Encryption and MS Backup)
Restricting local logins (XP local security policies) for users with Banner reporting roles
Enterprise backups are secure in machine room and transit. Still examining options for enterprise backup
Terminal Server for FERPA and HIPAA applications (Police Database, Counseling Services)
Slide12: Issues and Concerns
Cost of software
Recovering data on drives using whole disk encryption
Management of encryption keys
Privileges to download Banner/access reports to PCs
Other places sensitive data reside on a hard drive
The recycle bin, temporary internet files
Laptop sleep mode (writes desktop to temporary files)
Management of shared encrypted resources
Slide13: Other Data Security Initiatives
Campus firewall
Secure wireless implementation
Procedures for wiping computer hard drives prior to disposal
Campus Police registration database
Windows Vista testing (BitLocker encryption)
Discussion Questions
Do you have file encryption requirements at your College or University? If so, what do you encrypt?:
Desktop PCs
PDAs
Backups
All of the Above
Have you implemented an Identity Management System? If so, what vendor did you use?:
IBM
Computer Associates
Microsoft
Novell
SUN
Other
How many of you have implemented a firewall for your campus network?:
Yes
No
How many of you have experienced a recent security breach (Stolen Laptop, Hacker)?:
Yes
No
What type of information do you feel needs to be the most secure?:
Employee SSNs
Student Medical Info
Alumni Donor Info
Athlete Recruiting Info