Educause Security Discussion mailing list archives

Re:


From: "Peters, Kevin" <Kevin.Peters () OLC STATE OH US>
Date: Mon, 17 Dec 2007 15:06:13 -0500

The State of Ohio has established a State-wide program for data
protection, with direction coming from the Governor's office.  The
sub-committee working on this project selected Safeboot as the
application of choice for data storage devices of the mobile computing
variety.  (Tape backup encryption varies depending on the hardware being
used.)  Yes, there are other applications of equal capability; this is
just the one the sub-committee selected.  Within the sub-committee
conversations the first question asked was under what circumstances a
data storage device should be encrypted.  Second, why does the
individual have the data?  Reviewing resources such as NIST publications
800-53 and 800-53A and ISO 27000-series guidelines the State
sub-committee came to this conclusion:


- If the data at rest on a storage device is considered to be sensitive
(private) then the device will be encrypted.

- If the data is considered important (confidential) at the time, such
as an RFP document, then at a minimum the device should be password
protected, with encryption as a higher level option.

- If the data doesn't fall into either of those other two then neither
encryption nor a password is required.


At what level to encrypt - entire hard-drive or just the folder is up to
the agency, however the State is indicating that full encryption is
suggested.  Safeboot allows for both levels of encryption, locking down
USB ports, and various other security features.  If the person is not
sure, then err on the safe side and encrypt.  What also needs to be
kept in mind by the user communities are the various laws and possible
outcomes of not protecting data that is considered sensitive.  At the
individual level, the person who loses the device could be subject to
various litigation and penalties.  At the institutional level
litigation, penalties, and mitigation are at stake.


As an example, in June, a backup tape was stolen from the State of Ohio
containing all of the SSNs for all State employees - over 64,000.  At
the individual level several people were "thrown under the bus" and
terminated for the incident.  At the institutional level it is estimated
that the State has over two million dollars invested in mitigation and
still counting.  The State is looking at years of mitigation associated
with this incident.  I know Ohio University had an incident back in 2006
that has had a significant "cost" to that institution.  (In addition to
the statutes mentioned, GLB I believe allows for civil recourse in
addition to criminal recourse.)


At the Ohio State Lottery we also intend to perform mandatory user
awareness training and random audits for compliance, however bottom-line
the individual users must understand the significance and importance of
having sensitive or private data on storage devices, and protecting that
data.  Otherwise that person should not be allowed to have the data.  


Kevin Peters
IT Manager
The Ohio State Lottery


________________________________

From: Allan Williams [mailto:allan.williams () ANU EDU AU] 
Sent: Monday, December 17, 2007 12:46 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY]


G'day,

I've learnt that you can't use the "M" word with some
academics - no matter how just your cause they will pull out some
extreme example.  In some sense you are playing the same game by stating
that this technology is needed to protect the data from disastrous
consequences.


A few suggestions:

1) Acknowledge that policy is attempting to mitigate the risk and state
that you would be happy to consider alternative solutions if they can be
shown to be effective - probably worth listing out the type of risks
you're trying to prevent and invite them in for a one on one to discuss.


2) Go over his head - depends where they sit in the food chain


3) Don't make it an IT policy - push it out to your research office/
grants/ ethics body and make it a condition of researching in this area
or have it tied to funding this type of research.


4) Ignore it, it's been approved and you can't please all of the
people all of the time. Hopefully you managed to get an audit clause in
and in 6 months time he could come in for a "random" audit :)


Regards,

Allan

On 18/12/2007, at 4:15 AM, Mclaughlin, Kevin (mclaugkl) wrote:

Hi All:


I am having a bit of a tussle with a faculty member who is on one of the
committees that already approved UC having a Full Disk Encryption
Policy.  I won't overload you with the verbose emails that have gone
back and forth but it seems that his concern is summed up in that he
doesn't want a policy for this as that makes it mandatory and he is
making some grandiose blanket statements about the impact to faculty if
we have a Full Disk Encryption policy in place (see below).  The policy
basically says:  all PCs that store restricted data (FERPA, HIPAA, GLB,
PCI) will be encrypted with PGP's full disk encryption software at no
cost to the individual or department. This software will be supported,
as needed, by Central IT.   

Hi Kevin

Encouraging FDE (full disk encryption) is fine.  Mandating it - is not.


Regarding your comment that "My profession is all about Risk mgt and
mitigation".
That is the trouble with the policy.  Faculty teach, do research, etc.
The policy needs to strike a balance. In years past, we had similar
discussions about libraries.  To protect the books, libraries should
simply close their doors. A balance needs to be found.

The goal of the policy should be to assist professors to follow the law
while they do their job. 

Here's my question:  I have talked about how transparent the tool is, my
team and I have used it for about 6 months now;  I have talked about how
as an adjunct I found it easy to use, and I have talked about how this
IS a tool that allows faculty to do their job and to safeguard
information at the same time.   I have also offered to let him try the
tool and he has not taken me up on that.  The net result I have had is
nil.


Have any of you had success with a technique to overcome this type of
obstacle?   I have no doubt that the policy will be approved and moved
forward but I would also like to get this very vocal faculty member's
support if possible.


Thanks,


Kevin L. McLaughlin
CISM, CISSP, PMP, ITIL Master Certified
Director, Information Security
University of Cincinnati
513-556-9177 (w)
513-703-3211 (m)
513-558-ISEC (department)


==================================

Allan Williams
Head Systems & Desktop Services
Division of Information
R.G. Menzies Building
Building 2
The Australian National University
Canberra ACT 0200

T: +61 2 6125 8404
M: 0400 480 144
www.anu.edu.au

CRICOS Provider #00120C

==================================
