Data protection in practice
“With data classification everyone is able to distinguish critical information from public information. Classification helps to optimize IT-system costs, controls the handling and is a guide to good practice.”
• Data classifications in Aalto
• Handling of internal and confidential material
• On premises
• “Cloud”
• Sharing information
• When traveling
Tomi Järvinen – IT-Security specialist, https://twitter.com/tomppaj
Risk is not a question, it is a fact
Based on (US only) http://www.privacyrights.org/data-breach
Organization types: EDU; years: 2010, 2012, 2013, 2014, 2015: 7,279,775 records in our database from 244 breaches made public fitting this criteria
http://www.idtheftcenter.org/ITRC-Surveys-Studies/2015databreaches.html
http://datalossdb.org/index/largest
• July 2, 2015: Harvard University. More information: http://fortune.com/2015/07/02/harvard-data-breach/
• May 15, 2015: Penn State College of Engineering. More information: http://arstechnica.com/security/2015/05/penn-state-severs-engineering...
• April 10, 2015: University of California, Riverside Graduate Division offices. More information: http://oag.ca.gov/ecrime/databreach/reports/sb24-49300
• February 18, 2015: University of Maine. http://umaine.edu/news/blog/2015/02/18/umaine-working-with-information-s...
• December 12, 2014: University of California Berkeley. More information: http://oag.ca.gov/ecrime/databreach/reports/sb24-47717
• October 1, 2014: Fort Hays State University. More information: http://ksn.com/2014/10/01/fort-hays-state-university-experiences-data-br...
• September 5, 2014: California State University, East Bay. More information: http://oag.ca.gov/ecrime/databreach/reports/sb24-46513
• August 7, 2014: University California Santa Barbara
• July 11, 2014: University of Illinois, Chicago (Chicago, Illinois; EDU, HACK)
Information classification guideline
• Sets out the basis for classification in those situations where it may be necessary to apply security classification in order to protect interests.
• Includes labels and markings for the transfer or archiving of documents
• Defines the principles of IT-infrastructure design and detailed requirement specifications for IT procurement
“Classification at too low a level may compromise the university's information security and activity.”
“The over-classification of information leads to unnecessary expenses and laborious handling processes.”
In practice
In everyday work, the material is the owner's responsibility: the owner is responsible for the correct handling (as law, university policies and agreements require).
When materials are used in daily work for carrying out university activities, they are not classified. However, everyone must always distinguish classified information!
Labelling decision flow (the slide's boxes, reconstructed here as a list):
• Is it a “university document” (legal definition)?
  – No: “non documents” (work files, drafts): notes, drafts, internal guides, notes from team meetings, internal work documents, internal training material, internal communication and internal messages. These get internal information security labelling; law or contract tends to require the protection of the information (NDA – business secrets, privacy data, detailed security information).
  – Yes: does section 5 of the Act on Openness apply to my university document? Secrecy obligations (in most cases section 24): psychological testing or aptitude testing, a person's state of health, business secrets, unpublished research work, security arrangements, documents referring to civil protection and preparedness for accidents or emergencies (full list in the guideline documentation). If so: labels, secrecy obligations (for example: Act of Openness, section 24, paragraph 4).
• Confidentiality label, university documents: the “content” of the document is confidential, internal or secret, not “public”. Note that public and “meant to be published” are not the same.
• Material is stored in an archive or case management system or forwarded, and/or the content includes confidential information, and/or the content includes especially confidential information due to regulation, contractual conditions or for other reasons:
  IF Public | Internal | Confidential | Secret THEN label, and only then!
• Act of Openness: the university's activities are public (by default) and there must be a particular reason for the non-disclosure of information.
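The labelling decision above, encoded as a small decision function so the branches can be checked against concrete cases. This is an added example, not from the slides or from Aalto's guideline; the exact arrows between the slide's boxes are not recoverable, so the order of checks, the Material fields and the constructed cases are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

LEVELS = ("Public", "Internal", "Confidential", "Secret")

# Section 24 secrecy grounds named on the slide (the full list is in the guideline).
SECRECY_GROUNDS = {
    "psychological or aptitude testing", "state of health", "business secret",
    "unpublished research", "security arrangements",
    "civil protection / emergency preparedness",
}


@dataclass
class Material:
    university_document: bool        # meets the legal definition of a "university document"
    secrecy_ground: Optional[str]    # section 24 ground that applies, or None
    content_level: str               # Public / Internal / Confidential / Secret
    stored_or_forwarded: bool        # archived, in case management, or forwarded


def decide_label(m: Material) -> str:
    """Return the label action for one piece of material (assumed reading of the flow)."""
    if m.content_level not in LEVELS:
        raise ValueError(f"unknown level {m.content_level!r}")
    if m.secrecy_ground is not None and m.secrecy_ground not in SECRECY_GROUNDS:
        raise ValueError(f"unknown secrecy ground {m.secrecy_ground!r}")
    # "Non documents" (drafts, notes, work files): internal labelling only.
    if not m.university_document:
        return "internal information security labelling"
    # University document under a statutory secrecy obligation: secrecy label.
    if m.secrecy_ground is not None:
        return "secrecy label (Act on Openness, section 24)"
    # Public content: university activity is public by default, nothing to label.
    if m.content_level == "Public":
        return "no label (public)"
    # Confidentiality label when the material is archived/forwarded and/or the
    # content is confidential or secret, and only then.
    if m.stored_or_forwarded or m.content_level in ("Confidential", "Secret"):
        return f"confidentiality label: {m.content_level}"
    return "not classified in everyday work (distinguish classified information)"


if __name__ == "__main__":
    # Constructed cases, one per branch.
    for case in (Material(False, None, "Internal", False),
                 Material(True, "state of health", "Confidential", True),
                 Material(True, None, "Internal", False),
                 Material(True, None, "Secret", False)):
        print(case, "->", decide_label(case))
```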
Information security classification – just one view: “C I A”
• Confidentiality (“data classification”): Public | Internal | Confidential, ST IV, ST III
• Integrity (impact of incorrect information): Standard/low “optional” | Medium “recommended” | High “required”
• Availability (how critical it is for the service to be available): Low: no redundant hardware | Medium: “business hours” | High: “24/7”, redundant
Confidentiality + Integrity + Availability = good, safe, reliable system
http://www.nature.com/news/scientists-losing-data-at-a-rapid-rate-1.14416
http://www.cnet.com/news/stolen-laptop-contains-cancer-cure-data/
On-premises: rules on the handling
https://inside.aalto.fi/display/arkistojakirjaamopalvelut/Ohjeistus+-+julkisuus+ja+tietojen+luokittelu (all guidelines are also in English)
Handle with extra care if... Think about your work and the information you are processing!
Checklist:
• the data is classified confidential or secret
• the data is related to a non-disclosure agreement
• the data has requirements from a third party
• the university (or you) would suffer reputational or financial damage if the data leaks to external use
• long-term archiving requirement
• value of the data: what happens if the data is lost permanently?
• availability requirement: a third-party service might be down, network problems
So-called “Public Cloud” – http://cloudinfo.aalto.fi
• ready to use
• scalable
• no IT help needed
• a service for almost any possible use case
• all possible bells and whistles
• can be used anywhere
• free of charge (if your privacy and personal life have no value)
500 Mb video, 20 minutes
• where is the data?
• who gets it?
• provider employees?
• network traffic?
• bottlenecks?
• privacy policy?
• privacy data collection and destruction?
• terms of service?
• investigation? (in case of illegal content, data theft, copyright etc.)
• lock-in?
Cloud and web with care (1/2)
• you cannot get anything “back”
• services may claim ownership of the information
• “free” services often collect and disclose information to third parties such as advertisers or collaboration partners
• malicious links: think before clicking (malvertising)
• think where you buy from
• “fakeware / scareware”: think before buying (snake oil software)
• be accurate in how and what you write
• please do not comment on behalf of the University, unless it belongs to the job description :)
https://inside.aalto.fi/display/encos/Recommendations+on+social+media
https://blog.malwarebytes.org/malvertising-2/2015/02/what-is-malvertising/
Cloud and web with care (2/2)
• keep your password / username combination safe, in case the worst happens (serious illness or matters related to legislation)
• material may be financially or for some other reason valuable (to the university or relatives, e.g. a script, photos, a new Kalevala)
• use a different password and user id for each service; a mnemonic? software like “KeePass” http://keepass.info/ for password management
• use an “alias”, e.g. Teemu courseX2012, etc.; check that this is not against the TOS*
• keep copies of everything on your own computer
• do not accept all friend requests!
• if necessary, clear the browser cache
• the only “sure” way to store files securely is encryption
* “Terms of Service; Didn't Read” https://tosdr.org/
Snowden, Prism, Patriot Act… Think about your work: how much value does your data have? How significant is the damage if data is lost or leaks to others?
http://projects.washingtonpost.com/top-secret-america
http://www.worldpolicy.org/blog/2013/08/09/what-nsa-can-learn-sweden
http://www.designbuild-network.com/projects/gchq/
http://www.microsoft.com/online/legal/v2/en-us/MOS_PTC_Third_Parties.htm
Some numbers for calculating risk:
• Sweden, FRA: 700 employees
• UK, GCHQ: 4000 employees
• USA, NSA: 40 000 employees, 483,000 subcontractor employees
• Google, Microsoft, Amazon, and tens of their subcontractors
Encryption: a secure way to share or save to external storage (for example cloud)
File/folder level encryption
• Sophos SafeGuard PrivateCrypto, Aalto workstation software
• Create an encrypted package, send it by email or share it with https://filesender.funet.fi/, and send the password by SMS
• TrueCrypt, a heavier tool, for example for project use: https://www.grc.com/misc/truecrypt/truecrypt.htm
  – Create a “container” and place it where every member has access
  – Share the password in a secure way: http://bit.do/truecontainer
Stay safe when traveling
https://inside.aalto.fi/download/attachments/15370292/IT instructions Foreign travel _29052015_ENG.pdf
• Activate lock-out functions for screen savers
  – Computers with confidential data should be configured to “lock out” after 20 minutes of inactivity. A PC in sleep mode can be hacked easily.
• Laptop hard drives should be encrypted; ask the IT Service Desk for more information.
• With kiosk PCs, clear the browser cache
• Beforehand, write down important contact details: ITS service desk, “if device is lost” instructions, operator, credit card contact numbers
• Use VPN; an open WLAN is open
• Change your password while abroad; your password will be valid for 180 days (approx. 6 months)
• Take care of USB sticks; don't take USBs from unknown sources
• Always transport your devices as hand luggage when traveling (e.g. train, ship, bus)
• Make sure that the PIN and protection code inquiry features of your mobile phone are enabled.
• Disable Bluetooth if you really don't need it
• Be careful when printing and carrying confidential material (or avoid it totally)