
Data protection in Practice


Page 1: Data protection in Practice

"Data protection in practice"

"With data classification everyone is able to distinguish critical information from public-class information. Classification helps to optimize IT-system costs, controls the handling and is a guide to good practice."

• Data classifications in Aalto
• Handling of internal and confidential material
• On premises
• "Cloud"
• Sharing information
• When traveling

Tomi Järvinen – IT-Security specialist
https://twitter.com/tomppaj

Page 2: Data protection in Practice

Risk is not a question, it is a fact

Based on (US only) http://www.privacyrights.org/data-breach

Organization type: EDU; years: 2010, 2012, 2013, 2014, 2015
7,279,775 records in the database from 244 breaches made public fitting these criteria
http://www.idtheftcenter.org/ITRC-Surveys-Studies/2015databreaches.html
http://datalossdb.org/index/largest

• July 2, 2015 – Harvard University
  More information: http://fortune.com/2015/07/02/harvard-data-breach/
• May 15, 2015 – Penn State College of Engineering
  More information: http://arstechnica.com/security/2015/05/penn-state-severs-engineering...
• April 10, 2015 – University of California, Riverside, Graduate Division offices
  More information: http://oag.ca.gov/ecrime/databreach/reports/sb24-49300
• February 18, 2015 – University of Maine
  http://umaine.edu/news/blog/2015/02/18/umaine-working-with-information-s...
• December 12, 2014 – University of California, Berkeley
  More information: http://oag.ca.gov/ecrime/databreach/reports/sb24-47717
• October 1, 2014 – Fort Hays State University
  More information: http://ksn.com/2014/10/01/fort-hays-state-university-experiences-data-br...
• September 5, 2014 – California State University, East Bay
  More information: http://oag.ca.gov/ecrime/databreach/reports/sb24-46513
• August 7, 2014 – University of California, Santa Barbara
• July 11, 2014 – University of Illinois, Chicago (Chicago, Illinois; EDU; HACK)

Page 3: Data protection in Practice

Information Classification guideline

• Sets out the basis for classification in those situations where it may be necessary to apply a security classification in order to protect interests.
• Includes labels and markings for documents that are transferred or archived.
• Defines the principles of IT-infrastructure design and detailed requirement specifications for IT procurement.

"Classification at too low a level may compromise the university's information security and activity."

"The over-classification of information leads to unnecessary expenses and laborious handling processes."

Page 4: Data protection in Practice

In practice

In everyday work, the material is the owner's responsibility: the owner is responsible for correct handling (as law, university policies and agreements require).

When materials are used in daily work for carrying out university activities, they are not classified. However, everyone must always be able to distinguish classified information!

Labels (Public, Internal, Confidential, Secret) and secrecy obligations (for example: Act on Openness, section 24, paragraph 4) apply

IF
the material is stored in an archive or case management system or is forwarded, and/or the content includes confidential information, and/or the content includes especially confidential information due to regulation, contractual conditions or for other reasons,

THEN, and only then, the material is classified as Public, Internal, Confidential or Secret.

Page 5: Data protection in Practice

Does section 5 of the Act on Openness apply to my university document?

"University Document" (legal definition)
  NO → "Non-documents" (work files, drafts): notes and drafts, internal guides, notes from team meetings, internal work documents, internal training material, internal communication and internal messages
  YES → Secrecy obligations (in most cases section 24): psychological testing or aptitude testing, a person's state of health, business secrets, unpublished research work, security arrangements, documents referring to civil protection and preparedness for accidents or emergencies (full list in the guideline documentation)

Internal information security labelling: law or contract tends to require the protection of the information
  • NDA – business secrets
  • Privacy data
  • Detailed security information

Confidentiality label, university documents: is the CONTENT of the document confidential, internal or secret?
  YES → apply the confidentiality label
  NO → "Public". Note that Public and "meant to be published" are not the same.

Act on Openness: the university's activities are public (by default) and there must be a particular reason for the non-disclosure of information.

Page 6: Data protection in Practice

Information Security Classification – just one view: "C I A"

Confidentiality ("Data classification"): Public | Internal | Confidential (ST IV, ST III)
Availability (how critical it is that the service is available): Low: no redundant hardware | Medium: "business hours" | High: "24/7", redundant
Integrity (impact of incorrect information): Standard/low: "optional" | Medium: "recommended" | High: "required"

Confidentiality + Integrity + Availability = a good, safe, reliable system

http://www.nature.com/news/scientists-losing-data-at-a-rapid-rate-1.14416
http://www.cnet.com/news/stolen-laptop-contains-cancer-cure-data/

Page 7: Data protection in Practice

On-premises rules on the handling:

https://inside.aalto.fi/display/arkistojakirjaamopalvelut/Ohjeistus+-+julkisuus+ja+tietojen+luokittelu
(All guidelines are also available in English.)

Page 8: Data protection in Practice

Handle with extra care, if ...

Think about your work and the information you are processing!

Checklist:
• the data is classified confidential or secret
• the data is related to a non-disclosure agreement
• the data has requirements from a third party
• the University (or you) would suffer reputational or financial damage if the data leaked to external use
• there is a long-term archiving requirement
• value of the data: what happens if the data is lost permanently?
• availability requirement: a third-party service might be down, or there may be network problems

Page 9: Data protection in Practice

So-called "Public Cloud" – http://cloudinfo.aalto.fi

• ready to use
• scalable
• no IT help needed
• a service for almost any possible use case
• all possible bells and whistles
• can be used anywhere
• free of charge (if your privacy and personal life have no value)

500 Mb video, 20 minutes

Before using one, ask:
• where is the data?
• who gets it? provider employees?
• network traffic? bottlenecks?
• privacy policy? privacy data collection and destruction?
• terms of service?
• investigation? (in case of illegal content, data theft, copyright etc.)
• lock-in?

Page 10: Data protection in Practice

Cloud and web with care (1/2)

• you cannot get anything "back"
• services may claim ownership of the information
• "free" services often collect and disclose information to third parties such as advertisers or collaboration partners
• malicious links: think before clicking (malvertising)
• think about where you buy from
• "fakeware / scareware": think before buying (snake-oil software)
• be accurate in how and what you write
• please do not comment on behalf of the University, unless it belongs to your job description :)

https://inside.aalto.fi/display/encos/Recommendations+on+social+media
https://blog.malwarebytes.org/malvertising-2/2015/02/what-is-malvertising/

Page 11: Data protection in Practice

Cloud and web with care (2/2)

• keep your password / username combination safe in case the worst happens (serious illness or matters related to legislation)
• material may be financially or for some other reason valuable (to the university or to relatives, e.g. a script, photos, a new Kalevala)
• use a different password and user ID for every service; a mnemonic, or software like KeePass (http://keepass.info/) for password management
• use an "alias" (Teemu courseX2012, etc.); check that this is not against the terms of service*
• keep copies of everything on your own computer
• do not accept all friend requests!
• if necessary, clear the browser cache
• the only "sure" way to store files securely is encryption

* "Terms of Service; Didn't Read": https://tosdr.org/

Page 12: Data protection in Practice

Snowden, Prism, Patriot Act ... Think about your work: how much value does your data have? How significant is the damage if data is lost or leaks to others?

Some numbers for calculating risk:
• Sweden, FRA: 700 employees
• UK, GCHQ: 4,000 employees
• USA, NSA: 40,000 employees and 483,000 subcontractor employees
• Google, Microsoft, Amazon, and tens of their subcontractors

http://projects.washingtonpost.com/top-secret-america
http://www.worldpolicy.org/blog/2013/08/09/what-nsa-can-learn-sweden
http://www.designbuild-network.com/projects/gchq/
http://www.microsoft.com/online/legal/v2/en-us/MOS_PTC_Third_Parties.htm

Page 13: Data protection in Practice

Encryption: a secure way to share, or to save to external storage (for example the cloud)

File/folder-level encryption
• Sophos SafeGuard PrivateCrypto (Aalto workstation software): create an encrypted package, send it by email or share it with https://filesender.funet.fi/, and send the password by SMS
• TrueCrypt, a heavier tool, for example for project use: https://www.grc.com/misc/truecrypt/truecrypt.htm (TrueCrypt development ended in 2014; the grc.com page archives the last full release, 7.1a)
  – create a "container" in a place where every member has access
  – share the password in a secure way: http://bit.do/truecontainer

Page 14: Data protection in Practice

Keep safe when traveling

https://inside.aalto.fi/download/attachments/15370292/IT instructions Foreign travel _29052015_ENG.pdf

• Activate the lock-out function of the screen saver: computers with confidential data should be configured to lock after 20 minutes of inactivity. A PC in sleep mode still keeps its disk-encryption keys in memory and can be attacked; shut it down instead.
• Laptop hard drives should be encrypted; ask the IT Service Desk for more information.
• On kiosk PCs, clear the browser cache.
• Before leaving, write down important contact details: the ITS service desk, the "if the device is lost" instructions, your operator, credit-card contact numbers.
• Use VPN: an open WLAN is open.
• Your password is valid for 180 days (approx. 6 months); be prepared to change it while abroad if it expires.
• Take care of USB sticks, and do not accept USB sticks from unknown people.
• Always transport your devices as hand luggage when traveling (e.g. by train, ship or bus).
• Make sure that the PIN and protection-code features of your mobile phone are enabled.
• Disable Bluetooth if you really do not need it.
• Be careful when printing and carrying confidential material (or avoid it totally).