Battle Against Sensitive Data Leakage

Security programs at universities and in most organizations concentrate on protecting sensitive data from external malicious attacks. Such protection relies heavily on technical controls that might include perimeter security, network/wireless security controls and monitoring, application and software security management and intrusion prevention and detection systems. Such technologies are needed and quite effective.

But we all must be equally concerned about those inadvertent data leaks, like a steady drip from a leaking faucet, that go unnoticed until a data security breach makes the headlines! Data leaks as a result of sensitive data that is e-mailed to users' home computers, downloaded to flash drives, copied to unencrypted laptops, stored in shadow databases on local computers or improperly destroyed or disposed when no longer needed.

To protect the universities' sensitive data, we must plan a data-centric approach to our security programs to protect against data leaks. We can never prevent all sensitive data leaks, but steps can be taken to minimize such leaks. This presentation discusses some of the steps taken at East Carolina University to minimize sensitive data leakage, our continual efforts in this battle and explore future options to address this issue.

1. Legal Liability
- Lawsuits, Copyright Infringement, Demand for Credit Monitoring and Restitutions
2. Regulatory Compliance
- FERPA, HIPAA, Identity Theft, GLBA, PCI, FISMA, etc.
3. Policies
4. Data Loss Prevention (DLP) Solutions
- Purchased Packages
- Vulnerability Scans
- Encryption Solutions
5. Political Framework
- How do You Handle Sensitive Data When Discovered
- Do You Block Transmission of Sensitive Data
- Do You Require Annual Security Training
6. Security Awareness
7. Industry Standards
8. Where Do We Go From Here
- What Have Other Campuses Implemented
- What Are Your Successes and Failures