Data Protection for Higher Education
1. Data Protection for Higher Education
Kate Carruthers
UNSW Sydney
August 2021
Edutech 2021
2. Agenda
• Data protection issues
• Some tips on where to start
• The need for teamwork
7 September, 2021 UNSW Sydney | Data Protection for Higher Education 1
3. Higher Education Context
4. Higher Education Context
Teaching
Research
Administration
Increasing amounts of student and staff interaction data
Huge volumes of data – anything from patient clinical data to climate data and everything in between.
Large amounts of PII for staff and students: TFNs, bank accounts, etc.
5. Data governance is a key foundation for cyber & information security
Cyber security, information security, data governance, and enterprise risk management are a key focus
8. Some definitions
9. Data Governance
"Data governance is the organization and implementation of policies, procedures, structure, roles, and responsibilities which outline and enforce rules of engagement, decision rights, and accountabilities for the effective management of information assets."
(John Ladley, Data Governance: How to Design, Deploy and Sustain an Effective Data Governance Program, 2012)
11. Cyber Security
“The ability to protect or defend the use of cyberspace from cyber attacks.”
Source: NIST Computer Security Resource Center - CNSSI-4009-2015
12. Information Security
“The protection of information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide confidentiality, integrity, and availability.”
Source(s): NIST Computer Security Resource Center - FIPS 199 (44 U.S.C., Sec. 3542)
14. Threat landscape
15. Threat landscape
“Threat landscape maps Malware standing strong as #1 Cyber Threat in the EU, with an increase in Phishing, Identity Theft, Ransomware; Monetisation holding its place as cyber criminals’ top motivation; and the COVID-19 environment fuelling attacks on homes, businesses, governments and critical infrastructure.”
Source: ENISA Threat Landscape 2020: Cyber Attacks Becoming More Sophisticated, Targeted, Widespread and Undetected: https://www.enisa.europa.eu/news/enisa-news/enisa-threat-landscape-2020
16. Impact of cybercrime in Australia
Source: Cyber Security and Australian Small Businesses: Results from the Australian Cyber Security Centre Small Business Survey, Nov 2020. Small Business Survey Results | Cyber.gov.au
17. Top threats
1. Malware
2. Web-based Attacks
3. Phishing
4. Web Application Attacks
5. SPAM
6. Distributed Denial of Service (DDoS)
7. Identity Theft
8. Data Breach
9. Insider Threat
10. Botnets
11. Physical Manipulation, Damage, Theft and Loss
12. Information Leakage
13. Ransomware
14. Cyber Espionage
15. Crypto-jacking
Source: https://www.enisa.europa.eu/news/enisa-news/enisa-threat-landscape-2020
19. The perimeter has shifted
20. The perimeter is everywhere now
Source: https://www.isaca.org/resources/isaca-journal/issues/2020/volume-6/harnessing-zero-trust-security
21. This means that we need to evolve our practices. We can’t hide behind our firewalls any more.
22. Data security is not just one thing
Data & Information Governance
Cyber & Information Security
Privacy
Data Management practices
Policies & Procedures
People & culture
Risk Management
23. Practices
24. Source: http://beyondplm.com/2014/07/22/plm-implementations-nuts-and-bolts-of-data-silos/
27. How Data Governance helps with defence in depth
Identify data at risk
Locate sensitive data
Enables sensitive data to be stored & managed properly
Identify sensitive data users
Ensure consistent data access processes
Ensure safer access to sensitive data
28. Identify data at risk
Who is using sensitive data
Location of data
Map data flows through the enterprise
Organisational data stewardship with business
Data access management
Mitigate people risk to data
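The "locate sensitive data" and "identify data at risk" steps above can be partly automated for the PII types the deck names (TFNs and bank accounts). The following is an added Python example, not part of the deck or of any UNSW tooling: a small scanner that finds candidate Australian Tax File Numbers in exported text, validates each candidate with the ATO check-digit rule so that random nine-digit numbers are not reported, and records masked hits by source and line so the report itself does not re-disclose the data. The file name `hr_export.csv`, the BSB-plus-account pattern and the sample rows are constructed for the example.

```python
import re
from dataclasses import dataclass

# ATO check-digit weights for a 9-digit Tax File Number (TFN):
# the weighted sum of the digits must be divisible by 11.
TFN_WEIGHTS = (1, 4, 3, 7, 5, 8, 6, 9, 10)

# Candidate patterns. Pattern matching alone over-reports, so TFN hits are
# validated before they are recorded.
PATTERNS = {
    "tfn": re.compile(r"\b(\d{3})[ -]?(\d{3})[ -]?(\d{3})\b"),
    # BSB (bank-state-branch) followed by an account number. Constructed
    # pattern for this example; real account-number lengths vary by bank.
    "bank_account": re.compile(r"\b(\d{3})-(\d{3})\s+(\d{6,10})\b"),
}


def tfn_is_valid(digits: str) -> bool:
    """Return True when the 9 digits satisfy the TFN check-digit test."""
    if len(digits) != 9 or not digits.isdigit():
        return False
    total = sum(int(d) * w for d, w in zip(digits, TFN_WEIGHTS))
    return total % 11 == 0


def mask(value: str) -> str:
    """Keep only the last two characters so the report does not leak the value."""
    return "*" * (len(value) - 2) + value[-2:]


@dataclass
class Finding:
    source: str
    line_no: int
    kind: str
    masked: str


def scan_text(source: str, text: str) -> list:
    """Scan one text blob and return validated, masked findings in line order."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in PATTERNS["tfn"].finditer(line):
            digits = "".join(m.groups())
            if tfn_is_valid(digits):
                findings.append(Finding(source, line_no, "tfn", mask(digits)))
        for m in PATTERNS["bank_account"].finditer(line):
            findings.append(Finding(source, line_no, "bank_account", mask(m.group(3))))
    return findings


def summarise(findings) -> dict:
    """Count findings per PII kind; this is what a governance report would carry."""
    counts = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


# Constructed sample export. 123 456 782 passes the check digit (a commonly
# used test value); 123 456 789 does not and must not be reported.
SAMPLE = """\
student_id,name,tfn,notes
1001,Example Student,123 456 782,enrolled
1002,Another Student,123 456 789,enrolled
payroll: BSB 062-000 123456789 for reimbursement
"""

if __name__ == "__main__":
    results = scan_text("hr_export.csv", SAMPLE)
    for f in results:
        print(f"{f.source}:{f.line_no} {f.kind} {f.masked}")
    print(summarise(results))
```

Running it over the constructed sample reports one TFN on line 2 and one bank account on line 4; the invalid TFN on line 3 is dropped by the check-digit test. In practice the same `scan_text` would be run over file shares, mailboxes and database exports, with the summary feeding the data-stewardship register rather than the raw values.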
32. 10 practices to secure your data
1. Know which data assets need protection
2. Encrypt important data
3. Undertake user awareness training
4. Only store necessary data
5. Close unnecessary open ports
Confidentiality – prevent unauthorised disclosure
Integrity – data cannot be modified in an unauthorised manner
Availability – information should be available for authorised users
33. 10 practices to secure your data
6. Implement MFA
7. Review network segmentation
8. Improve email security:
o Sender Policy Framework (SPF)
o DomainKeys Identified Mail (DKIM)
o Domain-based Message Authentication, Reporting, & Conformance (DMARC)
9. Establish regular user access reviews
10. Establish a patching schedule
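Practice 8 names SPF, DKIM and DMARC but not what a weak record looks like. The following added Python example (not from the deck) parses SPF and DMARC TXT records and flags the settings that leave spoofed mail deliverable, with a weak record pair beside the hardened one. The domain `example.edu` and both record sets are constructed; a real check would fetch the TXT records with a resolver such as dnspython's `dns.resolver.resolve(name, "TXT")` instead of the inline dictionary. DKIM is not checked here because selector names are not discoverable from DNS alone.

```python
import re

# Constructed TXT records, in the shape a resolver returns them.
# Weak pair: SPF ends in "+all" (any host may send as the domain) and DMARC is
# p=none with no reporting address, so spoofing is neither blocked nor seen.
WEAK = {
    "example.edu": ["v=spf1 include:_spf.mail.example.edu +all"],
    "_dmarc.example.edu": ["v=DMARC1; p=none"],
}
# Hardened pair: "-all" rejects unlisted senders; DMARC enforces and reports.
HARDENED = {
    "example.edu": ["v=spf1 include:_spf.mail.example.edu -all"],
    "_dmarc.example.edu": ["v=DMARC1; p=reject; rua=mailto:dmarc@example.edu; pct=100"],
}


def parse_spf(txt_records):
    """Return the SPF terms and the normalised 'all' mechanism, or None."""
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    if len(spf) != 1:            # RFC 7208: more than one record is a permerror
        return None
    terms = spf[0].split()[1:]
    all_term = None
    for t in terms:
        if re.fullmatch(r"[+\-~?]?all", t, re.IGNORECASE):
            qualifier = t[0] if t[0] in "+-~?" else "+"   # bare "all" means "+all"
            all_term = qualifier + "all"
    return {"terms": terms, "all": all_term}


def parse_dmarc(txt_records):
    """Return DMARC tags as a dict, or None when the record is missing/duplicated."""
    rec = [r for r in txt_records if r.upper().startswith("V=DMARC1")]
    if len(rec) != 1:
        return None
    tags = {}
    for part in rec[0].split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags


def check_domain(domain, dns):
    """Return a list of weakness descriptions; an empty list means the checks passed."""
    issues = []
    spf = parse_spf(dns.get(domain, []))
    if spf is None:
        issues.append("spf: missing or multiple v=spf1 records")
    elif spf["all"] in (None, "+all", "?all"):
        issues.append(f"spf: all-mechanism is {spf['all']!r}; use -all")
    elif spf["all"] == "~all":
        issues.append("spf: ~all (softfail) leaves spoofed mail deliverable; move to -all")

    dmarc = parse_dmarc(dns.get(f"_dmarc.{domain}", []))
    if dmarc is None:
        issues.append("dmarc: missing or multiple v=DMARC1 records")
    else:
        if dmarc.get("p") not in ("quarantine", "reject"):
            issues.append(f"dmarc: p={dmarc.get('p')}; enforce with quarantine or reject")
        if "rua" not in dmarc:
            issues.append("dmarc: no rua= address, aggregate reports will not be received")
        if int(dmarc.get("pct", "100")) < 100:
            issues.append(f"dmarc: pct={dmarc['pct']} applies the policy to only part of the mail")
    return issues


if __name__ == "__main__":
    for label, records in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, check_domain("example.edu", records) or "ok")
```

The weak pair yields three findings (permissive `+all`, `p=none`, no `rua=`); the hardened pair yields none. Moving from `p=none` to `p=reject` is normally staged through `p=quarantine` with `pct` raised over time, which is why the checker reports `pct` below 100 rather than treating it as an error in itself.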
34. Teamwork
35. “Cybersecurity [and information security] should be managed as a risk discipline across the three lines of defense — ownership, oversight and assurance.”
Source: The Convergence of Operational Risk and Cyber Security. Accenture. The Convergence of Operational Risk and Cyber Security (accenture.com)
36. Traditional 3 lines of defence model
1st line of defence – functions that own and manage risk
2nd line of defence – functions that specialise in risk management and compliance
3rd line of defence – functions that provide independent assurance and internal audit
37. [Diagram: the three lines of defence model, labelled with Cyber security, Information Security, Privacy, and Data & Information Governance]
Governing body, audit committee
Senior management
First line of defence – management controls, internal control measures
Second line of defence – financial control, security, risk management, quality, inspection, compliance
Third line of defence – internal audit
External audit, regulator
38. Source: https://www.accenture.com/us-en/blogs/blogs-new-data-ethics-guidelines-organizations-digital-trust
39. The essential team
Privacy
Cyber & Information Security
Risk Management
Ethics
Data & Information Governance
40. What we’ve learned so far
• Methodically build up defensive layers
• Every day do one thing better
• Data is an asset and should be managed
• Data security is a team effort, and it needs everyone to work collaboratively
• It is a journey not a destination
41. Data security is a team effort
42. Thank you
k.carruthers@unsw.edu.au