Security and Privacy Training Guideline

UC Berkeley security policy mandates compliance with Minimum Security Standard for Electronic Information for devices handling covered data.  The recommendations below are provided as optional guidance for security and privacy training requirements.

Requirement

At least every two years, Resource Custodians, Resource Proprietors, Security Contacts, and End Users of covered data must complete privacy and security training appropriate for their role.

Description of Risk

Regardless of implemented controls, the actions of individuals can result in the compromise of covered data.

Recommendations

Resource proprietors, end users, application developers and infrastructure administrators should follow the table provided below to develop and implement security and privacy training appropriate for their role.  

Security ConceptsEnd UserApplication
Developer
Infrastructure
Administrator*
Resource
Proprietor
Data Security Essentials
  • Campus Data Classification Standard
  • Common Security Threats
  • Basic Information Security Hygiene
Data Privacy Essentials
  • FIPPS
Secure Coding Practices     A**
Critical Security Controls
  • MSSEI Controls
    A**
*Infrastructure administrators may include system administrators, network administrators, database administrators that actively support the technical infrastructure supporting covered devices.  
**The label "A" (Awareness) indicates security concepts where Resource Proprietor may not require operational hands-on proficiency, but should be aware of the security concepts' scope and impact to covered systems.

Data Security Essentials

The security concepts described in this section provide an overview of:

  • Campus data classification standard
  • Common security threats that could lead to loss of covered data
  • Basic information security hygiene steps to reduce the impact and likelihood of a data loss

Campus Data Classification Standard

Defending security threats starts with an understanding of what information is defined as sensitive according to the campus data classification standard.  Each data classification level is defined by the impact on campus when data at that level is accessed by unauthorized person(s), whether they are malicious hackers, opportunistic identity thieves or disgruntled employees.  The potential impact of data loss helps to determine the breadth of security controls that should be applied for each data classification level.   The article “What is my role in protecting campus data?” provides an introduction to the data classification standard.  

Resource proprietors should ensure that application users are aware of the classification level, and the potential impact to campus, of covered application and hosted data.  

Common Security Threats

Resource proprietors should ensure that applications users of covered data have a general understanding of how security threats materialize as a piece of malware (malicious software) that is delivered to end users' devices and adversely impact those devices.  

A security threat that could lead to loss of covered data is defined as a circumstance or event with the potential to adversely impact organizational operations through unauthorized access, destruction, disclosure, modification of data, and/or denial of service[1].  Security threats commonly consist of a malware (malicious software) delivered to end users via one of several ways.  Recent trends [2][3][4] have shown that malware is delivered to end users in one of many subtle ways that mimic routine activities performed by end users on a computer.  Along with increasing sophistication of the malware itself, these threats is increasingly capable of bypassing traditional security tools designed to automatically detect malicious activities.  In order to effectively defend against these security threats, end users are the last line of defense to detect and stop these threats in their tracks.  

Some common ways in which malware are being delivered include:

  • Phishing - emails that attempt to fraudulently acquire personal information, such as usernames, passwords, social security numbers, and credit card numbers, by masquerading as a trustworthy entity, such as a popular social website, financial site, or online payment processor; often directs users to enter details at a fake website whose look and feel are almost identical to the legitimate one. [5] (Examples)  Note that perpetrators of phishing attacks have gained sophistication over the years to better imitate legitimate organizations, so it's no longer safe to assume a well written (i.e. free of grammar and spelling errors) email/website with real logos are trustworthy.  For additional information about how to detect a phishing scam, please see the Phishing FAQ.   
  • Spam - the use of electronic messaging systems to send unsolicited bulk messages (usually advertising or other irrelevant posts) to large lists of email addresses indiscriminately. [5]
  • Drive-By Download - a user’s web browsing is redirected to an infected website, often with little or no use of social engineering techniques. The infected website then attempts to exploit vulnerabilities on the user’s host and ultimately to install rootkits or other attacker tools onto the host, thus compromising the host. Although the website is infected, its malware does not infect the user’s host; rather, it functions as an attacker tool and installs other attacker tools on the host. It's also known as web-based malware. [6]

Blended into one of the above delivery methods are a growing list of malware that disrupts or damages a covered device's operation, gathers sensitive or private information, or gains access to private computer systems.  Below is a list of malware that campus computer users today are likely to encounter:

  • Adware - a type of malware that allows popup ads on a computer system, ultimately taking over a user’s Internet browsing. [5]
  • Ransomware - a type of malware that restricts access to the computer system that it infects, and demands a ransom paid to the creator of the malware in order for the restriction to be removed. [7]
  • Rootkit - a type of malware that opens a permanent “back door” into a computer system; once installed, a rootkit will allow more and more viruses to infect a computer as various hackers find the vulnerable computer exposed and attack.Spyware - a type of malware (malicious software) installed on computers that collects information about users without their knowledge; can collect Internet surfing habits, user logins and passwords, bank or credit account information, and other data entered into a computer; often difficult to remove, it can also change a computer’s configuration resulting in slow Internet connection speeds, a surge in pop-up advertisements, and un-authorized changes in browser settings or functionality of other software. [5]
  • Trojan - A computer program that appears to have a useful function, but also has a hidden and potentially malicious function that evades security mechanisms, sometimes by exploiting legitimate authorizations of a system entity that invokes the program. [1]
  • Virus/worm - a software program that is designed to replicate itself, spread from one computer to another, and interfere with computer operation; a computer virus may corrupt or delete data on a user’s computer, use an email program to spread itself to other computers, or even erase everything on a user’s hard disk. Computer viruses can be spread by attachments in email messages or instant messaging messages; disguised as attachments of images, greeting cards, or audio and video files, and hidden in illicit software or programs that are downloaded to a computer. [5]

[1]  http://www.fismapedia.org/index.php
[2]  http://www.nytimes.com/2013/01/31/technology/chinese-hackers
[3]  https://krebsonsecurity.com/2013/01/what-you-need-to-know-about-the-java-exploit/
[4]  http://www.sophos.com/en-us/medialibrary/PDFs/other/sophossecuritythreatreport2013.pdf
[5]  http://www.staysafeonline.org/teach-online-safety/glossary/
[6]  http://csrc.nist.gov/publications/drafts/800-83-rev1/draft_sp800-83-rev1.pdf
[7]  https://en.wikipedia.org/wiki/Ransomware_(malware)

Basic Information Security Hygiene

To protect against security threats that would lead to loss of covered data, resource proprietors should ensure that all applications users are trained in the information security practices by reviewing the campus Security Awareness guide.  For more training options, please see Additional Resources section.

Data Privacy Essentials

Fair Information Practice Principles (FIPPs) are five privacy principles set forth by the Federal Trade Commission (FTC) for protecting personal information.  Resource proprietors should ensure that application users are aware of these data privacy principles:

  • Transparency: ensures no secret data collection; provides information about the collection of personal data to allow users to make an informed choice
  • Choice: gives individuals a choice as to how their information will be used
  • Information Review and Correction: allows individuals the right to review and correct personal information
  • Information Protection: requires organizations to protect the quality and integrity of personal information
  • Accountability: holds organizations accountable for complying with FIPPs

For more information on FIPPS, please refer to campus FIPPs resources.   Campus IT Policy Office has also created a Privacy and Policy Fundamentals course on e-Learn that will provide overview of privacy and policy principles for resource proprietors and custodians.  To access the Privacy and Policy Fundatmentals course, please login to Blu Portal, go into e-Learn portal and search for "Policy Fundamentals". 

Secure Coding Practices

Application developers should refer to application security training guideline for specific training guidance regarding secure coding practices.  

Critical Security Controls

Infrastructure administrators should attend training to master specific, proven techniques and tools needed to implement and audit the MSSEIcontrols.  The following courses are examples of training that can be used by infrastructure administrators to learn about implementing and auditing MSSEI controls:

Additional Resources