Intro To CIS Critical Controls
I have been asked many times, “What are reasonable security controls?” This is a hard question to answer, as what I consider reasonable isn’t what others would. As an information security officer, I tend to be very risk-averse.
After all, information security is what I refer to as a “weak link” problem. What I mean by that is it only takes one weak link for an attacker to be able to gain a foothold into a network.
Until recently, there were no California-specific regulations or legal opinions to point to about how to prevent network attacks. There are of course the California data security breach notification laws—the first of their kind in the nation—that explain what an institution has to do after a breach occurs. However, there was nothing that said how you should be protecting the data you are collecting in the first place.
That finally changed this year when the State Attorney General of California published the 2016 California Data Breach Report. In the report, Attorney General Kamala Harris gives a set of five recommendations to prevent the most common breaches, thus finally giving us a legal definition of “reasonable security controls.”
First Line Of Cyber Defense
The attorney general’s first recommendation is to implement the Center for Information Security’s Controls for Effective Cyber Defense, also known as the CIS Critical Controls. The CIS Critical Controls consist of 20 control categories, each with a subset of controls. They are very straightforward and easy to follow. I would encourage everyone to download and read them.
These controls really do work and this should now be the standard that you are working on implementing at your college. The controls are prioritized in order of importance, and if you are implementing them you should start with number one and work your way down.
You will quickly realize that, to be able to implement these controls properly and still maintain the openness of a college campus, you may need to do some re-architecting. Take for example the first control, “Inventory of Authorized and Unauthorized Devices”: On a typical college campus, many hundreds if not thousands of devices come and go in a single day. It is nearly impossible to know what every device is and who is using it.
However, if your network is properly segmented into different trust levels, the problem becomes much easier to tackle. In the most secure segments you can configure the network to disable free access, require every device to be registered and tightly controlled, and block access to outside devices.
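As an added illustration of why segmentation makes the inventory control tractable (example code written for this article, not part of the CIS Controls or the original post), the following script checks constructed DHCP lease records against a registered-device list, but only enforces registration in the segments mapped as controlled or left unmapped; the subnet map, inventory and lease lines are all assumed sample data.

```python
import ipaddress

# Hypothetical segment map: subnet -> trust level. In "controlled" segments every
# device must be pre-registered; in "open" segments unknown devices are tolerated.
SEGMENTS = {
    "10.10.0.0/24": "controlled",   # e.g. student-records servers (assumed)
    "10.20.0.0/24": "controlled",   # e.g. staff workstations (assumed)
    "172.16.0.0/16": "open",        # e.g. visitor Wi-Fi (assumed)
}

# Registered inventory: MAC -> asset name (constructed sample data).
INVENTORY = {
    "00:11:22:33:44:01": "records-db-01",
    "00:11:22:33:44:02": "registrar-ws-07",
}

# Constructed DHCP lease lines in the form "<ip> <mac> <hostname>".
LEASES = """\
10.10.0.5 00:11:22:33:44:01 records-db-01
10.10.0.9 de:ad:be:ef:00:01 unknown-laptop
10.20.0.14 00:11:22:33:44:02 registrar-ws-07
172.16.4.20 aa:bb:cc:dd:ee:ff visitor-phone
"""


def trust_level(ip):
    """Map an address to its segment's trust level; unmapped subnets are 'unknown'."""
    addr = ipaddress.ip_address(ip)
    for cidr, level in SEGMENTS.items():
        if addr in ipaddress.ip_network(cidr):
            return level
    return "unknown"


def audit_leases(leases, inventory):
    """Return (ip, mac, hostname, level) for every unregistered device seen in a
    controlled or unmapped segment. Devices in open segments are skipped, which is
    what keeps the inventory problem bounded on a large campus."""
    findings = []
    for line in leases.splitlines():
        ip, mac, host = line.split()
        level = trust_level(ip)
        if level == "open":
            continue
        if mac.lower() not in inventory:
            findings.append((ip, mac, host, level))
    return findings


if __name__ == "__main__":
    for ip, mac, host, level in audit_leases(LEASES, INVENTORY):
        print("ALERT unregistered device in %s segment: %s %s (%s)" % (level, ip, mac, host))
```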
New Legal Security Standard
There could also be added liability if your institution isn’t at the very least working toward implementing the CIS Critical Controls. This will now become the gold standard for security in the state of California, and in effect becomes the de facto civil law of California, until such time as the state legislature decides to formally weigh in on this subject.
If the California Data Security Breach Reporting law is any indication, other states’ attorneys general may follow suit and release similar opinions on data breach prevention. So if your institution is breached in the future and the CIS Controls are not in place, a resulting lawsuit could bring the possibility of increased civil fines. A judge may view the failure to implement the CIS Controls as negligence. I do not claim to be a lawyer, and you should ask your district’s general counsel for their take on the liability aspect of not implementing the attorney general’s recommendations.