Information security and Research data – and something about GDPR…
17.11.2016 – Aalto university
“With data classification everyone is able to distinguish critical information from public-class information. Classification helps to optimize IT system costs, controls the handling and is a guidebook to good practices.”
• Information security today
• Data classifications in Aalto
• Information Security in daily work
• GDPR – The EU General Data Protection Regulation
Tomi Järvinen – IT-Security specialist
https://twitter.com/tomppaj
Information security organization in Aalto
• Information Security Team
• Riitta Gröhn, Chief Information Security Officer
• Timo Salin, Information Security Specialist
• Aalto IT virtual security team, 8-10 members (networks, servers, ...)
• Information security responsible persons in schools and departments, ~120
• University legal team, close co-operation
Information Security Team tasks, e.g.
• development of information security policies and instructions
• information security and data protection consulting
• information security training and seminars
• Computer Security and Incident Response, “CSIRT” (with a dedicated CSIRT team)
http://inside.aalto.fi/display/ITServices/Information+Security
Aalto Information security organization
Information Security principles covered by technical & process controls
• Confidentiality
• Technology, e.g. anti-malware, encryption
• Processes, policies, guidelines
• Integrity
• Data validation, checker, quality assurance, audit logs
• Availability
• Monitoring, BCP/DRP plans and tests, back-up, fault tolerant storage, sufficient capacity
(Figure labels: DDoS, leak, intrusion – the threats against each principle)
Aalto-wide data survey 2014
Amount and type of classified data?
Classified data? Data which is not public; classified to confidential or internal security level; legal or contractual requirements for data storage or processing.
Results: 61% work with confidential information (yes: 225, no: 142, i.e. 39% no), and 33% of them on a daily basis.
Typical classified data in research? Data of the study or technical development which cannot leak to a third party (52.2%).
Today's risks
• ISF Security Forum 2016: innovative and sophisticated attacks. Targeted campaigns with 0-day vulnerabilities
• Targeted campaigns using emails & calls
• Fake login pages
• DoS (DDoS)
• Encrypting the organization
• Attacks on payment card data
• Future? Jailbreaking the cloud? (e.g. malware built to crack cloud-based systems)
• IoT: light bulbs, fridges, cameras, ...
Examples of fake login page addresses seen in phishing (truncated in the original):
stat.dyna.ultraweb.hu/saastopankki-login-..
palaceinn-ca.com/owa-login-...ed.html
multimpresoscba.com.ar/nordea-login-.html
donalbarnwell.co.uk/uniedu-owa...
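The fake login addresses above share one pattern: a bank or webmail brand name plus “login” in the path, hosted on a domain that has nothing to do with that brand. As an added example that is not part of the original presentation, the Python below flags URLs with that pattern against a constructed allow-list of legitimate brand hosts. The `.example` hostnames and the sample URLs are placeholders made up for this example, not Aalto's or any bank's real infrastructure; the function is a triage heuristic for links users report, not a blocking filter.

```python
import re
from urllib.parse import urlparse

# Constructed allow-list for this example: brand keywords that appear in lure
# URLs, mapped to the hostnames that legitimately serve that brand's login
# page. The .example hostnames are placeholders, not real infrastructure.
BRAND_HOSTS = {
    "saastopankki": {"www.saastopankki.example"},
    "nordea": {"www.nordea.example"},
    "owa": {"mail.uni.example"},
    "uniedu": {"login.uni.example"},
}
# Words that suggest a credential-entry page.
LOGIN_WORDS = {"login", "signin", "webmail", "owa", "password"}


def _parse(url: str):
    """urlparse needs a scheme to separate host from path; tolerate bare hosts."""
    if "://" not in url:
        url = "http://" + url
    return urlparse(url)


def url_tokens(url: str) -> set:
    """Split hostname labels and path segments into lowercase alphanumeric tokens."""
    p = _parse(url)
    text = (p.hostname or "") + " " + p.path.lower()
    return set(re.split(r"[^a-z0-9]+", text)) - {""}


def assess_url(url: str):
    """Return (verdict, impersonated_brands).

    suspicious: a brand keyword on a host that is not the brand's, plus a login word
    review:     a brand keyword on a foreign host but no login word (could be news)
    ok:         no brand keyword, or the brand's own host
    """
    host = _parse(url).hostname or ""
    tokens = url_tokens(url)
    impersonated = sorted(b for b, hosts in BRAND_HOSTS.items()
                          if b in tokens and host not in hosts)
    if not impersonated:
        return "ok", []
    if tokens & LOGIN_WORDS:
        return "suspicious", impersonated
    return "review", impersonated


def triage(urls):
    """Map each URL to its verdict; handy for a batch of reported links."""
    return {u: assess_url(u)[0] for u in urls}


if __name__ == "__main__":
    # Constructed sample URLs in the shape of the lures on the slide.
    samples = [
        "cheap-hosting.example.net/saastopankki-login-x.html",
        "http://palace-hotel.example.org/owa-login-ed.html",
        "https://www.nordea.example/login",
        "https://blog.example.org/news/nordea-results-2016",
        "https://mail.uni.example/owa/",
    ]
    for url, verdict in triage(samples).items():
        print(f"{verdict:10s} {url}")
```

The allow-list is the weak point of this approach: a real deployment needs the full set of hosts each brand legitimately uses, and the heuristic says nothing about lookalike domains that avoid the brand word entirely, so treat “ok” as “not matched”, not as “safe”.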
Risk is not a question, it is a fact
Based on (US only sources):
http://www.privacyrights.org/data-breach
http://www.idtheftcenter.org/ITRC-Surveys-Studies/2015databreaches.html
Organization type: EDU; years of breach: 2016, 2015, 2014
• Breaches made public fitting these criteria: 60
• Records total: 1,130,158
• Breach types: payment card, hack, insider, physical, portable
Organization type: ALL; years of breach: 2016, 2015
• Breaches made public fitting these criteria: 636
• Records total: 164,693,655
“LA Hospital Servers Shut Down By Ransomware”, posted Feb 17, 2016 by John Biggs (@johnbiggs)
How do security breaches occur?
12.06.2014
Attacker motivation
Attacker                            Motivation                  Goal
Government                          Financial, influence        Collecting information
Criminals                           Financial                   Threats, blackmailing
Commercial organizations            Financial                   Disturbance of the competitor, collection of information
Insider                             Self-interest, vengeance    Economic benefits, damage to the organization, revenge
Curious users (external/internal)   Curious                     Pressing any buttons and seeing what happens
Hacktivism                          Power                       Placing an opponent in a bad light, collecting information
• Information security today
• Data classifications in Aalto
• Information Security in daily work
• GDPR – The EU General Data Protection Regulation
Aalto Information Classification guideline
The University's information is public by default, unless there are:
• legal grounds
• Section 24 of the Act on the Openness of Government Activities (“julkisuuslaki”)
• Personal Data Act, e.g. sensitive personal data
• business secrets of a private company (see more in the guideline)
The Aalto University security classification guideline is based on the Decree on Information Security in Central Government (VAHTI 2010); the same principles are used in other universities and CSC.
Due to shared functions, it is important that information classified to the same level is marked with the same labels and stored & processed with the same principles.
https://inside.aalto.fi/display/arkistojakirjaamopalvelut/Ohjeistus+-+julkisuus+ja+tietojen+luokittelu
http://www.2014.vm.fi/vm/en/04_publications_and_documents/01_publications/05_government_information_management/20101028Instru/name.jsp
http://www.oikeusministerio.fi/en/index/basicprovisions/legislation/actontheopennessofgovernmentactivities.html
Information Classification guideline
• Sets out the basis for classification in those situations where it may be necessary to apply security classification in order to protect interests (classification policy)
• Includes labels and markings in case of transferring or archiving documents (rules on the handling)
• Defines the principles of IT infrastructure design and detailed requirement specifications for IT procurement (e.g. requirement specifications, Inside help)
“Classification at too low a level may compromise the university's information security and activity.”
“The over-classification of information leads to unnecessary expenses and laborious handling processes.”
In practice
In everyday work the material is the owner's responsibility; the owner is responsible for the correct handling (as law, university policies & agreements require).
When materials are used in daily work for carrying out university activities, they are not formally classified. However, everyone must always distinguish classified information!
IF the material is stored in an archive, classified as such or forwarded, and/or the content includes classified information, and/or the content includes especially confidential information due to regulation, contractual conditions or for other reasons,
THEN (and only then) it is classified as Public, Internal, Confidential or Secret, with labels and secrecy obligations (e.g. legal grounds: Act on Openness, section 24, paragraph 4).
Decision flow: does section 5 of the Act on Openness apply to my university document?
• “Non documents” (work files, drafts): notes, drafts, internal guides, notes from team meetings, internal training material, work documents, internal communication and internal messages → internal information security labelling
• “University document” (legal definition) → is the CONTENT of the document confidential, internal or secret?
• NO → “Public” (note: public and “meant to be published” are not the same)
• YES → confidentiality label for university documents; secrecy obligations (in most cases section 24): psychological testing or aptitude testing, business secrets, unpublished patentable research work, security arrangements, a person's health state. Law (Act on Openness, Personal Data Act) or contract tends to require the protection of the data.
Back to basics: to help university users we created “Examples of classified data” (on your desks).
The table is indicative. The user should evaluate the need for the protection level. For research data, the real value can be estimated only by the data owner. If you are unsure, ask the legal team.
Classification in work
• Controlling the practical work and information processing
• Rules on the handling
• Identifying the underlying data
• Critical information / internal information / public information
• Examples of data table
• Defining the need for protection, how strong the security must be
• Requirement specifications from IT
• Storage proposals, the options listed
• Rules on the handling
• Making labels, when it comes to the need to transfer, assign or archive material
• Classification guideline
• Principles of planning the IT environment
• Cloud.aalto.fi, Inside, requirement specifications
(Figure: “System X for co-operation project” as the example case)
Rules on the handling:
https://inside.aalto.fi/display/arkistojakirjaamopalvelut/Ohjeistus+-+julkisuus+ja+tietojen+luokittelu
(All guidelines are also in English)
Label ST IV (SL IV) in University of Eastern Finland
Label ST IV (SL IV) in Aalto university
Classification guideline, Rules on the Handling – IT service matrix:
Handle with extra care if... Think about your work and the information you are processing! If:
• the data is classified confidential or secret by Aalto University, or the data is confidential under a non-disclosure agreement, project agreement or other agreement containing confidentiality obligations
• the data concerns a patentable invention or other non-published research results
• the data has requirements from a third party
• the University (or you) would suffer reputational or financial damage if the data leaked to external use
• there is a long-term archiving requirement
• value of data? what happens if the data is lost permanently
• availability requirement: what happens if there is no access to the data? a third-party service might be down, or there may be network problems
IT service matrix dimensions (from the figure):
Confidentiality (“data classification”): Public | Internal | Confidential (ST IV, ST III)
Availability (how critical it is that the service is available): Low, no redundant hardware | Medium, “business hours” | High, “24/7”, redundant
Integrity (impact of incorrect information): Standard/low, “optional”, data replaceable | Medium, “recommended” | High, “required”
Information Security Classification – just one view
http://www.nature.com/news/scientists-losing-data-at-a-rapid-rate-1.14416
http://www.cnet.com/news/stolen-laptop-contains-cancer-cure-data/
• Information security today
• Data classifications in Aalto
• Information Security in daily work
• GDPR – The EU General Data Protection Regulation
https://inside.aalto.fi/
https://wiki.aalto.fi/display/OPIT/Home
https://inside.aalto.fi/display/palveluluettelo/Kaikki+palvelut
So-called “Public Cloud” – http://cloudinfo.aalto.fi
• ready to use
• scalable
• no IT help needed
• service for almost any possible use case
• all possible bells and whistles
• can be used anywhere
• free of charge (if your privacy and personal life have no value)
(Figure: 500 Mb video, 20 minutes)
Things to consider:
• where is the data?
• who gets it?
• provider employees?
• network traffic?
• bottlenecks?
• privacy policy?
• privacy data collection and destruction?
• terms of service?
• investigation? (in case of illegal content, data theft, copyright etc.)
• lock-in?
Security in work (C-I-A)
• Take care of work material
• Make sure that your files are always backed up. Dispose of confidential material in accordance with instructions. Be sure to log out from software and systems.
• Protect your equipment and the environment
• Make sure that your computer security software is working and updated. Use the password-protected “screen saver”. Lock your room and your computer when you leave, even for a short time.
• Be sure about the source of information
• A message may contain malware or be forged; the sender's name and address guarantee nothing. Do not install programs unless you are sure they are safe. Do not open a file you are not sure about or whose sender you do not know. Be careful with USB sticks.
• Be accurate in your own work
• When you send something, say clearly what it is; do not send attachments without first informing the recipient about the coming files. Also keep in mind the so-called hidden data (MS Office metadata). Always be a little suspicious when someone asks for confidential information; verify the person's identity.
http://www.digitalconfidence.com/Hidden-Data-and-Metadata-FAQ.html
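The “hidden data” point above can be checked mechanically before a file leaves the organisation: Office Open XML files (.docx, .xlsx, .pptx) are zip packages whose docProps/core.xml and docProps/app.xml parts carry author, last-modified-by, company, revision and date fields, and tracked changes and comments carry author names as well. As an added example that is not from the presentation or from Aalto, the Python below builds a constructed minimal .docx in memory, reports those fields, and returns a copy with the identifying properties removed; all names and values in the sample are made up.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Standard OOXML namespaces for the package metadata parts.
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
    "ep": "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties",
    "w": "http://schemas.openxmlformats.org/wordprocessingml/2006/main",
}
for _prefix, _uri in NS.items():
    ET.register_namespace(_prefix, _uri)

# Properties worth reporting before a file is sent out.
CORE_FIELDS = ["dc:title", "dc:creator", "cp:lastModifiedBy", "dc:description",
               "cp:keywords", "cp:category", "cp:revision",
               "dcterms:created", "dcterms:modified"]
APP_FIELDS = ["ep:Company", "ep:Manager", "ep:Template", "ep:TotalTime"]
# Everything except the title is removed by the scrubber.
SCRUB_FIELDS = {"docProps/core.xml": [f for f in CORE_FIELDS if f != "dc:title"],
                "docProps/app.xml": APP_FIELDS}

# Constructed sample parts; the names and values are made up for this example.
SAMPLE_PARTS = {
    "docProps/core.xml": f"""<?xml version="1.0" encoding="UTF-8"?>
<cp:coreProperties xmlns:cp="{NS['cp']}" xmlns:dc="{NS['dc']}" xmlns:dcterms="{NS['dcterms']}">
<dc:title>Draft project plan</dc:title><dc:creator>Constructed Author</dc:creator>
<cp:lastModifiedBy>Constructed Reviewer</cp:lastModifiedBy><cp:revision>17</cp:revision>
<dcterms:created>2016-11-01T09:00:00Z</dcterms:created>
<dcterms:modified>2016-11-16T17:30:00Z</dcterms:modified></cp:coreProperties>""",
    "docProps/app.xml": f"""<?xml version="1.0" encoding="UTF-8"?>
<Properties xmlns="{NS['ep']}"><Company>Constructed Dept</Company><TotalTime>340</TotalTime></Properties>""",
    "word/document.xml": f"""<?xml version="1.0" encoding="UTF-8"?>
<w:document xmlns:w="{NS['w']}"><w:body><w:p><w:r><w:t>Final text</w:t></w:r>
<w:del w:id="1" w:author="Constructed Author"><w:r><w:delText>budget 200k</w:delText></w:r></w:del>
</w:p></w:body></w:document>""",
    "word/comments.xml": f"""<?xml version="1.0" encoding="UTF-8"?>
<w:comments xmlns:w="{NS['w']}"><w:comment w:id="0" w:author="Constructed Reviewer">
<w:p><w:r><w:t>internal note, do not send</w:t></w:r></w:p></w:comment></w:comments>""",
}


def build_sample_docx() -> bytes:
    """Constructed minimal .docx-like zip package (enough structure for the checks)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        for name, xml in SAMPLE_PARTS.items():
            z.writestr(name, xml)
    return buf.getvalue()


def _read_fields(xml_bytes: bytes, names) -> dict:
    """Collect the non-empty named child elements of a properties part."""
    root = ET.fromstring(xml_bytes)
    found = {}
    for name in names:
        el = root.find(name, NS)
        if el is not None and (el.text or "").strip():
            found[name] = el.text.strip()
    return found


def inspect_office_metadata(data: bytes) -> dict:
    """Report document properties plus authors named in tracked changes and comments."""
    report = {"properties": {}, "has_comments": False,
              "tracked_changes": False, "authors": set()}
    w = "{%s}" % NS["w"]
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = set(z.namelist())
        if "docProps/core.xml" in names:
            report["properties"].update(_read_fields(z.read("docProps/core.xml"), CORE_FIELDS))
        if "docProps/app.xml" in names:
            report["properties"].update(_read_fields(z.read("docProps/app.xml"), APP_FIELDS))
        report["has_comments"] = "word/comments.xml" in names
        for part in ("word/document.xml", "word/comments.xml"):
            if part not in names:
                continue
            for el in ET.fromstring(z.read(part)).iter():
                if el.tag in (w + "ins", w + "del"):
                    report["tracked_changes"] = True
                if el.get(w + "author"):
                    report["authors"].add(el.get(w + "author"))
    return report


def scrub_document_properties(data: bytes) -> bytes:
    """Return a copy with identifying core/app properties removed.

    Tracked changes and comments are only reported: deleting those parts by hand
    leaves dangling references, so accept all changes and delete comments in the
    editor before sending.
    """
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(data)) as src, \
            zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for item in src.infolist():
            payload = src.read(item.filename)
            if item.filename in SCRUB_FIELDS:
                root = ET.fromstring(payload)
                for name in SCRUB_FIELDS[item.filename]:
                    el = root.find(name, NS)
                    if el is not None:
                        root.remove(el)
                payload = ET.tostring(root, encoding="UTF-8", xml_declaration=True)
            dst.writestr(item.filename, payload)
    return out.getvalue()


if __name__ == "__main__":
    sample = build_sample_docx()
    print(inspect_office_metadata(sample))
    print(inspect_office_metadata(scrub_document_properties(sample)))
```

Run the inspection on any real .docx by passing `open(path, "rb").read()`; the report is the checklist to go through with the author before the file goes to an external recipient, and the scrubbed copy still contains the deleted text inside `w:del` elements until the changes are accepted in the editor.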
Safety in web (SoMe, Cloud)
• you cannot get anything “back”
• services may claim ownership of the information
• “free” services often collect and disclose information to third parties such as advertisers or collaboration partners
• malicious links: think before clicking (malvertising)
• think about where you buy from
• “fakeware / scareware”: think before buying (snake oil software)
• be accurate in how and what you write
• please do not comment on behalf of the University, unless it belongs to your job description :)
https://blog.malwarebytes.org/malvertising-2/2015/02/what-is-malvertising/
https://www.washingtonpost-personal-data-points-that-facebook-uses-to-target-ads-to-you/
Safety in web (e.g. SoMe, Cloud)
• keep your password / username combination safe, in case the worst happens (serious illness or matters related to legislation)
• material may be valuable financially or for some other reason (to the university or relatives, e.g. a script, photos, a new “Kalevala” in the works)
• use different passwords and user ids; a mnemonic? software like “KeePass” http://keepass.info/ for password management
• use an “alias” account name, e.g. “TeemuX2012”, etc.; check that this is not against the ToS*; in some cases anonymity might be a good idea
• keep copies of everything on your own computer
• do not accept all friend requests
• if necessary, clear the browser cache
• the only “sure” way to store files securely is encryption
* “Terms of Service; Didn't Read” https://tosdr.org/
Profitable tool for criminals – email
• At the moment the biggest threat
• Aalto is an attractive target for criminals
• a lot of users
• in case of successful phishing -> huge capacity
• Malicious email:
– Spam: pharmacies, pornography, gambling (might be legal, just hidden costs in the small print)
– Scams: financial or emotional benefits, a wide variety of frauds
– Phishing
– Malware, malicious links to services
Cornell University, 120 examples collected in 2015: http://www.it.cornell.edu/security/phishbowl.cfm
What happened? “urgency, stress, tiredness”
As a user, security in work
File/folder level encryption
• Sophos SafeGuard PrivateCrypto, Aalto workstation software
• Create an encrypted package, send it by email or share it with https://filesender.funet.fi/ , send the password by SMS
• VeraCrypt, a heavier tool, for example for project use. https://veracrypt.codeplex.com/
– Create a “container” in a place where every member has access
– Share the password in a secure way
Encryption is the secure way to share or save to external storage (for example cloud)
Aalto email encryption
The service uses Adobe Acrobat PDF files with strong AES-256 encryption (secured also in the cloud, like O365).
E-mails are encrypted automatically by adding “AALTO-SECURE” (or aalto-secure) to the subject field, like:
AALTO-SECURE: your real subject
• It is good practice to inform the recipient in advance of an incoming message
• Outsiders can send an encrypted message to Aalto by answering an Aalto user's encrypted message
Option, needs knowledge about PKI infrastructure:
• GnuPG + Thunderbird combination
https://en.wikipedia.org/wiki/Public_key_infrastructure
Keep safety when traveling
https://inside.aalto.fi/download/attachments/15370292/IT instructions Foreign travel _29052015_ENG.pdf
• Activate lock-out functions for screen savers: computers with confidential data should be configured to “lock out” after 20 minutes of inactivity. A PC in sleep mode can be hacked easily
• Laptop hard drives should be encrypted; ask the IT Service Desk for more information
• With kiosk PCs, clear the browser cache
• Before leaving, write down important contact details: ITS service desk, “if device is lost” instructions, operator, credit card contact numbers
• Use VPN; an open WLAN is open
• Change your password while abroad; your password is valid for 180 days (approx. 6 months)
• Take care of USB sticks; don't take USBs from unknown people
• Always transport your devices as hand luggage when traveling (e.g. train, ship, bus)
• Make sure that the PIN and protection code inquiry features of your mobile phone are enabled
• Disable Bluetooth if you really don't need it
• Be careful when printing and carrying confidential material (or avoid it totally)
Case 1, European Research Council
Requirement, for example:
…
o Detailed information must be provided on the procedures that will be implemented for data collection, storage, protection, retention and destruction and confirmation that they comply with national and EU legislation
o In case of data not publicly available, relevant authorisation must be ..
Depending on the confidentiality level (“normal” NDA, level = confidential), one possible solution is Eduuni (SLIDE 12, IT-Service Matrix).
• Contact the IT account managers; the Eduuni admin will create a workspace.
• If needed, ask for the Eduuni security statement from Research and Innovation Services or security@aalto.fi, and add the statement to the research application
• When the project starts, create a workspace for your project
Case 2, project with secret level data
Ask for consultation from security@aalto.fi
(Some schools already have high security facilities)
Some typical requirements:
• Rooms must have electronic locks with an audit log: who, when
• Workstations with the data disconnected from the web
• All access to the data must have audit control: who, when, what
• Data must be encrypted on shared drives or external devices, like USB backup (Slide 19)
• Information security today
• Data classifications in Aalto
• Information Security in daily work
• GDPR – The EU General Data Protection Regulation
The EU General Data Protection Regulation (GDPR) – a new thing?
• In 1980, the OECD “Guidelines on the Protection of Privacy and Transborder Flows of Personal Data” addressed 8 principles of privacy: Collection Limitation, Data Quality, Purpose Specification, Use Limitation, Security Safeguards, Openness, Individual Participation and Accountability
• Basis of the 1995 EU Directive 95/46/EC, the “Personal Data Directive”
• 2012: first GDPR draft out, preparations started in Aalto
• May 2016: GDPR approved (already in place)
• Transition period: from May 2018 everyone must follow it
Roles from the legislation point of view
The data controller is the natural person, company, association or other entity that is factually in control of the processing of personal data and is empowered to take the essential decisions on the purposes and mechanisms of such processing, including the applicable security measures. “Who is responsible for and owns the data subjects' information.”
A processor becomes a controller if he or she uses the data for his or her own purposes, not following the instructions of a controller (think about Google and targeted advertising).
Data processor, Directive: “The natural or legal person, public authority, agency or any other body which processes personal data on behalf of the controller” (Article 2(e) of the Data Protection Directive). If an organization holds or processes personal data but does not exercise responsibility for or control over the personal data, then this organization is a “processor”. Examples of processors include payroll companies, accountants and market research companies, call centres of telecom or financial companies, all of which could hold or process personal information on behalf of someone else.
Data subject: the natural person the personal data relates to; one individual person. (Directive goal: to give full control and knowledge about the storing and handling of his/her personal data.)
Personal data
The definition is meant to be broad. “Personal data” is any information that someone is able to link to an individual person, directly or indirectly.
Credit card number, bank statements, medical record (even a mention of a rare disease), full name, photo, phone number, birth date, e-mail address, car license plate, physical characteristics… and IP address.
The definition is also technology neutral. It does not matter how the personal data is stored: on paper, on any IT system, on a CCTV system, in photographs, etc.
https://ico.org.uk/media/for-organisations/documents/1549/determining_what_is_personal_data_quick_reference_guide.pdf
The EU Court of Justice ruled that IP addresses are protected personal data
https://www.quora.com/Is-IP-address-considered-to-be-personal-information-in-EU-in-general-and-in-Finland-in-particular
What does the GDPR say?
GDPR says “WHAT”, it doesn't say “HOW”. Nothing about:
• specific tools to use
• specific processes to use
• specific standards to use
• examples or templates for solutions
• best practices for development or guidelines for actual “privacy engineering (privacy by default)”
GDPR interpretation: 4 difficult articles (total amount 85 articles)
• Article 32 “Security of processing”: “controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk”. What is appropriate?
• Article 32 “Security of processing” continues: “ongoing confidentiality, integrity, availability and resilience of systems and services processing personal data” and restoring “data in a timely manner”. How long is a timely manner, next business day?
• Breach notification process (Article 33): “The processor shall notify the controller without undue delay after becoming aware of a personal data breach”. What should the time limit be in vendor agreements?
• Article 20, “Data protection by design and by default”. How should you actually implement that in application development?
Before you start implementing GDPR, the organization needs to interpret the GDPR articles: instead of “WHAT”, you need an answer to the question “HOW”.
The fines
Check your security management against Article 83, General conditions for imposing administrative fines: “When deciding whether to impose an administrative fine and deciding on the amount of the administrative fine in each individual case due regard shall be given to the following (11 issues):”
You are pretty safe if you can answer the supervisory authority (“tietosuojavaltuutettu”, the Data Protection Ombudsman) something on the 11 topics, like:
• The number of data subjects affected?
• The categories of personal data affected by the infringement?
• Encryption… organisational and technical measures that are in place?
My proposal: make a test, can you answer those 11 issues if you do a breach exercise?
GDPR help from externals?
At the moment public guidelines are mostly at this level*:
• “Proactive not Reactive; Preventative not Remedial”
• “Privacy as the Default Setting”
• “Privacy Embedded into Design”
• “End-to-End Security — Full Lifecycle Protection”
• “Respect for User Privacy — Keep it User-Centric”
1. Not so practical or useful for system owners or application developers.
2. External consultants in most cases have the same story.
3. Be aware of snake oil applications; it is not possible to buy a GDPR tool.
4. Externals cannot do the interpretation for the organization.
* Ann Cavoukian, Ph.D., Information & Privacy Commissioner, Ontario, Canada, Privacy by Design guideline: https://www.ipc.on.ca/wp-content/uploads/Resources/pbd-primer.pdf
And now, something more about “how” :) (organization)
• Setting up a GDPR project, top management participation and enough resources
• State analysis, self audit about information security, continuity and personal data management, set up development measures (framework ISO 27001, “VAHTI-2010”)
– System level P-I-A
– Organization level P-I-A
– Status of privacy policies, description of file, guidelines and policies review
• Inventory of contracts and sub-contractors (personal data flow diagram)
• Personal data inventory: check your systems containing personal data (interpretation…)
• Management reporting practice, the annual clock
– Data protection status reports (amount of inquiries, incidents, close calls)
– The risk and impact assessments carried out as well as their most significant findings
• Establish an awareness program: annual employee training, new employee package (register)
• Communication plans (about the coming GDPR)
• Data subject requests: procedures and a plan for how to handle them in the required time
• Analyze ongoing development and procurement projects
• Development of risk management (formal, remember accountability)
• Ensure data security and business continuity (organizational and technical measures)
How – privacy by design
https://www.enisa.europa.eu/topics/data-protection/privacy-enhancing-technologies (PET)
https://www.enisa.europa.eu/publications/privacy-and-data-protection-by-design
https://www.owasp.org/images/c/c6/OWASP_AppSec_Research_2010_Agile_Prod_Sec_Mgmt_by_Vaha-Sipila.pdf
• “Privacy by Design” is today undefined
• Official privacy by design will be defined after precedent legal cases
Image: based on PrivaOn material
Personal Data Flow – subcontractor management
(Figure: personal data flow diagram. Nodes: data subject → end user device → organization (controller) → application server in Finland; cloud-based storage in USA; administration and support in India with remote connections to the systems; API → data analytics at a vendor and the vendor's subsidiary; contractor; application development partner. Jurisdictions marked: Finland, EU, USA, India (outside EU/ETA). Links: HTTPS / SSL encryption; between data subject and organization also EULA and input forms.)
In all boxes, note:
• Data retention (right to erasure)
• Minimisation
• Agreements
How – agreements and vendor management
Start with a subcontractor inventory: list all of your subcontractors and find out the personal data related to each contractor. Draw the data flow to see where personal data moves and under what legislation (e.g. subcontractors' subcontractors: Azure/O365 -> ~80 subcontractors).
• Agreement (between controller and processor), e.g.
• Processing activities, data processing only for the specific use
• Consent, transfer of data outside the EU, moving data to another processor
• Data location; right to change subcontractor?
• The ability to restore the availability and access to “data in a timely manner”
• Portability, erasure, data retention time
• NDA – security agreement template, e.g.
• vulnerability management, back-ups
• agree about the breach notification process
• subcontractor obligation to use employee NDAs … (ask the legal team)
• Requirement specifications, requirements related to security and continuity (ask the IT account managers)
How – data subject rights, e.g.
– Right to be provided with information about his/her data (right of access, Article 15)
– Generally enhanced right to information and transparency, new e.g.
• retention period of the personal data
• right to withdraw consent at any moment
– Consent (Article 6, Lawfulness of processing)
• cookie consent
• log that action for later purposes
• no pre-ticking, privacy by default
– Right to restriction: only restricts processing, data can still be stored
– Data portability: data to another processor
– Right to erasure: total erasure
Not absolute rights, e.g. “erasure”: the article shall not apply in cases a, b, c, d and e, such as for the establishment, exercise or defence of legal claims.
GDPR links
Guide to the General Data Protection Regulation
http://ec.europa.eu/justice/data-protection/files/factsheets/factsheet_data_protection_en.pdf
VAHTI-raportti 1/2016 EU-tietosuojan kokonaisuudistus (VAHTI report 1/2016, the EU data protection reform)
- Good practical guideline for Finnish organizations
Excel tool (VAHTI tool)
Excel tool without the risk management section
- Excellent PIA tool for assessment workshops
Thank you!
All information security related issues: security@aalto.fi

Privacy & Pwnage: Privacy, Data Breaches and Lessons for Security Pros
 
Training privacy by design
Training privacy by designTraining privacy by design
Training privacy by design
 

Andere mochten auch

Electronic data & record management
Electronic data & record managementElectronic data & record management
Electronic data & record managementGreenLeafInst
 
Pecha Kucha, How principles break rules
Pecha Kucha, How principles break rulesPecha Kucha, How principles break rules
Pecha Kucha, How principles break rulesHerman Kopinga
 
3 chapter three - designing a telecoms regulatory framework for converged m...
3   chapter three - designing a telecoms regulatory framework for converged m...3   chapter three - designing a telecoms regulatory framework for converged m...
3 chapter three - designing a telecoms regulatory framework for converged m...Jeremmy Okonjo
 
International Telecommunication Laws-PPT
International Telecommunication Laws-PPTInternational Telecommunication Laws-PPT
International Telecommunication Laws-PPTJayakar Bathula Jayakar
 
Banco bilbao viscaya argentaria
Banco bilbao viscaya argentariaBanco bilbao viscaya argentaria
Banco bilbao viscaya argentariamavazir
 
eDRG Innovative Reporting & Dashboarding - Business Values
eDRG Innovative Reporting & Dashboarding - Business ValueseDRG Innovative Reporting & Dashboarding - Business Values
eDRG Innovative Reporting & Dashboarding - Business ValueseDRG2014
 
Memoria ambiental Enara-5
Memoria ambiental Enara-5Memoria ambiental Enara-5
Memoria ambiental Enara-5Frackingezaraba
 
Seguiment del prematur extrem
Seguiment del prematur extremSeguiment del prematur extrem
Seguiment del prematur extremPediatriadeponent
 
Showroomprive - NOAH12 London
Showroomprive - NOAH12 LondonShowroomprive - NOAH12 London
Showroomprive - NOAH12 LondonNOAH Advisors
 
3 Telecom+Network Part1
3 Telecom+Network Part13 Telecom+Network Part1
3 Telecom+Network Part1Alfred Ouyang
 
Computer security design principles
Computer security design principlesComputer security design principles
Computer security design principlesShaishav Dahal
 
IS740 Chapter 06
IS740 Chapter 06IS740 Chapter 06
IS740 Chapter 06iDocs
 
Casos de éxito en Email Marketing
Casos de éxito en Email MarketingCasos de éxito en Email Marketing
Casos de éxito en Email Marketingamdia
 
Criterios y requisitos
Criterios y requisitosCriterios y requisitos
Criterios y requisitosJulia C.
 

Andere mochten auch (20)

Electronic data & record management
Electronic data & record managementElectronic data & record management
Electronic data & record management
 
Pecha Kucha, How principles break rules
Pecha Kucha, How principles break rulesPecha Kucha, How principles break rules
Pecha Kucha, How principles break rules
 
3 chapter three - designing a telecoms regulatory framework for converged m...
3   chapter three - designing a telecoms regulatory framework for converged m...3   chapter three - designing a telecoms regulatory framework for converged m...
3 chapter three - designing a telecoms regulatory framework for converged m...
 
International Telecommunication Laws-PPT
International Telecommunication Laws-PPTInternational Telecommunication Laws-PPT
International Telecommunication Laws-PPT
 
Banco bilbao viscaya argentaria
Banco bilbao viscaya argentariaBanco bilbao viscaya argentaria
Banco bilbao viscaya argentaria
 
eDRG Innovative Reporting & Dashboarding - Business Values
eDRG Innovative Reporting & Dashboarding - Business ValueseDRG Innovative Reporting & Dashboarding - Business Values
eDRG Innovative Reporting & Dashboarding - Business Values
 
Memoria ambiental Enara-5
Memoria ambiental Enara-5Memoria ambiental Enara-5
Memoria ambiental Enara-5
 
Seguiment del prematur extrem
Seguiment del prematur extremSeguiment del prematur extrem
Seguiment del prematur extrem
 
Nynorsk
NynorskNynorsk
Nynorsk
 
Showroomprive - NOAH12 London
Showroomprive - NOAH12 LondonShowroomprive - NOAH12 London
Showroomprive - NOAH12 London
 
Alice s adventures in wonderland
Alice s adventures in wonderlandAlice s adventures in wonderland
Alice s adventures in wonderland
 
3 Telecom+Network Part1
3 Telecom+Network Part13 Telecom+Network Part1
3 Telecom+Network Part1
 
United Branding Presentation
United Branding PresentationUnited Branding Presentation
United Branding Presentation
 
Computer security design principles
Computer security design principlesComputer security design principles
Computer security design principles
 
IS740 Chapter 06
IS740 Chapter 06IS740 Chapter 06
IS740 Chapter 06
 
Casos de éxito en Email Marketing
Casos de éxito en Email MarketingCasos de éxito en Email Marketing
Casos de éxito en Email Marketing
 
Criterios y requisitos
Criterios y requisitosCriterios y requisitos
Criterios y requisitos
 
Portfolio
Portfolio Portfolio
Portfolio
 
La Electronica En El Automovil
La Electronica En El AutomovilLa Electronica En El Automovil
La Electronica En El Automovil
 
Newsletter 2
Newsletter 2Newsletter 2
Newsletter 2
 

Ähnlich wie Information security and research data

Data protection in Practice
Data protection in PracticeData protection in Practice
Data protection in PracticeTomppa Järvinen
 
What Are you Waiting For? Remediate your File Shares and Govern your Informat...
What Are you Waiting For? Remediate your File Shares and Govern your Informat...What Are you Waiting For? Remediate your File Shares and Govern your Informat...
What Are you Waiting For? Remediate your File Shares and Govern your Informat...Everteam
 
IT Security Guest Lecture
IT Security Guest LectureIT Security Guest Lecture
IT Security Guest LectureMurthinty
 
Privacies are Coming
Privacies are ComingPrivacies are Coming
Privacies are ComingErnest Staats
 
Presentation on Information Privacy
Presentation on Information PrivacyPresentation on Information Privacy
Presentation on Information PrivacyPerry Slack
 
International Cooperation for Research on Privacy and Data Protection - Austr...
International Cooperation for Research on Privacy and Data Protection - Austr...International Cooperation for Research on Privacy and Data Protection - Austr...
International Cooperation for Research on Privacy and Data Protection - Austr...Liming Zhu
 
Privacy for tech startups
Privacy for tech startups Privacy for tech startups
Privacy for tech startups Marc Gallardo
 
DSS.LV - Principles Of Data Protection - March2015 By Arturs Filatovs
DSS.LV - Principles Of Data Protection - March2015 By Arturs FilatovsDSS.LV - Principles Of Data Protection - March2015 By Arturs Filatovs
DSS.LV - Principles Of Data Protection - March2015 By Arturs FilatovsAndris Soroka
 
Service and Support for Science IT -Peter Kunzst, University of Zurich
Service and Support for Science IT-Peter Kunzst, University of ZurichService and Support for Science IT-Peter Kunzst, University of Zurich
Service and Support for Science IT -Peter Kunzst, University of ZurichMind the Byte
 
Building blocks for success: criteria for trusted institutional repositories
Building blocks for success: criteria for trusted institutional repositoriesBuilding blocks for success: criteria for trusted institutional repositories
Building blocks for success: criteria for trusted institutional repositoriesIna Smith
 
FAIRDOM data management support for ERACoBioTech Proposals
FAIRDOM data management support for ERACoBioTech ProposalsFAIRDOM data management support for ERACoBioTech Proposals
FAIRDOM data management support for ERACoBioTech ProposalsFAIRDOM
 
Data compliance - get it right the first time (Full color PDF)
Data compliance - get it right the first time (Full color PDF)Data compliance - get it right the first time (Full color PDF)
Data compliance - get it right the first time (Full color PDF)Peter GEELEN ✔
 
Service goes accessible_2013_sh
Service goes accessible_2013_shService goes accessible_2013_sh
Service goes accessible_2013_shTomppa Järvinen
 
Privacies are coming
Privacies are comingPrivacies are coming
Privacies are comingErnest Staats
 
Information security: importance of having defined policy & process
Information security: importance of having defined policy & processInformation security: importance of having defined policy & process
Information security: importance of having defined policy & processInformation Technology Society Nepal
 
Redrawing the Cyber Defense Frontier
Redrawing the Cyber Defense FrontierRedrawing the Cyber Defense Frontier
Redrawing the Cyber Defense FrontierJoe Hage
 
Tax Preparers Presentation
Tax Preparers PresentationTax Preparers Presentation
Tax Preparers PresentationDoug Landoll
 

Ähnlich wie Information security and research data (20)

Data protection in Practice
Data protection in PracticeData protection in Practice
Data protection in Practice
 
What Are you Waiting For? Remediate your File Shares and Govern your Informat...
What Are you Waiting For? Remediate your File Shares and Govern your Informat...What Are you Waiting For? Remediate your File Shares and Govern your Informat...
What Are you Waiting For? Remediate your File Shares and Govern your Informat...
 
IT Security Guest Lecture
IT Security Guest LectureIT Security Guest Lecture
IT Security Guest Lecture
 
Privacies are Coming
Privacies are ComingPrivacies are Coming
Privacies are Coming
 
Presentation on Information Privacy
Presentation on Information PrivacyPresentation on Information Privacy
Presentation on Information Privacy
 
International Cooperation for Research on Privacy and Data Protection - Austr...
International Cooperation for Research on Privacy and Data Protection - Austr...International Cooperation for Research on Privacy and Data Protection - Austr...
International Cooperation for Research on Privacy and Data Protection - Austr...
 
Privacy for tech startups
Privacy for tech startups Privacy for tech startups
Privacy for tech startups
 
DSS.LV - Principles Of Data Protection - March2015 By Arturs Filatovs
DSS.LV - Principles Of Data Protection - March2015 By Arturs FilatovsDSS.LV - Principles Of Data Protection - March2015 By Arturs Filatovs
DSS.LV - Principles Of Data Protection - March2015 By Arturs Filatovs
 
E-discovery
E-discoveryE-discovery
E-discovery
 
Goans-Helms-IT Security at Georgia Tech Library
Goans-Helms-IT Security at Georgia Tech LibraryGoans-Helms-IT Security at Georgia Tech Library
Goans-Helms-IT Security at Georgia Tech Library
 
Wipo smes ge_08_topic07
Wipo smes ge_08_topic07Wipo smes ge_08_topic07
Wipo smes ge_08_topic07
 
Service and Support for Science IT -Peter Kunzst, University of Zurich
Service and Support for Science IT-Peter Kunzst, University of ZurichService and Support for Science IT-Peter Kunzst, University of Zurich
Service and Support for Science IT -Peter Kunzst, University of Zurich
 
Building blocks for success: criteria for trusted institutional repositories
Building blocks for success: criteria for trusted institutional repositoriesBuilding blocks for success: criteria for trusted institutional repositories
Building blocks for success: criteria for trusted institutional repositories
 
FAIRDOM data management support for ERACoBioTech Proposals
FAIRDOM data management support for ERACoBioTech ProposalsFAIRDOM data management support for ERACoBioTech Proposals
FAIRDOM data management support for ERACoBioTech Proposals
 
Data compliance - get it right the first time (Full color PDF)
Data compliance - get it right the first time (Full color PDF)Data compliance - get it right the first time (Full color PDF)
Data compliance - get it right the first time (Full color PDF)
 
Service goes accessible_2013_sh
Service goes accessible_2013_shService goes accessible_2013_sh
Service goes accessible_2013_sh
 
Privacies are coming
Privacies are comingPrivacies are coming
Privacies are coming
 
Information security: importance of having defined policy & process
Information security: importance of having defined policy & processInformation security: importance of having defined policy & process
Information security: importance of having defined policy & process
 
Redrawing the Cyber Defense Frontier
Redrawing the Cyber Defense FrontierRedrawing the Cyber Defense Frontier
Redrawing the Cyber Defense Frontier
 
Tax Preparers Presentation
Tax Preparers PresentationTax Preparers Presentation
Tax Preparers Presentation
 

Mehr von Tomppa Järvinen

Riskienhallinnan koulutus "public"
Riskienhallinnan koulutus "public"Riskienhallinnan koulutus "public"
Riskienhallinnan koulutus "public"Tomppa Järvinen
 
Tietoturvaa it kehitykselle 12 2012
Tietoturvaa it kehitykselle 12 2012Tietoturvaa it kehitykselle 12 2012
Tietoturvaa it kehitykselle 12 2012Tomppa Järvinen
 
Kyberrikos 2018 - verkkokaupan kyberriskit ja niihin varautuminen
Kyberrikos 2018 - verkkokaupan kyberriskit ja niihin varautuminenKyberrikos 2018 - verkkokaupan kyberriskit ja niihin varautuminen
Kyberrikos 2018 - verkkokaupan kyberriskit ja niihin varautuminenTomppa Järvinen
 
GDPR practical info session for development
GDPR practical info session for developmentGDPR practical info session for development
GDPR practical info session for developmentTomppa Järvinen
 
Yliopistojen Projekti SIG 2015
Yliopistojen Projekti SIG 2015 Yliopistojen Projekti SIG 2015
Yliopistojen Projekti SIG 2015 Tomppa Järvinen
 
Pilvipalvelut Hallitusti käyttöön SaaS & Public Cloud
Pilvipalvelut Hallitusti käyttöön SaaS & Public CloudPilvipalvelut Hallitusti käyttöön SaaS & Public Cloud
Pilvipalvelut Hallitusti käyttöön SaaS & Public CloudTomppa Järvinen
 
Safe use of cloud - alternative cloud
Safe use of cloud - alternative cloudSafe use of cloud - alternative cloud
Safe use of cloud - alternative cloudTomppa Järvinen
 
Pilvipalvelut lainsäädännön näkökulmasta 31.01.2012
Pilvipalvelut lainsäädännön näkökulmasta 31.01.2012Pilvipalvelut lainsäädännön näkökulmasta 31.01.2012
Pilvipalvelut lainsäädännön näkökulmasta 31.01.2012Tomppa Järvinen
 
Pilvipalvelut ja tietoturva - 24.5.2011
Pilvipalvelut ja tietoturva -  24.5.2011Pilvipalvelut ja tietoturva -  24.5.2011
Pilvipalvelut ja tietoturva - 24.5.2011Tomppa Järvinen
 
Pilvipalveluhanke tietoturvan nakokulmasta
Pilvipalveluhanke tietoturvan nakokulmastaPilvipalveluhanke tietoturvan nakokulmasta
Pilvipalveluhanke tietoturvan nakokulmastaTomppa Järvinen
 

Mehr von Tomppa Järvinen (10)

Riskienhallinnan koulutus "public"
Riskienhallinnan koulutus "public"Riskienhallinnan koulutus "public"
Riskienhallinnan koulutus "public"
 
Tietoturvaa it kehitykselle 12 2012
Tietoturvaa it kehitykselle 12 2012Tietoturvaa it kehitykselle 12 2012
Tietoturvaa it kehitykselle 12 2012
 
Kyberrikos 2018 - verkkokaupan kyberriskit ja niihin varautuminen
Kyberrikos 2018 - verkkokaupan kyberriskit ja niihin varautuminenKyberrikos 2018 - verkkokaupan kyberriskit ja niihin varautuminen
Kyberrikos 2018 - verkkokaupan kyberriskit ja niihin varautuminen
 
GDPR practical info session for development
GDPR practical info session for developmentGDPR practical info session for development
GDPR practical info session for development
 
Yliopistojen Projekti SIG 2015
Yliopistojen Projekti SIG 2015 Yliopistojen Projekti SIG 2015
Yliopistojen Projekti SIG 2015
 
Pilvipalvelut Hallitusti käyttöön SaaS & Public Cloud
Pilvipalvelut Hallitusti käyttöön SaaS & Public CloudPilvipalvelut Hallitusti käyttöön SaaS & Public Cloud
Pilvipalvelut Hallitusti käyttöön SaaS & Public Cloud
 
Safe use of cloud - alternative cloud
Safe use of cloud - alternative cloudSafe use of cloud - alternative cloud
Safe use of cloud - alternative cloud
 
Pilvipalvelut lainsäädännön näkökulmasta 31.01.2012
Pilvipalvelut lainsäädännön näkökulmasta 31.01.2012Pilvipalvelut lainsäädännön näkökulmasta 31.01.2012
Pilvipalvelut lainsäädännön näkökulmasta 31.01.2012
 
Pilvipalvelut ja tietoturva - 24.5.2011
Pilvipalvelut ja tietoturva -  24.5.2011Pilvipalvelut ja tietoturva -  24.5.2011
Pilvipalvelut ja tietoturva - 24.5.2011
 
Pilvipalveluhanke tietoturvan nakokulmasta
Pilvipalveluhanke tietoturvan nakokulmastaPilvipalveluhanke tietoturvan nakokulmasta
Pilvipalveluhanke tietoturvan nakokulmasta
 

Kürzlich hochgeladen

Call Girls In Aerocity 🤳 Call Us +919599264170
Call Girls In Aerocity 🤳 Call Us +919599264170Call Girls In Aerocity 🤳 Call Us +919599264170
Call Girls In Aerocity 🤳 Call Us +919599264170Escort Service
 
RACHEL-ANN M. TENIBRO PRODUCT RESEARCH PRESENTATION
RACHEL-ANN M. TENIBRO PRODUCT RESEARCH PRESENTATIONRACHEL-ANN M. TENIBRO PRODUCT RESEARCH PRESENTATION
RACHEL-ANN M. TENIBRO PRODUCT RESEARCH PRESENTATIONRachelAnnTenibroAmaz
 
Event 4 Introduction to Open Source.pptx
Event 4 Introduction to Open Source.pptxEvent 4 Introduction to Open Source.pptx
Event 4 Introduction to Open Source.pptxaryanv1753
 
Engaging Eid Ul Fitr Presentation for Kindergartners.pptx
Engaging Eid Ul Fitr Presentation for Kindergartners.pptxEngaging Eid Ul Fitr Presentation for Kindergartners.pptx
Engaging Eid Ul Fitr Presentation for Kindergartners.pptxAsifArshad8
 
DGT @ CTAC 2024 Valencia: Most crucial invest to digitalisation_Sven Zoelle_v...
DGT @ CTAC 2024 Valencia: Most crucial invest to digitalisation_Sven Zoelle_v...DGT @ CTAC 2024 Valencia: Most crucial invest to digitalisation_Sven Zoelle_v...
DGT @ CTAC 2024 Valencia: Most crucial invest to digitalisation_Sven Zoelle_v...Henrik Hanke
 
Application of GIS in Landslide Disaster Response.pptx
Application of GIS in Landslide Disaster Response.pptxApplication of GIS in Landslide Disaster Response.pptx
Application of GIS in Landslide Disaster Response.pptxRoquia Salam
 
Mathan flower ppt.pptx slide orchids ✨🌸
Mathan flower ppt.pptx slide orchids ✨🌸Mathan flower ppt.pptx slide orchids ✨🌸
Mathan flower ppt.pptx slide orchids ✨🌸mathanramanathan2005
 
Quality by design.. ppt for RA (1ST SEM
Quality by design.. ppt for  RA (1ST SEMQuality by design.. ppt for  RA (1ST SEM
Quality by design.. ppt for RA (1ST SEMCharmi13
 
THE COUNTRY WHO SOLVED THE WORLD_HOW CHINA LAUNCHED THE CIVILIZATION REVOLUTI...
THE COUNTRY WHO SOLVED THE WORLD_HOW CHINA LAUNCHED THE CIVILIZATION REVOLUTI...THE COUNTRY WHO SOLVED THE WORLD_HOW CHINA LAUNCHED THE CIVILIZATION REVOLUTI...
THE COUNTRY WHO SOLVED THE WORLD_HOW CHINA LAUNCHED THE CIVILIZATION REVOLUTI...漢銘 謝
 
INDIAN GCP GUIDELINE. for Regulatory affair 1st sem CRR
INDIAN GCP GUIDELINE. for Regulatory  affair 1st sem CRRINDIAN GCP GUIDELINE. for Regulatory  affair 1st sem CRR
INDIAN GCP GUIDELINE. for Regulatory affair 1st sem CRRsarwankumar4524
 
Early Modern Spain. All about this period
Early Modern Spain. All about this periodEarly Modern Spain. All about this period
Early Modern Spain. All about this periodSaraIsabelJimenez
 
CHROMATOGRAPHY and its types with procedure,diagrams,flow charts,advantages a...
CHROMATOGRAPHY and its types with procedure,diagrams,flow charts,advantages a...CHROMATOGRAPHY and its types with procedure,diagrams,flow charts,advantages a...
CHROMATOGRAPHY and its types with procedure,diagrams,flow charts,advantages a...university
 
The Ten Facts About People With Autism Presentation
The Ten Facts About People With Autism PresentationThe Ten Facts About People With Autism Presentation
The Ten Facts About People With Autism PresentationNathan Young
 
PAG-UNLAD NG EKONOMIYA na dapat isaalang alang sa pag-aaral.
PAG-UNLAD NG EKONOMIYA na dapat isaalang alang sa pag-aaral.PAG-UNLAD NG EKONOMIYA na dapat isaalang alang sa pag-aaral.
PAG-UNLAD NG EKONOMIYA na dapat isaalang alang sa pag-aaral.KathleenAnnCordero2
 
SaaStr Workshop Wednesday w/ Kyle Norton, Owner.com
SaaStr Workshop Wednesday w/ Kyle Norton, Owner.comSaaStr Workshop Wednesday w/ Kyle Norton, Owner.com
SaaStr Workshop Wednesday w/ Kyle Norton, Owner.comsaastr
 
Dutch Power - 26 maart 2024 - Henk Kras - Circular Plastics
Dutch Power - 26 maart 2024 - Henk Kras - Circular PlasticsDutch Power - 26 maart 2024 - Henk Kras - Circular Plastics
Dutch Power - 26 maart 2024 - Henk Kras - Circular PlasticsDutch Power
 
Internship Presentation | PPT | CSE | SE
Internship Presentation | PPT | CSE | SEInternship Presentation | PPT | CSE | SE
Internship Presentation | PPT | CSE | SESaleh Ibne Omar
 
Chizaram's Women Tech Makers Deck. .pptx
Chizaram's Women Tech Makers Deck.  .pptxChizaram's Women Tech Makers Deck.  .pptx
Chizaram's Women Tech Makers Deck. .pptxogubuikealex
 
proposal kumeneger edited.docx A kumeeger
proposal kumeneger edited.docx A kumeegerproposal kumeneger edited.docx A kumeeger
proposal kumeneger edited.docx A kumeegerkumenegertelayegrama
 

Kürzlich hochgeladen (19)

Call Girls In Aerocity 🤳 Call Us +919599264170
Call Girls In Aerocity 🤳 Call Us +919599264170Call Girls In Aerocity 🤳 Call Us +919599264170
Call Girls In Aerocity 🤳 Call Us +919599264170
 
RACHEL-ANN M. TENIBRO PRODUCT RESEARCH PRESENTATION
RACHEL-ANN M. TENIBRO PRODUCT RESEARCH PRESENTATIONRACHEL-ANN M. TENIBRO PRODUCT RESEARCH PRESENTATION
RACHEL-ANN M. TENIBRO PRODUCT RESEARCH PRESENTATION
 
Event 4 Introduction to Open Source.pptx
Event 4 Introduction to Open Source.pptxEvent 4 Introduction to Open Source.pptx
Event 4 Introduction to Open Source.pptx
 
Engaging Eid Ul Fitr Presentation for Kindergartners.pptx
Engaging Eid Ul Fitr Presentation for Kindergartners.pptxEngaging Eid Ul Fitr Presentation for Kindergartners.pptx
Engaging Eid Ul Fitr Presentation for Kindergartners.pptx
 
DGT @ CTAC 2024 Valencia: Most crucial invest to digitalisation_Sven Zoelle_v...
DGT @ CTAC 2024 Valencia: Most crucial invest to digitalisation_Sven Zoelle_v...DGT @ CTAC 2024 Valencia: Most crucial invest to digitalisation_Sven Zoelle_v...
DGT @ CTAC 2024 Valencia: Most crucial invest to digitalisation_Sven Zoelle_v...
 
Application of GIS in Landslide Disaster Response.pptx
Application of GIS in Landslide Disaster Response.pptxApplication of GIS in Landslide Disaster Response.pptx
Application of GIS in Landslide Disaster Response.pptx
 
Mathan flower ppt.pptx slide orchids ✨🌸
Mathan flower ppt.pptx slide orchids ✨🌸Mathan flower ppt.pptx slide orchids ✨🌸
Mathan flower ppt.pptx slide orchids ✨🌸
 
Quality by design.. ppt for RA (1ST SEM
Quality by design.. ppt for  RA (1ST SEMQuality by design.. ppt for  RA (1ST SEM
Quality by design.. ppt for RA (1ST SEM
 
THE COUNTRY WHO SOLVED THE WORLD_HOW CHINA LAUNCHED THE CIVILIZATION REVOLUTI...
THE COUNTRY WHO SOLVED THE WORLD_HOW CHINA LAUNCHED THE CIVILIZATION REVOLUTI...THE COUNTRY WHO SOLVED THE WORLD_HOW CHINA LAUNCHED THE CIVILIZATION REVOLUTI...
THE COUNTRY WHO SOLVED THE WORLD_HOW CHINA LAUNCHED THE CIVILIZATION REVOLUTI...
 
INDIAN GCP GUIDELINE. for Regulatory affair 1st sem CRR
INDIAN GCP GUIDELINE. for Regulatory  affair 1st sem CRRINDIAN GCP GUIDELINE. for Regulatory  affair 1st sem CRR
INDIAN GCP GUIDELINE. for Regulatory affair 1st sem CRR
 
Early Modern Spain. All about this period
Early Modern Spain. All about this periodEarly Modern Spain. All about this period
Early Modern Spain. All about this period
 
CHROMATOGRAPHY and its types with procedure,diagrams,flow charts,advantages a...
CHROMATOGRAPHY and its types with procedure,diagrams,flow charts,advantages a...CHROMATOGRAPHY and its types with procedure,diagrams,flow charts,advantages a...
CHROMATOGRAPHY and its types with procedure,diagrams,flow charts,advantages a...
 
The Ten Facts About People With Autism Presentation
The Ten Facts About People With Autism PresentationThe Ten Facts About People With Autism Presentation
The Ten Facts About People With Autism Presentation
 
PAG-UNLAD NG EKONOMIYA na dapat isaalang alang sa pag-aaral.
PAG-UNLAD NG EKONOMIYA na dapat isaalang alang sa pag-aaral.PAG-UNLAD NG EKONOMIYA na dapat isaalang alang sa pag-aaral.
PAG-UNLAD NG EKONOMIYA na dapat isaalang alang sa pag-aaral.
 
SaaStr Workshop Wednesday w/ Kyle Norton, Owner.com
SaaStr Workshop Wednesday w/ Kyle Norton, Owner.comSaaStr Workshop Wednesday w/ Kyle Norton, Owner.com
SaaStr Workshop Wednesday w/ Kyle Norton, Owner.com
 
Dutch Power - 26 maart 2024 - Henk Kras - Circular Plastics
Dutch Power - 26 maart 2024 - Henk Kras - Circular PlasticsDutch Power - 26 maart 2024 - Henk Kras - Circular Plastics
Dutch Power - 26 maart 2024 - Henk Kras - Circular Plastics
 
Internship Presentation | PPT | CSE | SE
Internship Presentation | PPT | CSE | SEInternship Presentation | PPT | CSE | SE
Internship Presentation | PPT | CSE | SE
 
Chizaram's Women Tech Makers Deck. .pptx
Chizaram's Women Tech Makers Deck.  .pptxChizaram's Women Tech Makers Deck.  .pptx
Chizaram's Women Tech Makers Deck. .pptx
 
proposal kumeneger edited.docx A kumeeger
proposal kumeneger edited.docx A kumeegerproposal kumeneger edited.docx A kumeeger
proposal kumeneger edited.docx A kumeeger
 

Information security and research data

4. Aalto wide Data survey 2014
Amount and type of classified data?
• Classified data? Data which is not public: classified to the confidential or internal security level, or with legal or contractual requirements for data storage or processing.
• Survey answers: yes (kyllä): 225 (61 %), no (ei): 142 (39 %)
• 61 % work with confidential information; 33 % of them on a daily basis
• Typical classified data in research? Data of the study or technical development which can not leak to a third party (52.2 %)
5. Today's risks
• ISF Security Forum 2016: innovative and sophisticated attacks; targeted campaigns with 0-day vulnerabilities
• Targeted campaigns using emails & calls
• Fake login pages
• DoS (DDoS)
• Encrypting the organization
• Attacks on payment card data
• Future? Jailbreaking the cloud? (e.g. malware built to crack cloud-based systems)
• IoT: light bulbs, fridges, cameras, ...
[Screenshot residue on the slide: example fake login page URLs, truncated]
6. Risk is not a question, it is a fact
Based on (US only): http://www.privacyrights.org/data-breach and http://www.idtheftcenter.org/ITRC-Surveys-Studies/2015databreaches.html
http://www.privacyrights.org/data-breach (USA only source):
• Organization type: EDU; year(s) of breach: 2016, 2015, 2014; breaches made public fitting this criteria: 60; records total: 1,130,158; breach type: payment card, hack, insider, physical, portable
• Organization type: ALL; year(s) of breach: 2016, 2015; breaches made public fitting this criteria: 636; records total: 164,693,655
Headline: "LA Hospital Servers Shut Down By Ransomware", posted Feb 17, 2016 by John Biggs (@johnbiggs)
7. How do security breaches occur? [figure only on the slide, dated 12.06.2014]
8. Attacker motivation (12.06.2014)

Attacker                             | Motivation               | Goal
Government                           | Financial, influence     | Collecting information
Criminals                            | Financial                | Threats, blackmailing
Commercial organizations             | Financial                | Disturbance of the competitor; collection of information
Insider                              | Self-interest, vengeance | Economic benefits; damage to the organization; revenge
Curious users (external or internal) | Curious                  | Pressing any buttons and seeing what happens
Hacktivism                           | Power                    | Placing an opponent in a bad light; collecting information
9. Agenda
• Information security today
• Data classifications in Aalto
• Information Security in daily work
• GDPR – The EU General Data Protection Regulation
10. Aalto Information Classification guideline
The university's information is public by default, unless there are legal grounds:
• Section 24 of the Act on the Openness of Government Activities ("julkisuuslaki")
• Personal Data Act, e.g. sensitive personal data
• Business secrets of a private company (see more in the guideline)
The Aalto University security classification guideline is based on the Decree on Information Security in Central Government (VAHTI 2010); the same principles are used in other universities and CSC. Due to shared functions, it is important that information classified to the same level is marked with the same labels and stored & processed with the same principles.
https://inside.aalto.fi/display/arkistojakirjaamopalvelut/Ohjeistus+-+julkisuus+ja+tietojen+luokittelu
http://www.2014.vm.fi/vm/en/04_publications_and_documents/01_publications/05_government_information_management/20101028Instru/name.jsp
http://www.oikeusministerio.fi/en/index/basicprovisions/legislation/actontheopennessofgovernmentactivities.html
11. Information Classification guideline
• Sets out the basis for classification in those situations where it may be necessary to apply security classification in order to protect interests (classification policy)
• Includes labels and markings in case of transfer or archiving of documents (rules on the handling)
• Defines the principles of IT-infrastructure design and detailed requirement specifications for IT procurement (e.g. requirement specifications, Inside help)
"Classification at too low a level may compromise the university's information security and activity."
"The over-classification of information leads to unnecessary expenses and laborious handling processes."
  • 12. In practice
    In everyday work, the material is the owner’s responsibility: the owner is responsible for the correct handling (as law, university policies and agreements require).
    When materials are used in daily work for carrying out university activities, they are not formally classified. However, everyone must always distinguish classified information!
    IF the material is stored in an archive, classified as such or forwarded, and/or the content includes classified information, and/or the content includes especially confidential information due to regulation, contractual conditions or other reasons, THEN (and only then) apply the labels (Public / Internal / Confidential / Secret) and secrecy obligations (e.g. legal grounds: Act on Openness, section 24, paragraph 4).
  • 13. Classification decision flow (flowchart on the slide)
    • Does section 5 of the Act on Openness apply to my university document?
      • NO: “Non-documents” (work files, drafts): notes, drafts, internal guides, notes from team meetings, internal training material, work documents, internal communication and internal messages. These get the internal information security labelling.
      • YES: “University document” (legal definition). Is the ”content” of the document confidential, internal or secret?
        • NO: ”Public”. Note that public and ”meant to be published” are not the same.
        • YES: law (Act on Openness, Personal Data Act) or a contract tends to require the protection of the data. Secrecy obligations (in most cases section 24): psychological testing or aptitude testing, business secrets, unpublished patentable research work, security arrangements, a person's health state. The confidentiality label for university documents applies, also on delivery.
  • 14. Good poster: back to basics. To help university users we created “Examples of classified data” (on your desks). The table is indicative; the user should evaluate the need for the protection level. For research data the real value can be estimated only by the data owner. If you are unsure, ask the legal team.
  • 15. Classification in work
    • Controlling the practical work and information processing (rules on the handling)
    • Identifying the underlying data: critical information / internal information / public information (examples of data table)
    • Defining the need for protection, how strong the security must be: requirement specifications from IT, storage proposals, the options listed (rules on the handling)
    • Making labels when there is a need to transfer, assign or archive material (classification guideline)
    • Principles of planning the IT environment: Cloud.aalto.fi, Inside, requirement specifications
  • 16. System X for a co-operation project. Rules on the handling: https://inside.aalto.fi/display/arkistojakirjaamopalvelut/Ohjeistus+-+julkisuus+ja+tietojen+luokittelu (all guidelines are also in English). Label ST IV (SL IV) in the University of Eastern Finland; label ST IV (SL IV) in Aalto University.
  • 17. Classification guideline, Rules on the Handling- IT service matrix:
  • 18. Handle with extra care. Think about your work and the information you are processing! Handle with extra care if:
    • the data is classified confidential or secret by Aalto University
    • the data is confidential under a non-disclosure agreement, project agreement or other agreement containing confidentiality obligations
    • the data concerns a patentable invention or other non-published research results
    • the data has requirements from a third party
    • the university (or you) would suffer reputational or financial damage if the data leaks to external use
    • there is a long-term archiving requirement
    • value of the data: what happens if the data is lost permanently?
    • availability requirement: what happens if there is no access to the data? A third-party service might be down, or there might be network problems
  • 19. Information Security Classification – just one view
    • Confidentiality (”data classification”): Public / Internal / Confidential (ST IV, ST III)
    • Availability, how critical it is for the service to be available: Low (no redundant hardware) / Medium (”business hours”) / High (”24/7”, redundant)
    • Integrity, impact of incorrect information: Standard/low (”optional”, data replaceable) / Medium (”recommended”) / High (”required”)
    http://www.nature.com/news/scientists-losing-data-at-a-rapid-rate-1.14416
    http://www.cnet.com/news/stolen-laptop-contains-cancer-cure-data/
  • 20. • Information security today • Data classifications in Aalto • Information Security in daily work • GDPR – The EU General Data Protection Regulation
  • 22. So-called “Public Cloud” – http://cloudinfo.aalto.fi
    • ready to use
    • scalable
    • no IT help needed
    • a service for almost any possible use case
    • all possible bells and whistles
    • can be used anywhere
    • free of charge (if your privacy and personal life have no value)
    500 MB video, 20 minutes
    • where is the data?
    • who gets it? provider employees?
    • network traffic? bottlenecks?
    • privacy policy? privacy: data collection and destruction?
    • terms of service?
    • investigation? (in case of illegal content, data theft, copyright etc.)
    • lock-in?
  • 23. Security in work (C-I-A)
    • Take care of work material: make sure that your files are always backed up. Dispose of confidential material in accordance with instructions. Be sure to log out from software and systems.
    • Protect your equipment and the environment: make sure that your computer security software is working and updated. Use the password-protected "screen saver". Lock your room and your computer when you leave, even for a short time.
    • Be sure about the source of information: a message may contain malware or be forged; the name and address of the sender do not guarantee anything. Programs should not be installed unless you are sure that they are safe. Do not open a file you are not sure about or whose sender you do not know. Be careful with USB sticks.
    • Be accurate in your own work: when you send something, tell clearly what it is; do not send attachments without first informing the recipient about the coming files. Also keep in mind the so-called hidden data (MS Office metadata). Always be a little suspicious when someone asks for confidential information; verify the person's identity. http://www.digitalconfidence.com/Hidden-Data-and-Metadata-FAQ.html
  • 24. Safety on the web (SoMe, Cloud)
    • you cannot get anything “back”
    • services may claim ownership of the information
    • “free” services often collect and disclose information to third parties such as advertisers or collaboration partners
    • malicious links: think before clicking (malvertising)
    • think where you buy from
    • "fakeware / scareware": think before buying (snake oil software)
    • be accurate in how and what you write
    • please do not comment on behalf of the University, unless it belongs to your job description :)
    https://blog.malwarebytes.org/malvertising-2/2015/02/what-is-malvertising/
    https://www.washingtonpost-personal-data-points-that-facebook-uses-to-target-ads-to-you/
  • 25. Safety on the web (e.g. SoMe, Cloud)
    • keep your password / username combination safe in case the worst happens (serious illness or matters related to legislation)
    • material may be financially or for some other reason valuable (to the university or relatives, e.g. a script, photos, a new “Kalevala” under work)
    • use different passwords and user ids; a mnemonic? software like "KeePass" (http://keepass.info/) for password management
    • use an "alias" account name, e.g. ”TeemuX2012”; check that this is not against the ToS*; in some cases anonymity might be a good idea
    • keep copies of everything on your own computer
    • do not accept all friend requests
    • if necessary, clear the browser cache
    • the only "sure" way to store files securely is encryption
    * “Terms of Service; Didn't Read” https://tosdr.org/
  • 26. Profitable tool for criminals – email
    • At the moment the biggest threat
    • Aalto is an attractive target for criminals: a lot of users; in case of successful phishing, huge capacity
    • Malicious email:
      – Spam: pharmacies, pornography, gambling (might be legal, just hidden costs in the small print)
      – Scams: financial or emotional benefits, a wide variety of frauds
      – Phishing
      – Malware, malicious links to services
    Cornell University, 120 examples collected in 2015: http://www.it.cornell.edu/security/phishbowl.cfm
    What happened? “Urgency, stress, tiredness”
  • 27. As a user, security in work
  • 28. Encryption, a secure way to share or save to external storage (for example cloud). File/folder level encryption:
    • Sophos SafeGuard PrivateCrypto, Aalto workstation software: create an encrypted package, send it by email or share it with https://filesender.funet.fi/, send the password by SMS
    • VeraCrypt, a heavier tool, for example for project use (https://veracrypt.codeplex.com/):
      – Create a ”container” in a place where every member has access
      – Share the password in a secure way
  • 29. Aalto email encryption
    The service uses Adobe Acrobat PDF files with strong AES-256 encryption (secured also in the cloud, like O365). Emails are encrypted automatically by adding "AALTO-SECURE" (or aalto-secure) to the subject field, like: AALTO-SECURE: your real subject
    • It is good practice to inform the recipient in advance of an incoming message
    • Outsiders can send an encrypted message to Aalto by answering an Aalto user's encrypted message
    Option that needs knowledge about PKI infrastructure: GnuPG + Thunderbird combination (https://en.wikipedia.org/wiki/Public_key_infrastructure)
  • 30. Keep safe when traveling: https://inside.aalto.fi/download/attachments/15370292/IT instructions Foreign travel _29052015_ENG.pdf
    • Activate lock-out functions for screen savers: computers with confidential data should be configured to "lock out" after 20 minutes of inactivity. A PC in sleep mode can be hacked easily
    • Laptop hard drives should be encrypted; ask the IT Service Desk for more information
    • With kiosk PCs, clear the browser cache
    • Before the trip, write down important contact details: IT Service Desk, “if device is lost” instructions, operator, credit card contact numbers
    • Use VPN: an open WLAN is open
    • Change your password while abroad; your password will be valid for 180 days (approx. 6 months)
    • Take care of USB sticks; don’t take USB sticks from unknown sources
    • Always transport your devices as hand luggage when traveling (e.g. train, ship, bus)
    • Make sure that the PIN and protection code inquiry features of your mobile phone are enabled
    • Disable Bluetooth if you really don’t need it
    • Be careful when printing and carrying confidential material (or avoid it totally)
  • 31. Case 1, European Research Council. Requirement, for example: …
    o Detailed information must be provided on the procedures that will be implemented for data collection, storage, protection, retention and destruction, and confirmation that they comply with national and EU legislation
    o In case of data not publicly available, relevant authorisation must be ..
    Depending on the confidentiality level (“normal NDA”, level = confidential), one possible solution is Eduuni (slide 12, IT service matrix):
    • Contact the IT account managers; the Eduuni admin will create a workspace
    • If needed, ask for the Eduuni Security Statement from Research and Innovation Services or security@aalto.fi, and add the statement to the research application
    • When the project starts, create a workspace for your project
  • 32. Case 2, project with secret level data. Ask for consultation from security@aalto.fi (some schools already have high security facilities). Some typical requirements:
    • Rooms must have electronic locks with an audit log (who, when)
    • Workstations holding the data are disconnected from the web
    • All access to the data must have audit control (who, when, what)
    • Data must be encrypted on shared drives or external devices, like USB backups (slide 19)
  • 33. • Information security today • Data classifications in Aalto • Information Security in daily work • GDPR – The EU General Data Protection Regulation
  • 34. The EU General Data Protection Regulation (GDPR). New thing?
    • In 1980, the OECD “Guidelines on the Protection of Privacy and Transborder Flows of Personal Data” addressed 8 principles of privacy: collection limitation, data quality, purpose specification, use limitation, security safeguards, openness, individual participation and accountability
    • Basis of the 1995 EU Directive 95/46/EC, the “Personal Data Directive”
    • 2012: first GDPR draft out, preparations started in Aalto
    • May 2016: GDPR approved (already in place)
    • Transition period: by May 2018 everyone must follow it
  • 35. Roles from the legislation point of view
    Data controller: the natural person, company, association or other entity that is factually in control of the processing of personal data and is empowered to take the essential decisions on the purposes and mechanisms of such processing, including the applicable security measures. “Who is responsible for and owns the data subjects' information.” A processor becomes a controller if he or she uses data for his or her own purposes, not following the instructions of a controller (think about Google and targeted advertising).
    Data processor: Directive: “The natural or legal person, public authority, agency or any other body which processes personal data on behalf of the controller” (Article 2(e) of the Data Protection Directive). If an organization holds or processes personal data but does not exercise responsibility for or control over the personal data, then this organization is a "processor". Examples of processors include payroll companies, accountants and market research companies, and call centres of telecom or financial companies, all of which could hold or process personal information on behalf of someone else.
    Data subject: the natural person the personal data relates to, one individual person (the Directive's goal is to give full control and knowledge about the storing and handling of his/her personal data).
  • 36. Personal data. The definition is meant to be broad. "Personal data": when someone is able to link the information to an individual person, directly or indirectly. Credit card number, bank statements, medical record (just a mention of a rare disease), full name, photo, phone number, birth date, email address, car license plate, physical characteristics… and IP address. The definition is also technology neutral: it does not matter how the personal data is stored, on paper, on whatever IT system, on a CCTV system, in photographs, etc. (23/11/2016)
    https://ico.org.uk/media/for-organisations/documents/1549/determining_what_is_personal_data_quick_reference_guide.pdf
    The EU Court of Justice ruled that IP addresses are protected personal data: https://www.quora.com/Is-IP-address-considered-to-be-personal-information-in-EU-in-general-and-in-Finland-in-particular
  • 37. What does the GDPR say? GDPR says “WHAT”, it doesn’t say “HOW”. Nothing about:
    • specific tools to use
    • specific processes to use
    • specific standards to use
    • examples or templates for solutions
    • best practices for development or guidelines for actual ”privacy engineering” (privacy by default)
  • 38. GDPR interpretation, 4 difficult articles (total 85 articles)
    • Article 32 “Security of processing”: “controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk”. What is appropriate?
    • Article 32 “Security of processing” continues: “ongoing confidentiality, integrity, availability and resilience of systems and services processing personal data” and the ability to restore “data in a timely manner”. How long is a timely manner, next business day?
    • Breach notification process (Article 33): “The processor shall notify the controller without undue delay after becoming aware of a personal data breach”. What should the time limit be in vendor agreements?
    • Article 20, ”Data protection by design and by default”: how should you actually implement that in application development?
    Before you start implementing GDPR, the organization needs to make its own interpretation of the GDPR articles: instead of “WHAT”, you need an answer to the question “How”.
  • 39. The fines. Check your security management against Article 83, General conditions for imposing administrative fines: “When deciding whether to impose an administrative fine and deciding on the amount of the administrative fine in each individual case due regard shall be given to the following (11 issues):” You are pretty safe if you can answer something to the supervisory authority (“tietosuojavaltuutettu”) on the 11 topics, like:
    • The number of data subjects affected?
    • The categories of personal data affected by the infringement?
    • Encryption… which organisational and technical measures are in place?
    My proposal: make a test; can you answer those 11 issues if you do a breach exercise?
  • 40. GDPR help from externals? At the moment public guidelines are mostly at this level*:
    • “Proactive not Reactive; Preventative not Remedial”
    • “Privacy as the Default Setting”
    • “Privacy Embedded into Design”
    • “End-to-End Security — Full Lifecycle Protection”
    • “Respect for User Privacy — Keep it User-Centric”
    1. Not so practical or useful for system owners or application developers.
    2. External consultants in most cases have the same story.
    3. Be aware of snake oil applications; it is not possible to buy a GDPR tool.
    4. Externals cannot do the interpretation for the organization.
    * Ann Cavoukian, Ph.D., Information & Privacy Commissioner, Ontario, Canada, Privacy by Design guideline: https://www.ipc.on.ca/wp-content/uploads/Resources/pbd-primer.pdf
  • 41. And now, something more about “how” :) (organization)
    • Setting up a GDPR project: top management participation and enough resources
    • State analysis: self-audit of information security, continuity and personal data management; set up development measures (frameworks ISO 27001, VAHTI 2010)
      – System level PIA
      – Organization level PIA
      – Status of privacy policies, descriptions of file, guidelines and policies review
    • Inventory of contracts and sub-contractors (personal data flow diagram)
    • Personal data inventory: check your systems containing personal data (interpretation…)
    • Management reporting practice, the annual clock
      – Data protection status reports (number of inquiries, incidents, close calls)
      – The risk and impact assessments carried out as well as their most significant findings
    • Establish an awareness program: annual employee training, new employee package (register)
    • Communication plans (about the coming GDPR)
    • Data subject requests: procedures and a plan for handling them in the required time
    • Analyze ongoing development and procurement projects
    • Development of risk management (formal; remember accountability)
    • Ensure data security and business continuity (organizational and technical measures)
  • 42. How – Privacy by design
    • ”Privacy by Design” is today undefined
    • Official privacy by design will be defined after precedent legal cases
    https://www.enisa.europa.eu/topics/data-protection/privacy-enhancing-technologies (PET)
    https://www.enisa.europa.eu/publications/privacy-and-data-protection-by-design
    https://www.owasp.org/images/c/c6/OWASP_AppSec_Research_2010_Agile_Prod_Sec_Mgmt_by_Vaha-Sipila.pdf
    Image: based on PrivaOn material
  • 43. Personal data flow – subcontractor management (diagram on the slide)
    Elements of the diagram: data subject; end-user device (HTTPS / SSL encryption, EULA, input forms); organization (controller); application server in Finland; cloud-based storage in the USA; administration and support in India with remote connections to systems; data analytics via API; parties: contractor, vendor, vendor's subsidiary, application development partner outside EU/ETA; links over HTTPS / SSL encryption and APIs; regions: Finland, EU, USA, India.
    In all boxes, note:
    • Data retention (right to erasure)
    • Minimisation
    • Agreements
  • 44. How – agreements and vendor management
    Start with a subcontractor inventory: list all of your subcontractors and find out the personal data related to each contractor. Draw the dataflow to see where personal data moves and under what legislation (e.g. the subcontractor’s subcontractors: Azure/O365 -> ~80 subcontractors).
    • Agreement (between controller and processor), e.g.:
      • processing activities, data processing only for the specific use
      • consent, transfer of data outside the EU, moving data to another processor
      • data location; right to change subcontractor?
      • the ability to restore the availability and access to “data in a timely manner”
      • portability, erasure, data retention time
    • NDA, security agreement template, e.g.:
      • vulnerability management, back-ups
      • agree about the breach notification process
      • subcontractor obligation to use employee NDAs … (ask the legal team)
    • Requirement specifications: requirements related to security and continuity (ask the IT account managers)
    Me too!
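The subcontractor inventory and data-flow check described on slides 41, 43 and 44 can be kept as a small, checkable model. The following is an added example, not material from the slides or from Aalto; the node attributes, the partial EU/ETA country set and the sample flow are constructed to mirror the diagram (controller in Finland, cloud storage in the USA, support in India).

```python
from dataclasses import dataclass
from typing import List, Optional

# Countries treated as inside EU/ETA in this example (constructed, partial list).
EU_ETA = {"Finland", "Sweden", "Germany", "Norway", "Iceland", "Liechtenstein"}


@dataclass
class Node:
    """One box of the personal-data flow diagram."""
    name: str
    role: str                           # data_subject, controller, processor or subprocessor
    country: str
    agreement: bool = False             # written processing agreement with the party it serves
    retention_days: Optional[int] = None   # None: retention period never agreed (erasure?)
    minimised: bool = False             # receives only the fields its purpose needs


@dataclass
class Transfer:
    """One arrow of the diagram."""
    src: str
    dst: str
    encrypted: bool                     # HTTPS/TLS (or equivalent) on the link
    legal_basis: Optional[str] = None   # basis for leaving EU/ETA, e.g. "consent"


def check_flow(nodes: List[Node], transfers: List[Transfer]) -> List[str]:
    """Return one finding per gap; an empty list means the inventory answers every question."""
    by_name = {n.name: n for n in nodes}
    findings = []
    for n in nodes:
        if n.role not in ("processor", "subprocessor"):
            continue                    # controller and data subject are not contracted parties
        if not n.agreement:
            findings.append(f"{n.name}: no processing agreement")
        if n.retention_days is None:
            findings.append(f"{n.name}: retention period undefined")
        if not n.minimised:
            findings.append(f"{n.name}: receives more fields than its purpose needs")
    for t in transfers:
        dst = by_name[t.dst]
        if not t.encrypted:
            findings.append(f"{t.src} -> {t.dst}: unencrypted transport")
        if dst.country not in EU_ETA and t.legal_basis is None:
            findings.append(f"{t.src} -> {t.dst}: transfer outside EU/ETA without legal basis")
    return findings


def sample_flow():
    """Constructed inventory modelled on the diagram: controller and application server in
    Finland, cloud storage in the USA, support in India, an analytics contractor in Finland."""
    nodes = [
        Node("Data subject", "data_subject", "Finland"),
        Node("Organization", "controller", "Finland"),
        Node("Application server", "processor", "Finland", True, 365, True),
        Node("Cloud storage", "subprocessor", "USA", True, None, True),
        Node("Admin and support", "subprocessor", "India", False, 30, False),
        Node("Data analytics", "processor", "Finland", True, 90, False),
    ]
    transfers = [
        Transfer("Data subject", "Organization", True),
        Transfer("Organization", "Application server", True),
        Transfer("Application server", "Cloud storage", True, "consent"),
        Transfer("Cloud storage", "Admin and support", True),    # remote support link
        Transfer("Application server", "Data analytics", False),  # plain-HTTP API
    ]
    return nodes, transfers


if __name__ == "__main__":
    for finding in check_flow(*sample_flow()):
        print(finding)
```

Run against the sample flow it reports six gaps: a missing retention period for the US storage, a missing agreement and over-broad data for the Indian support subsidiary, over-broad data for the analytics contractor, an unencrypted analytics API and a transfer to India with no legal basis.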
  • 45. How – data subject rights, e.g.
    – Right to be provided with information on his/her data (right of access, Article 15)
    – Generally enhanced right to information and transparency; new, e.g.:
      • retention period of the personal data
      • right to withdraw consent at any moment
    – Consent (Article 6, Lawfulness of processing):
      • cookie consent
      • log that action for later purposes
      • no pre-ticking, privacy by default
    – Right to restriction: only restricts processing; the data can still be stored
    – Data portability: data to another processor
    – Right to erasure: total erasure
    These are not absolute rights; e.g. for ”erasure” the article shall not apply in cases a, b, c, d and e, such as for the establishment, exercise or defence of legal claims.
  • 46. GDPR links
    • Guide to the General Data Protection Regulation: http://ec.europa.eu/justice/data-protection/files/factsheets/factsheet_data_protection_en.pdf
    • VAHTI-raportti 1/2016 EU-tietosuojan kokonaisuudistus (VAHTI report 1/2016, the EU data protection reform): a good practical guideline for Finnish organizations
    • Excel-työkalu (VAHTI Excel tool)
    • Excel-työkalu ilman riskienhallintaosiota (Excel tool without the risk management section): an excellent PIA tool for assessment workshops
  • 47. Thank you! All Information security related issues: security@aalto.fi