Data Privacy IU Financial Transactions Sterling George Director, Financial Systems Administration and Records Management.

1 Data Privacy Day @ IU
Financial Transactions
Sterling George
Director, Financial Systems Administration and Records Management

2 Presentation Topics
– Principles related to privacy of financial transactions
– Importance of a measured, proactive approach
– Use of Identity Finder and other security measures to safeguard information

3 Principles for Privacy Protection
– Collect only the information needed to achieve the identified business purposes in support of the university's mission
– Use and keep the individual's information only as long as necessary to fulfill the stated purpose

4 Attachments and Collection Limitation
– Redact sensitive information from Disbursement Voucher attachments sent for imaging
  – Personally identifiable information for prescription or health care reimbursements
  – Credit card information for membership reimbursements
  – Banking information for copies of cleared checks
– How much do we redact? Full credit card number, routing and account numbers, SSNs and individual names (HIPAA)

5 Limit Your Paper, Limit Your Exposure
– Don't retain unnecessary copies of documents within your department
  – Payroll: W-4, WH-4 and direct deposit sign-up information
  – IRS Forms: W-8, W-9
  – Employment Verification: I-9
  – Personal information: copies of driver's licenses, SSN card, passports, credit card numbers for hotel reservations
– Process information, not paper

6 Proper Use of Designated Fields
– Bank account information should not be added to EPIC notes for requisitions, Purchase Orders, or Payment Requests, nor should it be added to EPIC Vendor Note records
– Significant time and resources can be expended tracking down and removing personally identifiable information from common use fields like descriptions, reference fields and notes

7 Payment Card Industry Data Security Standards
– REMEMBER: It is against University Policy VI-110 to store credit card numbers on any computer, server, or database
– Applies to all members, merchants, and service providers that process or transmit cardholder data
– Use central systems or run approved specialty system in the PCI DSS network
– If you process credit card numbers, please contact IMMEDIATELY for an assessment

8 PCI DSS Goals and Requirements
Build and Maintain a Secure Network
  1. Install and maintain a firewall configuration to protect data
  2. Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
  3. Protect stored data (electronic and paper data)
  4. Encrypt transmission of cardholder data and sensitive information across public networks
Maintain a Vulnerability Management Program
  5. Use and regularly update anti-virus software
  6. Develop and maintain secure systems and applications
Implement Strong Access Control Measures
  7. Restrict access to data by business need-to-know
  8. Assign a unique ID to each person with computer access
  9. Restrict physical access to cardholder data
Regularly Monitor and Test Networks
  10. Track and monitor all access to network resources and cardholder data
  11. Regularly test security systems and processes
Maintain an Information Security Policy
  12. Maintain a policy that addresses information security

9 2009 Breach Statistics
Gathered from the Identity Theft Resource Center
Educational
  – # of Breaches: 78
  – # of Records: 803,667
  – % of Breaches: 15.7
  – % of Records: 0.4%
Totals for All Categories
  – # of Breaches: 498
  – # of Records: 222,477,043
  – % of Breaches: 100.0%
  – % of Records: 100.0%

10 Compliance Pays
– Breaches happen
– It is safer to work at a steady pace, find and fix problems, and remain vigilant
– Exhibiting a pattern of compliance can ease consequences
– Receive Safe Harbor from card associations

11 Identity Finder
– It can search for, protect, and dispose of personal information stored on your computer, file shares, or external media
– Credit card numbers, bank account numbers, social security numbers, birthdates, passwords, driver's license numbers, addresses, passports, employee identification numbers, maiden names, or other data you determine
– To learn more: Or visit and select Security under Software Categories

12 Scanning and Results
– Prior notification
  – have written permission from the individual, or
  – have given prior written notification to the individuals that this tool will be used, by whom, for what purpose, and how the resulting information will be used
– Send the names of the files found to the owner of the account/system where the files were stored, and direct the owner to review the files and take appropriate action
– Most of the time people had forgotten what was stored on the CPU
– Some applications were storing sensitive data in internet cache and temporary files
– Group Policy to remove internet cache, temporary files and cookies (clear IE cache on close, all else on log out, and force Secure Delete each night)
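The kind of scan slides 11 and 12 describe, sketched as an added example; it is not Identity Finder's code or IU tooling, and the function names and patterns are assumptions. It covers only card numbers and SSNs, and it reports file paths with masked values so the report itself holds no sensitive data.

```python
import os
import re

# Candidate card number: 13-19 digits, optionally separated by single spaces or hyphens.
CARD_RE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")
# SSN written AAA-GG-SSSS; area 000/666/9xx, group 00 and serial 0000 are never issued.
SSN_RE = re.compile(r"(?<!\d)(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}(?!\d)")
# Constructed sample text; 4111111111111111 is a widely used test number, not a real account.
SAMPLE = "Hotel hold: 4111 1111 1111 1111\nRef 4111111111111112\nSSN 123-45-6789\n"


def luhn_ok(digits):
    """Luhn checksum: rejects most digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit, counting from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_sensitive(text):
    """Return (kind, masked_value) pairs; the full value is never returned."""
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_ok(digits):
            hits.append(("card", "*" * (len(digits) - 4) + digits[-4:]))
    for m in SSN_RE.finditer(text):
        hits.append(("ssn", "***-**-" + m.group()[-4:]))
    return hits


def scan_tree(root):
    """Map each file under root to its masked findings; clean files are omitted."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", errors="ignore") as fh:
                    hits = find_sensitive(fh.read())
            except OSError:
                continue  # unreadable file: skip it rather than abort the scan
            if hits:
                report[path] = hits
    return report
```

The keys of the `scan_tree` result are the file names that would be sent to the account or system owner for review.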

13 Additional Security Measures
– Encrypt data transmissions
  – check printing
  – retirement contributions
  – unemployment/new hire reports
  – tax transmissions to 3rd party vendors
– Kuali Financial System provides field level encryption
– Removal of System Admin rights – Principle of Least Privilege
– Installation of only the required software
– Up to date virus scans, push our Windows updates/patches, run current software
– Periodic reminders of policies
– Monthly ITSO scans to detect vulnerabilities from outside attacks
– DBAN to securely wipe hard drives – shred hard drives
– Secunia Personal Software Inspector
– Never store critically sensitive data on personal storage devices
