Presentation on theme: "Information Security Office"— Presentation transcript:
1 Information Security Office
Riverside County Information Security Office
2 Laptop Theft: How Serious?
More than 600,000 laptop thefts occur annually, totaling an estimated $720 million in hardware losses and $5.4 billion in theft of proprietary information. (Safeware Insurance, 2003)
According to Gartner, the chances of a laptop being stolen this year are 1 in 10. (Gartner Group, 2002)
Gartner estimates approximately 70% of all laptop thefts are internal. (Gartner Group, 2002)
Laptop theft has been attributed to 59% of computer attacks in government agencies, corporations, and universities during (Baseline, 2004)
80% of those surveyed acknowledged financial losses due to computer breaches. (CSI/FBI Computer Crime and Security Survey, 2002)
97% of stolen computers are never recovered. (FBI)
Nearly 40 percent of victims do not report computer intrusions. (CSI/FBI Computer Crime and Security Survey, 2005)
81% of companies surveyed “reported the loss of one or more laptops containing sensitive information during the past 12 months.” (“Data Loss Common for US Firms”, PC World, August 17th, 2006)
3 Data Theft: How Serious?
67.7% of respondents report the estimated value of proprietary data on their stolen computing device at $25,000 or less; 9.2% estimated the value at $1, or more and 2.3% estimated the value at more than $10,000,000.
The value of proprietary data on respondents' stolen computers averaged $690, per stolen computer.
45.6% of respondents report other items were stolen at the time of the computer theft, with removable media (including spare disks, stored files on CDs, removable media and spare hard drives) accounting for 21.8% of the additional stolen items.
Average total replacement cost of stolen computing devices was $14, per device. This does not include the cost of the data on the computing device.
(BSI Computer Theft Survey)
5 What’s an Identity Worth?
208 Identity Incidents this year
September, 2006:
Telesource – 11 SEP 06 (Social Security numbers and other personal information found in dumpster)
Cleveland Clinic (Florida) – 8 SEP 06 (Social Security numbers, dates of birth, addresses and other details of 1,100 patients stolen)
University of Minnesota – 8 SEP 06 (Personal information of 13,084, including 603 Social Security numbers, on stolen computers)
Linden Lab / Second Life – 8 SEP 06 (Names, address, and payment information of almost 650,000 on hacked server)
BMO Bank of Montreal – 8 SEP 06 (Stolen laptop contains personal data for about 900 clients)
Florida National Guard – 7 SEP 06 (Social Security numbers of up to 100 soldiers on stolen laptop)
Chase Card Services – 7 SEP 06 (Tapes with information on over 2.5 million Circuit City cardholders thrown in trash)
Transportation Security Administration – 6 SEP 06 (Social Security numbers and birth dates of 1,195 mailed to wrong addresses)
Wells Fargo – 1 SEP 06 (Social Security numbers and names of Wells Fargo employees on stolen laptop)
City of Chicago / Nationwide Retirement Solutions – 1 SEP 06 (38,443 names, addresses, Social Security numbers, and dates of birth on stolen laptop)
Virginia Commonwealth University – 1 SEP 06 (Names, Social Security numbers, and addresses of 2,100 exposed online)
3,206,922 – Just in September.
6 ISO Policy “Hardware & Software Control”
...[A]ll hardware and software shall be obtained from or authorized by the department head or their designated agent.
This includes equipment such as Servers, PCs, Laptops, Printers, Cell Phones, Radios, PDAs, Telephones, portable media such as USB drives, CD-ROMs, CDRWs, DVDs, DVRs, [and] Software.
Department heads or their designated approving agent will authorize the adding of any networked component that is connected either directly to the County’s Wide-Area-Network, indirectly connected via a Local-Area-Network segment, or attached to an existing system.
7 Board Policy H-26
Board Policy H-26: “As a minimum, departments will track laptop computers, and high-end cell phones, PDA’s and GPS receivers.”
“Any device used to store sensitive data or connect to the county’s network will be tracked […]”
8 But what is Sensitive Data?
HIPAA, Privacy Act, Personnel Data
California Public Records Act
California Government Code
What about data that’s not covered?
9 Data Classification Policy
ISO Proposed Board Policy
Categorizes Public vs. Sensitive Data
Defines categories of Sensitive Data:
  Restricted Data
  Private
  Protected
  Intellectual Property
Defines who decides what’s public and what’s sensitive.
Defines who owns the data
Still in work; under review by County Counsel
10 Theft or Loss Policy
Many departments have no policy or procedures on the theft or loss of IT equipment or the data it may contain
ISO Proposed Board Policy
In the event of theft or loss, the employee must immediately notify the:
  Applicable Law Enforcement Agency (in the case of theft)
  Department ITO
In all cases, the Department must notify:
  Information Security Office
  Auditor-Controller’s Office
Still in work; under review by CISO
11 What about Personally Owned Devices?
Personally owned devices expand and blur the County’s information borders
They introduce new entry points for hackers, viruses, and other dangers.
In general, use of personally owned devices should be prohibited
If a county employee needs a tool for a job, the county should provide it.
Most use of personally owned devices is for the user’s convenience – not the good of the County
12 What if a Department wants to allow Personally Owned Devices?
See last slide – don’t!
Department head is ultimately responsible for permitting use of Personally Owned Devices
Authorization in writing
List all required safeguards
List any limits to its use
Record specific acknowledgement that any county-related information on the device belongs to the County