Presentation is loading. Please wait.

Presentation is loading. Please wait.

Security Is Everyone’s Responsibility October 22, 2014.

Published byParker Willy Modified over 9 years ago

Similar presentations

Presentation on theme: "Security Is Everyone’s Responsibility October 22, 2014."— Presentation transcript:

1 Security Is Everyone’s Responsibility October 22, 2014

2 Agenda Introduction – Scott Douglass Legal Issues – Laure Ergin Risk & Challenges - Kirk Die What IT is Seeing & Doing – Jason Cash Unit & Employee Responsibilities – Karl Hassler Sensitive Data – Karl Hassler Wrap Up / Discussion - Scott Douglass Resources 2

3 Introduction Today’s Reality –More Organizations are revealing they’ve been breached Public pressure Disclosure laws Why We’re Here –Begin a dialogue –Raise awareness –Educate –Provide resources 3

4 Legal Issues Which law applies depends on: –Location of institution –Type of information –Role of person storing the information –How the information was obtained? Privacy / Security –Privacy – the freedom from having information from being disclosed without one’s consent –Security – the mechanism(s) in place to protect the privacy of information

5 Applicable Laws Family Educational Rights & Privacy Act (FERPA) – protects student educational records Gramm Leach Bliley Act (GLBA) – protects financial information of customers Health Insurance Portability & Accountability Act Of 1996 (HIPAA) – protects patient information Payment Card Industry-Data Security Standard (PCI-DSS) – protects credit card information Delaware Breach Notification Law - Del. Code, Title 6, Sec. 12B-101 et seq. – requires breach notification in the event of a data breach The Jeanne Clery Disclosure of Campus Security Policy & Campus Crime Statistics Act (Clery Act) – requires reporting of crime statistics to general public and federal government Computer Fraud & Abuse Act – crimializes hacking into computers and computer networks Communications Decency Act – regulates obscenity in cyberspace Children’s Online Privacy Protection Act (COPPA) – regulates commercial operators that are directing services to children under 13 Communications Assistance for Law Enforcement Act (CALEA) – regulates assistance that must be provided to law enforcement for phone tapping purposes Federal Information Security Management Act (FISMA) – regulates how federal information and computers and networks are secured through contracts and possibly soon grant documents.

6 Types of Laws Some laws are about what we can and can’t do with information we have – focus is protecting information. Some laws are about information we have that we must share with individuals, our community and report to state and federal governments – focus is disclosure. Some laws are about what you can and can’t do on your computer or on the internet – focus is on regulating conduct and behavior through or on the internet Some laws go beyond securing information and want to make sure your information systems (computers and networks) are secure and protected.

7 Potential Risks Legal Compliance –Failure to comply with privacy laws and regulations can result in significant legal sanctions, liability, fines, and other unpleasant consequences. –Regulatory agencies are stepping up enforcement – meaning surveys are being sent out, questions are being posed, and ultimately on site audits are conducted. –State attorneys general have enforcement power for state privacy/security laws plus they can enforce certain federal laws, too (HIPAA, COPPA). Privacy and security laws are expanding in their coverage.

8 Other Potential Risks Reputational Injuries Damage to Student Well-Being Damage to Employee Well-Being Soured Relationships Financial Injuries Time and Resources 8

9 University Data Security Challenges Open Environment – many have access to records, control their own data Social Security number as a student identifier – resides on many systems Data Retention – tend to archive vs. delete Research – studies can use vast amounts of sensitive information Sharing – culturally much data is shared among colleagues

10 Target Rich Environment In General – need to allow less access Social Security number and other personal identifiers – retain in as few places as possible and only when needed Data Retention – less is better Research – separate initiative to secure research data Sharing – be more careful on what we share and how

11 What IT Is Seeing 171 UDELNET accounts compromised 20 machines disabled on average per week due to malware, etc. 11

12 http://krebsonsecurity.com/2012/10/the-scrap-value-of-a-hacked-pc-revisited/

13 http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/

14 What IT Is Doing Created: –IT Security & Compliance Office (modernize policies) –Technical Security Group Locate old data (SSNs) Protect current data (more than SSNs!) Detect intrusions FireEye, snort, NGFW, etc. 14

15

16 What does IT need? Process PII/SSNs scan results. Desktop and laptop PII scanning software coming soon. More SSNs. No, really. 16

17

18 Unit Responsibilities Some Action Items Follow UD Policies Develop Information Security Plan - Inventory data and devices (Know what you have) - Classify (Assess Sensitivity and Risk ) - Establish protocols to Manage, Access and Use (Playbook) - Protect Data - Limit Use + Retention - Evaluate Processes (Where + How is data at risk?) 18

19 Employee Responsibilities Some Action Items Unit Administrators - Inventory - Classify - Protect - Communicate Employees - Understand responsibilities and requirements - Ask questions! 19

20 Employee Responsibilities Some Action Items Perform periodic reviews -Encrypt Sensitive Regulated data that must be retained -Purge or Archive unneeded data -Management standards followed? -New control gaps? Report the loss or misuse of devices immediately 20

21 Types of Sensitive Data (1) Confidential PII (Personally Identifiable Information) –First Name or Initial and Last Name, along with: –Social Security Number; –Driver’s License Number or State-Issued ID Number; –Alien Registration or Government Passport Number; or –Financial Information: Account, credit or debit card number 21

22 Types of Sensitive Data (2) Student Data Health Information Financial Account Information, Credit Card #s Certain Employment Data Personally Identifiable Human Subject Research Data UDelNet account passwords 22

23 Discussion 23

24 Resources & Tools UD Policies –1-15 - http://www.udel.edu/ExecVP/policies/administrative/1- 15.htmlhttp://www.udel.edu/ExecVP/policies/administrative/1- 15.html –1-22 - http://www.udel.edu/ExecVP/policies/administrative/1- 22.htmlhttp://www.udel.edu/ExecVP/policies/administrative/1- 22.html Privacy & Confidentiality - http://www.udel.edu/it/security/policies/employees/privacy.html http://www.udel.edu/it/security/policies/employees/privacy.html Security Reporting - http://www.udel.edu/it/security/secreporting.html http://www.udel.edu/it/security/secreporting.html 24

25 Security Is Everyone’s Responsibility September 30, 2014

Download ppt "Security Is Everyone’s Responsibility October 22, 2014."

Similar presentations

H = P = A = HIPAA DEFINED HIPAA … A Federal Law Created in 1996 Health

H = P = A = HIPAA DEFINED HIPAA … A Federal Law Created in 1996 Health
Data Privacy and Security in the Cloud Presented by Robert J. Scott Managing Partner Scott & Scott, LLP www.ScottandScottllp.com.

Data Privacy and Security in the Cloud Presented by Robert J. Scott Managing Partner Scott & Scott, LLP
HIPAA In Relation to Other Federal Laws Professor Peter P. Swire Ohio State University Consultant, Morrison & Foerster LLP Glasser LegalWorks/HIPAA Conference.

HIPAA In Relation to Other Federal Laws Professor Peter P. Swire Ohio State University Consultant, Morrison & Foerster LLP Glasser LegalWorks/HIPAA Conference.
HIPAA AWARENESS TRAINING

HIPAA AWARENESS TRAINING
University of Minnesota

University of Minnesota
IT Security Policy Framework

IT Security Policy Framework
The Legal Foundation TRICARE Management Activity HEALTH AFFAIRS 2009 Data Protection Seminar TMA Privacy Office.

The Legal Foundation TRICARE Management Activity HEALTH AFFAIRS 2009 Data Protection Seminar TMA Privacy Office.
Banking Services AVAILABLE FOR A SMALL BUSINESS. BANKING SERVICES 2 Welcome 1. Agenda 2. Ground Rules 3. Introductions.

Banking Services AVAILABLE FOR A SMALL BUSINESS. BANKING SERVICES 2 Welcome 1. Agenda 2. Ground Rules 3. Introductions.
Understanding the benefits and the risks. Presented by Corey Nachreiner, CISSP BYOD - Bring Your Own Device or Bring Your Own Danger?

Understanding the benefits and the risks. Presented by Corey Nachreiner, CISSP BYOD - Bring Your Own Device or Bring Your Own Danger?
MOSS ADAMS LLP | 1 W HAT I S S ENSITIVE D ATA ? Whats the Risk and What Do We Do About It? Weston Nelson Steve Fineberg Steven Gin.

MOSS ADAMS LLP | 1 W HAT I S S ENSITIVE D ATA ? Whats the Risk and What Do We Do About It? Weston Nelson Steve Fineberg Steven Gin.
Privacy Impact Assessment Future Directions TRICARE Management Activity HEALTH AFFAIRS 2009 Data Protection Seminar TMA Privacy Office.

Privacy Impact Assessment Future Directions TRICARE Management Activity HEALTH AFFAIRS 2009 Data Protection Seminar TMA Privacy Office.
EMS Checklist (ISO model)

EMS Checklist (ISO model)
University Data Classification Table* Level 5Level 4 Information that would cause severe harm to individuals or the University if disclosed. Level 5 information.

University Data Classification Table* Level 5Level 4 Information that would cause severe harm to individuals or the University if disclosed. Level 5 information.
Information Privacy and Data Protection Lexpert Seminar David YoungDecember 9, 2013 Breach Prevention – Due Diligence and Risk Reduction.

Information Privacy and Data Protection Lexpert Seminar David YoungDecember 9, 2013 Breach Prevention – Due Diligence and Risk Reduction.
Copyright © 2012, Big I Advantage®, Inc., and Swiss Re Corporate Solutions. All rights reserved. (Ed. 08/12 -1) E&O RISK MANAGEMENT: MEETING THE CHALLENGE.

Copyright © 2012, Big I Advantage®, Inc., and Swiss Re Corporate Solutions. All rights reserved. (Ed. 08/12 -1) E&O RISK MANAGEMENT: MEETING THE CHALLENGE.
Independent Contractor Orientation HIPAA What Is HIPAA? Health Insurance Portability and Accountability Act of 1996 The Health Insurance Portability.

Independent Contractor Orientation HIPAA What Is HIPAA? Health Insurance Portability and Accountability Act of 1996 The Health Insurance Portability.
A Shared Responsibility

A Shared Responsibility
K eep I t C onfidential Prepared by: Security Architecture Collaboration Team.

K eep I t C onfidential Prepared by: Security Architecture Collaboration Team.
© 2009 The McGraw-Hill Companies, Inc. All rights reserved 3-1 LEGAL AND ETHICAL ISSUES in Medical Practice, Including HIPAA PowerPoint® presentation.

© 2009 The McGraw-Hill Companies, Inc. All rights reserved 3-1 LEGAL AND ETHICAL ISSUES in Medical Practice, Including HIPAA PowerPoint® presentation.
HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA)

HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA)

Similar presentations

Ads by Google