Presentation is loading. Please wait.

Presentation is loading. Please wait.

Data Protection Practices 2008 NSAA IT Conference Nathan Abbott, TN Joe Moore, AZ Doug Peterson, NV.

Published byJohanne Ducksworth Modified over 9 years ago

Similar presentations

Presentation on theme: "Data Protection Practices 2008 NSAA IT Conference Nathan Abbott, TN Joe Moore, AZ Doug Peterson, NV."— Presentation transcript:

1 Data Protection Practices 2008 NSAA IT Conference Nathan Abbott, TN Joe Moore, AZ Doug Peterson, NV

2 Agenda Introduction Why? Our recent experiences What? Technology solutions How else? Questions

3 Introduction Format for presentation Individual introductions

4 Why has data protection become more important now?

5 Nevada

6 Why… Contractor with DMV: –Lost USB Flash drive –Contained names of 109 individuals University of Nevada, Reno professor lost a flash drive that contained the names and Social Security numbers of 16,000 incoming freshmen from 2001 to 2007current and former students

7 Why… DMV Audit –Prior to audit--Truck drives through front of DMV building and steals computer. Contained personal information on 8,700 Nevada residents. –Prior to audit--Planned to encrypt files and not store on computers –Audit found information on desktops, laptops, zip drives, USB drives. –Audit found process of removing personal information from computers didn’t always work as planned. Over 300 files, each with a person’s name, address, and SS#.

8 Arizona

9 Why… Arizona #1 in Identity Theft Newspaper publishes “public” information Audit responsibilities require sensitive data Agency requests for agreements –Encroachment on statutory authority Public relations nightmare

10 Tennessee

11 Why… Portable Media –Auditor was in car accident and lost their thumbdrive Nashville Davidson County Election Commission Office –The office was broken into

12 Why…

13 Nashville Davidson County Election Office Office was broken into on December 24, 2007 Break-in was not noticed until December 27, 2007 Two Laptops were some of the items that were missing

14 Why… It was standard practice for the office to tape to the machine user name and passwords. The laptops were using an access database that contained all register voters personal information including their SSN.

15 Why… The office was preparing for the primary election and was in the process of removing the SSN’s from the Access database. The street value of the stolen laptops was probably $600 total, but the incident is costing the city millions in Identity Theft Protection.

16 What solutions are we using?

17 Tennessee

18 Where Did We Start? 1.Researched available options 2.Evaluated software 3.Determined best option

19 TRUECRYPT VS ENTRUST TRUECRYPT –Partial disk encryption –Passwords do not sync –No vendor support –USB encryption –Encryption time 30- 40 minutes –Cost FREE ENTRUST –Full disk encryption –Passwords sync with operating system –Vendor Support – 1- 800 number –Removable media encryption –Encryption time 4-8 hours –Cost $130 per licence

20 Truecrypt Concerns File Restoration Key Management Administrative Support Removable Media Support Partial Disk Encryption

21 Why Did We Choose Truecrypt Strategic Plan –Our purpose is to serve the people of Tennessee by Enhancing effective public policy decisions at all levels of government 47-18-2107 TCA Release of personal consumer information –…Unauthorized acquisition of unencrypted computerized data…

22 Truecrypt Harddrive Setup

23

24 Truecrypt USB Setup

25

26 Arizona

27 What? Statutes Drive Crypt Plus Pack (DCCP) Ironkey VPN and Tokens Winzip

28 Statutes Provide broad access to information –Authorized to review confidential records without limitation –Agencies required to provide records Working papers and audit files are not public information Audit exclusions for other Acts, such as HIPPA, FERPA

29 DCPP Whole disk encryption (partition based) Boot protection Pre-Boot authentication Sector level protection Administrator / user specific rights Transparent to users Minimal administration and user training

30 DCPP

31

32

33

34

35

36

37

38 Ironkey Always-on military grade data encryption No software or drivers to install Easy to deploy and use Ability to create and manage enforceable policies Unique serial numbers

39 Ironkey

40

41

42

43

44

45

46

47

48

49 Remote Access via VPN and Tokens

50 WinZip

51 Nevada

52 What Technology We Use Truecrypt EFS (windows built in encryption) Lexar USB drives with encryption software Whole disk encryption on Dell laptops using Wave Embassy Security Center software and hard drive-based encryption

53 EFS Advantages: –Free –Easy to implement –256-bit AES –Easy to backup to network drive (registry tweak needed to decrypt data as it is copied to network drive) –Set and forget...sort of

54 EFS Disadvantages: –No additional password –Folder based. Auditors can save in unencrypted folders –256-bit AES not used in Pre-XP SP1 –Certificate expired and some auditors could not get access to data for a day

55 Windows Encryption File System (EFS)

56 Lexar Secure II Advantages: Free Known encryption (AES 256) Disadvantages: Not easy for auditors to remember setup Uses Vaults—auditors use unencrypted area

57 Secure II for USB Drives

58 Wave Embassy Whole Disk Encryption (hardware based on Dell Latitude, HP, Lenovo) Wave Embassy suite is the software front end to where the real work is done—hardware-based encryption Used in conjunction with TPM chip

59 Wave Embassy Advantages: 128-bit AES (not as strong as 256-bit key, but still strong) Multiple passwords (pre-boot authentication) Works with biometrics

60 Wave Embassy Disadvantages Complex to set up (including BIOS settings) Multiple passwords Need to have a Seagate Momentus FDE.2 HDD which runs at 5400 rpm

61 Wave Embassy Security Center

62 Wave Embassy

63

64

65

66 How else are we addressing it?

67 Nevada

68 Statutes and Policies Statutes –NRS 218.870 (“All working papers from an audit are confidential…”) Policies –Reinforce and support statutes –Detailed Extreme care to ensure confidentialy of information “gained” during audits (more than what is in workpapers) Careful with discussions

69 How…Guidance to Staff Training One on one with each person –Lexar –Wave Embassy Periodic staff training –Reinforce statutes –What is confidential, what is not –Examples shown Management meetings allow supervisors to reinforce policies and importance

70 Tennessee

71 How…Our Policies Backup Volume Header –Allows users to restore encryption to original installation. Create an Admin Password –This is to be used in the event someone forgets their password.

72 How…Our Policies (Cont.) Created standard passwords for users –This is used to ensure password complexity Created standard login procedures –This is used to help the auditors to be consistent when they login

73 How…Our Policies (Cont.) Removable Media –This policy is to make it clear that personal thumbdrives are not be used to store confidential data Storage of Files –This policy is to make it clear where you needed to store confidential data

74 How…Our Policies (Cont.) Enforcement –Once a year have security awareness training –Periodic emails to staff reminding them of the encryption policies –Unannounced Random Sample

75 How…Problems Auditors were confused about which password to use to log-on to their workstation Thumbdrives Auditors do not like using passwords for thumbdrives

76 Arizona

77 How… Policy Communicate to auditee/entity common information Statutory authority Security of confidential records Auditor General policies –Internet Use and Email acceptable use agreements –IT policy with address data security –Acknowledgement of state policy

78 How… Determine whether information is confidential or public (may be more restrictive than public records law) Confidential –Personal information Info which can identify a person –Sensitive information Info which may be harmful to the state and its citizens Public information

79 How… Then, ensure that appropriate security measures are applied based on classification of data Confidential –Encryption and/or restrictive physical and/or logical access rights Store on Office network or encrypted flash drives Return original data or store securely –Never copy confidential data to home computer

80 How… –If remote, use VPN and use remote sessions –Limit access rights on network drives –Use restricted views and coding techniques for data stored in databases –Determine whether or how much confidential information must be included in audit documentation

81 How… Use encryption when storing on external storage media (HDs, CDs) –Use secure passwords/phrases »Minimum of 8 characters »Upper/lower case »Special characters Store passwords/phrases securely Public Information No special security precautions Adhere to professional standards and Office policy Can be stored in shared directories

82 How? Document classification assessment and subsequent actions taken Archiving and Disposition –Keep only as long as necessary or required –Ensure confidential data is protected when archived –Let others involved know about the confidential nature of the data stored

83 Questions Nathan Abbott; Nathan.Abbott@state.tn.us Joe Moore; jmoore@azauditor.gov Doug Peterson; dpeterson@lcb.state.nv.us

Download ppt "Data Protection Practices 2008 NSAA IT Conference Nathan Abbott, TN Joe Moore, AZ Doug Peterson, NV."

Similar presentations

Computer and Mobile Device Equipment Security Brief May 29, 2008 Presented by: Kevin G. Sutton, Chief, Information Technology Unit.

Computer and Mobile Device Equipment Security Brief May 29, 2008 Presented by: Kevin G. Sutton, Chief, Information Technology Unit.
INADEQUATE SECURITY POLICIES Each covered entity and business associate must have written polices that cover all the Required and Addressable HIPAA standards.

INADEQUATE SECURITY POLICIES Each covered entity and business associate must have written polices that cover all the Required and Addressable HIPAA standards.
Meganet Corporation VME Office 2004. Meganet Corporation Meganet Corporation is a leading worldwide provider of data security to Governments, Military,

Meganet Corporation VME Office Meganet Corporation Meganet Corporation is a leading worldwide provider of data security to Governments, Military,
Encryption – First line of defense Plamen Martinov Director of Systems and Security.

Encryption – First line of defense Plamen Martinov Director of Systems and Security.
BUS VIDEO RECORDINGS COLLECTION – PROCESSING - REDACTION - SHARING WHAT IS RIGHT FOR YOUR DISTRICT?

BUS VIDEO RECORDINGS COLLECTION – PROCESSING - REDACTION - SHARING WHAT IS RIGHT FOR YOUR DISTRICT?
Personal Data Protection and Security Measures Justin Law IT Services - Information Security Team 25 & 27 November 2013.

Personal Data Protection and Security Measures Justin Law IT Services - Information Security Team 25 & 27 November 2013.
Data Storage and Security Best Practices for storing and securing your data The goal of data storage is to ensure that your research data are in a safe.

Data Storage and Security Best Practices for storing and securing your data The goal of data storage is to ensure that your research data are in a safe.
Securing. Agenda  Hard Drive Encryption  User Account Permissions  Root Level Access  Firewall Protection  Malware Protection.

Securing. Agenda  Hard Drive Encryption  User Account Permissions  Root Level Access  Firewall Protection  Malware Protection.
Data Security for Healthcare Facilities Debbie Abbott Health Information Consultant Resolutions (Int) Pty Ltd.

Data Security for Healthcare Facilities Debbie Abbott Health Information Consultant Resolutions (Int) Pty Ltd.
Information Systems Audit Program. Benefit Audit programs are necessary to perform an effective and efficient audit. Audit programs are essentially checklists.

Information Systems Audit Program. Benefit Audit programs are necessary to perform an effective and efficient audit. Audit programs are essentially checklists.
Security Controls – What Works

Security Controls – What Works
Information Security Policies and Standards

Information Security Policies and Standards
5-9/12/2005 CPE 101 1 How to format your computer and re-install Windows XP.

5-9/12/2005 CPE How to format your computer and re-install Windows XP.
Personal Data Protection and Security Measures Justin Law IT Services - Information Security Team 18, 20 & 25 March 2015.

Personal Data Protection and Security Measures Justin Law IT Services - Information Security Team 18, 20 & 25 March 2015.
Data Encryption Overview South Seas Corporation Jared Owensby.

Data Encryption Overview South Seas Corporation Jared Owensby.
Lesson 11-Virtual Private Networks. Overview Define Virtual Private Networks (VPNs). Deploy User VPNs. Deploy Site VPNs. Understand standard VPN techniques.

Lesson 11-Virtual Private Networks. Overview Define Virtual Private Networks (VPNs). Deploy User VPNs. Deploy Site VPNs. Understand standard VPN techniques.
Lesson 9-Securing a Network. Overview Identifying threats to the network security. Planning a secure network.

Lesson 9-Securing a Network. Overview Identifying threats to the network security. Planning a secure network.
Hands-On Microsoft Windows Server 2003 Administration Chapter 6 Managing Printers, Publishing, Auditing, and Desk Resources.

Hands-On Microsoft Windows Server 2003 Administration Chapter 6 Managing Printers, Publishing, Auditing, and Desk Resources.
Secure Your Future Now ….. Logical Access Control and Data Security Brought to you by Support & Maintenance by DCS Global Info.

Secure Your Future Now ….. Logical Access Control and Data Security Brought to you by Support & Maintenance by DCS Global Info.
COMPUTER BACKUP A disaster will happen to you one day…an accidentally deleted file, a new program that caused problems or a virus that wreaked havoc, wiping.

COMPUTER BACKUP A disaster will happen to you one day…an accidentally deleted file, a new program that caused problems or a virus that wreaked havoc, wiping.

Similar presentations

Ads by Google