Presentation is loading. Please wait.

Presentation is loading. Please wait.

What Data is Sensitive and How Do We Keep it Private? John L. Baines, AD IT Policy & Compliance, OIT Data Privacy Month 2013 Tuesday, January 28, 2013.

Similar presentations


Presentation on theme: "What Data is Sensitive and How Do We Keep it Private? John L. Baines, AD IT Policy & Compliance, OIT Data Privacy Month 2013 Tuesday, January 28, 2013."— Presentation transcript:

1 What Data is Sensitive and How Do We Keep it Private? John L. Baines, AD IT Policy & Compliance, OIT Data Privacy Month 2013 Tuesday, January 28, PM PM D.H.Hill

2 Data Privacy Day Data Privacy Day is held on January 28th every year. It is an effort to empower people to protect their privacy and control their digital footprint and escalate the protection of privacy and data as everyone’s priority. For more info visit Stay Safe On-lineStay Safe On-line 1/29/2013What data is sensitive and How to keep it privateSlide 2

3 Data Privacy MonthData Privacy Month at NCSU All 12 p.m. to 1 p.m. D.H. Hill Room 2304 Monday, Jan. 28 Top Tips to Protect Your Privacy and DataTop Tips to Protect Your Privacy and Data Tuesday, Jan. 29 What Data is Sensitive and How Do We Keep it Private? Thursday, Jan. 31 Data Protection, Privacy and the Law To view other activities planned during January, visit EDUCAUSE.EDUCAUSE 1/29/2013What data is sensitive and How to keep it privateSlide 3

4 Agenda 1/29/2013What data is sensitive and How to keep it privateSlide 4

5 Privacy and security of personal info have become very public concerns –Identity theft –Personal protection –University image and reputation –Financial penalties can be high –Much legislation –Public concern –Internet access to data 1/29/2013What data is sensitive and How to keep it privateSlide 5

6 UNC-CH SSN breach at Medical School Senior researcher –UNC-CH medical school –Carolina Mammography Registry, a 15-year project –Kept research subjects database referenced by Social Security number (SSN) – 114,000 subjects –Also name, address and other personal information –Most participants unaware Exploit – Discovered in 2009, server infiltrated two years earlier. – Not clear if any data exported Consequences – Notified all 180,000 exposed – Cost $250,000 – Centralized IT security Loss of public trust and university reputation 1/29/2013What data is sensitive and How to keep it privateSlide 6

7 Sensitive But Unclassified (SBU) New category of Government data Affects Defense research contracts (and other Government data) Previously no classified data to protect Now SBU must be protected No such thing as “unprotected” in Defense research contracts? 1/29/2013What data is sensitive and How to keep it privateSlide 7

8 Protect as Restricted Data (PARD) DoE “sensitive but unclassified” data Dr. Wen Ho Lee's program codes at Los Alamos National Laboratory Backed up such PARD data to tape Government labeled as 'espionage' Felony charge - 'withholding' info related to the 'national defense' 1/29/2013What data is sensitive and How to keep it privateSlide 8

9 Credit Card Industry fines PCI DSS –Prescriptive –Detailed –Difficult –Enforced Fines can be as high as $500,000 per occurrence Other costs, e.g. notification Incident occurs - not compliant – pushed to highest audit level ($$$) Visa total PCI DSS fines – $4.6 million – $3.4 million – New higher fines since… TJX spent $202 million on a PCI violation affecting 40 million cardholders. More than 20 lawsuits filed. Damage to university reputation worse than fine… 1/29/2013What data is sensitive and How to keep it privateSlide 9

10 Personal privacy Identity theft –SSN –Credit card numbers and bank accounts Personal safety – e.g. stalking Confidentiality –Personal use –Student data - FERPA 1/29/2013What data is sensitive and How to keep it privateSlide 10

11 Family Educational Rights & Privacy Act 1974 FERPA or the Buckley Amendment, designed to: –Protect the privacy of education records –Prevent schools having policies abusive of student privacy –Be subjected to various exceptions –Provide the right to file a complaint with the U.S. Department of Education Require schools to provide parents and eligible students : – Access to their records – Correction of errors in the record – Consent to disclosure to third parties 1/29/2013What data is sensitive and How to keep it privateSlide 11

12 FERPA data is pervasive Any record, with certain exceptions, maintained by an institution that is directly related to a student or students. This record can contain a student’s name(s) or information from which an individual student can be personally (individually) identified. These records include: files, documents, and materials in whatever medium (handwriting, print, tapes, disks, film, microfilm, microfiche) which contain information directly related to students and from which students can be personally (individually) identified. 1/29/2013What data is sensitive and How to keep it privateSlide 12

13 FERPA enforcement Weak and mostly symbolic –Fire alarm model –The consequences on a school for violating FERPA are either a memo requesting voluntary compliance a complete withdrawal of federal funding Works only at an institutional policy, not an individual level – Only 100 cases contested 1990 – 2003 – 2 cases made it to the Supreme Court in 2001 – Demonstrated that individuals cannot file suit if they are injured by FERPA violations 1/29/2013What data is sensitive and How to keep it privateSlide 13

14 FERPA conclusions FERPA data is held by most, if not all, academic and administrative offices of an institution –Do we need to protect the security of “Education Records” and “Student Privacy”? Absolutely –Can we afford to protect them at the same level as social security numbers and credit card data? No –Too expensive –Would make access too difficult 1/29/2013What data is sensitive and How to keep it privateSlide 14

15 The Internet Cloud From Wikipedia, the free encyclopedia 1/29/2013What data is sensitive and How to keep it privateSlide 15 Software-as-a-Service (SaaS)

16 CSA/ISACA 2012 Cloud Computing Market Maturity Study 252 participants representing cloud users, providers, consultants and integrators 85% self-identified cloud users Positions from C-level executives to staff 15 different industry segments 48 countries, most America or Europe 1/29/2013What data is sensitive and How to keep it privateSlide 16

17 Overall findings on maturity Cloud needs to transition from technology solution to business resource Infrastructure and Platform offerings –Infancy –About 3 years to reach ‘established growth’ Software as a Service (SaaS) offerings –Early growth –2+ years to reach ‘established growth’ 1/29/2013What data is sensitive and How to keep it privateSlide 17

18 Cloud infancy 1/29/2013What data is sensitive and How to keep it privateSlide 18

19 Positive Influence Factors 1.Agility 2.Time to market 3.Business unit demand 4.New technology 1. Cost management 2. Efficiency 3. Productivity 4. Resilience 1/29/2013What data is sensitive and How to keep it private Slide 19 CSA/ISACA 2012 Cloud Computing Market Maturity Study Survey Business Growth InfluenceProcess Enablement

20 Negative Influences on Cloud Adoption and Innovation 1.Information security 2.Data ownership/ custodian responsibilities 3.Regulatory compliance 4.Legal and contractual issues 5.Information assurance 6. Contract lock-in 7. Longevity of suppliers 8. Disaster recovery/ business continuity 9. Performance standards 10. Performance monitoring 11. Technology stability CSA/ISACA 2012 Cloud Computing Market Maturity Study Survey 1/29/2013What data is sensitive and How to keep it privateSlide 20

21 Sensitive data factors at NC State Legislation University revenues and expenses University image and reputation Confidentiality agreements / contracts Research Copyright and Intellectual Property Attorney/client privilege, police records Personal privacy 1/29/2013What data is sensitive and How to keep it privateSlide 21

22 Some sensitive data examples: Personally Identifiable Information (PII) Credit card information (PCI) Health data (HIPAA - PHI) Research data (e.g. contractual & pre-patent) Public safety information Financial donor information Security controls such as: –System access passwords and other credentials –Information file encryption keys –Information security records 1/29/2013What data is sensitive and How to keep it privateSlide 22

23 Legislation 1/29/2013What data is sensitive and How to keep it privateSlide 23 –Family Educational Rights and Privacy Act (FERPA)Family Educational Rights and Privacy Act (FERPA) –Health Insurance Portability and Accountability Act of 1996 (HIPAA)Health Insurance Portability and Accountability Act of 1996 (HIPAA) –Gramm Leach Bliley Act (GLBA)Gramm Leach Bliley Act (GLBA) –Payment Card Industry (PCI) Data Security StandardPayment Card Industry (PCI) Data Security Standard –Red Flag Rule (FTC)Red Flag Rule (FTC) –North Carolina Identity Theft Protection Act of 2005North Carolina Identity Theft Protection Act of 2005 –North Carolina Public Records ActNorth Carolina Public Records Act –North Carolina State Personnel ActNorth Carolina State Personnel Act

24 A framework for the availability and security of your data. 1.Data Management Procedures Regulation updates including revised Data Classification Statement, 2.Data Sensitivity Framework table 3.List of IT controls for data stewards and application developers/sponsors 1/29/2013What data is sensitive and How to keep it privateSlide 24

25 1. Data Classification Statement A.Ultra – Very few data elements - SSN, credit card number, bank accounts, passwords B.High – Large body – personal privacy, financial, intellectual property, medical, research, private contributors, attorney/client privilege, police C.Moderate – Simpler controls - Mostly FERPA D.Normal – Not sensitive – e.g. university Web pages, published articles E.Unclassified (Black) – publically available data 1/29/2013What data is sensitive and How to keep it privateSlide 25

26 Data Classification Statement Matrix 1/29/2013What data is sensitive and How to keep it privateSlide 26 ClassificationRisk Criteria LevelRiskRegulationFinancialReputationBusinessOther UltraTwo ofMultipleExtremeSerious Litigation HighTwo ofViolationSignificantSerious ModerateOne ofViolationSome Adverse NormalNo major Access control UnclassifiedNonePublically available

27 2. Data sensitivity framework table Data sensitivity framework Lists all sensitive data elements (e..g. personal name, ssn, credit card #) Cross references –Data elements to –Legislation and –Other concerns Provides default sensitivity for each data element Labels sensitivity level of data in context Authoritative list of university sensitive data 1/29/2013What data is sensitive and How to keep it privateSlide 27

28 3. Controls for Securing University DataControls for Securing University Data Primary Audience for this document: –Individuals making decisions about data classification & protection (management & technical) –Document includes cross-reference table to connect controls to data Document not intended for End-usersDocument –Seek approval or instruction from the respective Data Custodian / Data Steward 1/29/2013What data is sensitive and How to keep it privateSlide 28

29 Types of controls 1.Control Principles for Data Stewards and Application Sponsors 2.Administrative and procedural design controls 3.Technical controls – computer server 4.Technical controls – end-user devices 1/29/2013What data is sensitive and How to keep it privateSlide 29

30 More about controls Only really applies to sensitive information: –Purple, red and yellow data –Not green and unclassified data Table cross-reference at end: –Control –Data sensitivity levels –Mandatory, Recommended, Optional, [Unnecessary] 1/29/2013What data is sensitive and How to keep it privateSlide 30

31 Where is it OK to store your data? 1/29/2013What data is sensitive and How to keep it privateSlide 31 LocationSensitiveNot sensitive Most to least VPurpleRedYellowGreenWhite University serverEncrypted Restricted Yes…Yes Cloud serviceEncrypted Restricted Restricted… Yes…Yes NCSU Google DriveEncrypted File Only Yes PrintRestricted Yes Removable storageNeverEncrypted…Yes… Yes Local PCNeverEncrypted…Yes…Yes NeverEncryptedSome…Yes Mobile deviceNeverNo…Yes Google DocsNeverNo…Yes…Yes

32 Next Steps with DSF 1/29/2013What data is sensitive and How to keep it privateSlide 32 Presentation to campus –“DSF - Where is it OK to store your data” –Develop documents specific to needs –Best practices to apply to their use of the data –Help from derived documents –Define, implement and test campus encryption solutions

33 Who’s protecting your data & how? On your mobile device – you are Removable storage – you are On your desktop – you and your sys admin On University servers - OIT or college/ dept IT staff (or you!) In the cloud – the vendor (and you…) 1/29/2013What data is sensitive and How to keep it privateSlide 33

34 Google and sensitive information Best Practices for Data Security in Google NC StateBest Practices for Data Security in Google NC State Google Drive and encrypted file sync Google contractually defined as a university FERPA official at NCSU Google docs OK for FERPA data may be more of a FERPA issue – when transmitted outside Google 1/29/2013What data is sensitive and How to keep it privateSlide 34

35 Types & examples of cloud services File synchronization and distribution - Google Drive can save & sync files Services providing file manipulation – Google Docs (and other Google Apps) Other more complex Cloud services (SaaS, Paas, IaaS) need investigation on a case by case basis 1/29/2013What data is sensitive and How to keep it privateSlide 35

36 SaaS Black Box Simple interface Complexities o Hidden o Layers o Orders of magnitude more You have to be able to trust the implementation! 1/29/2013What data is sensitive and How to keep it privateSlide 36

37 Precautions with cloud vendors From CSA/ISACA study either –Less than 100 staff or –Many thousands Be careful if you have sensitive data Look at Cloud Security Alliance STARSTAR IT Security staff can assess security of product and data being considered 1/29/2013What data is sensitive and How to keep it privateSlide 37

38 Questions 1/29/2013What data is sensitive and How to keep it privateSlide 38


Download ppt "What Data is Sensitive and How Do We Keep it Private? John L. Baines, AD IT Policy & Compliance, OIT Data Privacy Month 2013 Tuesday, January 28, 2013."

Similar presentations


Ads by Google