
Obtaining, Storing and Using Confidential Data October 2, 2014 Georgia Department of Audits and Accounts.


1 Obtaining, Storing and Using Confidential Data
October 2, 2014
Georgia Department of Audits and Accounts

2 Headlines (organization, number affected, year, type of breach)
Target, 70 million, 2013, credit card breach
South Carolina DOR, 3.6 million, 2012, PII breach
TriCare, 4.6 million, 2012, HIPAA breach
Home Depot, 56 million, 2014, credit card breach
LinkedIn, 6.5 million, 2012, passwords stolen
LivingSocial, 50 million, 2013, password and PII breach
UPS, unknown, 2014, credit card breach
Walgreens, 100,000, 2013, PHI breach
Community Health Systems, 4.5 million, 2014, HIPAA breach

3 Totals for Jan through Sept 2, 2014
Total number of records exposed: about 17.8 million
Total number of data breaches: 521
Source: Identity Theft Resource Center

4 First Things First
Security Awareness
Data Classification
Risk Assessments

5 Security Awareness
Establish policies: staff IT policies
Educate staff: awareness training
Enforce: compliance monitoring

6 Security Awareness
Staff are required to go through security awareness training every year.
Last year we purchased SANS training, Securing the Human.
In prior years the IT Division developed the training and focused on:
IT policies
Current security events that have occurred in public

7 Security Awareness Emphasis
SecUrity is everyone's responsibility and "U" are at the center.
Make sure U are not the weakest link.

8 Security Awareness Emphasis
Be a good example to entities that you audit.
We should be setting the example for good SecUrity.

9 Data Classification
Once staff have been trained, you need to make sure all data is classified.
Data classification: classifying data based on its level of sensitivity/confidentiality and the impact to our office in the event the data is disclosed, altered or destroyed without authorization.
The classification of data helps determine what baseline security controls are appropriate for safeguarding that data.

10 Data Classification
GA Department of Audits is in the process of classifying all our confidential data.
Developing a department catalog to identify datasets and business owners.

11 Data Classification Catalog

12 Data Classification

13 Questions to ask
Where is my sensitive/confidential data?
Can I manage all copies and versions of confidential data?
Is all confidential data appropriately protected?
Who can access confidential data?
Is confidential data required for the audit?
Is confidential data being sent or transferred out (email and/or removable media)?
Are the correct security processes being applied to confidential data?
What about retention of confidential data?

14 What should be kept confidential?

15 Risk Assessment
After we do a data classification we will be doing a risk assessment.
Select a risk assessment methodology (a repeatable process).
Use data classification information.
Determine gaps in security.
Assess potential risks, threats and vulnerabilities.
Risk = Likelihood * Impact

16 Risk Assessment
If there was a breach, make sure you think about things such as:
Reputation
Credibility
Cost to investigate
Credit monitoring services for those affected

17 GA State Law 50-6-29

18 GA State Law 50-6-29
"to compel the production, inspection, and copying of documentary evidence, including without limitation evidence in electronic form and documentary evidence that is confidential or not available to the general public,"

19 GA State Law 50-6-29
"state auditor shall have access to inspect, compel production of, and copy confidential information in any form unless the law making such information confidential expressly refers to this Code section and qualifies or supersedes it"

20 GA State Law 50-6-29
"shall redact, destroy, or return to the custodial agency all confidential information except that information which the state auditor determines is necessary to retain for audit purposes"

21 GA State Law 50-6-29
"the state auditor may retain such confidential information in working papers as is minimally necessary to support findings and to comply with generally accepted governmental auditing standards."

22 GA State Law 50-6-29
"confidential information in the hands of the state auditor shall have the same confidential status as it does in the hands of the custodial entity, and the state auditor shall protect its confidentiality with at least the care and procedures by which it is protected by the custodial agency or substantially equivalent care and procedures."

23 Obtaining Confidential Data
Give the DOAA Confidentiality Form to the entity.
Sometimes the entity wants to modify the form, especially in regard to how long we can keep the data.
The entity's lawyer usually wants to get involved.
Federal law supersedes state law.
Data and system may be with a 3rd party.
Try to get data well in advance of the start of the audit.
Entity stall practices: too big, wrong format.

24 Transmitting Confidential Data
For most transfers we use a product called Accellion Secure File Transfer.
If it is a large dataset, we will give the entity an encrypted drive to copy the data to.

25 Storing Confidential Data
Encryption:
In Oracle: work with the business owner to make sure field-level encryption is on for datasets.
Laptops: use PGP to encrypt all laptops.
Flash drives: for HIPAA data, encrypt all flash drives with PGP.
Looking at BitLocker to start encrypting all DOAA flash drives and possibly laptops.
Backups are encrypted.

26 Using Confidential Data
In the Oracle DB, if data fields have to be decrypted, an email is sent to IT and the manager of the project to alert them that data fields were decrypted.
DLP (Data Loss Prevention): we use Cisco's appliance for email DLP violations.
Notification is sent to the ISO and IT Director on a DLP violation; make sure it is not a false positive.
The employee's director is notified of any DLP violation in order to guide employees' behavior to be more security conscious.
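As an added illustration of the email DLP check described on this slide (example code written for this transcript, not the Cisco appliance's or DOAA's own logic), the scanner below flags card numbers and SSNs in outbound message bodies and uses a Luhn check so that invoice-style digit runs are not escalated as false positives. The message bodies, phone number and card values are constructed samples.

```python
import re

# Constructed sample outbound e-mail bodies (not real messages or real data).
SAMPLE_MESSAGES = {
    "msg1": "Attached is the payroll file. Card on file: 4111 1111 1111 1111, exp 12/16.",
    "msg2": "Invoice number 4111111111111112 and order 1234-5678 shipped Friday.",
    "msg3": "Employee SSN 123-45-6789 is needed for the benefits enrollment.",
    "msg4": "Meeting moved to room 4000 at 2014-10-02; call 404-555-0123 with questions.",
}

# 13 to 19 digits, optionally separated by spaces or dashes (card-number shape).
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# AAA-GG-SSSS, excluding area/group/serial values that are never issued.
SSN_RE = re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check: issued card numbers pass it, most random digit runs do not."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(digits: str) -> str:
    """Keep only the last four digits so the alert itself does not leak the value."""
    return "*" * (len(digits) - 4) + digits[-4:]


def scan_message(body: str) -> list:
    """Return (type, masked_value) findings for one message body."""
    findings = []
    for m in CARD_RE.finditer(body):
        digits = re.sub(r"[ -]", "", m.group())
        # Shape alone is a false-positive source (invoice and order numbers); require Luhn too.
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            findings.append(("credit_card", mask(digits)))
    for m in SSN_RE.finditer(body):
        findings.append(("ssn", "***-**-" + m.group()[-4:]))
    return findings


def messages_to_escalate(messages: dict) -> dict:
    """Messages with at least one finding; these are the ones to send to the ISO for review."""
    out = {}
    for mid, body in messages.items():
        findings = scan_message(body)
        if findings:
            out[mid] = findings
    return out
```

Only the masked value reaches the notification, so the ISO and IT Director can confirm a true positive without the alert email itself becoming another copy of the confidential data.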

27 Destroying Confidential Data
Destruction of data: auditors are responsible for destroying confidential data at the end of the audit or, if needed for work papers, at the end of the retention period of 5 years.
Auditors are provided with software (PGP Shredder) that facilitates the destruction of confidential electronic data by overwriting the data with random bytes and repeating this process through multiple passes.
Records managers in each Division ensure compliance.
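To show what the multi-pass overwrite on this slide actually does to a file, here is an added example (written for this transcript, not PGP Shredder's code): each pass replaces the file's contents with random bytes and is forced to disk before the next, then the file is renamed to a random name and unlinked so the original name does not linger either. The demo() function builds a throwaway temp file with constructed content so the whole sequence can be run offline.

```python
import os
import secrets
import tempfile


def overwrite_in_place(path: str, passes: int = 3, chunk: int = 64 * 1024) -> int:
    """Overwrite the file's current contents `passes` times with random bytes,
    forcing each pass to disk. Returns the number of bytes overwritten per pass."""
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        for _ in range(passes):
            f.seek(0)
            remaining = size
            while remaining > 0:
                n = min(chunk, remaining)
                f.write(secrets.token_bytes(n))
                remaining -= n
            f.flush()
            os.fsync(f.fileno())  # do not count a pass until the OS has written it
    return size


def shred_file(path: str, passes: int = 3) -> int:
    """Overwrite, then rename to a random name and unlink so neither the contents
    nor the original file name remain in the directory."""
    size = overwrite_in_place(path, passes)
    anon = os.path.join(os.path.dirname(path) or ".", secrets.token_hex(8))
    os.replace(path, anon)
    os.remove(anon)
    return size


def demo() -> dict:
    """Constructed end-to-end check on a throwaway file; returns the observations."""
    original = b"SSN 123-45-6789 (constructed sample, not a real record)\n" * 100
    fd, path = tempfile.mkstemp()
    with os.fdopen(fd, "wb") as f:
        f.write(original)
    overwrite_in_place(path, passes=2)
    with open(path, "rb") as f:
        after = f.read()
    size = shred_file(path)
    return {
        "changed": after != original,
        "same_size": len(after) == len(original),
        "bytes": size,
        "expected_bytes": len(original),
        "removed": not os.path.exists(path),
    }
```

Overwriting only reaches the blocks the filesystem currently maps to the file: SSD wear levelling, journaling or copy-on-write filesystems, snapshots and the encrypted backups from the storage slide can all keep older copies. It therefore complements the laptop and flash-drive encryption described earlier rather than replacing it.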

28 Additional tools
Evaluating a product called Sensitive Data Manager by Identity Finder.

29 Final Thought
State of _________ Audit Department Breach

30 Questions
Lynn Bolton
(404) 657-9978
boltonln@audits.ga.gov

