Data Security at Duke DECEMBER 2015. What happened: “At this time, we have no indication that research data or personal data managed by Harvard systems.


1 Data Security at Duke DECEMBER 2015

2 What happened: “At this time, we have no indication that research data or personal data managed by Harvard systems (e.g. social security numbers) have been exposed. … It is possible that Harvard login credentials (computer and email passwords, including Office 365) stored on the compromised FAS and Central Administration networks have been exposed.” – Harvard IT Security
Impact: Faculty, staff and students affiliated with the eight affected organizations were asked to change their passwords and update access across all devices synced to Harvard accounts.
Harvard University
Breach reported June 2015
Number of records: unknown

3 What happened: Penn State was notified in late 2014 of what turned out to be at least 2 cyberattacks carried out by a "threat actor" based in China. The targeted attacks used malware designed to avoid detection and were aimed at several large College of Engineering systems.
Impact: The College of Engineering's computer network was taken offline while systems were restored. Passwords were reset for all students, faculty and staff.
Breach reported May 2015
Number of records: unknown

4 What happened: An unencrypted thumb drive containing patient information was stolen from a DUHS administrative office in July 2014. The thumb drive contained spreadsheets with patients' names, medical record numbers, physicians' names and some Duke University Hospital locations visited. The spreadsheets did not contain Social Security numbers or clinical and financial information.
Impact: The breach resulted in notifications being sent to affected individuals and an internal investigation. New security controls are being implemented to enforce the internal requirement for encryption of flash drives.
Breach reported September 2014
Number of records: unknown

5 Data breaches Higher Ed All Sensitive data is a target!

6 Duke’s data security policy
- Developed with data stewards across campus over past two years
- Includes data classification, responsibility for data and reporting of potential security issues
- Published November 2015 (along with FAQ): security.duke.edu -> Policies & Procedures
- Applies to all Duke data, including data located on Duke-managed systems or on personally owned devices, in email or stored in a cloud service such as Box

7 You are responsible for:
- Accessing only that data which you are authorized to access
- Protecting the data
- Knowing the appropriate places to store the data
- Reporting a breach or compromise of sensitive data

8 Data classification at Duke
Sensitive (High):
- SSN
- Credit Card Numbers
- ePHI (HIPAA)
- HR data
- Financial data
- Contract data
- Donor data
- Prospective student data
Restricted (Medium):
- NDA data
- Library transactions
- Data restricted to specific individuals or groups
- Not Public or Sensitive
Public (Low):
- Public websites
- Campus maps
- Faculty/staff directory data
- Public research data

9 Extra protections needed
- Student data (FERPA)
- SSNs
- Credit card data
- HIPAA (ePHI) data
- DFARS

10 Special issues for research
- Research data may go through all classifications during the cycle of research. While a study is in progress, the data may be classified as sensitive, but after the study is closed and the data shared according to NIH or NSF guidelines, it may be public.
- Research budgets are always sensitive, but federally funded research proposals are often public (as they may be requested from the funding agency with a FOIA request).

11 Who’s who?
Data steward
- Determines sensitivity of data, who can access and how it should be protected
- FERPA data -> Registrar
- Research project -> PI
Data manager
- Typically an IT administrator responsible for securing data according to the data steward's directives
- Should have good working knowledge of how to securely manage systems and applications
Data users
- Individuals who have been approved by the data steward to access the data
- Responsible for their access to the data, including account security

12 Questions about data stewardship?
- Duke Registrar (FERPA)
- Duke EVP (SSNs, DukeCard data)
- Duke E-Commerce (credit card data)
- Duke Finance (financial data)
- Human Resources (employee data)

13 Questions to consider
- Storing Sensitive data and SSNs?
- Sharing data with collaborators?
- What are my options for encryption?
- How do I report a security incident?
- Disposal of systems with Sensitive data?

14 Questions? security@duke.edu security.duke.edu

