Awareness - Protecting our Data

Awareness - Protecting our Data Personally Identifiable Information (PII)

Learning Goals:
1. Ability to identify Personally Identifiable Information (PII).
2. Determine the difference between Non-Sensitive PII and Sensitive PII.
3. Why we need to protect PII.
4. Know what PII we have and where PII exists.
5. Individual actions to protect PII:
   a. Sensitive PII you always need to protect
   b. Rules of Thumb
   c. Situations

Personally Identifiable Information (PII) – Basic Definition
Information used to identify who an individual is. Can you think of what kind of PII you may have on yourself right now? Possibly a:
Business card
Driver's license
Credit/debit card
Medical insurance card

Definition of PII – Distinguish and Trace
Any information that can be used to distinguish or trace an individual, such as name, Social Security Number, date and place of birth, mother's maiden name, or biometric records (fingerprints, retina scan, image, etc.).
Distinguish: to identify an individual.
Trace: to process sufficient information to make a determination about a specific aspect of an individual's activities or status, much as a detective identifies someone from a set of clues.

Definition of PII – Linked and Linkable
Information that identifies a person only once it is combined with other data is called linked or linkable; medical, educational, financial, and employment information are typical examples.
Linked: information about an individual that is logically associated with other information about the same individual, usually within one system. Example: combining records from the same application database, i.e. linking student address information with student test score information by student number.
Linkable: information about an individual that could be associated with other information collected from unrelated sources. Example: combining enough information from a spreadsheet, a public website and an application database to determine which individual student is described.

Types of PII
Not all Personally Identifiable Information should be treated the same. Some personal information, if lost, compromised, or disclosed without authorization, can be used to cause harm:
to the individual, through embarrassment, identity theft or blackmail;
to the organization, through financial losses, lost opportunities, or loss of public reputation.

Non-Sensitive PII
Personally Identifiable Information that can be shared without concern is considered non-sensitive and can be shared publicly. Examples:
Directory information listed on a public website
Your business card
Public phone book
Name tag

Sensitive PII (SPII)
Personally Identifiable Information that can cause harm to an individual or organization is sensitive and must not be shared with or viewed by anyone unless that person has a legitimate need to know. Examples:
Social Security Number
Bank account number
Passport number
Driver's license or state ID number

Personally Identifiable Information (PII) – Context
Some PII is non-sensitive or sensitive depending on the context in which the data is used or reported. In both situations below the PII is the same, a student's first and last name; how the data is used or reported determines which category it falls into.
Non-sensitive: a student directory on a public website.
Sensitive: a report listing students with a disability.

Why we Protect PII
Okay, I know there is PII around our workplace, but why should I care?
1. Federal laws – Student records: FERPA; Health records: HIPAA; Individuals with disabilities: IDEA; National School Lunch Act.
2. Wisconsin State Statutes – General Duties of Public Officials – Personal Information Practices, Chapter 19 subchapter IV; Cooperative research on education programs; statewide student data system, s. 115.297; Teacher Certificates and Licenses, s. 118.19(1) and (10); Public School Pupil Records, s. 118.125, s. 118.126, s. 118.127, s. 118.169.

Why we Protect PII (continued)
3. Department of Public Instruction Policy – Employee Work Rules and Code of Ethics 3.105; Medical Information 3.205; Acceptable Use of Technology 4.105; Student Data Access 4.300; Confidentiality of Individual Pupil Data and Data Redaction (Screening) 4.315.
4. Ethics. When you possess other individuals' personal information you are obligated to handle it as if it were your own, so that you do not cause harm to the individual or to the organization you work for.

PII In our Work
Now that we understand the definition of Personally Identifiable Information (PII), the different types of PII (sensitive and non-sensitive), and our duty to handle PII safely, two questions remain: What kind of PII and SPII do we have? Where can we find PII and SPII in our work?

PII In our Work
PII and Sensitive PII are used every day as we perform our work activities. Can you think of what PII and SPII exist in your work environment? Can you think of where PII and SPII are located in your work environment?

What kind of PII do we find in our Workplace?
Financial: bank account numbers, tax IDs, credit/debit card numbers
Educator: Social Security Number, license number, fingerprints
Student: Wisconsin Student Number, economically disadvantaged status, primary disability
Human Resources: health information, applications, state ID badge

PII In our Workplace
Where can we find PII and Sensitive PII (SPII) in our workplace?
Common use areas: copiers, fax machines, network printers, phones, meetings (formal or informal), projectors, filing cabinets, break room.
Work area: computer applications; PC, laptop, tablet, PDA; network file server; email and instant messages; meetings; phone (cell or landline); filing cabinets and file folders; media (flash drive, disk, etc.); on top of the desk.

PII Outside Our Workplace
Sometimes work PII and Sensitive PII (SPII) are taken outside the workplace. Places where they can be found outside work:
At home, at a conference, in a hotel or meeting room
Vehicle, bus, taxi or plane
Briefcase, purse, backpack
Laptop, tablet, PDA, phone
Removable media

List of PII that is always Sensitive
Student data: Wisconsin Student Number (WSN); attendance; habitual truancy; suspension; expulsion; dropout; course-taking; retention; test results (WKCE, AP, ACT, AA-SwD, ACCESS, etc.); primary disability category; migrant status; homeless status; English language proficiency level; educational environment; free and reduced lunch eligibility status.
General data: Social Security Number; driver's license or state ID card; passport number; DNA profile; biometric identifiers (x-ray, retinal scan, fingerprints, etc.); medical information; authentication information (passwords and the information used to reset them); financial information (bank account, credit/debit card, etc.); any PII used (queried or reported) in a sensitive context.

Protecting PII – Rules of Thumb
It is everyone's responsibility to protect the Sensitive Personally Identifiable Information of others. The next few slides list "Rules of Thumb" with the actions each of us needs to take.
Apply the "Golden Rule": treat other individuals' Sensitive PII as if it were your own. You probably would not leave your own debit card and Social Security card on your desk and go home for the day.
If you identify a data breach of Sensitive PII, report it to your supervisor and the Help Desk immediately. When reporting a breach, do not send the breached information in email; doing so only spreads the breach further.

Protecting PII – Rules of Thumb (continued)
Whenever possible, minimize the duplication and dissemination of electronic files and papers containing Sensitive PII.
As a best practice, every request you make for Sensitive PII from outside the organization should be accompanied by a reminder of how to secure the information properly. This limits unnecessary dissemination of individuals' personal data and makes the sender aware of what information is being collected and why. A sample note:
"The information I have requested contains Sensitive Personally Identifiable Information. To secure it properly, please send it in an encrypted format, delivered in a secure manner."

Protecting PII – Rules of Thumb (continued)
If you receive Sensitive PII in an unsecured format, do not forward or copy it until you have secured it.
Destroy all Sensitive PII once it is no longer needed.
Ensure your departmental processes and procedures account for handling the various types of Sensitive PII.
Contact the Help Desk if you need a mobile hotspot or encrypted removable media (USB drive, CD), need your disk drive encrypted, or need a secured shared network drive created.
Limit the use of Sensitive PII: access or use it only when you have a "need to know" to perform your job. If you are unsure whether the Sensitive PII relates to your official duties, ask your supervisor.

How to Protect Sensitive PII – In my Office
Never leave Sensitive PII unattended on a desk, network printer, fax machine, or copier.
Delete files and/or shred hard copies of Sensitive PII when no longer needed.
Physically secure Sensitive PII (e.g., in a locked drawer, cabinet, desk, or safe) when it is not in use or not otherwise under the control of a person with a need to know.
If your office is open and unsecured, avoid discussing Sensitive PII in person or over the telephone when you are within earshot of anyone who does not need to know the information.
If you must discuss Sensitive PII using a speakerphone, phone bridge or video teleconference, do so only in a location where those without a need to know cannot overhear.

How to Protect Sensitive PII – In my Office (continued)
Be alert to social engineering and phishing: phone calls or emails from individuals claiming to be employees who try to obtain personal or non-public information, or who ask you to verify such information about yourself. Legitimate operational procedures will not ask you to verify or confirm your account login, password, or personal information by email or over the phone.

How to Protect Sensitive PII – On my Electronic Devices
All personal electronic devices and laptops should have disk encryption in place before they are used to store Sensitive PII.
Always store Sensitive PII on a secured shared drive rather than on your computer's hard drive or on an unsecured shared drive.
Lock your computer screen whenever you step away, by pressing CTRL + ALT + DEL and choosing "Lock this Computer".
Do not let your computer or browser remember passwords.
Do not share account information, especially logins or passwords, with anyone.
Do not leave login or password information where others can see it (e.g., on a sticky note on your computer).
When entering Sensitive PII in a website or web application, make sure the URL starts with https://. HTTPS protects the data while it travels; it does not tell you that the site is authorized to receive the data, so also confirm that the site is the one you intended.
Lock your laptop to your secured docking station at your desk.

How to Protect Sensitive PII – When sharing SPII with others
Ensure the individual(s) you are sharing the data with have a legitimate need to know.
If you are sharing sensitive data outside DPI, contact the Pupil Data Policy Officer to verify that a Memorandum of Understanding (MOU) or contract was created with the outside party.
Before sharing, verify whether the request can be met using DPI public tools (i.e. WINSS or WISEdash Public), or by removing Sensitive PII through summarization, redaction, anonymization, or obfuscation.
Use Secure FTP (SFTP) or a secured application to transfer data between two servers.
Email attachments containing SPII should always be password protected (encrypted). SPII emailed outside of DPI must be encrypted, with the password shared via a separate email or given to the individual in person or over the phone. Sharing the password in person or by phone is the stronger choice: a separate email to the same mailbox is exposed to anyone who can read that mailbox.
DPI uses a software package called Accellion for sending and receiving sensitive data; contact the DPI Help Desk if you need to use it.
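Two of the steps above, redaction and summarization, are mechanical enough to show in code. The Python below is an added example written for this page, not DPI's own tooling. It finds and redacts the two entries from the "always sensitive" list that have a checkable format (Social Security Numbers and payment card numbers), and it turns a student-level disability listing (sensitive, per the Context slide) into per-category counts with small-cell suppression, so that the report no longer links a name to a disability. The regular expressions, the 4111 test card number, the sample records and the minimum cell size of 10 are my assumptions, not values from the presentation.

```python
import re
from collections import Counter

# Constructed sample text (not from the presentation). 4111 1111 1111 1111 is a
# well-known test card number; every other value is made up.
SAMPLE = (
    "Student: Jane Doe, WSN 1234567890\n"
    "Parent card on file: 4111 1111 1111 1111 (exp 09/27)\n"
    "Educator SSN: 123-45-6789; office phone 608-555-0100\n"
    "Not an SSN: 000-12-3456; order number 987-65-4321\n"
)

# Assumed patterns. SSN: 3-2-4 digits with optional "-" or " " separators.
# Card: 13 to 19 digits with optional separators; the Luhn check below weeds out
# most phone numbers, order numbers and other digit runs the regex alone would flag.
SSN_RE = re.compile(r"\b(\d{3})[- ]?(\d{2})[- ]?(\d{4})\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def is_valid_ssn(area, group, serial):
    """SSA issuance rules: area is never 000, 666 or 900-999; group is never 00; serial is never 0000."""
    a, g, s = int(area), int(group), int(serial)
    return a not in (0, 666) and a < 900 and g != 0 and s != 0


def luhn_ok(digits):
    """Luhn mod-10 check used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right, fold two-digit results
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def _card_digits(match):
    """Digits of a CARD_RE match if they pass Luhn, else None."""
    digits = re.sub(r"\D", "", match.group(0))
    return digits if luhn_ok(digits) else None


def find_spii(text):
    """Return (kind, matched_text) for each SSN and card number found; SSNs first, then cards."""
    hits = [("ssn", m.group(0)) for m in SSN_RE.finditer(text) if is_valid_ssn(*m.groups())]
    hits += [("card", m.group(0)) for m in CARD_RE.finditer(text) if _card_digits(m)]
    return hits


def redact(text):
    """Replace detected values with markers; a card keeps its last four digits for reconciliation."""
    text = SSN_RE.sub(lambda m: "[SSN REDACTED]" if is_valid_ssn(*m.groups()) else m.group(0), text)
    return CARD_RE.sub(
        lambda m: f"[CARD ****{_card_digits(m)[-4:]}]" if _card_digits(m) else m.group(0), text
    )


# Constructed roster (not real data): 25 students with no disability, 12 with a
# speech/language disability, 3 with autism.
ROSTER = []
for _category, _n in (("None", 25), ("Speech/Language", 12), ("Autism", 3)):
    ROSTER += [{"name": f"Student {len(ROSTER) + i}", "disability": _category} for i in range(_n)]

MIN_CELL = 10  # assumed minimum cell size; the presentation does not state DPI's threshold


def summarize_by_category(rows, field, min_cell=MIN_CELL):
    """Report counts per category instead of names, hiding any cell smaller than min_cell.

    If exactly one cell is hidden, the next-smallest cell is hidden too (complementary
    suppression); otherwise the published total gives the hidden value away."""
    counts = Counter(r[field] for r in rows)
    cells = {c: (n if n >= min_cell else None) for c, n in counts.items()}
    hidden = [c for c, v in cells.items() if v is None]
    if len(hidden) == 1 and len(cells) > 1:
        visible = [c for c, v in cells.items() if v is not None]
        cells[min(visible, key=counts.__getitem__)] = None
    return {"total": sum(counts.values()), "cells": cells}


if __name__ == "__main__":
    print(find_spii(SAMPLE))
    print(redact(SAMPLE))
    print(summarize_by_category(ROSTER, "disability"))
```

Run it directly to see the hits, the redacted text, and the suppressed summary. Pattern matching of this kind is a screening aid, not a decision: the SSA and Luhn checks reduce false positives but do not remove them, and an SSN written as nine bare digits inside a longer number is not caught. It supports, rather than replaces, the "need to know" judgement described above.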

How to Protect Sensitive PII – When sharing SPII with others (continued)
Avoid faxing Sensitive PII if at all possible. If you must use a fax to transmit Sensitive PII, use a secured fax line if one is available. Alert the recipient before faxing so they can retrieve the pages as the machine receives them, and after sending, verify that the recipient received the fax.
Seal Sensitive PII in an opaque envelope or container, and mail it using First Class or Priority Mail, or a traceable commercial delivery service (e.g., UPS or FedEx).
Encrypt Sensitive PII stored on CDs, DVDs, hard drives, USB flash drives, floppy disks, or other removable media before mailing or sharing it.

How to Protect Sensitive PII – While traveling
If you must leave SPII in a car, lock it in the trunk so that it is out of sight. Do not leave your briefcase, laptop or Personal Electronic Device (PED) in a car overnight.
Do not store a briefcase, laptop or PED in an airport, train or bus station, or any public locker.
Avoid leaving a briefcase, laptop or PED in a hotel room. If you must, lock it inside an in-room safe or a piece of luggage.
At airport security, place your briefcase, laptop or PED on the conveyor belt only after the belongings of the person ahead of you have cleared the scanner. If you are delayed, keep your eye on it until you can pick it up.
Never place a PED in checked luggage.
If your briefcase, laptop or PED is lost or stolen, report it immediately to your supervisor and the Help Desk.

How to Protect Sensitive PII – While traveling (continued)
If you plan to use a laptop or Personal Electronic Device (PED) in a public setting and need a network connection, check out a DPI mobile hotspot from the DPI Help Desk so that you have a secure connection.
DO NOT connect a laptop or PED that holds Sensitive PII to public wireless access in coffee shops, airports or other public places. These public connections are unsecured.

How to Protect Sensitive PII – While working remotely
DO NOT store or email Sensitive PII to your personal laptop or personal electronic device. Use a secured shared drive, Google Drive or encrypted media to access documents.
Use only secured network connections to access your work-authorized applications.
Make sure you secure Sensitive PII when it is not in use.
Limit the Sensitive PII taken outside the office. Take only the Sensitive PII you need to do your job.
Ensure other individuals at your remote location cannot see Sensitive PII.
Do not print Sensitive PII on your home or hotel printer.
Make sure your phone conversations about Sensitive PII are private and cannot be overheard.

PII – Information Overload Do you feel you heard enough about PII and Sensitive PII?

Additional PII Reference Material Refer to the following documents for additional PII examples and quick reference: PII Safeguard Quick Reference http://wise.dpi.wi.gov/files/wise/pdf/PII%20Safeguard%20Quick%20Reference.pdf Additional Examples of PII http://wise.dpi.wi.gov/files/wise/pdf/PII%20list%20of%20Examples.pdf

PII – Questions?
If you have any questions on Personally Identifiable Information, ask your supervisor.

Personally Identifiable Information (PII) – Credits
Information contained in this presentation is from:
Wisconsin Department of Public Instruction http://dpi.wi.gov/
United States Department of Homeland Security http://www.dhs.gov/
United States Department of Commerce - National Institute of Standards and Technology http://www.nist.gov/information-technology-portal.cfm