Security Is Everyone’s Responsibility October 22, 2014.
Agenda
– Introduction (Scott Douglass)
– Legal Issues (Laure Ergin)
– Risk & Challenges (Kirk Die)
– What IT is Seeing & Doing (Jason Cash)
– Unit & Employee Responsibilities (Karl Hassler)
– Sensitive Data (Karl Hassler)
– Wrap Up / Discussion (Scott Douglass)
– Resources

Introduction
Today’s Reality
  – More organizations are revealing they’ve been breached
  – Public pressure
  – Disclosure laws
Why We’re Here
  – Begin a dialogue
  – Raise awareness
  – Educate
  – Provide resources

Legal Issues
Which law applies depends on:
  – Location of institution
  – Type of information
  – Role of person storing the information
  – How the information was obtained
Privacy / Security
  – Privacy: the freedom from having information disclosed without one’s consent
  – Security: the mechanism(s) in place to protect the privacy of information

Applicable Laws
– Family Educational Rights & Privacy Act (FERPA): protects student educational records
– Gramm Leach Bliley Act (GLBA): protects financial information of customers
– Health Insurance Portability & Accountability Act of 1996 (HIPAA): protects patient information
– Payment Card Industry Data Security Standard (PCI-DSS): protects credit card information
– Delaware Breach Notification Law (Del. Code, Title 6, Sec. 12B-101 et seq.): requires breach notification in the event of a data breach
– The Jeanne Clery Disclosure of Campus Security Policy & Campus Crime Statistics Act (Clery Act): requires reporting of crime statistics to the general public and the federal government
– Computer Fraud & Abuse Act: criminalizes hacking into computers and computer networks
– Communications Decency Act: regulates obscenity in cyberspace
– Children’s Online Privacy Protection Act (COPPA): regulates commercial operators that are directing services to children under 13
– Communications Assistance for Law Enforcement Act (CALEA): regulates assistance that must be provided to law enforcement for phone tapping purposes
– Federal Information Security Management Act (FISMA): regulates how federal information, computers and networks are secured through contracts and possibly soon grant documents

Types of Laws
– Some laws are about what we can and can’t do with information we have; the focus is protecting information.
– Some laws are about information we have that we must share with individuals and our community, and report to state and federal governments; the focus is disclosure.
– Some laws are about what you can and can’t do on your computer or on the internet; the focus is on regulating conduct and behavior through or on the internet.
– Some laws go beyond securing information and want to make sure your information systems (computers and networks) are secure and protected.

Potential Risks
Legal Compliance
  – Failure to comply with privacy laws and regulations can result in significant legal sanctions, liability, fines, and other unpleasant consequences.
  – Regulatory agencies are stepping up enforcement, meaning surveys are being sent out, questions are being posed, and ultimately on-site audits are conducted.
  – State attorneys general have enforcement power for state privacy/security laws, plus they can enforce certain federal laws, too (HIPAA, COPPA).
  – Privacy and security laws are expanding in their coverage.

Other Potential Risks
– Reputational Injuries
– Damage to Student Well-Being
– Damage to Employee Well-Being
– Soured Relationships
– Financial Injuries
– Time and Resources

University Data Security Challenges
– Open Environment: many have access to records and control their own data
– Social Security number as a student identifier: resides on many systems
– Data Retention: tend to archive vs. delete
– Research: studies can use vast amounts of sensitive information
– Sharing: culturally, much data is shared among colleagues

Target Rich Environment
– In General: need to allow less access
– Social Security number and other personal identifiers: retain in as few places as possible and only when needed
– Data Retention: less is better
– Research: separate initiative to secure research data
– Sharing: be more careful about what we share and how

What IT Is Seeing
– 171 UDELNET accounts compromised
– 20 machines disabled on average per week due to malware, etc.

What IT Is Doing
Created:
  – IT Security & Compliance Office (modernize policies)
  – Technical Security Group
– Locate old data (SSNs)
– Protect current data (more than SSNs!)
– Detect intrusions (FireEye, Snort, NGFW, etc.)

What does IT need?
– Process PII/SSN scan results.
– Desktop and laptop PII scanning software coming soon.
– More SSNs. No, really.

Unit Responsibilities: Some Action Items
– Follow UD Policies
– Develop an Information Security Plan
  – Inventory data and devices (know what you have)
  – Classify (assess sensitivity and risk)
  – Establish protocols to manage, access and use (playbook)
  – Protect data
  – Limit use and retention
  – Evaluate processes (where and how is data at risk?)

Employee Responsibilities: Some Action Items
Unit Administrators
  – Inventory
  – Classify
  – Protect
  – Communicate
Employees
  – Understand responsibilities and requirements
  – Ask questions!

Employee Responsibilities: Some Action Items
– Perform periodic reviews
  – Encrypt sensitive regulated data that must be retained
  – Purge or archive unneeded data
  – Management standards followed?
  – New control gaps?
– Report the loss or misuse of devices immediately

Types of Sensitive Data (1)
Confidential PII (Personally Identifiable Information)
– First Name or Initial and Last Name, along with:
  – Social Security Number;
  – Driver’s License Number or State-Issued ID Number;
  – Alien Registration or Government Passport Number; or
  – Financial Information: account, credit or debit card number
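The definition above is a combination rule: a record is Confidential PII only when a name appears together with at least one regulated identifier. That is exactly the decision a data-discovery tool has to make when IT "processes PII/SSN scan results," so the following is an added worked example of that triage step. It is not code from the presentation or from any University of Delaware scanning tool; the regular expressions, the sample file names and their contents are constructed for the illustration. It matches only SSNs and payment card numbers (the latter filtered with a Luhn check to drop random digit runs); driver's license, state ID, alien registration and passport numbers vary by issuer and would need per-issuer patterns in a real tool.

```python
"""Triage data-discovery hits against the 'Confidential PII' combination rule:
a first name or initial plus last name, together with a regulated identifier.

Added example, not the presentation's or any UD tool's code.  Patterns and
sample documents are constructed; only SSNs and payment cards are detected.
"""
import re
from dataclasses import dataclass, field

# SSN in 3-2-4 form.  Area numbers 000, 666 and 900-999 are never issued, the
# group is never 00 and the serial is never 0000; excluding them removes the
# most common false positives (dates, phone-number fragments).
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")

# Payment card: 13 to 19 digits, optionally separated by single spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

# Name heuristic: a capitalised first name or an initial, then a capitalised
# surname.  Deliberately simple; a person reviews hits before acting on them.
NAME_RE = re.compile(r"\b[A-Z](?:[a-z]+|\.)\s+[A-Z][a-z]+\b")


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit test; random digit runs fail it about 90% of the time."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


@dataclass
class ScanHit:
    path: str
    has_name: bool = False
    identifiers: set = field(default_factory=set)
    classification: str = "No regulated identifier"


def scan_text(path: str, text: str) -> ScanHit:
    """Apply the combination rule to one document and record what was found."""
    hit = ScanHit(path=path)
    hit.has_name = NAME_RE.search(text) is not None
    if SSN_RE.search(text):
        hit.identifiers.add("SSN")
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hit.identifiers.add("financial account")
    if hit.identifiers:
        # Name plus identifier is Confidential PII under the slide's definition;
        # an identifier on its own is not, but still gets queued for review.
        hit.classification = ("Confidential PII" if hit.has_name
                              else "Review: identifier without name")
    return hit


# Constructed sample files standing in for the scanner's input (not real data).
SAMPLE_DOCS = {
    "roster.txt": "Jane Doe, SSN 123-45-6789, enrolled fall 2014",
    "payments.csv": "card 4111 1111 1111 1111 charged on 10/22",
    "notes.txt": "Karl Hassler presented the unit action items",
    "orders.log": "order 1234567890123456 shipped",
}


def triage(docs=SAMPLE_DOCS):
    """Return {path: classification} for a batch of documents."""
    return {path: scan_text(path, text).classification
            for path, text in docs.items()}


if __name__ == "__main__":
    for path, result in triage().items():
        print(f"{path:14} {result}")
```

Running it on the constructed batch flags roster.txt as Confidential PII, queues payments.csv for review (a valid card number but no name), and clears the other two: notes.txt has a name but no identifier, and the 16-digit order number in orders.log fails the Luhn check. The "review" bucket is the point of the exercise: the rule needs both halves, so a scanner should report identifier-only hits separately rather than either ignoring them or labelling them PII.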

Types of Sensitive Data (2)
– Student Data
– Health Information
– Financial Account Information, Credit Card #s
– Certain Employment Data
– Personally Identifiable Human Subject Research Data
– UDelNet account passwords

Discussion

Resources & Tools
UD Policies
  – htmlhttp:// 15.html
  – htmlhttp:// 22.html
Privacy & Confidentiality
Security Reporting

Security Is Everyone’s Responsibility September 30, 2014