Peeling Back the Layers of an Ogre (or for those who like boring titles – Where is Our Confidential Data Hiding?) Harvard Townsend IT Security Officer.

Presentation transcript:

Slide 1: Peeling Back the Layers of an Ogre (or for those who like boring titles – Where is Our Confidential Data Hiding?)
Harvard Townsend, IT Security Officer
October 31, 2007

Slide 2: Agenda
- Why should we care?
- What should we care about?
- What are the threats?
- What can we do about it?

Slide 3: Why Should We Care?
167,706,372 and counting… the approximate number of records with personal identity information compromised due to security breaches since January
In 2006, 3 million college students were possible victims of identity theft (CDW-G study)
Identity theft is the fastest growing crime

Slide 4: Why Should We Care?
Handling a breach is very expensive

Slide 5: Why Should We Care?
Damage to the institution’s reputation

Slide 6: Why Should We Care?
Your reputation or job may be on the line

Slide 7: Why Should We Care?
It is the law:
- SB 196, Kansas Security Breach Law: protects personal identity information; mandates prompt investigation and notification
- FERPA (student records)
- HIPAA (medical records)
- GLB (financial records)
- ECPA (electronic communications)
- Federal Rules of Civil Procedure (e-Discovery)

Slide 8: Because Visa Said So
Payment Card Industry Data Security Standards (PCI DSS) Version 1.1, published in Sept
“PCI DSS requirements are applicable if a Primary Account Number (PAN) is stored, processed, or transmitted.”
Do you know who is handling credit card info on campus and how they are doing it?

Slide 9: Credit
I’m not putting this info in the PowerPoint presentation!!

Slide 10: What Should We Care About?
All data needs protection
Particularly interested in confidential data:
- Highly sensitive data that can only be disclosed to individuals with explicit authorization
- Protection required by law (FERPA, HIPAA)
- Unauthorized disclosure harmful or catastrophic to an individual, group, or institution
- Examples: SSN, credit card info, student grades, medical records

Slide 11: What Are the Threats?
- Ignorance
- Theft, external and internal
- Inadvertent disclosure
- Improper disposal
- Highly distributed IT services
- Backups
- Catastrophic failure or other disaster
- Mobility: laptops, wireless, USB thumb drives, SmartPhones

Slide 12: Fear Laptops!

Slide 13: What Can We Do About It?
Know your data!
- Its value
- Its classification
- Its location (of every copy)
- Who is responsible for it
- Who has access to it
- The threats to it

Slide 14: What Can We Do About It?
“Data Classification and Security Policy and Standards”
- Classify data based on sensitivity
- Specify security requirements for each classification
- Define roles and responsibilities

Slide 15: Policy
“All University Data must be classified according to the K-State Data Classification Schema and protected according to K-State Data Security Standards. Exceptions must be approved in writing by the Chief Data Stewards and the Vice Provost for IT Services.”

Slide 16: Data Classification Schema
4 categories:
- Public
- Internal
- Confidential
- Proprietary

Slide 17: Data Security Standards
- Access Controls
- Copying/Printing
- Network Security
- System Security
- Physical Security
- Remote Access
- Storage
- Transmission
- Backup/DR
- Media Sanitization
- Training
- Audit Schedule

Slide 18: Implementation Strategy
Focus on confidential data first:
- SSNs
- Credit cards
Serve as a guideline for other data
Eventually require classification of all data

Slide 19: Where is the data located?
You would be surprised!
Tools to help:
- “Spider” from Cornell
- Sensitive Number Finder (SENF) from UT-Austin
- Not ready for your average user

Slide 20: Where is the data located?
- Gradebooks, esp. old spreadsheets
- Course web pages
- Homework assignments
- Exams
- Travel authorization forms
- Applications for admission
- Personnel papers
- Backup tapes, CDs, floppies, USB drives
Where have you found confidential data?

Slide 21: What Can We Do About It?
Delete unnecessary copies
Make sure it’s gone when deleted
Know how to protect it:
- K-State Data Security Standards
- K-State SSN Policy
- PCI DSS for credit cards
- K-State Mobile Device Security Guidelines
- Encryption

Slide 22: What Can We Do About It? SSNs
K-State Policy on “Collection, Use and Protection of Social Security Numbers”:
“Use of the SSN as an identifier will be discontinued, except where authorized for employment, IRS reporting, federal student financial aid processing, state and federal reporting requirements, and a limited number of other business transactions.”

Slide 23: What Can We Do About It? SSNs
Appendix A lists approved uses:
- Employment
- Application and receipt of financial aid
- Tuition remission
- Benefits administration
- Insurance
- IRS reporting
- Student information exchange (transcripts)

Slide 24: What Can We Do About It? SSNs
Start transitioning to use of the Wildcat ID (WID)
- iSIS is a key component of this transition
- Also the People Database
- Departments are moving in that direction
Where are the SSNs in your department?
- Run Spider from Cornell to find them
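As an added example (not the presentation's own material, and not code from the Spider or SENF tools named on slides 19 and 24), here is the core of what such a sensitive-number finder does: match the SSN and card-number shapes, use the Luhn check digit to drop most look-alike digit runs, and report where the data lives by file name and count only, so the report does not become one more copy of the data. The sample files are constructed; scan_directory and its path argument are hypothetical.

```python
import re
from pathlib import Path

# Constructed sample files standing in for the gradebooks and forms on the slides
SAMPLES = {
    "old_gradebook.csv": "name,ssn,grade\nA. Student,123-45-6789,B+\nB. Student,321-54-9876,A\n",
    "travel_form.txt": "Reimburse to card 4111 1111 1111 1111, exp 12/09\n",
    "syllabus.txt": "Office phone 785-532-6000; course number 123-456\n",
    "not_a_card.txt": "Ref 4111 1111 1111 1112 (fails the Luhn check)\n",
}

# SSN shape ###-##-####, rejecting area 000/666/9xx and all-zero groups
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# 13-19 digit run, optionally split by spaces or dashes, as card numbers are typed
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

def luhn_ok(digits: str) -> bool:
    """Luhn check digit test: a real PAN passes, most phone and ID runs do not."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def scan_text(text: str) -> dict:
    """Count SSN candidates and Luhn-valid card-number candidates in one file."""
    pans = 0
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            pans += 1
    return {"ssn": len(SSN_RE.findall(text)), "pan": pans}

def scan_files(files: dict) -> dict:
    """Report only files with hits, and only counts, never the matched values:
    the finder's output must not turn into another copy of the confidential data."""
    report = {}
    for name, text in files.items():
        hits = scan_text(text)
        if hits["ssn"] or hits["pan"]:
            report[name] = hits
    return report

def scan_directory(root: str) -> dict:
    """Same scan over the real files under a directory (hypothetical path argument)."""
    files = {str(p): p.read_text(errors="ignore") for p in Path(root).rglob("*") if p.is_file()}
    return scan_files(files)
```

Running scan_files(SAMPLES) flags only the old gradebook (two SSNs) and the travel form (one card number); the phone number and the digit run that fails Luhn are ignored.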

Slide 25: What Can We Do About It? Credit Cards
Must comply with the Payment Card Industry Data Security Standards (PCI DSS) no matter the merchant level (we’re level 2)
These are strong requirements:
- 12 major requirements in 6 categories
- 238 individual controls
- Annual self-assessment questionnaire
- Quarterly network security scan by an “approved scanning vendor”

Slide 26: What Can We Do About It? Credit Cards
The plan:
- Internal Audit documented campus practices
- Working group formed to develop strategy
- Use central service or comply with DSS
See http:// for more information:
- Data Security Standard v1.1
- Self-assessment questionnaire
- Network scanning procedure
- Security audit procedure

Slide 27: What Can We Do About It? Mobility
Don’t store confidential data on mobile devices!
Mobile device security guidelines

Slide 28: What Can We Do About It? Encryption
Stored data:
- Software encryption
- Hardware encryption
Transmitted data
SIRT team working on a software recommendation for:
- Laptops
- Removable devices

What’s on your mind?