
Copyright © 2010 K2Share, LLC. I thought it would never happen to me! How to Safeguard the Privacy of Migrant Children and Your Own? NYS Migrant Education.


1 Copyright © 2010 K2Share, LLC. I thought it would never happen to me! How to Safeguard the Privacy of Migrant Children and Your Own? NYS Migrant Education

2 About the Presenters
− Julio Rodriguez, CISSP, OME Technical Lead. Email: Julio.Rodriguez@ed.gov, (202) 260-1473
− Will Messier, Director ID/R-MIS2000-MSIX. Email: wmessier@nysmigrant.org, (202) 260-1394
− Rob Hillman, Information Systems Assistant. Email: rhillman@nysmigrant.org
− Odilia Coffta, Data Training Coordinator. Email: ocoffta@nysmigrant.org
2016 National Migrant Education Conference

3 Objectives
− Participants will be familiarized with the concept of cybersecurity and the impact of cyber-attacks
− Participants will review the process NYS embarked on this past year to implement the data security expectations from national and NYS standards
− Participants will be able to identify PII and understand the risks and responsibilities associated with handling it
− Identify the impact and consequences of improper disclosure of information and inadequate protection of computer resources
− Identify, report, respond to, and prevent cybersecurity incidents and PII breaches

4 Cybersecurity and Cyber-Attacks

5 What is Cybersecurity?
− Cyberspace – global domain within the information environment consisting of the interdependent networks and systems
− Cyber-attack – disrupting, disabling, destroying, or maliciously controlling a computing environment; or destroying the integrity of the data or stealing controlled information
− Cybersecurity – ability to protect or defend the use of cyberspace from cyber-attacks

6 What is the Impact of a Cyber-Attack?
− Incidents have surged 38% since 2014
− Cyber-attacks cost $300 billion to $1 trillion a year
− Data breaches average $154 per record
− Cost per data breach up to $3.79 million
− Attackers are often undetected for more than 200 days
− Top 3 attack patterns: social engineering, malware, and advanced persistent threat (APT)

7 Who are the Victims of Cyber-Attacks?
Government:
− Office of Personnel Management (OPM) – 21 million victims
− CIA Director – attackers used social engineering to compromise his personal AOL account
− Internal Revenue Service (IRS) – more than 300,000 taxpayer accounts
  − Hackers came armed with information they had gathered from other sources to circumvent identity verification
− Pentagon – intruders used phishing and malware to attack the email system used by the Joint Chiefs of Staff

8 Who are the Victims of Cyber-Attacks?
Cybersecurity Industry:
− Juniper Networks – attackers installed two backdoors embedded in the software’s source code
− Gemalto – attackers targeted the company’s cache of cryptographic keys (AT&T, T-Mobile, Verizon, Sprint)
− Kaspersky Lab – attackers were looking for information about attacks Kaspersky was investigating, and wanted to learn how Kaspersky’s detection software worked in order to bypass it

9 Who are the Victims of Cyber-Attacks?

10 What is happening in the Education Industry?
− Security Incidents: 165
− Confirmed Data Loss: 65
− Distributed Denial-of-Service (DDoS): 10
− Average Malware Events: 2,332
Source: Verizon’s “2015 Data Breach Investigations Report”

11 What is the Federal Government doing to Address Cyber Threats?
− Federal Information Security Modernization Act (FISMA)
  − Requires agencies to assess risk to information systems and provide security protections commensurate with that risk
  − Integrate information security into capital planning
− OMB Circular A-130, Appendix III: Security of Federal Automated Information Resources
  − Requires controls that are consistent with NIST guidance
− National Institute of Standards and Technology (NIST)
  − Develops standards, guidelines, and associated methods and techniques for information systems

12 Personally Identifiable Information

13 Personally Identifiable Information (PII)
Any information about an individual maintained by an organization, including:
− any information that can be used to distinguish or trace an individual’s identity, such as name, Social Security number, date and place of birth, mother’s maiden name, or biometric records
− any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information
As a MEP employee or contractor, you are responsible for protecting this data

14 Examples of PII and SPII
PII:
− Full Name
− Email Address
− Home Address
− Business Card
Sensitive PII:
− Social Security Number
− Driver’s License
− Passport Number
− Date of Birth
− Mother’s Maiden Name
− Financial Account Numbers
− Medical Records
− Passwords
Combining pieces of non-sensitive information could result in a set of information that is sensitive, e.g. answers to security questions

15 Migrant Student Information
− Migrant student information collected through the Certificate of Eligibility (COE) includes Sensitive PII
− Collection, transmission, and storage of this information must be protected
− Only access the data necessary to perform your job duties (e.g. official purposes related to providing services)

16 Family Educational Rights and Privacy Act (FERPA)
− Protects students’ PII and educational records from disclosure
− Governs who has access to this data
FERPA Exceptions (34 CFR § 99.31):
− School officials with legitimate educational interest
− Other schools to which a student is transferring
− Specified officials for audit or evaluation purposes
− Appropriate parties in connection with financial aid to a student
− Organizations conducting certain studies for, or on behalf of, the school
− Accrediting organizations
− To comply with a judicial order or lawfully issued subpoena
− Appropriate officials in cases of health and safety emergencies
− State and local authorities within a juvenile justice system, pursuant to specific state law

17 Discussion Questions
− Who should have access to a student’s PII?
− How can it be shared?

18 NYS Experience

19 Data Security Checklist
 Data Security Policy
 Secure devices
 Secure transfer/communication
 Training staff

20 Creating a Data Security Policy
− Review current policies from your governing institutions
− Learn current, relevant, and applicable laws
− Create sound and easy-to-follow policies
− Define a process in case of breaches of information

21 Example Data Security Policy
Rules of Behavior:
− Ensure only authorized employees have access to private information
− Ensure NYS Migrant Education information is not released without consent
User Credentials or Password Policy:
− Never share your account passwords with anyone else. You are responsible for all actions taken with your credentials
− Staff should create STRONG passwords that use a combination of uppercase letters, lowercase letters, numbers, and symbols, and are changed regularly

22 Example Data Security Policy (Cont.)
Data Protection:
− Physical documents containing PII should be kept in an area accessible only to staff that can be locked during non-business hours
− Unattended computers should be locked (e.g. using the keystroke [Windows] + [L]) or logged off
− Proper destruction methods should be observed when disposing of physical or electronic media
Incident Response:
− An incident can be a simple mistake, such as sending an email with PII to the wrong recipient
− It can be the result of a computer virus infection
− Better safe than sorry: report any warning signs

23 What is a Data Breach?
PII that is lost, stolen, disclosed, or otherwise exposed to unauthorized people and/or for unauthorized purposes. May be caused by improper:
 Storage – saving COEs or other documents with student data on unencrypted hard drives or on removable media without encryption
 Transmission – sending sensitive information, a combination of non-sensitive information, or documents without encryption
 Processing – reviewing student records in public areas or using public Wi-Fi

24 What to do after a Data Breach?
 Step 1: Contain the breach
 Step 2: Contact your immediate supervisor
 Step 3: Contact the ID&R / MIS2000 Director
 Step 4: Document the breach
On many occasions, the ID&R / MIS2000 Director might request that you participate in a detailed evaluation of the events leading to the breach for official records, prevention, and other uses

25 Risks of Improper PII Handling and Breaches
Risks to Migrant Children and Families:
 Identity theft, financial loss, and/or credit damage
 Emotional distress
 Loss of confidence in the government
Risks to MEP Employees:
 Disciplinary action resulting in: loss of clearance, loss of access to PII, or loss of employment
 Penalties under the Family Educational Rights and Privacy Act or the Privacy Act
 Diminished reputation
Risks to the MEP:
 Diminished reputation
 Costs of mitigation and/or litigation
 Impact on agency processes
 Loss of the public trust

26 Secure Devices

27 Securing your Devices
− All computers containing PII should be encrypted
− Protected with a strong password
− Up-to-date antivirus
− Keep your inventory updated
When transporting your laptop or mobile device:
− If you must leave it in a car, lock it in the trunk
− Do not leave it in a car overnight
− Do not store it in an airport, a train or bus station, or any public locker
− Avoid leaving it in a hotel room, or lock it inside an in-room safe
− At the airport, never place it in checked luggage

28 Secure Transfer/Communication

29 Secure Transfer of Data
MSIX:
− Vendor MOU
− Review MSIX policies with staff
− Encryption over the internet (e.g. email, password-protected files)
− Separation of mediums (passwords over the phone, etc.)

30 Protecting PII in Communications
− Email the SPII within an encrypted attachment, with the password provided separately (e.g. by phone, in another email, or in person)
− Refer to your State policies and procedures for the authorized encryption mechanism
− The Federal Government requires the use of Federal Information Processing Standard (FIPS) 140-2 or an approved encryption mechanism
− Other password-protected encryption mechanisms include:
  − Microsoft Office – Encrypt with Password
  − PDF – Password Security
  − WinZip – Encrypt zip / 7-Zip – Encryption

31 Training Staff

32 Training your Staff
− Explain the Data Security Policy in detail
− Never include PII/SPII in presentations, training materials, or MSIX notifications
− Demonstrate policy by example
− Make the new policy easily accessible
− Tailor your training and resources to the different positions in the MEP (principle of least privilege)
− Be patient
− Practice, practice, practice
− Make it personal

33 Shoulder Surfing & Social Engineering
− Be aware of individuals around you who can see your keyboard as you type in passwords
− Be aware of social engineering and scams. These include phony calls from help desks claiming to offer support for a problem you were not aware of, or suspicious emails asking you to click a link and enter your credentials

34 Shoulder Surfing & Social Engineering (Cont.)
Emails:
− Attachments should be scanned with antivirus software, and suspicious attachments should not be downloaded
− PII should NEVER be put in the body of an email; it should instead be sent as an encrypted attachment using appropriate encryption software
− Passwords to encrypted documents should be sent through alternative means outside of the email
− Only refer to a migrant student or individual by the Unique ID number assigned to them, such as those assigned by MSIX or MIS2000
− Include a confidentiality notice at the bottom of emails containing such attachments or information
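As an added illustration of the email rules on this slide (this is example code, not part of the original presentation), a small outbound-message screen in Python that flags Sensitive PII typed into an email body and a password travelling in the same message as its encrypted attachment. The PII patterns, the attachment types treated as password-protected containers, and the sample messages are assumptions constructed for the example.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Patterns for the Sensitive PII the slides list (SSN, date of birth, financial
# account numbers) and for a password typed into the body. The exact formats are
# assumptions made for this example, not a rule from the presentation.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
DOB_RE = re.compile(r"\b(?:DOB|date of birth|born)\b.{0,20}?(\d{1,2}/\d{1,2}/\d{2,4})", re.I | re.S)
ACCOUNT_RE = re.compile(r"\b(?:account|routing|card)\s*(?:no\.?|number|#)?\s*[:#]?\s*(\d{8,19})\b", re.I)
PASSWORD_RE = re.compile(r"\bpassword\b\s*(?:is|:)\s*\S+", re.I)
# Attachment types slide 30 names as password-protectable containers (assumed list).
PROTECTED_EXT = (".zip", ".7z", ".pdf", ".docx", ".xlsx")


@dataclass
class Finding:
    rule: str       # which email rule was violated
    evidence: str   # the matched text, for the reviewer


def screen_email(body: str, attachments: tuple[str, ...] = ()) -> list[Finding]:
    """Return the rule violations in an outgoing message; an empty list means it may be sent."""
    findings: list[Finding] = []
    for m in SSN_RE.finditer(body):                 # rule: no PII in the body
        findings.append(Finding("ssn_in_body", m.group()))
    for m in DOB_RE.finditer(body):
        findings.append(Finding("dob_in_body", m.group(1)))
    for m in ACCOUNT_RE.finditer(body):
        findings.append(Finding("account_number_in_body", m.group(1)))
    # Rule: the password for an encrypted attachment goes by another channel, never alongside it.
    pw = PASSWORD_RE.search(body)
    if pw and any(a.lower().endswith(PROTECTED_EXT) for a in attachments):
        findings.append(Finding("password_with_attachment", pw.group()))
    return findings


def mask_ssn(body: str) -> str:
    """Redact SSNs so a quarantined copy can be logged without re-exposing them."""
    return SSN_RE.sub("XXX-XX-XXXX", body)


# Constructed sample messages with fictional data for a stand-alone run.
BAD_BODY = ("Please enroll Maria. SSN 123-45-6789, DOB 04/12/2008. "
            "The attached COE.zip password is Spring2016!")
GOOD_BODY = ("Please enroll student MSIX ID 12345678; COE attached, "
             "I will call you with the password.")

if __name__ == "__main__":
    for f in screen_email(BAD_BODY, ("COE.zip",)):
        print(f"BLOCK {f.rule}: {f.evidence}")
    print("clean message findings:", screen_email(GOOD_BODY, ("COE.zip",)))
```

The second message passes because it refers to the student by an ID, carries no SPII in the body, and promises the password by phone rather than in the message.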

35 Example confidentiality notice
"This electronic message is intended to be for the use only of the named recipient, and may contain information from the [organization] that is confidential or privileged, or protected by FERPA. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution or use of the contents of this message is strictly prohibited. If you have received this message in error or are not the named recipient, please notify us immediately, either by contacting the sender at the electronic mail address noted above or calling the [organization] at [phone number], and delete and destroy all copies of this message. Thank you."

36 Finally…
− Always, always check with your governing institutions
− Be patient
− Be proactive
− Understand that this is an ever-evolving field

37 Frequently asked questions
− “Can’t I just send the password to an attached file in a second email?”
− “Do I HAVE to use the MSIX number to refer to the student in an email?”
− “What do I do if a teacher sends me an email about a migrant student containing PII information?”

38 If You Suspect a PII Breach
Notify:
− Your State or MEP designated information security personnel as soon as possible
− The MSIX Help Desk at 1-866-878-9525 or email MSIXSupport@Deloitte.com
MEPs must report a breach (actual or potential) within 1 hour of discovery, so time is of the essence
