The UH Information Security Policy & YOU Jodi Ito Information Security Officer, ITS 956-2400.

2 The UH Information Security Policy & YOU
Jodi Ito, Information Security Officer, ITS
jodi@hawaii.edu, 956-2400

3 Agenda
- Intellectual Property (IP) and Personal Information (PI): working definitions
- Need to protect IP & PI
- PI: Hawaii State Laws
- UH Executive Policy E2.214: Security & Protection of Sensitive Information

4 Intellectual Property (IP)
From the World Intellectual Property Organization (WIPO): “Intellectual property refers to creations of the mind: inventions, literary and artistic works, and symbols, names, images, and designs used in commerce”

5 Need to Protect IP
- $$$$$$$!!
- Industrial espionage
- Recent articles: spying by China
  http://apnews.myway.com/article/20071115/D8SU6FE80.html
  http://www.washingtonpost.com/wp-dyn/content/article/2007/11/15/AR2007111501099.html

6 The US-China Economic and Security Review Commission's annual report to Congress says:
"Chinese espionage activities in the US are so extensive that they comprise the single greatest risk to the security of American technologies."

7 Personal Information
Hawaii State Law definition: "Personal information" means an individual's first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted:
(1) Social security number;
(2) Driver's license number or Hawaii identification card number; or
(3) Account number, credit or debit card number, access code, or password that would permit access to an individual's financial account.

8 PI or not PI?
- J. Smith: 555-66-777
- J. Smith: (808) 999-8888
- John Smith: 123 University Avenue
- John S.: 555-66-7777

9 Misuse of Personal Information
Financial fraud & ID theft:
- Open new credit accounts
- Write counterfeit checks against your accounts
- Unauthorized credit card purchases via phone or Internet
- Commit other acts of financial fraud

10 Other Misuses of Your Information
- Obtain official identification in your name
- Get a job in your name
- File fraudulent taxes in your name
- Ruin your financial & credit record

11 Protecting Your Own Information
- Annual credit check: http://www.annualcreditreport.com
- Opt-out: 1-888-567-8688, http://www.optoutprescreen.com
- Use a cross-cut shredder to destroy personal information
- Use locking mailboxes / use US postal mailboxes for outgoing mail
- Ensure receipt of & review monthly statements

12 More Tips
- Don’t respond to unsolicited requests for personal information
- Beware of scams
- Change your passwords regularly
- Online shopping: make sure shopping websites are secured
- Secure your computer
- Securely erase personal information stored on your computer
- Beware of peer-to-peer applications

13 Hawaii State Laws
2006: new state laws regarding identity theft
http://starbulletin.com/2006/05/26/news/story06.html

14 New State Laws
- Social Security Number Protection (HRS 487J)
- Security Breach Notification (HRS 487N)
- Destruction of Personal Information (HRS 487R)
- Security Freeze (HRS 489P-1, 489P-2, 489P-3)
- Reporting requirements

15 Social Security Number Protection
- Effective July 01, 2007
- Restricts businesses and government agencies from disclosing SSNs to the general public
- http://www.capitol.hawaii.gov/hrscurrent/Vol11_Ch0476-0490/HRS0487J/

16 Security Breach Notification
- Effective January 01, 2007
- Businesses & government agencies must notify individuals if their personal information has been compromised by unauthorized access/disclosure
- http://www.capitol.hawaii.gov/hrscurrent/Vol11_Ch0476-0490/HRS0487N/

17 Destruction of Personal Information Records
- Effective January 01, 2007
- Businesses & government agencies need to properly dispose of “personal information”
- http://www.capitol.hawaii.gov/hrscurrent/Vol11_Ch0476-0490/HRS0487R/

18 Security Freeze
- Victim of identity theft can place a “security freeze” on their credit information
- “Fraud Alert” vs. “Security Freeze”
- http://www.capitol.hawaii.gov/hrscurrent/Vol11_Ch0476-0490/HRS0489P/HRS_0489P-.HTM

19 Reporting Requirements
“A government agency shall submit a written report to the legislature within twenty days after the discovery of a material occurrence of unauthorized access to personal information records in connection with or after its disposal by or on behalf of the government agency.”

20 E2.214: The New UH Information Security Policy

21 Why the New Policy?
- Audit compliance & accountability
- UH “breach” June 2005: http://www.hawaii.edu/idalert/
- UH General Confidentiality Notice: http://www.hawaii.edu/ohr/docs/forms/uh92.pdf

22 UH Information Security Policy
- System-wide policy: E2.214: “Security & Protection of Sensitive Information”
- Signed by President McClain on November 21, 2007
- Encompasses handling of “sensitive” information
- Online at: http://www.hawaii.edu/apis/ep/e2/admin.html

23 Policy Overview
Defines classifications of information:
- Private
- Sensitive
Defines roles and responsibilities:
- Steward
- Custodian
- User

24 Overview - continued
- Collection, access, & handling of information: at rest, in transit, disposal
- ITS recommendations for “tools”
- Breach notification (mandated by state law)

25 Data Classification
- Public
- Sensitive (examples - not all encompassing):
  - Student records (FERPA)
  - Health information (HIPAA)
  - Personal financial info
  - SSN
  - Date of birth
  - Private home addresses & phone numbers
  - Driver’s license numbers & State ID numbers
  - Access codes, passwords, PINs, etc.
  - And more…

26 Roles & Responsibilities
- Information Resource Stewards
- Data Custodians
- Users: sign UH Confidentiality Notice

27 Information Resource Stewards
- Senior administrators responsible for functional operations
- Responsible for granting access to and classifying data
- Responsible for minimizing use and exposure
- May also function as data custodians

28 Data Custodians
- Managers/administrators of systems or media on which sensitive information resides
- Responsible for implementing and administering controls over the resources in accordance with all policies
- A user who downloads sensitive information becomes a “custodian” of that copy

29 Users
- Individuals granted access to sensitive information as required by their professional responsibilities
- Responsible for understanding and complying with applicable UH policies, procedures and standards for dealing with sensitive information

30 Access
- Granted by Steward or designee
- Process by which access is requested
- Should be on a “need-to-know” basis
- Access must be terminated immediately upon job change or resignation/termination

31 Transmission - Paper
- Delivered in sealed envelope
- Clearly marked for the intended recipient
- Marked “CONFIDENTIAL”
- Faxes must be promptly retrieved and protected at both ends

32 Transmission - Electronic
- Sensitive information must not be sent “in the clear”, including in email & attachments
- Use secure web servers when using web technologies to access sensitive information
- Use “encryption” when doing digital transmissions

33 Email Transmission
- Minimize use of email for sending sensitive information
- Use special care to ensure only the intended recipient gets the email
- Both sender and receiver should delete the email as soon as possible
- Sender should include a notice in the email informing the recipient that it contains sensitive information and requesting appropriate handling

34 Email Notice
CONFIDENTIALITY NOTICE: The contents of this email message and any attachments are intended solely for the addressee(s) and may contain confidential and/or privileged information and may be legally protected from disclosure. If you are not the intended recipient of this message or their agent, or if this message has been addressed to you in error, please immediately alert the sender by reply email and then delete this message and any attachments. If you are not the intended recipient, you are hereby notified that any use, dissemination, copying, or storage of this message or its attachments is strictly prohibited.

35 Electronic Storage
- Sensitive information should be stored only when specifically required and on as few systems/media as possible
- Systems must comply with basic computer security standards
- Use encryption as much as possible
- If stored unencrypted, systems must be in physically secure and controlled environments
- De-coupling of data

36 Mobile Devices
- Does it need to be stored on a mobile device??
- ENCRYPT, Encrypt, encrypt!
- Physically secure devices as much as possible
- Examples of mobile devices: laptops, CDs/DVDs, flash drives, external portable drives, PDAs, cell phones, mobile media players (iPods, MP3 players, etc.), magnetic tapes

37 Destruction
- Paper: use cross-cut shredders or contract shredding companies w/ credentials
- Electronic:
  - Erasable media: secure deletion tools (see ITS recommendations)
  - Unerasable media: physical destruction

38 Tools & Information
- http://www.hawaii.edu/askus/729, “Information Security” section
- Securing Your Desktop Computer: http://www.hawaii.edu/askus/593
- UH Filedrop: http://www.hawaii.edu/askus/673
- Encryption
  - Windows: http://www.hawaii.edu/itsdocs/win/gswwindowsencryption.pdf
  - Macs: http://www.hawaii.edu/askus/676
- Securely Deleting Electronic Information: http://www.hawaii.edu/askus/706
  - Windows: http://www.hawaii.edu/itsdocs/win/secureerasewin.pdf

39 Notification of Breaches
- Must notify all affected individuals
- Reported to the Legislature
- Timely notice
- Contents: clear & conspicuous, and include:
  - Description of incident
  - Type of information that was disclosed
  - Remediation and prevention actions taken
  - Telephone number and email address to call for further information & assistance
  - General advice on protection against identity theft
- Example: www.hawaii.edu/idalert

40 Recommended System Configurations
- Do you REALLY need to keep that INFO?
- Minimize physical access
- Minimize technological access
- Password protected with a “secure password”
- Firewall, network IPS, host IPS, etc.
- Private IP addresses
- Frequently & routinely update OS and applications (install patches on a regular basis)
- Check access logs daily

41 Backups
- Backups of sensitive information must be protected
- Transmission of backups of sensitive information must be protected

42 Questions?
Jodi Ito, Information Security Officer, ITS
jodi@hawaii.edu, 956-2400
