Secure IT 2005 Panel Discussion Felecia Vlahos, SDSU Sally Brainerd, UCSD Brooke Banks, CSU Chico.

Presentation transcript:


Secure IT 2005 – Panel Discussion

Agenda
CCC Review
SDSU Overview
UCSD Overview
CSU Chico Overview
Common Questions
Questions From Attendees

California Civil Code AKA SB1386, California Database Notification Act (check civil code box, type )

Any agency that owns or licenses computerized data that includes personal information shall disclose any breach of the security of the system following discovery or notification of the breach in the security of the data to any resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person.

Personal information: individual's first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted:
(1) Social security number. (last four SSN + DOB, TAX ID)
(2) Driver's license number or California Identification Card number.
(3) Account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account (ACH).

Breach of the security of the system ... Reasonably believed to have been: unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by the agency.

California Civil Code …continued

The disclosure shall be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement, as provided in subdivision (c), or any measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system…

Resident of California:
Unencrypted:
Most expedient time possible and without unreasonable delay:
Needs of law enforcement: will impede a criminal investigation….the law enforcement agency determines that it will not compromise the investigation
Any measures necessary to determine the scope of the breach:
Restore the reasonable integrity:

SDSU Overview
Felecia Vlahos, ISO
Feb 24/March
Financial aid file server + 19 others
Unpatched faculty system/Internal password attack
Sending spam and downloading music
FAFSA applicants up to 10 years prior
SSN/DOB
Managed by IT Security Office
206,876 notified
$187,254

UCSD Overview
Sally Brainerd, Associate Controller
April 16 – 18, 2004
EFT (Financial Aid), 2 Scan Stations & a Check Process Station
Non-encrypted files, stranded images and stored cached check data
FTP Servers installed
Students, applicants, staff, faculty, parents
SSN, DL, Bank (Checking account)
Office of the Controller/BFS Systems
Announced 380k, actual 364k, notified 322k
$204,000

CSU Chico Overview
Brooke Banks, ISO
Feb 16/March
Housing office server
Web/File/Print server with unencrypted historical records
Root kit and FTP server installed, scans of other servers
ID card file - faculty, staff and students (Name, SSN)
Housing database – prospective students, as well as residents for last 5 years (Name, SSN, contact information)
Managed by IT Security Office
59,268 notified via e-mail and/or postal mail
Cost TBD

FAQ 1. What security measures were in place to prevent incident? What changed afterward?

FAQ 2. Was law enforcement contacted? Able to identify hacker?

FAQ 3. Discuss interpretation of CCC most expedient and process used to produce notifications (letters/web/e-mails)

FAQ 4. Reaction from University staff/faculty/students?

FAQ 5. What volume and types of calls/e-mails/letters/media received after notification?

FAQ 6. What types and values of cost were incurred?

Questions from Attendees