Managing Sensitive Data. Harvard Townsend, Interim University IT Security Officer, 532-2985. Dept Security Contacts Training, Oct 4, 2006.

Presentation transcript:

[Slide 1] Managing Sensitive Data. Harvard Townsend, Interim University IT Security Officer, College Court 114

[Slide 2] “…as we know, there are known knowns; there are things we know we know. We also know there are known unknowns; that is to say we know there are some things we do not know. But there are also unknown unknowns - the ones we don't know we don't know.”
Donald Rumsfeld, Secretary of Defense, 2002

[Slide 3] Why Should We Care?
93,998,906 and counting…
…the approximate number of records with personal identity information that have been compromised due to security breaches since February 15, 2005 (Privacy Rights Clearinghouse)

[Slide 4] Why Should We Care?
–Data entrusted to our care
–Handling a breach is very expensive
–Damage to the institution’s reputation


[Slide 6] Why Should We Care? It is the law:
–SB 196 Kansas Security Breach Law, takes effect Jan. 1, 2007: protects personal identity information; mandates prompt investigation and notification
–FERPA (student records)
–HIPAA (medical records)
–GLB (financial records)
–ECPA (electronic communications)

[Slide 7] Why Should We Care? It is K-State policy:
–PPM 3495 “Collection, Use, and Protection of Social Security Numbers”
–PPM 3415 “Information Security Plan” (GLB)
–PPM 7010, section .430 “Intellectual Property Rights”
–PPM 7010, section .440 “Data Access and Retention”
–PPM 3485 “Protecting Sensitive Data by Desktop Search Products”
–PPM 3060 “Kansas Open Records Act”
–PPM 3090 “Retention of Records”
–PPM 3430 “Security for Information, Computing and Network Resources”



[Slide 10] (diagram) Spoofed website, hosted on a server in China, beside the legitimate website

[Slide 11] (diagram) Phishing flow: hosted in Germany; source of spam; harvested data; victim login from Romania

[Slide 12] What is “Sensitive Data?”
–Sensitivity = level of protection required against disclosure and abuse
–Criticality = level of importance to the institution
–Risk = measure of the negative impact of an event and the probability that it will occur

[Slide 13] Data Classification
–Public data
–Internal restricted data
–Confidential data
–National Security Interest data

[Slide 14] Public Data
–Approved for distribution to the public
–No such thing as unauthorized disclosure
–Very low sensitivity
–Still needs protection
–Examples:
  –Course catalog
  –Campus maps
  –Online people directory
  –Extension publications
  –Press releases

[Slide 15] Internal Restricted Data
–Intended for use only within K-State for University purposes
–Requires access controls
–Public disclosure could cause problems
–Moderate sensitivity
–Examples:
  –Departmental intranet
  –Transaction log files
  –Budget data
  –Purchase orders

[Slide 16] Confidential Data
–Highly sensitive data that can only be disclosed to individuals with explicit authorization
–Protection required by law (FERPA, HIPAA)
–Unauthorized disclosure harmful or catastrophic to an individual, group, or the institution
–High sensitivity, thus requires the highest level of protection
–Examples: SSNs, credit card numbers, personal identity data, student records, personnel records, medical records

[Slide 17] National Security Interest Data
–Federal government classified data
–Restrictions determined by the source agency
–Moderate to high sensitivity, depending on federal classification
–Examples:
  –Biosecurity Research Institute data
  –DoD contracts
  –Homeland Security contracts

[Slide 18] Managing Confidential Data: General Guidelines
–Data owner must approve access
–Require strong authN/authZ for access
–Understand and secure all interfaces (“trust relationships”)
–Secure test and development systems
–Secure developers’ desktops
–Don’t use real data for test and development
–Control printing
–Encrypt stored data where feasible
–Fear wireless!

[Slide 19] Managing Confidential Data: General Guidelines (continued)
–Transmit securely (SFTP and SSH, not FTP and Telnet)
–Don’t send in e-mail
–Store on a secure server, not a desktop or laptop
–Place systems behind a firewall with a restrictive ruleset
–Restrict physical access and remote access to the server(s)
–Monitor 24x7x365
–Secure, frequent, off-site backups
–Destroy data thoroughly upon disposal
–Perform a security audit at least annually

[Slide 20] Social Security Numbers
–See the policy on the “Collection, Use, and Protection of Social Security Numbers”
–Removal from ID cards July 1, 2006
–Replaced with Wildcat ID (WID)
–Available in K-State Online, KATS, DARS, eID e-profile
–Full conversion in new SIS

[Slide 21] What Should You Do About SSNs?
–Read “Understanding K-State IDs”
–Communicate the issue to your department
–Identify uses of SSNs and compare them to policy requirements
–Be paranoid!
–Watch IT Tuesday for more info

[Slide 22] Credit Card Numbers
–Never store credit card numbers
–Use a third-party credit service company
–If you handle credit cards, review the Payment Card Industry Data Security Standards (PCI DSS)
–K-State is currently a level 3 merchant
–Become level 1 if compromised

[Slide 23] Mobile Devices
–Laptop or tablet PCs
–Smart phones like Blackberry, Palm Treo
–Personal Digital Assistants (PDAs)
–Portable media players (iPod)
–Storage media like USB flash drives, SD or CompactFlash cards

[Slide 24] Preventing Theft
–Use tracking and recovery software like Computrace from Absolute Software
–Use lock cables
–Apply a tamper-resistant asset tag or engrave the cover
–Use a nondescript carrying case
–Don’t let it out of your sight when you travel
–Always take it in your carry-on luggage
–Don’t leave it in view in your car
–Lock it securely with a cable in your hotel room

[Slide 25] Data on Mobile Devices
–DON’T store confidential data on mobile devices
–If you must, encrypt it
–Beware of managing encryption keys
–Keep the original file(s) on a secure server
–Diligently manage the security of the device (patches, antivirus software, firewalls, etc.)

[Slide 26] Rumsfeldisms on IT Security
On interrogating hackers:
“I don't know what the facts are but somebody's certainly going to sit down with him and find out what he knows that they may not know, and make sure he knows what they know that he may not know.”
On communicating with the media after a compromise:
“I believe what I said yesterday. I don't know what I said, but I know what I think, and, well, I assume it's what I said.”
“If I said yes, that would then suggest that that might be the only place where it might be done which would not be accurate, necessarily accurate. It might also not be inaccurate, but I'm disinclined to mislead anyone.”
“Learn to say 'I don't know.' If used when appropriate, it will be often.”
“I am not going to give you a number for it because it's not my business to do intelligent work.”

[Slide 27] Questions?