PII / IDENTITY THEFT Is Your University an Open Market for ID Thieves? TACUA 2011 Carol Rapps CIA, CISA, CCSA, GLIT 210-458-4679.

Presentation transcript:

PII / IDENTITY THEFT
Is Your University an Open Market for ID Thieves?
TACUA 2011
Carol Rapps CIA, CISA, CCSA, GLIT


• Academic
• Research – Tier 1
• Health Care
• Public
• Private
What do you know?

• A CHANCE TO SHARE
• VALUE
  ◦ Take away one good concept/tool/story/laugh.
• GAME --- WHERE’S THE PII?
  ◦ Honesty counts! Don’t make me audit your score!
• TIMELINE – keep us on track – time keeper
  ◦ 2:35 - stop to tally the score


• What is it?
• Who are the thieves?
• What do thieves do with it?
• How is an identity stolen?
• Who is at risk?

• What is it?
• Where is it?
• Who keeps it?
  ◦ Game…… You will need paper & pencil/pen
• When do they collect it?
• Why do they collect/keep it?
• How do they store it?

Timeline:
2012 ??
2011 Dept Ed
2010 Red Flag
2009 Massachusetts
2002 California
1996 Canada
1984 UK
1980 OECD
1978 France
1974 Germany
1973 Sweden
1968 UN
1998 ID Theft Act

• FERPA
• HIPAA
• HITECH ACT
• GLBA
• RED FLAG
• STATE SECURITY BREACH LAWS
  ◦ National Conference of State Legislatures
• STATE DATA DISPOSAL LAWS
• STATE ENCRYPTION LAWS & IDENTITY THEFT STATUTES
• FEDERAL ID THEFT & ASSUMPTION DETERRENCE ACT OF 1998
• PCI-DSS
• SEVP (Student & Exchange Visitor Program)
• FISMA
• FUTURE ---

• Comply with Security/Privacy Laws & Regulations
• Protect PII / PRIVACY
“The rights and obligations of individuals and organizations with respect to the collection, use, disclosure, and retention of personal information.”
The American Institute of Certified Public Accountants (AICPA)/CICA 2005

• Collection Limitation
• Data Quality
• Purpose Specification
• Use Limitation
• Security Safeguards
• Openness
• Individual Participation
• Accountability
“Privacy is the protection of personal data and is considered a fundamental human right”
OECD Guidelines 1980

• ID Applicable Rules, Laws, Regulations
• Conduct PII Discovery & Privacy Risk Assessments
  ◦ Impact (# records)
  ◦ Likelihood
• Audit Privacy Framework
• Perform Law/Regulation Specific Compliance Audits (e.g. PCI)
• Conduct General Security Audits
• Conduct Data Retention & Disposal Audits

• Train ALL Auditors
• Add Privacy Principle Audit Steps to ALL Audits
• PII Sampled in ALL Data Security Audit Steps
• Regulation Repository
• Document Location of PII Data & Controls (Repository)
• Protect Your Own Information
• Participate In Incident Reporting Process
• Integrate Audit Processes into Fraud Root Cause Analysis

• Security Breaches At Universities In Past 2 Years
  ◦ Privacy Rights Clearinghouse
  ◦ Jan 2009-Aug 2010: 122 Breaches for total of 1,653,065 records
• Average Cost of Security Breaches
  ◦ Accenture/Ponemon Institute Joint Project 2009
  ◦ US - $204 Per Record
  ◦ International: $232 Per Record
  ◦ You Do The Math
• Unpublished Breaches
  ◦ I’ll Tell You Mine, You Tell Me Yours.
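As an added example (not from the presentation), a small PII discovery scan of the kind the "Where's the PII?" exercise and the "PII Discovery & Privacy Risk Assessment" audit step call for: it validates SSN and card-number hits in constructed sample records, then sizes impact as record count times the $204-per-record figure cited above. The sample records, the phone number and the likelihood factor are assumptions.

```python
"""PII discovery sample: scan constructed records for SSNs and card numbers,
then size the impact as the slides suggest (record count x cost per record)."""
import re

SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")

# Constructed sample of the kind of records an audit sample might turn up.
SAMPLE_RECORDS = [
    "student_id=1001 name=A. Example ssn=123-45-6789 dorm=West",
    "student_id=1002 name=B. Example ssn=000-12-3456 dorm=East",   # invalid SSN area
    "payment id=77 card=4111 1111 1111 1111 amount=250.00",          # passes Luhn
    "payment id=78 card=4111 1111 1111 1112 amount=19.99",           # fails Luhn
    "ticket=5 phone=210-555-0147 note=call back",                    # phone, not PII here
]

def ssn_plausible(area, group, serial):
    """SSA issuance rules: area not 000/666/900-999, group not 00, serial not 0000."""
    a = int(area)
    return a not in (0, 666) and a < 900 and group != "00" and serial != "0000"

def luhn_ok(number):
    """Luhn mod-10 check used by payment card numbers (a PCI-DSS scope trigger)."""
    digits = [int(c) for c in re.sub(r"[ -]", "", number)]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def find_pii(records):
    """Count records that contain a validated SSN or card number (false positives filtered)."""
    counts = {"ssn": 0, "card": 0}
    for line in records:
        if any(ssn_plausible(*m) for m in SSN_RE.findall(line)):
            counts["ssn"] += 1
        if any(luhn_ok(m) for m in CARD_RE.findall(line)):
            counts["card"] += 1
    return counts

def breach_impact(records_with_pii, per_record_cost=204.0, likelihood=1.0):
    """Impact = #records x cost per record (Ponemon 2009 US figure), scaled by an
    assumed likelihood; likelihood=1.0 gives the worst-case 'you do the math' number."""
    return records_with_pii * per_record_cost * likelihood

if __name__ == "__main__":
    hits = find_pii(SAMPLE_RECORDS)
    print(hits, breach_impact(sum(hits.values()), likelihood=0.25))
```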

ADD TO LIST (ANYTHING NEW)
SCORING
Honesty counts! Don’t make me audit your score!