Data Security Issues in IR Eileen Driscoll Institutional Planning and Research Cornell University
What IR practitioners can do Legal consequences of data loss Resources
Don’t take work home If you must access student or other sensitive data from home, use a secure connection like Remote Desktop in Windows XP Use a VPN connection Wireless access –Create a closed network –Rename network –Encrypt –Update software regularly –Set adminstrator password –Disable file sharing
At Work Store student data files on a secure server, not on your personal computer Turn your computer off at night if you can be backed up during the day Strip identifying student information from data files when you work on them (ssn, address, name)
Securing your computer Run an anti-virus program daily Enable file autoprotect (Symantec Anti-Virus) Use complex passwords (test with password tester) Activate Windows Firewall Run Spybot, Windows Defender and Ad-Aware frequently Secure Delete
Secure your computer (cont) Turn off file sharing on your computer Turn off guest accounts Don’t use the administrator account on your computer for routine work Turn on a password protected screen saver for when you are away from your computer Lock your office Monitor your network traffic and usage Turn off FTP if you are not using it
Secure your computer (cont) Clear out your web browser cache Set Windows to automatic update Be sure that your anti-virus software is updated frequently
When traveling with a laptop Use an encrypted flash (thumb) drive Keep close physical possession of your computer and data Remove sensitive data from the laptop before travel If you need sensitive data, store it on a separate device like a CD and store it separately from the laptop Use full disk encryption
Sharing data Zip and password protect before sending Try not to send files via Cornell has the registrars drop box. Files are encrypted during transport over SSL ( using strong encryption only.
New York Information Security Breach and Notification Act Any NYS resident whose private information was acquired by a person without valid authorization must be notified You must notify the NYS attorney general, NYS consumer protection board, NYS office of cybersecurity Other states, including California, are passing similar laws
What to do if data security is breached Notify security office –Scan –Traffic analysis –Image –System (log) analysis IT security may report to data loss team (audit, police, counsel, communications, risk management, IT, representatives from unit)
Resources Securing your web browser EDUCAUSE Using wireless technology securely cert.gov/reading_room/Wireless-Security.pdf Procedures for dealing with security breach loss-prepare.html