Data Security Overview ORSP Staff AT Desktop Service Team November 18th, 2014

2 Objectives ORSP staff will be able to: Recognize confidential data Understand the risks of exposing confidential data Facilitate a dialog within ORSP for increasing security of confidential data

3 Why Data Security?

4 What Is Confidential Data? Passwords, credentials, or PIN’s Social Security Number and Name Birth date + four digits of SSN and Name Credit Card Numbers Tax ID + Name Driver’s License, State ID, Passport Health Insurance Information Medical or Psychological Counseling Records Bank Account or Debit Card + access code More….

5 What Does It Look Like? Budget Spreadsheets (pre-2009) Scanned ID for Travel Invoices (Tax ID)

6 Why Bother? Ethical: we care about the privacy of the records we handle on behalf of faculty, staff, and students Trust and Prestige: the University is entrusted with personal information; ORSP granting authority Disruption: when data is lost, lots of paperwork must be completed, processes changed Financial: security Breaches are calculated as a cost per record (sample cost = $64 per record) Think about the institutions you transact with (banking, medical, etc.). How do you want your personal data handled?

7 ORSP and Risk Liability 763,000 Social Security Numbers 4,000 are Credit Card Numbers 200 passwords (unanalyzed findings from sensitive data scan) Example cost: 50,000 SSN’s X $64 = $3,200,000

8 ORSP and Confidential Data If you’ve worked for ORSP for more than five years, you have confidential data in your file storage. Payroll: SSN’s for faculty, staff, student employees, contractors, etc. Fiscal: Vendor payment vouchers include Tax ID and business name Travel: Passports, CaDL, State ID Passwords: spreadsheets or text files with passwords to University system (or personal systems)

9 How Can I Protect My Work at ORSP? Recognize confidential data Remove unused/inactive confidential data files Stop using confidential data files Secure workstation, network, storage (AT Desktop) Be cautious of phishing Do not leave workstation unattended while logged into sensitive systems

11

12 ORSP Next Steps 1.Reduce the amount of old or unneeded data in ORSP storage (and by proxy, reducing the amount of confidential data) 2.Identify where ORSP uses confidential data in its workflow (where it currently uses it, where it can cease to use it)

13 Reduce Inactive Data Review existing share folders to identify non-active folders/files and those that are no longer needed

14 Where Does We Use Confidential Data? What ORSP work processes generated the confidential data? Are those processes still required?

15 More Resources… CSU Skillport Training (will be replacing former ESIP training) 1.Visit 2.Select "San Francisco" 3.Login with your SF State ID and password 4.Select "My Plan" For FERPA training: * Find "FERPA" and click "Launch" For Data Security & Privacy Training * Find "Data Security & Privacy" and click "Launch"

16 For Questions, Contact: AT Desktop Service Phone: Ticket: