The UH Information Security Policy & YOU
Jodi Ito, Information Security Officer, ITS (956-2400)

Agenda
- Intellectual Property (IP) and Personal Information (PI): working definitions
- Need to protect IP & PI
- PI: Hawaii State Laws
- UH Executive Policy E2.214: Security & Protection of Sensitive Information

Intellectual Property (IP) From the World Intellectual Property Organization (WIPO): “Intellectual property refers to creations of the mind: inventions, literary and artistic works, and symbols, names, images, and designs used in commerce”

Need to Protect IP
- $$$$$$$!! Industrial espionage
- Recent articles - spying by China: SU6FE80.html ; dyn/content/article/2007/11/15/AR html

The US-China Economic and Security Review Commission's annual report to Congress says: "Chinese espionage activities in the US are so extensive that they comprise the single greatest risk to the security of American technologies."

Personal Information Hawaii State Law definition: "Personal information" means an individual's first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted: (1) Social security number; (2) Driver's license number or Hawaii identification card number; or (3) Account number, credit or debit card number, access code, or password that would permit access to an individual's financial account.

PI or not PI?
- J. Smith:
- J. Smith: (808)
- John Smith: 123 University Avenue
- John S.:

Misuse of Personal Information
Financial fraud & ID theft:
- Open new credit accounts
- Write counterfeit checks against your accounts
- Unauthorized credit card purchases via phone or Internet
- Commit other acts of financial fraud

Other Misuses of Your Information
- Obtain official identification in your name
- Get a job in your name
- File fraudulent taxes in your name
- Ruin your financial & credit record

Protecting Your Own Information
- Annual credit check:
- Opt-out:
- Use a cross-cut shredder to destroy personal information
- Use locking mailboxes / use US postal mailboxes for outgoing mail
- Ensure receipt of & review monthly statements

More Tips
- Don’t respond to unsolicited requests for personal information
- Beware of scams
- Change your passwords regularly
- Online shopping: make sure shopping websites are secured (an HTTPS connection with a valid certificate before you enter card details)
- Secure your computer
- Securely erase personal information stored on your computer
- Beware of peer-to-peer (file sharing) applications: a misconfigured shared folder exposes whatever it contains to every other user of the network

Hawaii State Laws 2006: new state laws regarding identity theft

New State Laws
- Social Security Number Protection (HRS 487J)
- Security Breach Notification (HRS 487N)
- Destruction of Personal Information (HRS 487R)
- Security Freeze (HRS 489P-1, 489P-2, 489P-3)
- Reporting requirements

Social Security Number Protection
- Effective July 01, 2007
- Restricts businesses and government agencies from disclosing SSNs to the general public
- /Vol11_Ch /HRS0487J/

Security Breach Notification
- Effective January 01, 2007
- Businesses & government agencies must notify individuals if their personal information has been compromised by unauthorized access/disclosure
- /Vol11_Ch /HRS0487N/

Destruction of Personal Information Records
- Effective January 01, 2007
- Businesses & government agencies must properly dispose of “personal information”
- /Vol11_Ch /HRS0487R/

Security Freeze
- A victim of identity theft can place a “security freeze” on their credit information
- “Fraud Alert” vs. “Security Freeze”: an alert asks creditors to verify the applicant’s identity before extending credit; a freeze blocks release of the credit report altogether until the consumer lifts it
- /Vol11_Ch /HRS0489P/HRS_0489P-.HTM

Reporting Requirements “A government agency shall submit a written report to the legislature within twenty days after the discovery of a material occurrence of unauthorized access to personal information records in connection with or after its disposal by or on behalf of the government agency.”

E2.214: The New UH Information Security Policy

Why the New Policy?
- Audit compliance & accountability
- UH “breach” June 2005
- UH General Confidentiality Notice:

UH Information Security Policy
- System-wide policy: E2.214: “Security & Protection of Sensitive Information”
- Signed by President McClain on November 21, 2007
- Encompasses handling of “sensitive” information
- Online at:

Policy Overview
- Defines classifications of information: Private, Sensitive
- Defines roles and responsibilities: Steward, Custodian, User

Overview - continued
- Collection, access, & handling of information: at rest, in transit, disposal
- ITS recommendations for “tools”
- Breach notification (mandated by state law)

Data Classification
- Public
- Sensitive (examples - not all-encompassing):
  - Student records (FERPA)
  - Health information (HIPAA)
  - Personal financial info
  - SSN
  - Date of birth
  - Private home addresses & phone numbers
  - Driver’s license numbers & State ID numbers
  - Access codes, passwords, PINs, etc.
  - And more…

Roles & Responsibilities
- Information Resource Stewards
- Data Custodians
- Users: sign the UH Confidentiality Notice

Information Resource Stewards
- Senior administrators responsible for functional operations
- Responsible for granting access to and classifying data
- Responsible for minimizing use and exposure
- May also function as data custodians

Data Custodians
- Managers/administrators of systems or media on which sensitive information resides
- Responsible for implementing and administering controls over those resources in accordance with all policies
- A user who downloads sensitive information becomes the “custodian” of that copy, with the same obligations

Users
- Individuals granted access to sensitive information as required by their professional responsibilities
- Responsible for understanding and complying with applicable UH policies, procedures and standards for dealing with sensitive information

Access
- Granted by the Steward or designee
- Process by which access is requested
- Should be on a “need-to-know” basis
- Access must be terminated immediately upon job change or resignation/termination

Transmission - Paper
- Delivered in a sealed envelope
- Clearly marked for the intended recipient
- Marked “CONFIDENTIAL”
- Faxes must be promptly retrieved and protected at both ends

Transmission - Electronic
- Sensitive information must not be sent “in the clear”, including in e-mail messages & attachments
- Use secure web servers (HTTPS) when using web technologies to access sensitive information
- Use encryption for digital transmissions

Transmission - E-mail
- Minimize use of e-mail for sending sensitive information
- Use special care to ensure only the intended recipient gets the e-mail
- Both sender and receiver should delete the e-mail as soon as possible
- Sender should include a notice in the e-mail informing the recipient that it contains sensitive information and requesting appropriate handling

E-mail Notice
CONFIDENTIALITY NOTICE: The contents of this message and any attachments are intended solely for the addressee(s) and may contain confidential and/or privileged information and may be legally protected from disclosure. If you are not the intended recipient of this message or their agent, or if this message has been addressed to you in error, please immediately alert the sender by reply and then delete this message and any attachments. If you are not the intended recipient, you are hereby notified that any use, dissemination, copying, or storage of this message or its attachments is strictly prohibited.
The notice only asks for appropriate handling; it does not protect the contents of a message sent unencrypted, so it supplements encryption rather than replacing it.

Electronic Storage
- Sensitive information should be stored only when specifically required and on as few systems/media as possible
- Systems must comply with basic computer security standards
- Use encryption as much as possible
- If stored unencrypted, systems must be in physically secure and controlled environments
- De-coupling of data: keep names and the associated SSNs, account numbers or other data elements in separate stores joined only by a surrogate key, so that a single exposed store is not “personal information” under the state definition
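The statutory test from the Hawaii definition and the earlier “PI or not PI?” quiz, together with the de-coupling point above, as an added Python example that is not part of the presentation or the UH policy. It encodes the HRS 487N wording (first name or first initial plus last name, combined with an SSN, driver’s license / State ID number, or financial account number / access code, unless name and data elements are both encrypted), runs the quiz cases, and then splits one record into two stores to show that neither half alone meets the definition. The field names, the surrogate key and the SSN, phone and address values are this example’s own assumptions; the quiz slide’s actual values were not captured.

```python
"""Added example: the Hawaii "personal information" test (HRS 487N, as quoted on the
slide) applied to the "PI or not PI?" quiz, plus the de-coupling check.
Field names and sample values are this example's own assumptions."""
from dataclasses import dataclass
from typing import FrozenSet, Optional

# Statutory data elements: SSN; driver's license or Hawaii ID card number; account
# number, credit/debit card number, access code or password for a financial account.
DATA_ELEMENT_FIELDS = ("ssn", "drivers_license", "account_number", "access_code")


@dataclass(frozen=True)
class Record:
    first_name: Optional[str] = None       # full first name or first initial ("J.")
    last_name: Optional[str] = None
    ssn: Optional[str] = None
    drivers_license: Optional[str] = None  # driver's license or Hawaii ID card number
    account_number: Optional[str] = None   # bank / credit / debit account number
    access_code: Optional[str] = None      # code or password giving access to a financial account
    phone: Optional[str] = None            # NOT a statutory data element
    address: Optional[str] = None          # NOT a statutory data element
    encrypted: FrozenSet[str] = frozenset()  # names of fields stored encrypted
    key: Optional[str] = None              # surrogate join key used by decouple(); not an identifier


def _is_last_name(value: Optional[str]) -> bool:
    # "John S." carries only a last initial; the statute requires the last name itself.
    return bool(value) and len(value.rstrip(".")) > 1


def present_data_elements(r: Record):
    """Statutory data elements actually present on the record."""
    return [f for f in DATA_ELEMENT_FIELDS if getattr(r, f)]


def is_personal_information(r: Record) -> bool:
    """True when (first name or initial) + last name is combined with at least one
    statutory data element, unless the name AND every present data element are
    encrypted ("when either the name or the data elements are not encrypted")."""
    if not (r.first_name and _is_last_name(r.last_name)):
        return False
    elements = present_data_elements(r)
    if not elements:
        return False
    name_encrypted = {"first_name", "last_name"} <= r.encrypted
    elements_encrypted = all(f in r.encrypted for f in elements)
    return not (name_encrypted and elements_encrypted)


def decouple(r: Record, key: str):
    """Split one record into a name store and a data-element store linked only by a
    surrogate key (the slide's "de-coupling of data"); neither half alone is PI."""
    name_part = Record(first_name=r.first_name, last_name=r.last_name, key=key)
    data_part = Record(key=key, **{f: getattr(r, f) for f in present_data_elements(r)})
    return name_part, data_part


# Constructed quiz cases modelled on the "PI or not PI?" slide.  The SSN, phone and
# address values are made up; the slide's own values were not captured.
QUIZ = {
    "J. Smith + SSN":           Record("J.", "Smith", ssn="123-45-6789"),
    "J. Smith + phone":         Record("J.", "Smith", phone="(808) 555-0100"),
    "John Smith + address":     Record("John", "Smith", address="123 University Avenue"),
    "John S. + SSN":            Record("John", "S.", ssn="123-45-6789"),
    "SSN with no name":         Record(ssn="123-45-6789"),
    "J. Smith + encrypted SSN": Record("J.", "Smith", ssn="<ciphertext>",
                                       encrypted=frozenset({"ssn"})),
    "name and SSN encrypted":   Record("J.", "Smith", ssn="<ciphertext>",
                                       encrypted=frozenset({"first_name", "last_name", "ssn"})),
}


def quiz_results():
    return {label: is_personal_information(rec) for label, rec in QUIZ.items()}


if __name__ == "__main__":
    for label, verdict in quiz_results().items():
        print(f"{label:26} -> {'PI' if verdict else 'not PI'}")
    name_part, data_part = decouple(QUIZ["J. Smith + SSN"], key="u-0001")
    print("de-coupled halves PI?", is_personal_information(name_part), is_personal_information(data_part))
```

Two results are worth noting. A phone number or street address next to a name is not “personal information” under this definition, but a first initial with a last name is enough once an SSN is attached. And under the literal wording, an unencrypted name beside an encrypted SSN still qualifies, so encrypting only the SSN column does not take a store out of the definition; the de-coupled halves do fall outside it because each lacks either the name or the data element.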

Mobile Devices
- Does it need to be stored on a mobile device??
- ENCRYPT, Encrypt, encrypt!
- Physically secure devices as much as possible
- Examples of mobile devices: laptops; CDs/DVDs; flash drives; external portable drives; PDAs; cell phones; mobile media players (iPods, MP3 players, etc.); magnetic tapes

Destruction
- Paper: use cross-cut shredders or contract shredding companies with credentials
- Electronic, erasable media: secure deletion tools (see ITS recommendations); ordinary deletion only removes the directory entry and leaves the data recoverable
- Electronic, unerasable media: physical destruction

Tools & Information
“Information Security” section:
- Securing Your Desktop Computer:
- UH Filedrop:
- Encryption - Windows: ; Macs:
- Securely Deleting Electronic Information - Windows:

Notification of Breaches
- Must notify all affected individuals
- Reported to the Legislature
- Timely notice
- Contents: clear & conspicuous, and include:
  - Description of the incident
  - Type of information that was disclosed
  - Remediation and prevention actions taken
  - Telephone number and address to call for further information & assistance
  - General advice on protection against identity theft
- Example:

Recommended System Configurations
- Do you REALLY need to keep that INFO?
- Minimize physical access
- Minimize technological access
- Password protected with a “secure password”
- Firewall, network IPS, host IPS, etc.
- Private IP addresses
- Frequently & routinely update OS and applications (install patches on a regular basis)
- Check access logs daily
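A concrete form of the last item, as an added Python example that is not tooling from ITS or part of the policy: a daily review of an OpenSSH auth log for a server holding sensitive information. It counts failed logins per source address, flags password-guessing bursts, and flags successful logins from addresses outside the private ranges the slide recommends. The log lines are constructed for this example; the allowed ranges, the threshold and the host name are assumptions.

```python
"""Added example: daily review of OpenSSH auth log lines for a server that holds
sensitive information.  The log lines below are constructed; the allowed ranges,
the failure threshold and the host name are this example's assumptions."""
import ipaddress
import re
from collections import Counter, defaultdict

# Networks from which interactive logins are expected (assumption: the server is
# on a private network and reached through it, as the slide recommends).
ALLOWED_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
FAILURE_THRESHOLD = 5   # failed attempts from one address in the reviewed window

# syslog prefix + sshd message, then the two sshd message forms this review uses.
LINE_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: (?P<msg>.*)$")
FAILED_RE = re.compile(r"^Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+")
ACCEPT_RE = re.compile(r"^Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<ip>\S+) port \d+")

# Constructed sample: one guessing burst from 203.0.113.9, one normal key login,
# one password login from inside, and one password login from outside the allowed ranges.
SAMPLE_LOG = """\
Nov 15 02:11:07 sisdb01 sshd[4012]: Accepted publickey for dba from 10.20.5.17 port 51022 ssh2
Nov 15 02:13:41 sisdb01 sshd[4020]: Failed password for invalid user admin from 203.0.113.9 port 40211 ssh2
Nov 15 02:13:43 sisdb01 sshd[4020]: Failed password for invalid user admin from 203.0.113.9 port 40212 ssh2
Nov 15 02:13:45 sisdb01 sshd[4021]: Failed password for root from 203.0.113.9 port 40213 ssh2
Nov 15 02:13:47 sisdb01 sshd[4022]: Failed password for root from 203.0.113.9 port 40214 ssh2
Nov 15 02:13:49 sisdb01 sshd[4023]: Failed password for oracle from 203.0.113.9 port 40215 ssh2
Nov 15 02:13:51 sisdb01 sshd[4024]: Failed password for oracle from 203.0.113.9 port 40216 ssh2
Nov 15 03:02:10 sisdb01 sshd[4101]: Failed password for dba from 10.20.5.17 port 51030 ssh2
Nov 15 03:02:15 sisdb01 sshd[4101]: Accepted password for dba from 10.20.5.17 port 51030 ssh2
Nov 15 04:40:02 sisdb01 sshd[4200]: Accepted password for dba from 198.51.100.23 port 60001 ssh2
Nov 15 04:41:00 sisdb01 sshd[4201]: pam_unix(sshd:session): session opened for user dba by (uid=0)
"""


def parse(lines):
    """Yield failed/accepted login events; other sshd lines are ignored."""
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        msg = m["msg"]
        f = FAILED_RE.match(msg)
        if f:
            yield {"ts": m["ts"], "event": "failed", "user": f["user"], "ip": f["ip"]}
            continue
        a = ACCEPT_RE.match(msg)
        if a:
            yield {"ts": m["ts"], "event": "accepted", "user": a["user"],
                   "ip": a["ip"], "method": a["method"]}


def outside_allowed(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in ALLOWED_NETS)


def review(log_text: str, threshold: int = FAILURE_THRESHOLD):
    """Return findings as tuples; an empty list means nothing to escalate today."""
    failures = Counter()
    users_tried = defaultdict(set)
    findings = []
    for ev in parse(log_text.splitlines()):
        if ev["event"] == "failed":
            failures[ev["ip"]] += 1
            users_tried[ev["ip"]].add(ev["user"])
        elif outside_allowed(ev["ip"]):
            findings.append(("login_from_outside_allowed_ranges", ev["ip"], ev["user"], ev["ts"]))
    for ip, n in failures.items():
        if n >= threshold:
            findings.append(("password_guessing", ip, sorted(users_tried[ip]), n))
    return findings


if __name__ == "__main__":
    for finding in review(SAMPLE_LOG):
        print(finding)
```

On the sample the single failed attempt from the private address stays below the threshold, while the burst against admin, root and oracle from 203.0.113.9 and the successful password login from 198.51.100.23 are both reported. In practice the review would read the previous day’s auth log rather than the embedded sample, and the allowed ranges would be the actual campus and private networks for that server.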

Backups
- Backups of sensitive information must be protected
- Transmission of backups of sensitive information must be protected

Questions? Jodi Ito Information Security Officer, ITS