
PII / IDENTITY THEFT: Is Your University an Open Market for ID Thieves? TACUA 2011. Carol Rapps, CIA, CISA, CCSA, GLIT. 210-458-4679



Presentation transcript:


Slide 2: PII / IDENTITY THEFT: Is Your University an Open Market for ID Thieves? TACUA 2011
Carol Rapps, CIA, CISA, CCSA, GLIT
carol.rapps@utsa.edu, 210-458-4679
srapps@sbcglobal.net, 210-693-3277


Slide 4: Who is in the room?
• Academic
• Research – Tier 1
• Health Care
• Public
• Private
• What do you know?

Slide 5: Session ground rules
• A CHANCE TO SHARE
• VALUE
  ◦ Take away one good concept/tool/story/laugh.
• GAME --- WHERE’S THE PII?
  ◦ Honesty counts! Don’t make me audit your score!
• TIMELINE – keep us on track – time keeper
  ◦ 2:35 - stop to tally the score


Slide 7: Identity theft
• What is it?
• Who are the thieves?
• What do thieves do with it?
• How is an identity stolen?
• Who is at risk?

Slide 8: PII
• What is it?
• Where is it?
• Who keeps it?
  ◦ Game…… You will need paper & pencil/pen
• When do they collect it?
• Why do they collect/keep it?
• How do they store it?

Slide 9: Privacy law timeline
• 2012: ??
• 2011: Dept Ed
• 2010: Red Flag
• 2009: Massachusetts
• 2002: California
• 1996: Canada
• 1984: UK
• 1980: OECD
• 1978: France
• 1974: Germany
• 1973: Sweden
• 1968: UN
• 1998: ID Theft Act

Slide 10: Applicable laws, regulations and standards
• FERPA
• HIPAA
• HITECH ACT
• GLBA
• RED FLAG
• STATE SECURITY BREACH LAWS
  ◦ National Conference of State Legislatures: http://www.ncsl.org/default.aspx?tabid=13489
• STATE DATA DISPOSAL LAWS
• STATE ENCRYPTION LAWS & IDENTITY THEFT STATUTES
• FEDERAL ID THEFT & ASSUMPTION DETERRENCE ACT OF 1998
• PCI-DSS
• SEVP (Student & Exchange Visitor Program)
• FISMA
• FUTURE ---

Slide 11: Why audit privacy?
• Comply with Security/Privacy Laws & Regulations
• Protect PII / PRIVACY
“The rights and obligations of individuals and organizations with respect to the collection, use, disclosure, and retention of personal information.” – The American Institute of Certified Public Accountants (AICPA)/CICA, 2005

Slide 12: OECD privacy principles
• Collection Limitation
• Data Quality
• Purpose Specification
• Use Limitation
• Security Safeguards
• Openness
• Individual Participation
• Accountability
“Privacy is the protection of personal data and is considered a fundamental human right” – OECD Guidelines, 1980

Slide 13: Privacy audit approach
• ID Applicable Rules, Laws, Regulations
• Conduct PII Discovery & Privacy Risk Assessments
  ◦ Impact (# records)
  ◦ Likelihood
• Audit Privacy Framework
• Perform Law/Regulation Specific Compliance Audits (e.g. PCI)
• Conduct General Security Audits
• Conduct Data Retention & Disposal Audits

Slide 14: Embedding privacy in the audit function
• Train ALL Auditors
• Add Privacy Principle Audit Steps to ALL Audits
• PII Sampled in ALL Data Security Audit Steps
• Regulation Repository
• Document Location of PII Data & Controls (Repository)
• Protect Your Own Information
• Participate In Incident Reporting Process
• Integrate Audit Processes into Fraud Root Cause Analysis

Slide 15: The cost of breaches
• Security Breaches At Universities In Past 2 Years
  ◦ Privacy Rights Clearinghouse
  ◦ Jan 2009 – Aug 2010: 122 breaches for a total of 1,653,065 records
• Average Cost of Security Breaches
  ◦ Accenture/Ponemon Institute Joint Project 2009
  ◦ US: $204 per record
  ◦ International: $232 per record
  ◦ You do the math
• Unpublished Breaches
  ◦ I’ll tell you mine, you tell me yours.

Slide 16: Wrap-up
• ADD TO LIST (ANYTHING NEW)
• SCORING
  ◦ Honesty counts! Don’t make me audit your score!

