Guarding Vanderbilt Information
How can you protect sensitive data?
Vanderbilt Information Technology Services

Current state
Vanderbilt is vitally concerned about the security of sensitive, personally identifiable information.
In managing core administrative processes, Vanderbilt makes every effort to meet regulatory standards and compliance.
Sensitive data also lives outside core services.
What can you do to help protect sensitive data?
In our custody
Vanderbilt often stores, processes, and transmits personal information in pursuit of our mission:
Names
Social Security numbers
Dates of birth
Academic records, profile, and patient data
Credit cards
This data is essential in uniquely identifying students, faculty, staff, and patients.
What information must remain protected:
Social Security numbers
Passport data or government ID
Export controlled data
Intellectual property
Driver’s license
Confidential information
Academic records
Account numbers
Credit card
Bank
Criminals want what we have…
Trade secrets or research
Personal information to sell on the black market
Credit card with PIN (~$0.50 USD)
Credit card with change of billing address (~$60.00)
Full bank account access (~$1,000.00)
Criminals Exploiting the Identity
With personally identifiable information, thieves can create:
Driver’s license with the thief’s picture and the victim’s name
A state identification card
Social Security card
Employer identification card
New bank accounts, credit accounts, etc.
Our obligations
Protect the data with which we are entrusted
Comply with state and federal laws and regulations
Educate ourselves on how to avoid violating these important obligations
Where is this data?
Home computer (desktops and laptops)
Work computer (desktops and laptops)
Mobile device
Internet service
Backup service
Thumb drive or external hard drive
In transit
On your desk
In a filing cabinet
In the dumpster
In the mailbox
What do I need to do?
http://www.vanderbilt.edu/identityprotection
Take stock. Know what personal information you have in your files and on your computers.
Scale down. Keep only what you need for your business.
Lock it. Protect the information in your care.
Pitch it. Properly dispose of what you no longer need.
Plan ahead. Create a plan to respond to security incidents.
Source: U.S. Federal Trade Commission - http://www.ftc.gov/bcp/edu/multimedia/interactive/infosecurity/
Personally Identifiable Information (PII)
How do I protect it?
Don’t keep it unless authorized to do so
Shred it!
Lock your computers when not using them
Lock your office and your file drawers
Practice safe computing (update your operating system, anti-virus and anti-malware software regularly)
Change passwords once a year and don’t share passwords with anyone (www.vanderbilt.edu/passwordchange)
If you must store sensitive data, encrypt using the Vanderbilt solution
FOR HELP: Contact your local technology support provider or ITS Information Security – firstname.lastname@example.org
Protecting Yourself – Practice safe, secure computing
Don’t send personal or financial information via email
Be wary of “free software”
Stop and think before you click - social networking sites and Internet “red light districts” are a primary source of malware
Don’t perform financial transactions on the same computer as you surf the Internet.
Monitor your credit every year for free:
Annual Credit Report www.annualcreditreport.com – 877-322-8228
Annual Credit Report, Request Service, PO Box 105281, Atlanta, GA 30348-5281
Deter
Shred financial documents and paperwork with personal information before you discard them.
Protect your Social Security number. Don’t carry your Social Security card in your wallet or write your Social Security number on a check. Give it out only if absolutely necessary or ask to use another identifier.
Don’t give out personal information on the phone, through the mail, or over the Internet unless you have initiated the contact and know who you are dealing with.
Never click on links sent in unsolicited emails; instead, type in a Web address you know.
Use firewalls, anti-spyware, and anti-virus software to protect your home computer; keep them up-to-date. Visit OnGuardOnline.gov for more information.
Don’t use an obvious password like your birth date, your mother’s maiden name, or the last four digits of your Social Security number.
Keep your personal information in a secure place at home, especially if you have roommates, employ outside help, or are having work done in your house.
Source: U.S. Federal Trade Commission – http://www.ftc.gov/bcp/edu/microsites/idtheft/
Detect

Be alert to signs that require immediate attention:
Mail or bills that do not arrive as expected.
Unexpected credit cards or account statements.
Denials of credit for no apparent reason.
Calls or letters about purchases you did not make.

Inspect:
Your credit report. Credit reports have information about you, including what accounts you have and your bill paying history.
Your financial statements. Review financial accounts and billing statements regularly, looking for charges you did not make.

Order your credit report:
The law requires the major nationwide credit reporting companies – Equifax, Experian, and TransUnion – to give you a free copy of your credit report each year if you ask for it.
Visit www.AnnualCreditReport.com or call 1-877-322-8228, a service created by these three companies, to order your free credit reports each year. You can download the form at www.ftc.gov/freereports.

Source: U.S. Federal Trade Commission – http://www.ftc.gov/bcp/edu/microsites/idtheft/
Defend

Call one of the three nationwide credit reporting companies to place an initial 90‑day fraud alert. Placing a fraud alert entitles you to free copies of your credit reports. Review reports carefully.
Equifax: 1-800-525-6285
Experian: 1-888-EXPERIAN (397-3742)
TransUnion: 1-800-680-7289
Look for inquiries from companies you haven’t contacted, accounts you didn’t open, and debts you can’t explain.

Close any accounts that have been tampered with or established fraudulently.
Call the security or fraud departments of each company if an account was opened or changed without your okay. Follow up in writing with copies of supporting documents.
Use the Identity Theft Affidavit at ftc.gov/idtheft to support your written statement.
Ask for written verification that the disputed account has been closed and the fraudulent debts discharged.
Keep copies of documents and records of your conversations about the theft.

File a report with law enforcement to help you with creditors who need proof of the crime.

Report your complaint to the FTC. Your report helps law enforcement officials across the country in their investigations.
Online: ftc.gov/idtheft
By phone: 1-877-ID-THEFT (438-4338) or TTY, 1-866-653-4261

Source: U.S. Federal Trade Commission – http://www.ftc.gov/bcp/edu/microsites/idtheft/
Is it appropriate to …

Keep social security numbers
on my PC?
In Gmail?
In Google Docs?
In a Microsoft Skydrive?
On a 3rd party backup site such as Mozy?

Send social security numbers
Via email?
Where do I go for help @ work?
Concerned you have PII data on your computers?
Contact your Departmental IT support provider or ITS Information Security – email@example.com
They will…
work to obtain software to “shred” or encrypt the PII data if necessary – using Vanderbilt solutions
work with you to keep your operating system and other software up to date
work with you and ITS to find solutions to your problems!
Resources
Privacy Rights: http://www.privacyrights.org
FTC Security: www.ftc.gov/infosecurity
FTC Privacy: www.ftc.gov/privacy
Education for Organizations: http://www.ftc.gov/bcp/edu/microsites/infosecurity/teach.html
Individuals: http://www.onguardonline.gov/
Crime Prevention: http://www.ncpc.org/training/powerpoint-trainings
Credit Report: https://www.annualcreditreport.com/cra/index.jsp
Vanderbilt Identity Protection: http://www.vanderbilt.edu/identityprotection
Vanderbilt Acceptable Use Policy: http://www.vanderbilt.edu/aup
More Resources

Changing your e-password and/or your local computer password
http://its.vanderbilt.edu/files/documents/epass/ChangingYourEpassword.pdf
http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/windows_password_change.mspx?mfr=true

Locking your computer (assumes you set a password)
http://support.microsoft.com/kb/294317

Sharing your credentials (e-password, computer password, etc)
http://its.vanderbilt.edu/password/sharing
http://hr.vanderbilt.edu/policies/hr-025.pdf

Updating/upgrading your antivirus protection
http://its.vanderbilt.edu/antivirus/downloads

Updating your operating system (At least XP SP3 with all updates)
http://support.microsoft.com/kb/322389
http://www.microsoft.com/security/updates/mu.aspx

Removable media (thumb drives, etc) and laptop risks
http://it.med.miami.edu/x1129.xml
http://news.cnet.com/Getting-over-laptop-loss/2100-1044_3-6089921.html

PII and export compliance
http://www.vanderbilt.edu/exportcompliance/index.php
http://csrc.nist.gov/publications/drafts/800-122/Draft-SP800-122.pdf
http://iase.disa.mil/eta/pii/pii_module/pii_module/index.html

A reminder of HIPAA and FERPA (People forget they exist)
http://www.mc.vanderbilt.edu/root/vumc.php?site=InfoPrivacySecurity&doc=17070
http://www.hhs.gov/ocr/privacy/hipaa/understanding/summary/index.html
http://ecfr.gpoaccess.gov/cgi/t/text/text-idx?c=ecfr;sid=6b7e313020dfabb7caa0216830b2a7d8;rgn=div5;view=text;node=34%3A220.127.116.11.34;idno=34;cc=ecfr
Questions?