Allison Secretary of Homeland Security just said ‘we are all in this together’ - interdependence etc.
Allison RE: local compliance - vs. some schools with strong central oversight, e.g. central scanning of all systems for SSN. IT should not be ‘driver’ but rather ‘enabler’ based on what business process owners want. Some costs - but generally not huge, and depts will have options - e.g. buy IdentityFinder licenses or modify a FileMaker database.
Allison FERPA - says info not to be shared, but currently no notification requirement.
HIPAA - officially applies only to Medical; effective with the HITECH act, notification is now a requirement.
PCI DSS - if anyone is a merchant, they should be using CyberSource.
FACTA/Red Flag - not really IT/info protection - more about info verification.
GLBA - not many areas impacted.
Mass reg - everyone/anyone at MIT with ‘personal info’ as defined by Mass. law passed almost 2 years ago. “One of the most far-reaching information security requirements anywhere in the US.”
In addition to these policies, MIT also has IS&T Info Security web pages and a PCI compliance program. WISP work built on the foundation of the work the PII program had been doing to identify where SSN was used at MIT.
Monique Data falls into 3 levels at MIT. High risk data includes data that, if exposed, requires us by law to notify the persons affected. In the MA regs, the definition of personal information is: a resident’s name (first and last, or first initial and last name) in combination with any one or more of the following data elements: SSN, driver’s license or state-issued ID card number, financial account or credit card number (with or without security code, access code, PIN or password). At MIT we also include such info as health information, student information (including prospective students), date of birth, and donor info. Medium risk data covers items employees or non-employees have a business need to have access to, such as research details, library transactions, personnel information, contracts, facilities data, network logs. Low risk is information that is generally open to those with a need to know and whose protection is at the discretion of the data custodian.
Monique Accidents (which can also be termed “unauthorized disclosure”) are by far the #1 cause of breaches involving notification. Unauthorized disclosure is the exposure of data to those not authorized to view such data. This can happen through losing computers/hard drives containing data, weak passwords, social engineering. To be clear, this type of exposure is due to data owners not protecting the data in a manner that reduces its exposure. Protecting data by not having it eliminates trying to plug all the holes caused by malware, viruses, human error. The Adam Dodge report states 49% of reported breaches (2008) by Univ. were due to unauthorized disclosure or data loss. That said, the highest number of records exposed is by far due to deliberate attacks. Attacks are listed in ESI as 51%. It includes items such as employee fraud, impersonation, penetration, and theft. Campana Report: 24% of breaches at Univ. were characterized as resulting from an attack (penetration) on info systems. [Discuss some statistics from this report.]
QUESTION TO AUDIENCE: Do you know when breaches in higher ed most occur? Answer: finals weeks of fall and spring; fewest when students not around.
TALKING POINT: If there is a data breach, what do you do? Do you have a procedure to follow?
Monique I recently heard RISK described as the following equation (this came from a Wall St company): Risk = hazard + outrage. RISK of data exposure at MIT is primarily the name associated with the breach, not really identity theft. That said, there is a potential risk, depending on what type of data was exposed. MIT deals with many types of data, including health records, research data (some of it very classified information), credit card numbers and other identifying information. The combination of the types of data exposed will determine the level of risk to individuals whose data was exposed. Will MIT be deliberately attacked? Probably not. Value of data is falling - SSN now .50 => hackers are really targeting the big data sources (Heartland). HOWEVER, if there is a small accidental spill, that may get MIT’s name in the paper. Within my team we hear of potential breaches all the time, often including SSNs, and occurring because of human error. We have yet to find an incident in the past few years of data falling into the hands of unauthorized persons, but with the types of incidents we’re seeing, it seems only a matter of time.
STORIES: Ivy League school that lost a 7-figure donation after a breach (president’s visit Fri). Husband of Susan Hockfield had to be notified his data was at risk recently; would you want to be the administrator who makes that call?
Allison Brief review: web forms with SSN, authorization lists, securely destroying - e.g. secure delete on PC [ask how many provide? If your customers came to you re: secure delete, what would you say?], protecting - e.g. PGP.
Allison Emphasize - not IT responsibility, but IT can certainly contribute to a team effort, working with business owners to figure out where data exists, to provide the right kind of tools (e.g. PGP, secure delete, IdentityFinder), and processes, e.g. correct disposal of equipment.
Allison review - if you are working with any of these processes, keep antennae out for possible PII
Monique The message we’re hammering home in case you haven’t noticed is that if you don’t have an immediate business need to have the data locally or have access to it, don’t. NOT illegal to have SSN or other sensitive info, but there are legal consequences if lost. Get a handle on the data, by setting controls for sensitive and proprietary information. It’s impossible to do if you don’t know where the data is. If the controls aren’t in place, don’t keep the data. Ask folks what they are doing now re: secure delete on PCs.
Monique Updates: If you are not sure, check with IT personnel. These should be occurring automatically, without your intervention needed (besides perhaps accepting the updates as they occur).
Passwords: For tips on strong passwords, see the handout and the Security site. When was the last time you changed your passwords, or Kerberos password?
Sharing sensitive data: Avoid sending sensitive data via email; instead put it onto a password-protected shared server and remove it when it is no longer needed, or use a VPN connection, which encrypts traffic (check with IT if you need info on VPN). Email can be lost in transit, can be sniffed if going to a non-MIT address, and data can remain in emails long after you’ve deleted it from stored places, or be forwarded to others (no control).
Destroying data: there is some information online about both shredding paper and deleting files. Look in the handouts for all these resources.
Monique You shouldn’t be worried about asking for help from IT. Regardless of how IT people are often characterized on TV, they’re not all unhelpful and sarcastic (if you’ve ever seen the SNL skit). Ask for their help, that’s what they’re there for. It’s better to be safe than sorry. Focus on areas where risk of losing many records is high.
Monique Communicate with others on these items. Consult with Business Process Owners re: ‘purpose’ of sensitive info - don’t be afraid to ask Why? Again, have a business continuity plan in place in case you ever need to respond to or report a data breach. Know who to report to and who should be doing the reporting. Know the steps to take if you think a system was breached.
Allison Also talk through additional handout
Data Protection: We're In This Together
Allison Dolan, Program Director, Protecting PII
Monique Yeaton, IT Security Awareness Consultant, IS&T
Data Protection - We are all in this together!
Presentation Overview
- Context, including new regulations
- What data is at risk
- How data is at risk
- Steps individuals and departments should consider
Key Take-Aways
- New state data protection regulations impact how sensitive data is handled - information security program required
- Everyone is responsible for compliance
  - Know what sensitive data you have
  - Develop “good hygiene” practices
Laws & Regulations
- Existing federal regulations (FERPA, HIPAA, PCI-DSS, etc.)
- Massachusetts data breach law, regulations
  - Definition of personal information
  - Obligation for notifications when exposed
  - Data destruction requirements
  - Requirement to have written information security program (WISP)
- MIT Policy
  - 11.0 Privacy and disclosure of information
  - 13.0 Information policies
Levels of Risky-ness
- High Risk
  - Personal information requiring notification (PIRN), e.g. SSN, CCN, bank numbers, medical information, etc.
- Medium Risk
  - Research information
  - Contracts
- Low Risk
  - Mailing addresses
  - Directory information
How Data is Exposed
- Accidents – inadvertent exposure
  - Reduce risk by eliminating sensitive data from desktops, laptops, USB drives, departmental paper files, scanned images, etc. Use safe computing practices (strong passwords, using anti-virus, ignoring phishing emails).
- Attacks – deliberate intent to capture data
  - Reduce risk by making the organization less attractive to attacks from insiders and outsiders by encrypting data, logging access to sensitive data, physically securing files, etc.
What is at Risk?
- Reputation of the Institute
- Donor contribution
- Cost of forensics, notification and consumer services
- Fines by federal, state, or other agencies
- Inconvenience for individual(s) affected
- Potentially, your personal reputation
Risk Management Framework
- Minimize # of people with access to sensitive data
- Minimize collection of sensitive data
- Protect sensitive data in our custody
- Securely destroy sensitive data
(Framework dimensions from the slide diagram: business processes, roles, policy, responsibilities)
Where Does Data Hide?
- Central and distributed files/systems
- Paper and electronic files
  - Operational files
  - Backup and archived data
  - Email
- Internal and 3rd party locations
- Protected and unprotected spaces, with employee and non-employee access
- Equipment queued up for redeployment
- Other office equipment - printers, PDAs, etc.
Processes with Sensitive Data
- Student-oriented processes
  - Undergrad and grad applications
  - Student loans
  - Ongoing services
- Financially-oriented processes
  - Independent contractors
  - Reimbursements
  - Miscellaneous payments
- Employee-oriented processes
  - HR systems & files
  - Payroll, paychecks, benefits
  - Employee certifications
- Miscellaneous processes
  - Parking
  - Accident insurance
  - State visits
Key Message
- Avoid copying and keeping sensitive data locally (e.g. Email, Excel files, local databases, paper files)
  - “If you can’t protect it, don’t collect it”
  - “You can’t lose what you don’t have”
  - “You can’t protect what you don’t know you have.”
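The "know what you have" step above is usually done with a data-discovery scan (the central SSN scanning and IdentityFinder runs mentioned in the talk). The following is an added example, not code from the talk or from IS&T: it scans constructed sample text for SSNs and card numbers, drops the look-alikes that plain pattern matching would flag (using the SSA structural rules and the Luhn check as the validation step), and reports only masked values so the scan log itself is not a spill. All names and the sample text are the editor's assumptions; the card number is the public Visa test number.

```python
import re

# Constructed sample: one real-looking SSN and the public Visa test number,
# plus two look-alikes (a 000-area SSN and a phone number) that must NOT be reported.
SAMPLE_TEXT = """Reimbursement request for Jane Doe, SSN 123-45-6789, card 4111 1111 1111 1111.
Test fixture SSN 000-12-3456 and phone 617-253-2715 should not be reported."""

SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")   # hyphenated SSN form only
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")     # 13-16 digits, optional separators

def ssn_is_plausible(area: str, group: str, serial: str) -> bool:
    """SSA structural rules: area never 000, 666 or 900-999; group never 00;
    serial never 0000. Cuts the false positives that make scan reports unusable."""
    a = int(area)
    return not (a == 0 or a == 666 or a >= 900 or int(group) == 0 or int(serial) == 0)

def luhn_ok(number: str) -> bool:
    """Luhn checksum, the check-digit scheme used by payment card numbers."""
    digits = [int(c) for c in number if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:                      # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def mask(value: str) -> str:
    """Keep only the last four digits so the finding can be reported safely."""
    digits = "".join(c for c in value if c.isdigit())
    return "*" * (len(digits) - 4) + digits[-4:]

def scan_text(text: str) -> dict:
    """Return masked SSN and card-number hits that pass validation."""
    findings = {"ssn": [], "ccn": []}
    for m in SSN_RE.finditer(text):
        if ssn_is_plausible(*m.groups()):
            findings["ssn"].append(mask(m.group(0)))
    for m in CARD_RE.finditer(text):
        if luhn_ok(m.group(0)):
            findings["ccn"].append(mask(m.group(0)))
    return findings

if __name__ == "__main__":
    hits = scan_text(SAMPLE_TEXT)
    level = "HIGH (PIRN present)" if hits["ssn"] or hits["ccn"] else "no PIRN found"
    print(level, hits)
```

Run over a directory of exported text (email archives, FileMaker exports, scanned-image OCR output), the same two functions give a department a masked inventory to act on, rather than a list of raw identifiers to protect.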
You Can Do
- Apply Updates: OS, applications, and virus-protection software
- Passwords: Strong and protected
- Sharing Data: Use alternatives to email (VPN, shared server)
- Destroying Data: Secure delete
  - Shredding service for paper
  - More than ‘delete’ or ‘trash’ for electronic
Talk to IT About
- Periodic health checks
- A process for handling data breaches
- Installing IdentityFinder
- Installing PGP Whole Disk Encryption
- Tools for securing transmissions or file sharing
- Implementing ‘least privilege’ on PCs and laptops where possible
Departments Can Do
- Understand who has what sensitive data, and for what purpose
- Ensure new hires are oriented to departmental data policies & practices
- Review system authorizations annually; ensure access is removed for employees, contractors and temps
- Include appropriate language in any 3rd party contracts
Questions/other followup?
Feel free to contact:
Allison Dolan [email_address] 617.252.1461
Monique Yeaton [email_address] 617.253.2715
If a machine has been compromised, or you otherwise suspect a breach, immediately contact [email_address]
For additional training resources, including phishing quiz, see: ist.mit.edu/security/educational_tools
Places to look for sensitive data: Employee Processes
- Job applications
- Background checks
- New hire paperwork - I-9, Federal/State tax withholding, direct deposit form, benefit enrollment, including 401(k) enrollment, intellectual property agreement, other new hire forms
- Payroll, timecards, paychecks
- Worker’s compensation, medical leave form
- Employee loan programs
- Specialized certifications (e.g., nurse, engineer)
- Special requirements (e.g. top secret clearance)
- Employee reporting (e.g. annual reviews)
Places to look for sensitive data: Student Processes
- Services that require student SSN - e.g., student loans
- Products/services with check and/or credit card payments - e.g., university press, bookstore
- Admissions related processes, e.g. test scores, transcripts
- Service providers that require PIRN, e.g., 401(k) administrators, benefit providers, Medicare, claim administrators
- Services that may involve access to PIRN of others - e.g., backup service providers, shredding services, IT application developers and system admins, custodians
Places to look for sensitive data: Financial Processes
- Vendor files/vendor payments, e.g., independent contractors
- Employee reimbursements (look at form to request payment, as well as backup to request)
- Honorarium
- Employee awards
- Other payments - e.g., payments to ‘one-off’ vendors, research subjects, casual labor
- Taxes
Places to look for sensitive data: Miscellaneous Processes
- State visits
- Any service/records that predate non-SSN organizational id (e.g. library, parking)
- Insurance (beneficiaries)
- Internal medical
- Union workers
- Legal
- Audit
- System backups
- Archives
- Printing/scanning devices
- PC to be redeployed
- Email