Umphrey hutcherson-ecu-cause2010-rev5

Data leaks as a result of sensitive data that is e-mailed to users’ home computers, downloaded to flash drives, copied to unencrypted laptops, stored in shadow databases on local computers or improperly destroyed or disposed when no longer needed.

To protect the universities’ sensitive data, we must plan a data-centric approach to our security programs to protect against data leaks. We can never prevent all sensitive data leaks, but steps can be taken to minimize such leaks. This presentation discusses some of the steps taken at East Carolina University to minimize sensitive data leakage, our continual efforts in this battle and explores future options to address this issue.

Published in: Education, Technology

  • Industry comparisons (01/13/09)
    Breach incidents by industry:
    business - 311 incidents (includes retail and financial institutions);
    education - 281 incidents;
    government - 245 incidents; and
    healthcare - 108 incidents.
    Records compromised by industry:
    business - 77% of compromised records;
    government - 19%;
    education - 2%;
    healthcare - 2%.
  • Transcript

    • 1. Battle Against Sensitive Data Leakage
      Margaret Umphrey, Director IT Security – East Carolina University, streeterm@ecu.edu, (252) 328-9187
      Paula Hutcherson, User Account Manager – East Carolina University, hutchersonp@ecu.edu, (252) 328-9186
    • 2. Sensitive Data Leaks
      o What are Sensitive Data Leaks?
      o Why Should Data Leaks Concern Us?
      o How Can We Slow Data Leaks?
      o Discussion of Strategies You Use
    • 3. Sensitive Data Leaks
      Data leakage: Unauthorized transmission of data (information) to an external source.[1]
      o Electronic
      o Physical (paper)
      o Human
      [1] © SANS Institute 2007
    • 4. Sensitive Data Leaks
      Sensitive data leaks loom over us like storm clouds, coming from every direction.
    • 5. Why are Universities More Susceptible?
      o Decentralized IT staff with their own IT policies and practices
      o Huge amount of data handled
      o Students accessing data with limited training and supervision
    • 6. Why are Universities More Susceptible?
      o Open nature of the university physical and technical environment
      o Early adoption of mobile devices, social networking, cloud computing, etc.
      o Numerous databases maintained outside of the centrally managed databases
    • 7. Why are Universities More Susceptible?
      o Business partners' or research sponsors' failure to protect data
      o Non-enforced data-security practices
      o Budget constraints
    • 8. Why Should We Be Concerned?
      o University of Hawaii at Manoa suffered a major data breach that exposed the confidential records of more than 40,000 former students. A faculty member accidentally uploaded the files that contained personal student records to an unencrypted Web server.[2]
      o Eight cabinets full of tax records were stolen from a residence. The records belonged to a deceased tax preparer.[2]
      [2] PHIPrivacy.net
    • 9. Why Should We Be Concerned?
      o A flash drive containing over 280,000 patient names, addresses, and personal health information was lost or stolen by Keystone Mercy Health Plan and AmeriHealth Mercy Health Plan in Philadelphia, Pennsylvania.[2]
      o A portable point-of-care device was stolen from an employee of HomeCall Inc., Rockville, Maryland. Client names, addresses, Social Security Numbers, medical record numbers, diagnoses and treatment information were on the unencrypted device.[2]
      [2] PHIPrivacy.net
    • 10. Why Should We Be Concerned?
      o The full names, driver's license numbers and Social Security Numbers of 2,484 full- and part-time employees of Arkansas State University were accidentally emailed to university email addresses.[2]
      o Rite Aid paid one million dollars to settle HIPAA privacy violations; Rite Aid also agreed to update corporate policies and procedures so that patient medical information would be properly disposed of, employees would be properly trained in disposal of patient information, and employees would be held accountable if they did not dispose of patient information properly.[2]
      [2] PHIPrivacy.net
    • 11. Data Breach Costs
    • 12. Regulatory Compliance Requirements
      o FERPA
      o NC Identity Theft
      o GLBA
      o PCI
      o Red Flag
      o HIPAA
    • 13. How Can We Slow the Leaks?
      o Identify Location of all Confidential Data
        - Conduct External DLP Assessment
        - Purchase and Implement DLP Solution
        - Conduct Internal Sensitive Data Scans
        - Integrate Data Security into Data Ownership
        - Integrate Security Awareness and Training into Culture
      o Eliminate Duplicate Data
        - Don't Download from Centralized Systems
        - Remove Copies of Confidential Data
        - De-identify Personally Identifiable Data
        - Don't Create Shadow Systems
    • 14. How Can We Slow the Leaks?
      o Protect Confidential Data
        - Implement Appropriate Security Controls
        - Encrypt Data at Rest (Database, Server, Desktop, Laptop, Mobile Device)
        - Encrypt Data in Motion (Email, File Transfer, Remote Access, Data Entry)
        - Securely Dispose of Data (Paper, Hard Drives, Video, FAX, Printers, Medical Devices, etc.)
      o Implement Policies, Standards and Procedures
        - Data Ownership and Classification
        - Data Security Standards
        - Required Security Awareness and Training
        - Integrate Security into Design Phase
        - Incorporate Security into Governance
    • 15. Challenges
      o Implementing Encryption Standard
      o Implementing DLP Solutions
      o Implementing Required Training
      o Limited Resources
      o IT Security Incorporated into Governance
    • 16. Challenges
      o Integrating Data Security into Data Ownership
      o Centralizing IT Operations and Standards
      o Integrating Security into Research Protocols
      o Integrating Security into Purchase of Medical Devices
      o Enforcing Non-compliance Sanctions
    • 17. Where Do We Go From Here?
      o How Does Your University Manage Sensitive Data Leaks?
      o Share Your Success
      o What Have You Found to Be the Top Challenges?
      o What Recommendations Can You Provide?
    • 18. Battle Against Sensitive Data Leakage
      Margaret Umphrey, Director IT Security – East Carolina University, streeterm@ecu.edu, (252) 328-9187
      Paula Hutcherson, User Account Manager – East Carolina University, hutchersonp@ecu.edu, (252) 328-9186
    • 19. References
      o A Comprehensive Study of Retail Data Security Breaches in the United States - Kevin Prince - Perimeter eSecurity
      o http://www.privacyrights.org/data-breach/new
      o http://www.nymity.com/Free_Privacy_Resources
      o http://www.sans.org/critical-security-controls/
      o http://www.darkreading.com/insiderthreat/index.jhtml
      o http://www.educause.edu/CybersecurityInitiative/Resources/1225
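Slides 13 and 14 call for internal sensitive-data scans to locate confidential data and for de-identifying personally identifiable data in copies that cannot be removed. The script below is an added illustration of what such a scan does on a small constructed spreadsheet export; it is not ECU's tooling and is not from the presentation. It flags Social Security Number and payment-card shapes, uses the SSA issuance rules and the Luhn check digit to drop look-alike part numbers, and emits a masked copy that keeps only the last four digits.

```python
"""Toy internal sensitive-data scan with de-identification. Constructed example, not ECU's own tooling."""
import re

SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
# 13-16 digits, optionally in groups of four separated by a space or dash
CARD_RE = re.compile(r"\b(?:\d{4}[ -]?){3}\d{1,4}\b")

def valid_ssn(area: str, group: str, serial: str) -> bool:
    """Reject shapes the SSA never issues (area 000/666/9xx, group 00, serial 0000)."""
    a = int(area)
    return a not in (0, 666) and a < 900 and group != "00" and serial != "0000"

def luhn_ok(digits: str) -> bool:
    """Luhn check-digit test, the usual filter for card-number candidates."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                       # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def scan(text: str):
    """Return (findings, redacted_text); each finding is (kind, line_no, masked)."""
    findings, out = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        def ssn_sub(m):
            if not valid_ssn(*m.groups()):
                return m.group(0)            # leave non-SSN digit strings alone
            masked = "***-**-" + m.group(3)  # keep last four for reconciliation
            findings.append(("SSN", lineno, masked))
            return masked
        def card_sub(m):
            digits = re.sub(r"\D", "", m.group(0))
            if len(digits) < 13 or not luhn_ok(digits):
                return m.group(0)
            masked = "*" * (len(digits) - 4) + digits[-4:]
            findings.append(("CARD", lineno, masked))
            return masked
        out.append(CARD_RE.sub(card_sub, SSN_RE.sub(ssn_sub, line)))
    return findings, "\n".join(out)

# Constructed sample: a "shadow" spreadsheet export of the kind slide 13 warns about
SAMPLE = "\n".join([
    "name,ssn,card,note",
    "Ada Lovelace,123-45-6789,4111 1111 1111 1111,tuition",
    "Part No,000-12-3456,1234 5678 9012 3456,neither an SSN nor a card",
    "Grace Hopper,536-22-1234,5500 0000 0000 0004,housing",
])
```

Running `scan(SAMPLE)` reports two SSNs and two card numbers on lines 2 and 4 and leaves the look-alike values on line 3 untouched.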