Identity theft and data responsibilities

  • Start with why I like to discuss this topic. I like to debunk all the scare tactics, for instance the need to encrypt all email if one client lives in Mass. Security is a very technical subject; however, the application of it at the practical level needs to be simple. Security can be very expensive if not applied correctly. It can also be disastrous. http://www.mass.gov/Eoca/docs/idtheft/201CMR17faqs.pdf
  • Examples of housing rental, utility deposit
  • Identity theft and data responsibilities

    1. Identity Theft and Data Responsibilities
       November 16, 2010
       ©2010 Clark Nuber. All rights reserved
    2. Summary
       • Understand the issues
       • Evaluate your risks
       • Protect your company
       • React to a breach
       Identity Theft
       Data Protection
       Statements, Policies, Plans
    3. Identity Theft
       • Credit cards
       • Bank accounts
       • New accounts
       • Housing
       • Utilities
    4. Risk Based Approach
       The Program should take into consideration the size, scope of business, amount of resources, nature and quantity of data collected or stored, and the need for security [1].
    5. Mandates, Guidelines, Obligations
       • State of Washington [3]
       • State of Massachusetts [1, 2]
       • Federal Trade Commission Red Flags
       • Clients, customers, constituents
       • Employees
       • Perceptions
    6. Definitions
       • Personal Information [2]
       • Financial Institution or Creditor [4]
       • Covered Accounts [4]
    7. Red Flags Rule
       An Identity Theft Prevention Program to detect the warning signs — or "red flags" — of identity theft in day-to-day operations [4, 5, 6].
    8. Information Security [7]
       • Confidentiality
       • Authorization
       • Accountability
       • Non-repudiation
       • Authenticity
       • Integrity
       • Authentication
    9. Confidentiality
       • Who should have access to the data?
         – Username and password
         – Encryption
         – Physical location of computer
    10. User Accounts
       • Require passwords (pass phrases)
       • Block access after unsuccessful login attempts.
       • Restrict access to "personal information" based on job duties.
    11. Passwords
       • Pass phrases
       • No sharing
       • Not written down
       • Not transmitted in email
    12. Vulnerabilities
       • Targeted attacks
       • Penetration
       • Inside intentional
       • Inside accidental
       • Email
       • Laptops
       • Desktops
    13. Deterrents
       • Two factor authentication
       • Know where personal information is:
       • Inventories of laptops, desktops, servers, applications, data sets.
    14. Testing and Assessment
       • External Penetration
       • Internal inspection of infrastructure
       • Network permissions
       • Internal password cracking
       • Policy inspection
       • Software code inspection
       • Training effectiveness
    15. Security Classifications
       • Physical – Stolen laptops, locked server room
       • Logical – usernames, passwords, two-factor
       • Transmissions – email, file transfer
       • Applications – especially custom written
       • Social – impersonating tech. support
    16. Policies, Procedures, Plans
       • For customers, clients, constituents
         – Privacy and Confidentiality Policy [8]
         – Security Statement [9]
         – Security Overview [10]
         – Third Party provider summary [11]
    17. Policies, Procedures, Plans
       • For employees
         – Acceptable Use Policy
         – Professional Ethics & Standards Policy
       • For management
         – Security Policy
         – Data Breach Incident Response Plan [12]
    18. Training
       • Employees should know: [1]
         – What information they have access to
         – What their responsibilities are regarding it
       • Document all training!
    19. Information Security Policy [13]
       Who is the audience?
       Why will they read it?
       What decisions will they make after reading?
       Purpose: Assure management that information is safe from theft and loss.
    20. Information Security Operations
       • Here is a list of our data.
       • Here is its location.
       • This is who has access to it.
       • Here is what we do to protect it.
       • Here is what we do if we lose it.
    21. peterhenley@clarknuber.com
