1. Data Protection - We are all in this together!
Allison Dolan, Program Director, Protecting PII
Monique Yeaton, IT Security Awareness Consultant, IS&T
8. Risk Management Framework
• Minimize collection of sensitive data
• Minimize # of people with access to sensitive data
• Protect sensitive data in our custody
• Securely destroy sensitive data
Framework elements: business processes, roles, policy, responsibilities
10. Processes with Sensitive Data
Student-oriented processes
• Undergrad and grad applications
• Student loans
• Ongoing services
Financially-oriented processes
• Independent contractors
• Reimbursements
• Miscellaneous payments
Miscellaneous processes
• Parking
• Accident insurance
• State visits
Employee-oriented processes
• HR systems & files
• Payroll, paychecks, benefits
• Employee certifications
15. Questions/other followup? Feel free to contact:
Allison Dolan, [email_address], 617.252.1461
Monique Yeaton, [email_address], 617.253.2715
If a machine has been compromised, or you otherwise suspect a breach, immediately contact [email_address]
For additional training resources, including the phishing quiz, see: ist.mit.edu/security/educational_tools
Editor's Notes
Allison: The Secretary of Homeland Security just said ‘we are all in this together’ - interdependence etc.
Allison: RE: local compliance - vs. some schools with strong central oversight, e.g. central scanning of all systems for SSN. IT should not be the ‘driver’ but rather the ‘enabler’, based on what business process owners want. Some costs, but generally not huge, and depts will have options, e.g. buy IdentityFinder licenses or modify a FileMaker database.
Allison:
FERPA - says info is not to be shared, but currently no notification requirement
HIPAA - officially applies only to Medical; effective with the HITECH Act, notification is now a requirement
PCI DSS - if anyone is a merchant, they should be using CyberSource
FACTA/Red Flag - not really IT/info protection, more about info verification
GLBA - not many areas impacted
Mass. reg - everyone/anyone at MIT with ‘personal info’ as defined by the Mass. law passed almost 2 years ago. “One of the most far-reaching information security requirements anywhere in the US”
In addition to these policies, MIT also has the IS&T Info Security web pages and a PCI compliance program. WISP work built on the foundation of the work the PII program had been doing to identify where SSN was used at MIT.
Monique: Data falls into 3 levels at MIT. High risk data includes data that, if exposed, requires us by law to notify the persons affected. In the MA regs, the definition of personal information is: a resident’s name (first and last, or first initial and last name) in combination with any one or more of the following data elements: SSN, driver’s license or state-issued ID card number, financial account or credit card number (with or without security code, access code, PIN or password). At MIT we also include such info as health information, student information (including prospective students), date of birth, and donor info. Medium risk data covers items employees or non-employees have a business need to have access to, such as research details, library transactions, personnel information, contracts, facilities data, network logs. Low risk is information that is generally open to those with a need to know and whose protection is at the discretion of the data custodian.
Monique: Accidents (which can also be termed “unauthorized disclosure”) are by far the #1 cause of breaches involving notification. Unauthorized disclosure is the exposure of data to those not authorized to view such data. This can happen through losing computers/hard drives containing data, weak passwords, or social engineering. To be clear, this type of exposure is due to data owners not protecting the data in a manner that reduces its exposure. Protecting data by not having it eliminates trying to plug all the holes caused by malware, viruses, and human error. The Adam Dodge report states that 49% of reported breaches (2008) by universities were due to unauthorized disclosure or data loss. That said, the highest number of records exposed is by far due to deliberate attacks. Attacks are listed in ESI as 51%. This includes items such as employee fraud, impersonation, penetration, and theft. Campana Report: 24% of breaches at universities were characterized as resulting from an attack (penetration) on info systems. [Discuss some statistics from this report.] QUESTION TO AUDIENCE: Do you know when breaches in higher ed most occur? Answer: finals weeks of fall and spring; fewest when students are not around. TALKING POINT: If there is a data breach, what do you do? Do you have a procedure to follow?
Monique: I recently heard RISK described as the following equation (this came from a Wall St. company): Risk = hazard + outrage. The RISK of data exposure at MIT is primarily the name associated with a breach, not really identity theft. That said, there is a potential risk, depending on what type of data was exposed. MIT deals with many types of data, including health records, research data (some of it very classified information), credit card numbers and other identifying information. The combination of the types of data exposed will determine the level of risk to individuals whose data was exposed. Will MIT be deliberately attacked? Probably not. The value of data is falling - an SSN is now .50 => hackers are really targeting the big data sources (Heartland). HOWEVER, if there is a small accidental spill, that may get MIT’s name in the paper. Within my team we hear of potential breaches all the time, often including SSNs, and occurring because of human error. We have yet to find an incident in the past few years of data falling into the hands of unauthorized persons, but with the types of incidents we’re seeing, it seems only a matter of time. STORIES: An Ivy League school that lost a 7-figure donation after a breach. (president’s visit Fri.) The husband of Susan Hockfield had to be notified that his data was at risk recently; would you want to be the administrator who makes that call?
Allison: Brief review - web forms with SSN, authorization lists, securely destroying (e.g. secure delete on PC) [ask how many provide? If your customers came to you re: secure delete, what would you say?], protecting (e.g. PGP).
Allison: Emphasize - not an IT responsibility, but IT can certainly contribute to a team effort, working with business owners to figure out where data exists, to provide the right kind of tools (e.g. PGP, secure delete, IdentityFinder) and processes, e.g. correct disposal of equipment.
Allison: Review - if you are working with any of these processes, keep your antennae out for possible PII.
Monique: The message we’re hammering home, in case you haven’t noticed, is that if you don’t have an immediate business need to have the data locally or to have access to it, don’t. It is NOT illegal to have SSNs or other sensitive info, but there are legal consequences if they are lost. Get a handle on the data by setting controls for sensitive and proprietary information. It’s impossible to do if you don’t know where the data is. If the controls aren’t in place, don’t keep the data. Ask folks what they are doing now re: secure delete on PCs.
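A small discovery check in the spirit of the Mass. definition quoted in the data-levels note and the "know where the data is" point here, as an added example that is not part of the original presentation or of any MIT/IS&T tool: it flags records where a name appears together with an SSN, license number or Luhn-valid card number. The sample records, the Massachusetts license format (one letter plus eight digits) and the name heuristic are assumptions.

```python
import re
# Constructed sample records for the demo: hypothetical people and numbers only.
SAMPLE_RECORDS = [
    "Jane Doe, SSN 123-45-6789, parking permit renewal",
    "J. Smith card 4111 1111 1111 1111 exp 12/26",
    "Research log: network latency 42ms, host lab-07",
    "Bob Jones, MA DL S12345678, accident insurance claim",
    "Order 4111111111111112 from vendor",                     # fails Luhn, no name
    "Reimbursement to account 4111 1111 1111 1111, dept 42",  # card but no name
]

# Data elements from the Mass. definition quoted in the notes. The license
# format (one letter + 8 digits) and the name heuristic are assumptions.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
MA_DL_RE = re.compile(r"\b[A-Z]\d{8}\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")
NAME_RE = re.compile(r"\b(?:[A-Z][a-z]+|[A-Z]\.) [A-Z][a-z]+\b")

def luhn_ok(digits: str) -> bool:
    """Luhn checksum; rejects most random digit runs that merely look like cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def find_elements(text: str) -> list:
    """Which Mass. data elements (SSN, license, card number) appear in one record."""
    found = []
    if SSN_RE.search(text):
        found.append("ssn")
    if MA_DL_RE.search(text):
        found.append("drivers_license")
    if any(luhn_ok(re.sub(r"\D", "", m.group())) for m in CARD_RE.finditer(text)):
        found.append("card_number")
    return found

def classify(text: str) -> tuple:
    """'high' = name + data element (notification definition); 'review' = element, no name."""
    elements = find_elements(text)
    if not elements:
        return "none", elements
    return ("high" if NAME_RE.search(text) else "review"), elements

def scan(records) -> dict:
    """Triage map of record index -> classification for a data custodian."""
    return {i: classify(r) for i, r in enumerate(records)}
```

The "high" hits are the records a custodian must either justify a business need for or delete; "review" hits are data elements that still deserve a look even though no name sits beside them.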
Monique:
Updates: If you are not sure, check with IT personnel. These should be occurring automatically, without your intervention needed (besides perhaps accepting the updates as they occur).
Passwords: For tips on strong passwords, see the handout and the Security site. When was the last time you changed your passwords, or your Kerberos password?
Sharing sensitive data: Avoid sending sensitive data via email; instead put it onto a password-protected shared server and remove it when it is no longer needed, or use a VPN connection, which encrypts traffic (check with IT if you need info on VPN). Email can be lost in transit, can be sniffed if going to a non-MIT address, and data can remain in emails long after you’ve deleted it from stored places or be forwarded to others (no control).
Destroying data: there is some information online about both shredding paper and deleting files. Look in the handouts for all these resources.
Monique: You shouldn’t be worried about asking for help from IT. Regardless of how IT people are often characterized on TV, they’re not all unhelpful and sarcastic (if you’ve ever seen the SNL skit). Ask for their help; that’s what they’re there for. It’s better to be safe than sorry. Focus on areas where the risk of losing many records is high.
Monique: Communicate with others on these items. Consult with Business Process Owners re: the ‘purpose’ of sensitive info - don’t be afraid to ask why. Again, have a business continuity plan in place in case you ever need to respond to or report a data breach. Know who to report to and who should be doing the reporting. Know the steps to take if you think a system was breached.