Legally Protected and Sensitive Data - PowerPoint PPT Presentation

Slides: 20
Provided by: itcVir

Transcript and Presenter's Notes

1
Legally Protected and Sensitive Data
  • Know Your Data

2
Embarrassed? Nah!
  • Doh! The Most Disastrous E-Mail Mistakes
    http://pcworld.about.com/news/Apr292002id93283.htm
  • Dumb and dumber moments in tech
    http://www.cnn.com/2004/TECH/ptech/02/05/bus2.feat.dumbest.moments/
  • Dumb business moments
    http://blog.seattlepi.nwsource.com/buzz/archives/004236.html
  • Where the Hell is My Laptop?
    http://www.business2.com/b2/web/articles/0,17863,513164,00.html

3
Bermuda Triangle
4
Information Flow in Your Workplace
  • Take off your techie hat
  • Put on your data hat
  • Start thinking about and listening to how
    information flows through your place of work

5
Let's talk about the data!
  • Do you need to have it?
  • Can the names be removed?
  • Is the information out of date? Can you purge
    it?

6
Are Universities Really Targets?
  • Confidential student, employee, donor and medical
    data have been stolen.
  • University computers have been used to launch
    attacks on businesses and the Federal government.
  • Research data have been compromised.
  • Networks and mail systems have been rendered
    useless for days.
  • University computers have been confiscated by FBI
    investigators.

7
Universities Really Are Targets
  • HACKER HITS CALIFORNIA UNIVERSITY: Officials at
    the University of California, Berkeley, this week
    said that a hacker had compromised the
    university's computer system and gained access to
    records on 1.4 million individuals in a research
    database. (CNET, 19 October 2004)
  • VITAL FILES EXPOSED IN GMU HACKING: A computer
    hacker apparently broke into a George Mason
    University database containing student and
    employee Social Security numbers, leaving 32,000
    people uncertain whether their finances or
    identities might be compromised. (Washington Post,
    11 January 2005)
  • DRUG RECORDS, CONFIDENTIAL DATA VULNERABLE: The
    confidential drug purchase histories of many
    Harvard students and employees have been
    available for months to any internet user, as
    have the e-mail addresses of high-profile
    undergraduates whose contact information the
    University legally must conceal, a Crimson
    investigation has found. (Harvard Crimson, 21
    January 2005)
  • HACKERS TARGET BOSTON COLLEGE ALUMNI DATABASE: A
    computer at Boston College with access to an
    alumni database has been found to be infected
    with a virus that may have exposed personal
    information on more than 100,000 individuals.
    (ZDNet, 17 March 2005)
  • STOLEN A LAPTOP AND 100,000 IDENTITIES: Someone
    brazenly walked into the graduate division of the
    University of California at Berkeley two weeks
    ago and stole a laptop. The thief walked off not
    only with a nifty technological device but also
    key identifying information, including Social
    Security numbers of nearly 98,369 people who
    either were or applied to be graduate students at
    Berkeley between 1976 and last year. (Inside
    Higher Ed, 29 March 2005)
  • U. OF MISSISSIPPI WEB PAGE SHOWED PERSONAL DATA:
    Officials at the University of Mississippi have
    removed files from their servers that included
    names and Social Security numbers for about 700
    students after being notified that the files were
    available to anyone on the Web. (MSNBC, 6 April
    2005)

8
How Might You Be Personally Affected?
  • You could lose access to the University's network
    and the Internet while a security breach is being
    investigated.
  • Keep in mind that computer attacks are crimes,
    and people can easily become unwilling
    accomplices just as they can be with other
    crimes. If your computer is used by someone else
    to commit a crime, you could find the FBI
    knocking on your door the next day. It happens,
    and it is serious business.

9
Types of Legally Protected Data: HIPAA, FERPA, GLBA
  • Health Insurance Portability and Accountability
    Act (Security Rule, Privacy Rule) -
    http://www.itc.virginia.edu/security/riskmanagement/appendixD.html
  • Family Educational Rights and Privacy Act -
    http://www.itc.virginia.edu/security/riskmanagement/appendixF.html
  • Gramm-Leach-Bliley Act -
    http://www.itc.virginia.edu/security/riskmanagement/appendixE.html

10
HIPAA
  • Does your department handle medical information
    that is combined in any way with personal health
    identifiers (PHI)?

11
PHI: Personal Health Identifiers
  • Names
  • All geographic subdivisions smaller than a
    State
  • All elements of dates (except year) for dates
    directly related to an individual
  • Telephone numbers
  • Fax numbers
  • Electronic mail addresses
  • Social security numbers
  • Medical record numbers
  • Health plan beneficiary numbers
  • Account numbers
  • Certificate/license numbers
  • Vehicle identifiers and serial numbers,
    including license plate numbers
  • Device identifiers and serial numbers
  • Web Universal Resource Locators (URLs)
  • Internet Protocol (IP) address numbers
  • Biometric identifiers, including finger and
    voice prints
  • Full face photographic images and any
    comparable images
  • Any other unique identifying number,
    characteristic, or code

12
FERPA: the protected list
  • Information such as grades, courses, days and
    times of course meetings, withdrawals,
    suspension, and month and day of birth CANNOT be
    disclosed without the student's permission. Such
    information needs to be protected not only from
    external release, but also from access by those
    within the University who do not have an
    authorized, job-related need to see it.

13
FERPA: the allowed list
  • student name
  • home and school addresses, telephone numbers,
    e-mail address
  • year of birth
  • country of citizenship
  • major(s)
  • school of enrollment
  • full or part-time status
  • year in school
  • participation in officially-recognized activities
    and sports
  • dates of attendance
  • degrees, honors, scholarships, and awards
    received
  • most recent previous educational institution
    attended
  • names of parents or guardians
  • weight and height of members of athletic
    teams

14
Examples of legally protected data and actions to
take
  • Example: A researcher in your department has
    recently received a grant to study foot injury
    induced by falling laptops. As a matter of
    course, NIH, which is funding the study, has given
    your researcher a record set containing names,
    social security numbers, patient numbers, types
    of injuries, and treatments. What should you do?

15
Examples of legally protected data and actions to
take
  • Recommendation: Ask the researcher if she can
    remove the names from the records, thus
    de-identifying the data. If so, HIPAA regulations
    do not apply. If names must remain, then the full
    weight of the regulation applies. You will need
    to track this data. If you decide to keep it
    housed in your department, you must know where it
    resides and whether the researcher has any plans
    to move or copy it for whatever reason. For
    example, if the data is moved or copied to a
    laptop for a presentation, the laptop must be
    secured, and the data must be removed from the
    laptop when the presentation is over. Further,
    the researcher must log on to the laptop as a
    unique user. Also, this data must be backed up.
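The de-identification step recommended above can be made mechanical. The following is an added example, not code from the original ITC slide deck: it takes a record set laid out like the one the researcher received (field names such as `ssn`, `patient_number` and `treatment_date` are assumptions about the layout), drops the direct identifiers from the PHI list on slide 11, reduces dates to the year and geography to the state, and then scans the free-text fields that remain for identifier-shaped values that would otherwise survive the cleanup. The sample records are constructed for the example.

```python
"""De-identify a health record set along the lines of the PHI list.

Added example (not part of the original presentation). Field names and
the sample records below are assumptions constructed for illustration.
"""
import re
from datetime import date

# Direct identifiers from the PHI list: names, SSNs, record/patient
# numbers, plan and account numbers, phone/fax/e-mail, vehicle and
# device identifiers, URLs, IP addresses, photographs.
DIRECT_IDENTIFIER_FIELDS = {
    "name", "ssn", "patient_number", "medical_record_number",
    "health_plan_id", "account_number", "phone", "fax", "email",
    "license_plate", "device_serial", "url", "ip_address", "photo",
}
# "All elements of dates (except year)": keep only the year.
DATE_FIELDS = {"birth_date", "admission_date", "treatment_date"}
# "All geographic subdivisions smaller than a State": drop these, keep state.
GEO_FIELDS_TO_DROP = {"street", "city", "zip"}

# Identifier shapes that tend to hide inside free-text notes fields.
RESIDUAL_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
}


def deidentify(record):
    """Return a copy of one record with direct identifiers removed,
    dates reduced to a year, and sub-state geography dropped."""
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIER_FIELDS or key in GEO_FIELDS_TO_DROP:
            continue
        if key in DATE_FIELDS and value:
            out[key + "_year"] = date.fromisoformat(value).year
            continue
        out[key] = value
    return out


def residual_identifiers(record):
    """List (field, pattern_name) pairs for identifier-like strings
    still present in any string field of a de-identified record."""
    hits = []
    for key, value in record.items():
        if not isinstance(value, str):
            continue
        for label, pattern in RESIDUAL_PATTERNS.items():
            if pattern.search(value):
                hits.append((key, label))
    return hits


def deidentify_all(records):
    """De-identify every record; also return the indices of records whose
    free text still carries identifiers and so need manual review."""
    cleaned, problems = [], []
    for index, record in enumerate(records):
        clean = deidentify(record)
        hits = residual_identifiers(clean)
        if hits:
            problems.append((index, hits))
        cleaned.append(clean)
    return cleaned, problems


# Constructed sample data (fictional people and numbers).
SAMPLE_RECORDS = [
    {"name": "Jane Doe", "ssn": "123-45-6789", "patient_number": "MRN-0001",
     "street": "1 Main St", "city": "Charlottesville", "state": "VA",
     "zip": "22903", "birth_date": "1980-05-17",
     "treatment_date": "2005-03-02", "injury": "fractured toe",
     "treatment": "splint", "notes": "Laptop fell from desk."},
    {"name": "John Roe", "ssn": "987-65-4321", "patient_number": "MRN-0002",
     "street": "2 Elm Ave", "city": "Richmond", "state": "VA",
     "zip": "23220", "birth_date": "1975-11-30",
     "treatment_date": "2005-03-09", "injury": "bruised foot",
     "treatment": "ice",
     "notes": "Reach patient at 804-555-0100; SSN 987-65-4321 on file."},
]

if __name__ == "__main__":
    cleaned, problems = deidentify_all(SAMPLE_RECORDS)
    for row in cleaned:
        print(row)
    for index, hits in problems:
        print(f"record {index} still contains identifiers: {hits}")
```

The second sample record shows why the free-text scan matters: the structured `ssn` column is dropped, but the same number typed into a notes field would otherwise ride along into the "de-identified" copy. Records flagged this way should be reviewed by hand before the set is treated as outside HIPAA's scope.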

16
Examples of legally protected data and actions to
take
  • Example: A professor has asked you to do some
    statistical analysis on the grades of his
    students. He gives you a thumb drive with the
    record sets, which include name, social security
    number, course, day and time of class, and birth
    date. You take the drive, copy the contents on
    to your workstation, and perform the analysis. You
    copy the analysis to the thumb drive and return
    it to the professor. What should you do?

17
Examples of legally protected data and actions to
take
  • Recommendation: According to FERPA, grades,
    courses, days and times of course meetings,
    withdrawals, suspensions, and month and day of
    birth cannot be released without the student's
    permission. So, by the nature of the data, you
    have legally protected data. The professor's
    workstation, like yours, needs to be protected
    with a strong password that is periodically
    changed. It is even better if the professor is
    working off of a networked share on a server that
    you maintain. Your server must be located in a
    physically secure area. Any system that houses
    this data must be patched in a timely manner with
    software updates and new virus definitions. Any
    system that houses this data must require a
    unique identifier associated with one person. The
    thumb drive needs to have this data removed after
    the professor has finished using it. Also, when
    the thumb drive is at end of life, it must be
    disposed of properly. For more information about
    hardware disposal, see Electronic Data Removal
    Policy and Procedures.

18
You CAN Really Make a Difference
  • Become familiar with threats and safeguards
  • Take security awareness training
    (https://whois.virginia.edu/security)
  • Use safe computing practices
  • Follow ITC's Quick Tips
    (http://www.itc.security/checklistforPCs.phtml)
  • Take physical security precautions as well
  • Diligently safeguard sensitive data
  • Don't store sensitive data on laptop or desktop
    computer hard drives or removable media
  • If you must, encrypt it
  • Properly dispose of hard drives and removable
    media
  • Protect home computers as well
  • Understand each employee's responsibility to
    abide by University computing policies and
    relevant laws and regulations. If unsure what
    this means, ask questions.

19
How is the University Responding?
  • Risk Management Program
  • IT Auditing Group
  • Inventory of Sensitive Data
  • Online Training Tool -
    https://whois.virginia.edu/cgi-ruby/itsaquiz