Data Breach: How to Get Your Campus on the Front Page of the Chronicle?
CCCU Tech Conference
May 30, 2006 – June 2, 2006
Cedarville University
David W. Tindall
Assistant Vice President for Technology Services
Seattle Pacific University
Agenda:
• Part I - Tabletop exercise in reviewing and assessing issues about data breaches.
• Part II - Identify next steps and understand the legal and practical implications.
• Part III - Summary of recommendations.
Part I
• “you was hacked…”
Part II
• Did we have a data breach? How do we know?
• Have we stopped the exposure?
• Can we assess the level of data loss?
• What’s the appropriate level of university involvement (VP’s, President, legal counsel, Board members)?
• Should we call the police/FBI?
• What is required to preserve evidence?
• What are the legal implications?
• What should be done to restore the web server?
• How should we deal with the press and/or news media? Do you have an emergency response plan?
• What level of notification is required?
• What do you tell others at the campus?
Part III - A
• Sensitive Personal Information (SPI) as defined by federal and local laws: names, addresses or phone numbers combined with any of the following
  – SSN or taxpayer ID#
  – Credit Card #
  – Driver’s License #
  – Date of birth
  – Financial/salary data
• Medical or health information protected under HIPAA
• Student information protected under FERPA
• Information under Gramm-Leach-Bliley and Sarbanes-Oxley
• Access codes, usernames or passwords that would permit access to systems or resources with SPI
• Other legal records
Part III - B
• Centralized server, centralized data
• Distributed servers, decentralized data
• Awareness, discussion and training
  – Computer use policies
  – FERPA training before access is granted
  – Audit current systems and applications
• Scrub/data mine systems, central storage, etc…
  – Look at email messages
  – Faculty grade books
  – Budget planning documents/worksheets
• Assess areas of risk
  – Hacking, exploits, unpatched systems
  – Worms, spam, phishing, spyware/malware
  – Theft of equipment
  – Insufficient controls and access policies for SPI
  – Failure on the part of 3rd parties
  – Disgruntled employee or student
  – Inadequate or poor design and implementation of software and systems
  – Follow the data!!
  – Greater control of desktop and laptop systems (encryption, etc…)
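The “scrub/data mine systems” step above, combined with the Part III - A definition of SPI (contact details combined with an identifier such as an SSN, card number or date of birth), can be turned into a simple discovery scan that an IT group can run over grade books, budget worksheets and mail exports before an incident rather than after one. The following is an added example and not material from the slides or from CCISC; the sample text, the two-name “directory”, and the SSN, card, phone and MM/DD/YYYY date formats are constructed assumptions (driver’s license formats vary by state and are not attempted, and real name matching would draw on the campus directory).

```python
import re
from dataclasses import dataclass

# Identifier patterns from the Part III-A list (formats are assumptions).
# SSN: area not 000/666/9xx, group not 00, serial not 0000.
SSN_RE = re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# Card: 13-16 digits, optionally separated by spaces or hyphens; the Luhn
# check below weeds out most random digit runs that merely look like a PAN.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")
# Date of birth as MM/DD/YYYY (assumed format).
DOB_RE = re.compile(r"\b(?:0[1-9]|1[0-2])/(?:0[1-9]|[12]\d|3[01])/(?:19|20)\d{2}\b")
# Contact detail: US-style phone number. Names are matched against a
# directory set passed by the caller, since free-text name detection is unreliable.
PHONE_RE = re.compile(r"\b\d{3}[ .-]\d{3}[ .-]\d{4}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


@dataclass
class Finding:
    line_no: int
    identifiers: list   # e.g. ["ssn", "card", "dob"]
    contact: list       # e.g. ["name", "phone"]

    @property
    def is_spi(self) -> bool:
        # Part III-A: contact info *combined with* an identifier is SPI.
        return bool(self.identifiers) and bool(self.contact)


def scan_text(text: str, directory: set) -> list:
    """Return one Finding per line that carries an identifier or contact detail."""
    findings = []
    for n, line in enumerate(text.splitlines(), start=1):
        ids = []
        if SSN_RE.search(line):
            ids.append("ssn")
        for m in CARD_RE.finditer(line):
            digits = re.sub(r"\D", "", m.group())
            if 13 <= len(digits) <= 16 and luhn_ok(digits):
                ids.append("card")
                break
        if DOB_RE.search(line):
            ids.append("dob")
        contact = []
        if any(name in line for name in directory):
            contact.append("name")
        if PHONE_RE.search(line):
            contact.append("phone")
        if ids or contact:
            findings.append(Finding(n, ids, contact))
    return findings


# Constructed sample: a grade book export, a budget sheet line and an advising note.
SAMPLE_TEXT = """\
CS101 grade book - midterm scores
Jane Doe, 123-45-6789, midterm 88
John Smith, 206-555-0100, midterm 92
Budget worksheet: office supplies 1,450.00 PO 4111 1111 1111 1111
Reminder: lab safety training Friday
DOB on file 03/14/1987 for advisee
"""
DIRECTORY = {"Jane Doe", "John Smith"}   # constructed stand-in for the campus directory

if __name__ == "__main__":
    for f in scan_text(SAMPLE_TEXT, DIRECTORY):
        flag = "SPI" if f.is_spi else "identifier/contact only"
        print(f"line {f.line_no}: {flag} ids={f.identifiers} contact={f.contact}")
```

Lines that carry an identifier without a contact detail (the card number in the budget sheet, the bare date of birth) are reported too: under the slides’ own “don’t extract SPI data from the ERP” rule they still mark a file that should not be sitting on a desktop or in mail, even if the legal SPI definition is not met on that one line.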
Part III - C
Recommendations from CCISC
• Electronic storage and disposal
  – Don’t store SPI data on a PDA, laptop, desktop, floppy, USB
  – Don’t extract SPI data from the ERP
  – Don’t transmit without encryption
  – Discard data and media quickly and in a safe manner
• Day-to-day use
  – Don’t print it out unless required
  – Don’t take SPI data home
  – Shred paper when no longer needed
• Security
  – Lock computer when not in use
  – Don’t share username or passwords
  – Lock offices and file cabinets
  – Eliminate forms that ask for SPI whenever possible
  – Don’t print SPI on mailing labels, ID cards or other distributions
Questions or comments
Thank You!!