Data Breach: How to Get Your Campus on the Front Page of the Chronicle?

Upload: rosanna-sims

Post on 14-Jan-2016



CCCU Tech Conference

May 30, 2006 – June 2, 2006

Cedarville University

David W. Tindall

Assistant Vice President for Technology Services

Seattle Pacific University


Agenda:

• Part I - Tabletop exercise in reviewing and assessing issues about data breaches.

• Part II - Identify next steps and understand the legal and practical implications.

• Part III - Summary of recommendations.


Part I

• “you was hacked…”


Part II

• Did we have a data breach? How do we know?
• Have we stopped the exposure?
• Can we assess the level of data loss?
• What’s the appropriate level of university involvement (VPs, President, legal counsel, Board members)?
• Should we call the police/FBI?
• What is required to preserve evidence?
• What are the legal implications?
• What should be done to restore the web server?
• How should we deal with the press and/or news media? Do you have an emergency response plan?
• What level of notification is required?
• What do you tell others at the campus?


Part III - A

• Sensitive Personal Information (SPI) as defined by federal and local laws
• Names, addresses or phone numbers – combined with any of the following
  – SSN or taxpayer ID#
  – Credit Card #
  – Driver’s License #
  – Date of birth
  – Financial/salary data
• Medical or health information protected under HIPAA
• Student information protected under FERPA
• Information under Gramm-Leach-Bliley and Sarbanes-Oxley
• Access codes, usernames or passwords that would permit access to systems or resources with SPI
• Other legal records


Part III - B

• Centralized Server, Centralized data
• Distributed Servers, decentralized data
• Awareness, discussion and training
  – Computer use policies
  – FERPA training before access is granted
  – Audit current systems and applications
    • Scrub/data mine systems, central storage, etc…
    • Look at email messages
    • Faculty grade books
    • Budget planning documents/worksheets
• Assess areas of risk
  – Hacking, exploits, unpatched systems
  – Worms, spam, phishing, spyware/malware
  – Theft of equipment
  – Insufficient controls and access policies for SPI
  – Failure on the part of 3rd parties
  – Disgruntled employee or student
  – Inadequate or poor design and implementation of software and systems
  – Follow the data!!
  – Greater control of desktop and laptop systems (encryption, etc…)


Part III - C

Recommendations from CCISC

• Electronic storage and disposal
  – Don’t store SPI data on a PDA, laptop, desktop, floppy, USB
  – Don’t extract SPI data from the ERP
  – Don’t transmit without encryption
  – Discard data and media quickly and in a safe manner
• Day-to-day use
  – Don’t print it out unless required
  – Don’t take SPI data home
  – Shred paper when no longer needed
• Security
  – Lock computer when not in use
  – Don’t share username or passwords
  – Lock offices and file cabinet
  – Eliminate forms that ask for SPI whenever possible
  – Don’t print SPI on mailing labels, ID cards or other distributions


Questions or comments

Thank You!!