TRANSCRIPT
The UH Information Security Policy & YOU
Jodi Ito, Information Security Officer, ITS
Agenda
• Intellectual Property (IP) and Personal Information (PI) working definitions
• Need to Protect IP & PI
• PI Hawaii State Laws
• UH Executive Policy E2.214: Security & Protection of Sensitive Information
Intellectual Property (IP)
• From the World Intellectual Property Organization (WIPO):
“Intellectual property refers to creations of the mind: inventions, literary and artistic works, and symbols, names, images, and designs used in commerce”
Need to Protect IP
• $$$$$$$!!
• Industrial Espionage
• Recent articles - spying by China
http://apnews.myway.com/article/20071115/D8SU6FE80.html
http://www.washingtonpost.com/wp-dyn/content/article/2007/11/15/AR2007111501099.html
The US-China Economic and Security Review Commission's annual report to Congress says:
"Chinese espionage activities in the US are so extensive that they comprise the single greatest risk to the security of American technologies."
Personal Information
Hawaii State Law definition:
"Personal information" means an individual's first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted: (1) Social security number; (2) Driver's license number or Hawaii identification card number; or (3) Account number, credit or debit card number, access code, or password that would permit access to an individual's financial account.
PI or not PI?
• J. Smith: 555-66-777
• J. Smith: (808) 999-8888
• John Smith: 123 University Avenue
• John S.: 555-66-7777
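As an added example that is not part of the presentation, the following Python applies the statutory test above to constructed records: a name (first name or first initial plus a last name) combined with a listed data element, where the name and the elements are not both encrypted. The record layout, the element names and the account-number length check are assumptions made for illustration.

```python
import re
from dataclasses import dataclass, field

# Added example (not from the presentation): applies the Hawaii statute's
# "personal information" test to constructed records. A record is PI when a
# name (first name or first initial plus a last name) is combined with at
# least one data element (SSN, driver's license or Hawaii ID number, or a
# financial account number / access code / password) and either the name
# or the data elements are stored unencrypted.

SSN_RE = re.compile(r"^\d{3}-\d{2}-\d{4}$")      # 9 digits, dashed
ACCOUNT_RE = re.compile(r"^\d{12,19}$")           # assumed card/account length
INITIAL_RE = re.compile(r"^[A-Za-z]\.?$")         # "S" or "S." is an initial
STATUTORY_ELEMENTS = {"ssn", "drivers_license", "hawaii_id",
                      "account", "access_code", "password"}

@dataclass
class Record:
    first: str                       # first name or first initial
    last: str                        # last name ("S." is only an initial)
    elements: dict = field(default_factory=dict)   # element kind -> value
    name_encrypted: bool = False
    elements_encrypted: bool = False

def has_qualifying_name(rec: Record) -> bool:
    """First name or initial AND a full last name; a last initial does not count."""
    first, last = rec.first.strip(), rec.last.strip()
    return bool(first) and bool(last) and not INITIAL_RE.match(last)

def qualifying_elements(rec: Record) -> list:
    """Element kinds present that the statute lists; phone/address never qualify."""
    found = []
    for kind, value in rec.elements.items():
        if kind not in STATUTORY_ELEMENTS or not value:
            continue
        if kind == "ssn" and not SSN_RE.match(value):
            continue                      # malformed SSN (wrong digit count)
        if kind == "account" and not ACCOUNT_RE.match(value):
            continue
        found.append(kind)
    return found

def is_personal_information(rec: Record) -> bool:
    """True when name + element are present and not both are encrypted."""
    if not has_qualifying_name(rec) or not qualifying_elements(rec):
        return False
    return not (rec.name_encrypted and rec.elements_encrypted)

def find_pi(records):
    """Indexes of records that would trigger the notification duty if exposed."""
    return [i for i, r in enumerate(records) if is_personal_information(r)]
```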
Misuse of Personal Information
• Financial Fraud & ID Theft
• Open new credit accounts
• Write counterfeit checks against your accounts
• Unauthorized credit card purchases via phone or Internet
• Commit other acts of financial fraud
Other Misuses of Your Information
• Obtain official identification in your name
• Get a job in your name
• File fraudulent taxes in your name
• Ruin your financial & credit record
Protecting Your Own Information
• Annual credit check: http://www.annualcreditreport.com
• Opt-out: 1-888-567-8688 http://www.optoutprescreen.com
• Use a cross-cut shredder to destroy personal information
• Use locking mailboxes / use US postal mailboxes for outgoing mail
• Ensure receipt of & review monthly statements
More Tips
• Don't respond to unsolicited requests for personal information
• Beware of scams
• Change your passwords regularly
• Online shopping: make sure shopping websites are secured
• Secure your computer
• Securely erase personal information stored on your computer
• Beware of peer-to-peer applications
Hawaii State Laws
• 2006: new state laws regarding identity theft
http://starbulletin.com/2006/05/26/news/story06.html
New State Laws
• Social Security Number Protection (HRS 487J)
• Security Breach Notification (HRS 487N)
• Destruction of Personal Information (HRS 487R)
• Security Freeze (HRS 489P-1, 489P-2, 489P-3)
• Reporting requirements
Social Security Number Protection
• Effective July 01, 2007
• Restricts businesses and government agencies from disclosing SSNs to the general public
• http://www.capitol.hawaii.gov/hrscurrent/Vol11_Ch0476-0490/HRS0487J/
Security Breach Notification
• Effective January 01, 2007
• Businesses & government agencies must notify individuals if their personal information has been compromised by unauthorized access/disclosure
• http://www.capitol.hawaii.gov/hrscurrent/Vol11_Ch0476-0490/HRS0487N/
Destruction of Personal Information Records
• Effective January 01, 2007
• Businesses & government agencies need to properly dispose of "personal information"
• http://www.capitol.hawaii.gov/hrscurrent/Vol11_Ch0476-0490/HRS0487R/
Security Freeze
• Victim of identity theft can place a “security freeze” on their credit information
• "Fraud Alert" vs. "Security Freeze"
• http://www.capitol.hawaii.gov/hrscurrent/Vol11_Ch0476-0490/HRS0489P/HRS_0489P-.HTM
Reporting Requirements
“A government agency shall submit a written report to the legislature within twenty days after the discovery of a material occurrence of unauthorized access to personal information records in connection with or after its disposal by or on behalf of the government agency.”
E2.214: The New UH Information Security Policy
Why the New Policy?
• Audit compliance & accountability
• UH "breach" June 2005: http://www.hawaii.edu/idalert/
• UH General Confidentiality Notice: http://www.hawaii.edu/ohr/docs/forms/uh92.pdf
UH Information Security Policy
• System-wide policy: E2.214: “Security & Protection of Sensitive Information”
• Signed by President McClain on November 21, 2007
• Encompasses handling of “sensitive” information
• Online at: http://www.hawaii.edu/apis/ep/e2/admin.html
Policy Overview
• Defines classifications of information:
  • Private
  • Sensitive
• Defines roles and responsibilities:
  • Steward
  • Custodian
  • User
Overview - continued
• Collection, access, & handling of information:
  • At rest
  • In transit
  • Disposal
• ITS recommendations for "tools"
• Breach Notification (mandated by state law)
Data Classification
• Public
• Sensitive (examples - not all encompassing)
  • Student records (FERPA)
  • Health information (HIPAA)
  • Personal financial info
  • SSN
  • Date of Birth
  • Private home addresses & phone numbers
  • Driver's license numbers & State ID numbers
  • Access codes, passwords, PINs, etc.
  • And more…
Roles & Responsibilities
• Information Resource Stewards
• Data Custodians
• User
• Sign UH Confidentiality Notice
Information Resource Stewards
• Senior administrators responsible for functional operations
• Responsible for granting access to and classifying data
• Responsible for minimizing use and exposure
• May also function as data custodians
Data Custodians
• Managers/administrators of systems or media on which sensitive information resides
• Responsible for implementing and administering controls over the resources in accordance with all policies
• Downloading of sensitive information by a user makes them a “custodian”
Users
• Individuals granted access to sensitive information as required by their professional responsibilities
• Responsible for understanding and complying with applicable UH policies, procedures and standards for dealing with sensitive information
Access
• Granted by Steward or Designee
• Process by which access is requested
• Should be on a "need-to-know" basis
• Access must be terminated immediately upon job change or resignation/termination
Transmission - Paper
• Delivered in sealed envelope
• Clearly marked for the intended recipient
• Marked "CONFIDENTIAL"
• Faxes must be promptly retrieved and protected at both ends
Transmission - Electronic
• Sensitive information must not be sent “in the clear” including in email & attachments
• Use secure web servers when using web technologies to access sensitive information
• Use “encryption” when doing digital transmissions
Email Transmission
• Minimize use of email for sending of sensitive information
• Use special care to ensure only intended recipient gets the email
• Both sender and receiver should delete email as soon as possible
• Sender should include a notice in the email informing the recipient that it contains sensitive information and requesting appropriate handling
Email Notice
CONFIDENTIALITY NOTICE: The contents of this email message and any attachments are intended solely for the addressee(s) and may contain confidential and/or privileged information and may be legally protected from disclosure. If you are not the intended recipient of this message or their agent, or if this message has been addressed to you in error, please immediately alert the sender by reply email and then delete this message and any attachments. If you are not the intended recipient, you are hereby notified that any use, dissemination, copying, or storage of this message or its attachments is strictly prohibited.
Electronic Storage
• Sensitive information should be stored only when specifically required and on as few systems/media as possible
• Systems must comply with basic computer security standards
• Use encryption as much as possible
• If stored unencrypted, systems must be in physically secure and controlled environments
• De-coupling of data
Mobile Devices
• Does it need to be stored on a mobile device??
• ENCRYPT, Encrypt, encrypt!
• Physically secure devices as much as possible
• Examples of mobile devices:
  • Laptops
  • CDs/DVDs
  • Flash drives
  • External portable drives
  • PDAs
  • Cell phones
  • Mobile media players (iPods, MP3 players, etc.)
  • Magnetic tapes
Destruction
• Paper: use cross-cut shredders or contract shredding companies with credentials
• Electronic:
  • Erasable: Secure deletion tools (see ITS recommendations)
  • Unerasable: Physical destruction
Tools & Information
• http://www.hawaii.edu/askus/729 "Information Security" section
• Securing Your Desktop Computer: http://www.hawaii.edu/askus/593
• UH Filedrop: http://www.hawaii.edu/askus/673
• Encryption
  • Windows: http://www.hawaii.edu/itsdocs/win/gswwindowsencryption.pdf
  • Macs: http://www.hawaii.edu/askus/676
• Securely Deleting Electronic Information: http://www.hawaii.edu/askus/706
  • Windows: http://www.hawaii.edu/itsdocs/win/secureerasewin.pdf
Notification of Breaches
• Must notify all affected individuals
• Reported to the Legislature
• Timely notice
• Contents: clear & conspicuous and include:
  • Description of incident
  • Type of information that was disclosed
  • Remediation and prevention actions taken
  • Telephone number and email address to call for further information & assistance
  • General advice on protection against identity theft
• Example: www.hawaii.edu/idalert
Recommended System Configurations
• Do you REALLY need to keep that INFO?
• Minimize physical access
• Minimize technological access
  • Password protected with "secure password"
  • Firewall, network IPS, host IPS, etc.
  • Private IP addresses
• Frequently & routinely update OS and applications (install patches on a regular basis)
• Check access logs daily
Backups
• Backup of sensitive information must be protected
• Transmission of backups of sensitive information must be protected