Data Security Staff Education
ELCA Data Security Committee Background
• Audit
• Data Security Committee
The Problem!
• Firewall
• Email/portable devices/reports
Hacking Techniques – What they are after:
• Money! €€€€
• Looking for personal information for financial gain
• Becoming more organized and business-like
• Common revenue channels:
  • Phishing (not just financial services)
  • Spam distribution
  • Botnet hire
  • Extortion ££££ $$$$ ¥¥¥¥
Data Classification
Systems and data are classified into three sensitivity classifications with separate handling requirements: PUBLIC, RESTRICTED, CONFIDENTIAL.
Case Briefs
• Little Rock: Insider intrusion of Acxiom Corp, $7 million loss, 8 subjects convicted.
• A former Pfizer employee: class action lawsuit against the company over personal data that was exposed on the Internet. The data made their way to the Internet through a file-sharing program that had been installed on a Pfizer-owned laptop by an employee's spouse.
• Phoenix: Intrusion of a state information system, resulting in 3 deleted databases. Subject traced to Denmark.
• Oklahoma City: Intrusion of a local bank, resulting in stolen customer IDs.
• New Haven: Phishing case with international ties. Over $150,000 loss to victims.
• Ohio: Theft of a data storage device holding personally identifiable information of more than one million Ohio residents. The device was stolen from the car of a department worker. The report also notes that a February 2007 audit indicated that sensitive data were accessible on a shared drive on the facility’s intranet, but no steps were taken to mitigate that problem.
Personal Identity Information (PII) Used by Staff
• Data with names and addresses
• Data with Social Security information
• Data with credit card information
• Data with any financial/contractual information
• Other unit-specific information
Guidelines for Managing PII – What management can do:
• Review access profiles on a monthly basis to ensure all terminated employees have been removed and all active employee access is appropriate.
• Set systems access profile at the minimum required for the employee to carry out job duties.
• If temporary access is required, ensure it is revoked in a timely manner.
• Reinforce that passwords are not to be shared under any circumstances.
Guidelines for Managing PII – What you can do:
• Use caution: If you are logged into your desktop, set your screen to default to require a sign-in after three minutes or sooner.
• Protect the data: Never leave any reports containing PII or confidential data on your desk or viewable on your monitor when you are away from your desk.
• Know the policy: Do not download any PII or confidential information unless it is absolutely necessary for the execution of your job responsibilities.
• Password policy: Passwords are not to be shared or posted under any circumstances.
PII & Your Computer
• Desktop C-Drive: Confidential data residing on the “C Drive” is not protected by backup procedures and, as a result, no PII should be stored on this drive.
• Laptop C-Drive: Do not disable any passwords needed to access your laptop. Use hard-to-guess passwords for your personal login.
• Laptop users: Laptop users should use passwords on all documents containing PII.
• Security assistance: If you need access to PII and create many documents containing PII, please contact IT for assistance with security.
PII & Confidential Data – Shared Drives
• If your unit has PII residing on shared folders, ensure that only authorized staff have access to that folder.
• Limit write capability to that folder.
• Contact IT about other security measures such as passwords or encryption for confidential information.
PII & Confidential Data – What you can do (Excel spreadsheets, Word documents, email):
• Be aware that documents can include PII. If not essential to the purpose of the report, do not include this information. If PII is required for the report, do not email PII or confidential data to any source, internal or external. Consider adding a password to electronic documents.
• When distributing Word or Excel documents internally, distribute on a “need to know” basis.
• Note that documents containing this information are confidential and should be kept in a locked filing cabinet and shredded when no longer needed.
Secure Transmission Tips
• “Secure connection” = no third-party eavesdropping
• https = a secure web connection
  • Look for the “s” in the URL of a website.
  • Typically, also the icon of a closed padlock.
  • Doesn’t mean the site can be trusted, only that the connection to it is secure (encrypted).
• VPN = Virtual Private Network
  • A secure (encrypted) connection to a trusted network, using special software on your computer.
Laptop Security Procedures
• If leaving a laptop unattended, log out or turn the laptop off. Use your cable lock to attach the laptop to a table or desk.
• Never leave your laptop in your car. Lock it in the trunk and use your cable lock to secure it to a permanent vehicle mount.
• Do not keep documents with PII beyond the date of use.
• If owned by the ELCA, FO, Women of the ELCA or MIF, the laptop must have an asset tag.
• If a laptop is lost or stolen, report it to IT and OS immediately.
• Assure that you are getting regular updates to the antivirus software.
• Use a complex password – include upper and lower case letters and numbers. Don’t write passwords down and store them with your laptop.
• Don’t share passwords with others.
Remote Access – What management can do:
• Ensure that the employee needs remote access to perform or enhance job-related duties, and that the Remote Access form is completed with all requested information.
• Educate: Ensure staff is educated about the ELCA’s remote access policy.
• Review access: Review access profiles as requested to ensure all terminated employees have been removed and all active employee access is appropriate.
• Temporary access: If temporary access is required, ensure it is revoked in a timely manner.
Remote Access – What employees can do:
• Submit form: Fully outline the need for remote access.
• When using: Follow all the duties, requirements and restrictions outlined in the ELCA’s Remote Access policy.
• Inform: Inform your supervisor immediately when remote access is no longer needed.
ELCA Policy – Downloading Information to Portable Media Devices
• Downloading ELCA information to portable devices such as laptops, memory sticks and PDAs should be done only on an as-needed basis.
• Employees using a laptop must be aware of the documents in their folders that include confidential or restricted information and protect them from theft.
PII & Confidential Data Residing on Portable Media Devices – What employees can do:
• Identify the information to be downloaded.
• Inform your manager of your intentions and obtain permission.
• Inform IT to ensure all the downloaded data is properly protected by passwords or encrypted devices.
• Eliminate all downloaded data when no longer needed.
“Never download confidential or PII data onto a portable media device unless it is absolutely necessary to perform your job related duties.”
Policy – PII or Confidential Data in Paper Form
What management can do:
• Ensure staff is informed that all print-outs containing PII or confidential data are handled in accordance with ELCA policy (being developed). This policy will require all paper documentation containing PII or confidential data to be stored in a locked file cabinet and shredded when no longer needed.
• Periodically “walk” the department to ensure that no PII or confidential information is left exposed.
What employees should do:
• Do not print anything containing PII or confidential information unless it is absolutely necessary.
• If a report containing PII or confidential information needs to be distributed, ensure that it is distributed on a “need to know” basis – remind the recipient of the confidential nature and the policy for storage and destruction.
• If it is necessary to print anything containing PII or confidential data, ensure it is never left unattended, is stored in a locked file cabinet when not being used, and is shredded when no longer needed.
Practices – Requesting Reports
What management can do: Ensure staff is instructed to be very specific in requesting reports from IT or unit staff, so that any preformatted PII or confidential information that is not needed is excluded from the report.
What employees can do: Be very specific when requesting reports from IT or creating your own. Many preformatted reports contain excess information (including PII and confidential data) that may not be needed.
Records Retention – PII & Confidential Data
What management can do: Ensure all documentation sent to records retention is shredded in the presence of a staff member when it is no longer needed under record retention rules.
What employees can do: Ensure all data that is no longer needed on site, but must be retained for a period of time, is sent to records retention in a timely manner.
PII or Confidential Data Shared with a Third Party
• Assure that a confidentiality agreement exists between the third party and the ELCA.
• Ensure only necessary information is included in the shared data.
• Ensure that the data is handled as stated in the agreement.
• Contact the Office of the Secretary for assistance with this agreement.
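The guidance on documents and email, and on requesting reports that carry no unneeded PII, comes down to knowing what a file contains before it leaves your hands. The script below is an added example, not from the ELCA deck: it scans report text for US Social Security numbers and payment-card numbers (card candidates are checked with the Luhn algorithm so invoice and phone numbers do not trigger it) and masks all but the last four digits of each hit. The sample report is constructed; the card number 4111 1111 1111 1111 is a standard test number, not a real account.

```python
"""Scan report/document text for PII before it is emailed or distributed
(added example; the sample report below is constructed)."""
import re

# SSA never issues area 000, 666 or 900-999, group 00 or serial 0000,
# so excluding them removes many false positives on other 9-digit codes.
SSN_RE = re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# 13 to 19 digits with optional single spaces or dashes between them.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

SAMPLE_REPORT = """Donor export (constructed sample data)
Name: Jane Roe  SSN: 123-45-6789  Phone: 312-555-0199
Card on file: 4111 1111 1111 1111
Reference: 4111 1111 1111 1112 (not a valid card number)
Invoice 2024-000123 total 1,250.00"""


def luhn_valid(number: str) -> bool:
    """Luhn check digit test over the digits in `number`; separators ignored."""
    digits = [int(c) for c in number if c.isdigit()]
    if len(digits) < 13:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pii(text: str):
    """Return (kind, value) pairs for every SSN and Luhn-valid card number found."""
    findings = [("ssn", m.group()) for m in SSN_RE.finditer(text)]
    findings += [("card", m.group()) for m in CARD_RE.finditer(text)
                 if luhn_valid(m.group())]
    return findings


def _mask_card(raw: str) -> str:
    """Keep separators and the last four digits; star out the rest."""
    total = sum(c.isdigit() for c in raw)
    seen, out = 0, []
    for c in raw:
        if c.isdigit():
            seen += 1
            out.append(c if seen > total - 4 else "*")
        else:
            out.append(c)
    return "".join(out)


def redact(text: str) -> str:
    """Mask SSNs and valid card numbers so the report can be shared on a need-to-know basis."""
    text = SSN_RE.sub(lambda m: "***-**-" + m.group()[-4:], text)
    return CARD_RE.sub(
        lambda m: _mask_card(m.group()) if luhn_valid(m.group()) else m.group(), text)


if __name__ == "__main__":
    for kind, value in find_pii(SAMPLE_REPORT):
        print(f"{kind}: {value}")
    print(redact(SAMPLE_REPORT))
```

A clean scan does not prove a report is free of PII (names and addresses have no checkable pattern), so the manual review the policy asks for still applies; the scan catches the identifiers that are easiest to miss in a large preformatted export.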
Physical Security – Access to the Building & Data Center – What management can do:
• Ensure only staff members requiring such access in the performance of their job responsibilities are granted access to the specific floors with the correct security time zone and/or the Data Center;
• Review the building and data center access lists on a monthly basis to ensure all terminated employees have been removed and all current employees have the appropriate level of access; and
• Ensure all vendors and consultants have appropriate access and are accompanied by an employee at all times when in a restricted or sensitive area.
Physical Security What Management & Employees Can do: Challenge any employee, contractor or vendor if they are in a restricted area without the proper access credentials.
Management Unit Next Steps
• Evaluate data that staff members create or access.
• Determine that the access levels are correct.
• Control documents created by staff that contain PII or confidential information.
• Review processes quarterly.
For More Information
• ELCA Data Security Team (call Michael McKillip at 2768)
• Governing for Enterprise Security (http://www.cert.org/governance/ges.html)
• Enterprise Security Management (http://www.cert.org/nav/index_green.html)
• CERT web site (http://www.cert.org)
• ITPI web site (http://www.itpi.org)
• SEI