Data Security: Navigating Through Laws, Policies, and Procedures to Protect Physical and Electronic Records. Jon Ostendorf, The Hotchkiss School; Michael Haney, FishNet Security; Andrew Speyer, Choate Rosemary Hall

Page 1

Data Security
Navigating Through Laws, Policies, and Procedures to Protect Physical and Electronic Records

Jon Ostendorf, The Hotchkiss School
Michael Haney, FishNet Security
Andrew Speyer, Choate Rosemary Hall

Page 2

Agenda

11:30 - 12:15 Part 1: Where is the Data and What do I Have to Do With it?

12:15 - 1:00 Lunch

1:00 - 1:45 Part 2: Data Security Charter and Policies.

1:45 - 2:30 Part 3: Implementing Data Security at a School.

2:30 - 3:00 Questions, Answers, and Discussion

Page 3

Guest Wireless

Find the wireless network with SSID "Guest", not "Choate".

Launch a web page; you should be redirected to the log-in page.

Username: guest (lower case)

Password: patron (lower case)

Page 4

Binghamton Security Breach

http://www.youtube.com/watch?v=lRH_Pr8y-e0

Question: Has your school ever had a data security breach? Would you know if there was a breach?

Page 5

A typical school (Choate)

Page 6

Data Lives in Various Databases

PowerCAMPUS - Student Information System

Millennium

Great Plains/FRX

Admissions

Intranet - Course Management

Page 7

Data exists on paper

Alumni and Development

Registrar

Health Center

Financial

Dean of Students

Summer School

Page 8

Data Lives in Email

1500 mailboxes

1500 voicemail boxes

No archiving of email

No rules about email retention

Faculty consider correspondence private

Page 9

Data Lives on the Web

Page 10

Data Moves Across the Network

Page 11

Data Can Be Saved Locally

Page 12

Data Needs to be Backed-Up

Page 13

E-Discovery

Electronic discovery (also called e-discovery or ediscovery) refers to any process in which electronic data is sought, located, secured, and searched with the intent of using it as evidence in a civil or criminal legal case. E-discovery can be carried out offline on a particular computer or it can be done over a network. Court-ordered or government-sanctioned hacking for the purpose of obtaining critical evidence is also a type of e-discovery.

The nature of digital data makes it extremely well-suited to investigation. For one thing, digital data can be electronically searched with ease, whereas paper documents must be scrutinized manually. Furthermore, digital data is difficult or impossible to completely destroy, particularly if it gets into a network. This is because the data appears on multiple hard drives and because digital files, even if deleted, can be undeleted. In fact, the only reliable way to destroy a computer file is to physically destroy every hard drive where the file has been stored.

In the process of electronic discovery, data of all types can serve as evidence. This can include text, images, calendar files, databases, spreadsheets, audio files, animation, Web sites and computer programs. Even malware such as viruses, Trojans and spyware can be secured and investigated. Email can be an especially valuable source of evidence in civil or criminal litigation, because people are often less careful in these exchanges than in hard copy correspondence such as written memos and postal letters.

Computer forensics, also called cyberforensics, is a specialized form of e-discovery in which an investigation is carried out on the contents of the hard drive of a specific computer. After physically isolating the computer, investigators make a digital copy of the hard drive. Then the original computer is locked in a secure facility to maintain its pristine condition. All investigation is done on the digital copy.

E-discovery is an evolving field that goes far beyond mere technology. It gives rise to multiple legal, constitutional, political, security and personal privacy issues, many of which have yet to be resolved.
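The copy-then-verify step from the computer forensics paragraph above, as an added example that is not from the presentation or from any of the schools or FishNet: a Python script that copies a stand-in disk image, hashes the source while reading it, hashes the copy, locks the copy read-only, and re-verifies it later so any change to the working copy is caught. The file names and the sample image bytes are constructed for the demonstration.

```python
import hashlib
import os
import tempfile

CHUNK = 1 << 16  # read 64 KiB at a time so large images never sit in RAM


def sha256_of(path: str) -> str:
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def make_forensic_copy(src: str, dst: str) -> dict:
    """Copy src to dst, hashing the source bytes as they are read.

    The copy is hashed again from disk and made read-only, so the two
    digests show the working copy matches the original that gets locked away.
    """
    h = hashlib.sha256()
    with open(src, "rb") as fin, open(dst, "wb") as fout:
        for chunk in iter(lambda: fin.read(CHUNK), b""):
            h.update(chunk)
            fout.write(chunk)
    source_hash = h.hexdigest()
    copy_hash = sha256_of(dst)
    os.chmod(dst, 0o444)  # analysts read the copy; they never write to it
    return {"source": source_hash, "copy": copy_hash,
            "verified": source_hash == copy_hash}


def verify_copy(path: str, expected_hash: str) -> bool:
    """Re-check a working copy against the digest recorded when it was made."""
    return sha256_of(path) == expected_hash


def demo() -> dict:
    """Constructed walk-through: image, copy, verify, then detect a change."""
    workdir = tempfile.mkdtemp()
    original = os.path.join(workdir, "evidence.img")  # stands in for the drive
    copy = os.path.join(workdir, "working-copy.img")
    # Constructed sample image: a small record, zero-filled slack space, and
    # leftover text from a 'deleted' file that still sits in the image.
    with open(original, "wb") as f:
        f.write(b"grades.csv,student,A\n" + b"\x00" * 4096 + b"deleted memo text")
    result = make_forensic_copy(original, copy)
    intact = verify_copy(copy, result["source"])
    # Simulate an analyst writing to the copy by mistake; the digest no longer
    # matches, which is exactly what a chain-of-custody check must catch.
    os.chmod(copy, 0o644)
    with open(copy, "ab") as f:
        f.write(b"note")
    matches_after_write = verify_copy(copy, result["source"])
    return {"verified": result["verified"], "intact": intact,
            "matches_after_write": matches_after_write}


if __name__ == "__main__":
    print(demo())
```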

Page 14

PCI

The Payment Card Industry Data Security Standard is a worldwide information security standard assembled by the Payment Card Industry Security Standards Council (PCI SSC). The standard was created to help organizations that process card payments prevent credit card fraud through increased controls around data and its exposure to compromise. The standard applies to all organizations which hold, process, or pass cardholder information from any card branded with the logo of one of the card brands.

Validation of compliance can be performed either internally or externally, depending on the volume of card transactions the organization is handling, but regardless of the size of the organization, compliance must be assessed annually. Organizations handling large volumes of transactions must have their compliance assessed by an independent assessor known as a Qualified Security Assessor (QSA), while companies handling smaller volumes have the option of self-certification via a Self-Assessment Questionnaire (SAQ). In some regions these SAQs still require signoff by a QSA for submission.

Enforcement of compliance is done by the bodies holding relationships with the in-scope organizations. Thus, for organizations processing Visa or Mastercard transactions, compliance is enforced by the organization's acquirer, while organizations handling American Express transactions will deal directly with American Express for the purposes of compliance. In the case of third party suppliers such as hosting companies who have business relationships with in-scope organizations, enforcement of compliance falls to the in-scope company, as neither the acquirers nor the card brands will have appropriate contractual relationships in place to mandate compliance. Non-compliant companies who maintain a relationship with one or more of the card brands, either directly or through an acquirer risk losing their ability to process credit card payments and being audited and/or fined.

Page 15

FERPA

The Family Educational Rights and Privacy Act of 1974 (FERPA or the Buckley Amendment) is a United States federal law codified at 20 U.S.C. § 1232g, with implementing regulations in title 34, part 99 of the Code of Federal Regulations. The regulations provide that educational agencies and institutions that receive funding under a program administered by the U.S. Department of Education must provide students with access to their education records, an opportunity to seek to have the records amended, and some control over the disclosure of information from the records. With several exceptions, schools must have a student's consent prior to the disclosure of education records. Examples of situations affected by FERPA include school employees divulging information to anyone other than the student about the student's grades or behavior, and school work posted on a bulletin board with a grade. This privacy policy also governs how state agencies transmit testing data to federal agencies; for an example, see the Education Data Network.

The law allows students who apply to an educational institution such as graduate school permission to view recommendations submitted by others as part of the application. However, on standard application forms, students are given the option to waive this right.

FERPA specifically excludes employees of an educational institution if they are not students.

The act is also referred to as the Buckley Amendment, named for one of its proponents, Senator James L. Buckley of New York.

Page 16

HIPAA

The Health Insurance Portability and Accountability Act (HIPAA) was enacted by the U.S. Congress in 1996. According to the Centers for Medicare and Medicaid Services (CMS) website, Title I of HIPAA protects health insurance coverage for workers and their families when they change or lose their jobs. Title II of HIPAA, known as the Administrative Simplification (AS) provisions, requires the establishment of national standards for electronic health care transactions and national identifiers for providers, health insurance plans, and employers. This is intended to help people keep their information private, though in practice it is normal for providers and health insurance plans to require the waiver of HIPAA rights as a condition of service.

The Administrative Simplification provisions also address the security and privacy of health data. The standards are meant to improve the efficiency and effectiveness of the nation's health care system by encouraging the widespread use of electronic data interchange in the U.S. health care system.

Page 17

CALEA

The Communications Assistance for Law Enforcement Act (CALEA) is a United States wiretapping law passed in 1994, during the presidency of Bill Clinton (Pub. L. No. 103-414, 108 Stat. 4279, codified at 47 USC 1001-1010). In its own words, the purpose of CALEA is: "To amend title 18, United States Code, to make clear a telecommunications carrier's duty to cooperate in the interception of communications for Law Enforcement purposes, and for other purposes."

CALEA's purpose is to enhance the ability of law enforcement and intelligence agencies to conduct electronic surveillance by requiring that telecommunications carriers and manufacturers of telecommunications equipment modify and design their equipment, facilities, and services to ensure that they have built-in surveillance capabilities, allowing federal agencies to monitor all telephone, broadband internet, and VoIP traffic in real-time.

The original reason for adopting CALEA was the FBI's worry that increasing use of digital telephone exchange switches would make tapping phones at the phone company's central office harder and slower to execute, or in some cases impossible. Since the original requirement to add CALEA-compliant interfaces required phone companies to modify or replace hardware and software in their systems, U.S. Congress included funding for a limited time period to cover such network upgrades. CALEA was passed into law on October 25, 1994 and came into force on January 1, 1995.

In the years since CALEA was passed it has been greatly expanded to include all VoIP and broadband internet traffic. From 2004 to 2007 there was a 62 percent growth in the number of wiretaps performed under CALEA -- and more than 3,000 percent growth in interception of internet data such as email.[1]

By 2007, the FBI had spent $39 million on its DCSNet system, which collects, stores, indexes, and analyzes communications data.[1]

Page 18

Red Flags Rule

The Red Flags Rule was created by the Federal Trade Commission, along with other government agencies such as the NCUA, to help prevent identity theft. The rule was passed in January 2008 and was to be in place by November 1, 2008, but due to pushback from opponents the new deadline is August 1, 2009.

How the Red Flags Rule was Created

The Red Flags Rule was based on sections 114 and 315 of the Fair and Accurate Credit Transactions Act of 2003 [1]. FACTA was put in place to address Identity Theft Prevention and Credit History Restoration, Improvements in Use of and Consumer Access to Credit Information, Enhancing the Accuracy of Consumer Report Information, Limiting the Use and Sharing of Medical Information in the Financial System, Financial Literacy and Education Improvement, Protecting Employee Misconduct Investigations, and Relation to State Laws.[2]

There are two different groups that this rule applies to: financial institutions and creditors [3]. A financial institution is defined as a state or national bank, a state or federal savings and loan association, a mutual savings bank, a state or federal credit union, or any other entity that holds a "transaction account" belonging to a consumer [4]. FACTA's definition of "creditor" applies to any entity that regularly extends or renews credit, or arranges for others to do so, and includes all entities that regularly permit deferred payments for goods or services [5].

Just because you do not think of yourself as a creditor does not mean the rule does not apply to you. For example, if you are a law firm or an accounting firm and you receive payment after your service is completed, then you are considered a creditor. Another example is a utility company: you provide the utilities and receive payment for your services at the end of the month, which makes you a creditor.

There are many different companies that this rule applies to. The list includes, but is not limited to: finance companies, automobile dealers, mortgage brokers, utility companies, telecommunications companies, medical practices, hospitals, and law firms, or any other such company that performs a service and then receives payment once the work is complete.

Page 19

Massachusetts 201.CMR 17

The Massachusetts General Law Chapter 93H and its new regulations 201 CMR 17.00 require that any companies or persons who store or use personal information (PI) about a Massachusetts resident develop a written, regularly audited plan to protect personal information. Both electronic and paper records will need to comply with the new law. The regulations go into effect on March 1, 2010. The law was originally supposed to go into effect on January 1, 2009, but then was pushed to May 1 and then January 1, 2010 and then to March 1, 2010 due to the state of the economy and confusion about the law.[1]

Identity theft and fraud are the major concerns at the core of the implementation of 201 CMR 17.00. For example, if a Massachusetts resident's information is leaked or captured, there could be serious consequences for the business that allowed the breach and for the individual whose information was leaked. Therefore, businesses will be required to make changes to keep residents' information secure in order to avoid security breaches and fines.

According to the regulations, companies will need a written security plan to safeguard their contacts' and/or employees' personal information. It will need to illustrate policies that demonstrate technical, physical, and administrative protection for residents' information. The plan will need to be written to meet industry standards. Companies will have to designate employees to oversee and manage security procedures in the workplace, as well as continuously monitor and address security hazards. Policies addressing employee access to and transportation of personal information will need to be developed, as well as disciplinary measures for employees who do not conform to the new regulations. Limiting the collection of data to the minimum that is needed for the purpose it will be used for is also part of the new regulations.

Page 20

Massachusetts 201.CMR 17

http://www.youtube.com/watch?v=SQ_jGmZk3bQ

Page 21

What to Do?

Page 22

CMR Check List Exercise

Question: If asked to implement a data security program, what are the top three issues that your school would have to address?

Page 23

Eight Schools Association

Page 24

Hire a Consultant - FishNET

The Eight Schools Association is currently engaged in a joint project to address both physical and computer data security. As an association, we have hired FishNet Consulting Services for information security policy development as it relates to ongoing business operations. This effort involves the heads of each school, chief financial officers, and directors of information technology of each school within the Eight Schools Association. Seven of the eight schools are working on this joint project. (Northfield-Mount Hermon elected not to participate at this time.)

A charter statement and a set of individual policies will be adopted by the Eight Schools Association to create a uniform approach towards data security.

Our school business practices include preparation, management and oversight of sensitive, confidential, and private personal and business records on prospective and current students, parents, alumni/ae, donors, employees, retirees and their families. In addition, payroll information, as well as millions of dollars worth of financial transactions every year in support of vendor relationships, are processed.

The Eight Schools Association is guided by varied and sometimes conflicting regulations related to document retention, data security, and compliance with state and federal laws, including such new ones as e-discovery, PCI, FERPA, CALEA, and Massachusetts 201.CMR 17.

Page 25

Data Security Charter