PII / IDENTITY THEFT: Is Your University an Open Market for ID Thieves?
TACUA 2011
Carol Rapps, CIA, CISA, CCSA, GLIT [email protected]
Academic Research – Tier 1
Health Care
Public
Private
What do you know?
A CHANCE TO SHARE
VALUE
◦ Take away one good concept/tool/story/laugh.
GAME --- WHERE’S THE PII?
◦ Honesty counts! Don’t make me audit your score!
TIMELINE – keep us on track – time keeper
◦ 2:35 - stop to tally the score
What is it?
Who are the thieves?
What do thieves do with it?
How is an identity stolen?
Who is at risk?
What is it?
Where is it?
Who keeps it?
◦ Game… You will need paper & pencil/pen
When do they collect it?
Why do they collect/keep it?
How do they store it?
2012 ??
2011 Dept Ed
2010 Red Flag
2009 Massachusetts
2002 California
1998 ID Theft Act
1996 Canada
1984 UK
1980 OECD
1978 France
1974 Germany
1973 Sweden
1968 UN
FERPA
HIPAA
HITECH ACT
GLBA
RED FLAG
STATE SECURITY BREACH LAWS
◦ National Conference of State Legislatures http://www.ncsl.org/default.aspx?tabid=13489
STATE DATA DISPOSAL LAWS
STATE ENCRYPTION LAWS & IDENTITY THEFT STATUTES
FEDERAL ID THEFT & ASSUMPTION DETERRENCE ACT OF 1998
PCI-DSS
SEVP (Student & Exchange Visitor Program)
FISMA
FUTURE ---
Comply with Security/Privacy Laws & Regulations
Protect PII / PRIVACY
“The rights and obligations of individuals and organizations with respect to the collection, use, disclosure, and retention of personal information.”
The American Institute of Certified Public Accountants (AICPA)/CICA 2005
Collection Limitation
Data Quality
Purpose Specification
Use Limitation
Security Safeguards
Openness
Individual Participation
Accountability
“Privacy is the protection of personal data and is considered a fundamental human right”
OECD Guidelines 1980
Identify Applicable Rules, Laws, Regulations
Conduct PII Discovery & Privacy Risk Assessments
◦ Impact (# records)
◦ Likelihood
Audit Privacy Framework
Perform Law/Regulation Specific Compliance Audits (e.g. PCI)
Conduct General Security Audits
Conduct Data Retention & Disposal Audits
Train ALL Auditors
Add Privacy Principle Audit Steps to ALL Audits
PII Sampled in ALL Data Security Audit Steps
Regulation Repository
Document Location of PII Data & Controls (Repository)
Protect Your Own Information
Participate In Incident Reporting Process
Integrate Audit Processes into Fraud Root Cause Analysis
Security Breaches At Universities In Past 2 Years
◦ Privacy Rights Clearinghouse
◦ Jan 2009-Aug 2010: 122 Breaches for total of 1,653,065 records
Average Cost of Security Breaches
◦ Accenture/Ponemon Institute Joint Project 2009
◦ US - $204 Per Record
◦ International: $232 Per Record
◦ You Do The Math
Unpublished Breaches
◦ I’ll Tell You Mine, You Tell Me Yours.
ADD TO LIST (ANYTHING NEW)
SCORING
◦ Honesty counts! Don’t make me audit your score!