PII / IDENTITY THEFT
Is Your University an Open Market for ID Thieves?
TACUA 2011
Carol Rapps, CIA, CISA, CCSA, GLIT
carol.rapps@utsa.edu, 210-458-4679
[email protected], 210-693-3277

Uploaded by kenneth-freeman, posted 16-Dec-2015


Page 1

PII / IDENTITY THEFT
Is Your University an Open Market for ID Thieves?

TACUA 2011

Carol Rapps, CIA, CISA, CCSA, GLIT
carol.rapps@utsa.edu, 210-458-4679
[email protected], 210-693-3277

Page 2

Page 3

Academic Research – Tier 1
Health Care
Public
Private

What do you know?

Page 4

A CHANCE TO SHARE

VALUE
◦ Take away one good concept/tool/story/laugh.

GAME – WHERE’S THE PII?
◦ Honesty counts! Don’t make me audit your score!

TIMELINE – keep us on track – time keeper
◦ 2:35 – stop to tally the score

Page 5

Page 6

What is it?

Who are the thieves?

What do thieves do with it?

How is an identity stolen?

Who is at risk?


Page 7

What is it?
Where is it?
Who keeps it?
When do they collect it?
Why do they collect/keep it?
How do they store it?

◦ Game… You will need paper & pencil/pen

Page 8

Privacy and identity theft law timeline:

2012 ??
2011 Dept Ed
2010 Red Flag
2009 Massachusetts
2002 California
1998 ID Theft Act
1996 Canada
1984 UK
1980 OECD
1978 France
1974 Germany
1973 Sweden
1968 UN

Page 9

FERPA
HIPAA
HITECH ACT
GLBA
RED FLAG
STATE SECURITY BREACH LAWS
◦ National Conference of State Legislatures http://www.ncsl.org/default.aspx?tabid=13489
STATE DATA DISPOSAL LAWS
STATE ENCRYPTION LAWS & IDENTITY THEFT STATUTES
FEDERAL ID THEFT & ASSUMPTION DETERRENCE ACT OF 1998
PCI-DSS
SEVP (Student & Exchange Visitor Program)
FISMA
FUTURE ---

Page 10

Comply with Security/Privacy Laws & Regulations

Protect PII / PRIVACY

“The rights and obligation of individuals and organizations with respect to the collection, use, disclosure, and retention of personal information.”

The American Institute of Certified Public Accountants (AICPA)/CICA 2005

Page 11

Collection Limitation
Data Quality
Purpose Specification
Use Limitation
Security Safeguards
Openness
Individual Participation
Accountability

“Privacy is the protection of personal data and is considered a fundamental human right”

OECD Guidelines 1980

Page 12

ID Applicable Rules, Laws, Regulations

Conduct PII Discovery & Privacy Risk Assessments
◦ Impact (# records)
◦ Likelihood

Audit Privacy Framework

Perform Law/Regulation Specific Compliance Audits (e.g. PCI)

Conduct General Security Audits

Conduct Data Retention & Disposal Audits

Page 13

Train ALL Auditors
Add Privacy Principle Audit Steps to ALL Audits
PII Sampled in ALL Data Security Audit Steps
Regulation Repository
Document Location of PII Data & Controls (Repository)
Protect Your Own Information
Participate In Incident Reporting Process
Integrate Audit Processes into Fraud Root Cause Analysis

Page 14

Security Breaches At Universities In Past 2 Years
◦ Privacy Rights Clearinghouse
◦ Jan 2009 – Aug 2010: 122 Breaches for a total of 1,653,065 records

Average Cost of Security Breaches
◦ Accenture/Ponemon Institute Joint Project 2009
◦ US: $204 Per Record
◦ International: $232 Per Record
◦ You Do The Math

Unpublished Breaches
◦ I’ll Tell You Mine, You Tell Me Yours.
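As an added example (not part of the presentation), a small PII discovery pass of the kind the "Conduct PII Discovery & Privacy Risk Assessments" step on Page 12 asks for, with the impact side priced using the per-record breach costs quoted on Page 14: it scans constructed sample text for SSN-like and payment-card-like values, counts distinct records found, and turns that count into a dollar exposure figure. The sample lines, the SSN plausibility rules and the Luhn check are assumptions added here, not content from the slides.

```python
import re

# Per-record breach cost figures cited on the slide (Accenture/Ponemon 2009).
COST_PER_RECORD = {"US": 204, "International": 232}

SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

def plausible_ssn(area, group, serial):
    """Drop values the SSA never issues; cuts false positives on IDs and dates."""
    a = int(area)
    return a not in (0, 666) and a < 900 and group != "00" and serial != "0000"

def luhn_ok(digits):
    """Luhn check-digit test used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def discover_pii(text):
    """Return the distinct SSNs and card numbers found in free text."""
    ssns = {m.group(0) for m in SSN_RE.finditer(text)
            if plausible_ssn(*m.groups())}
    cards = set()
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            cards.add(digits)
    return {"ssn": sorted(ssns), "card": sorted(cards)}

def exposure_cost(record_count, region="US"):
    """Impact in dollars: records exposed times the slide's per-record cost."""
    return record_count * COST_PER_RECORD[region]

# Constructed sample (hypothetical): a spreadsheet export left on a department share.
SAMPLE = """\
Jane Doe, student id 000-12-3456, test date 2011-04-15
John Roe, SSN 123-45-6789, card 4111 1111 1111 1111
Mary Major, SSN 219-09-9999, card 4111-1111-1111-1112
Order 666-12-3456 shipped; call 210-458-4679
"""

if __name__ == "__main__":
    found = discover_pii(SAMPLE)
    n = len(found["ssn"]) + len(found["card"])
    print(found, "records:", n, "US exposure: $%d" % exposure_cost(n))
```

The invalid SSN area numbers and the card that fails the Luhn check are deliberately left out of the count, so the impact figure reflects plausible records rather than every nine-digit string on the share.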

Page 15

ADD TO LIST (ANYTHING NEW)

SCORING
◦ Honesty counts! Don’t make me audit your score!