Data Protection Practices
2008 NSAA IT Conference
Nathan Abbott, TN
Joe Moore, AZ
Doug Peterson, NV
Agenda
• Introduction
• Why? Our recent experiences
• What? Technology solutions
• How else?
• Questions
Introduction
• Format for presentation
• Individual introductions
Why has data protection become more important now?
Nevada
Why…
• Contractor with DMV:
  – Lost USB flash drive
  – Contained names of 109 individuals
• University of Nevada, Reno professor lost a flash drive that contained the names and Social Security numbers of 16,000 incoming freshmen from 2001 to 2007 (current and former students)
Why…
• DMV Audit
  – Prior to audit: truck drives through front of DMV building and steals computer. Contained personal information on 8,700 Nevada residents.
  – Prior to audit: planned to encrypt files and not store on computers
  – Audit found information on desktops, laptops, zip drives, USB drives.
  – Audit found process of removing personal information from computers didn’t always work as planned. Over 300 files, each with a person’s name, address, and SS#.
Arizona
Why…
• Arizona #1 in identity theft
• Newspaper publishes “public” information
• Audit responsibilities require sensitive data
• Agency requests for agreements
  – Encroachment on statutory authority
• Public relations nightmare
Tennessee
Why…
• Portable media
  – Auditor was in car accident and lost their thumb drive
• Nashville Davidson County Election Commission Office
  – The office was broken into
Why…
• Nashville Davidson County Election Office
• Office was broken into on December 24, 2007
• Break-in was not noticed until December 27, 2007
• Two laptops were some of the items that were missing
Why…
• It was standard practice for the office to tape user names and passwords to the machines.
• The laptops were using an Access database that contained all registered voters’ personal information, including their SSNs.
Why…
• The office was preparing for the primary election and was in the process of removing the SSNs from the Access database.
• The street value of the stolen laptops was probably $600 total, but the incident is costing the city millions in identity theft protection.
What solutions are we using?
Tennessee
Where Did We Start?
1. Researched available options
2. Evaluated software
3. Determined best option
TRUECRYPT VS ENTRUST
• TRUECRYPT
  – Partial disk encryption
  – Passwords do not sync
  – No vendor support
  – USB encryption
  – Encryption time 30-40 minutes
  – Cost FREE
• ENTRUST
  – Full disk encryption
  – Passwords sync with operating system
  – Vendor support – 1-800 number
  – Removable media encryption
  – Encryption time 4-8 hours
  – Cost $130 per licence
Truecrypt Concerns
• File Restoration
• Key Management
• Administrative Support
• Removable Media Support
• Partial Disk Encryption
Why Did We Choose Truecrypt
• Strategic plan
  – Our purpose is to serve the people of Tennessee by enhancing effective public policy decisions at all levels of government
• 47-18-2107 TCA, Release of personal consumer information
  – “…Unauthorized acquisition of unencrypted computerized data…”
Truecrypt Hard Drive Setup (screenshot slides)
Truecrypt USB Setup (screenshot slides)
Arizona
What?
• Statutes
• Drive Crypt Plus Pack (DCPP)
• Ironkey
• VPN and tokens
• WinZip
Statutes
• Provide broad access to information
  – Authorized to review confidential records without limitation
  – Agencies required to provide records
• Working papers and audit files are not public information
• Audit exclusions for other Acts, such as HIPAA, FERPA
DCPP
• Whole disk encryption (partition based)
• Boot protection
• Pre-boot authentication
• Sector level protection
• Administrator / user specific rights
• Transparent to users
• Minimal administration and user training
DCPP (screenshot slides)
Ironkey
• Always-on military grade data encryption
• No software or drivers to install
• Easy to deploy and use
• Ability to create and manage enforceable policies
• Unique serial numbers
Ironkey (screenshot slides)
Remote Access via VPN and Tokens (screenshot slide)
WinZip (screenshot slide)
Nevada
What Technology We Use
• Truecrypt
• EFS (Windows built-in encryption)
• Lexar USB drives with encryption software
• Whole disk encryption on Dell laptops using Wave Embassy Security Center software and hard drive-based encryption
EFS
Advantages:
  – Free
  – Easy to implement
  – 256-bit AES
  – Easy to back up to network drive (registry tweak needed to decrypt data as it is copied to network drive)
  – Set and forget...sort of
EFS
Disadvantages:
  – No additional password
  – Folder based. Auditors can save in unencrypted folders
  – 256-bit AES not used in pre-XP SP1
  – Certificate expired and some auditors could not get access to data for a day
Windows Encrypting File System (EFS) (screenshot slide)
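Two of the EFS disadvantages listed above are things an administrator can check for before they bite: files that auditors saved outside an encrypted folder, and an EFS certificate that is about to expire. The PowerShell script below is an added example written for this page, not code from the presenters or from Microsoft; it assumes a Windows workstation where each auditor's own account holds the EFS certificate, and the folder list, file extensions and 30-day warning threshold are constructed placeholders to adjust locally.

```powershell
# Added example (not from the presentation). Two checks for the EFS problems
# the slide lists: files saved outside encrypted folders, and EFS certificates
# close to expiry. Run under the auditor's own account on a Windows workstation.

# EFS certificates carry this Enhanced Key Usage OID (Encrypting File System).
$EfsEkuOid = '1.3.6.1.4.1.311.10.3.4'

# True when the certificate's Enhanced Key Usage extension lists the EFS OID.
function Test-IsEfsCertificate {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    foreach ($ext in $Cert.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            foreach ($oid in $ext.EnhancedKeyUsages) {
                if ($oid.Value -eq $EfsEkuOid) { return $true }
            }
        }
    }
    return $false
}

# Report every EFS certificate in the user's personal store with its expiry,
# so a certificate that is about to expire is renewed before it causes trouble.
function Get-EfsCertificateStatus {
    param([int]$WarnDays = 30)   # constructed threshold; tune to the renewal process

    Get-ChildItem -Path Cert:\CurrentUser\My |
        Where-Object { Test-IsEfsCertificate -Cert $_ } |
        ForEach-Object {
            $daysLeft = [int]($_.NotAfter - (Get-Date)).TotalDays
            $action = if ($daysLeft -lt 0) { 'EXPIRED' }
                      elseif ($daysLeft -lt $WarnDays) { 'RENEW SOON' }
                      else { 'ok' }
            [pscustomobject]@{
                Thumbprint    = $_.Thumbprint
                NotAfter      = $_.NotAfter
                DaysLeft      = $daysLeft
                HasPrivateKey = $_.HasPrivateKey   # without the private key nothing can be decrypted
                Action        = $action
            }
        }
}

# List files of the types auditors work with that are NOT EFS-encrypted.
# FileAttributes.Encrypted is set on every file EFS protects, whether it was
# encrypted directly or inherited encryption from its folder.
function Find-UnencryptedFiles {
    param(
        # Constructed defaults: the locations auditors were saving to.
        [string[]]$Path = @("$env:USERPROFILE\Documents", "$env:USERPROFILE\Desktop"),
        [string[]]$Extension = @('.xls', '.xlsx', '.mdb', '.accdb', '.doc', '.docx', '.pdf', '.csv')
    )
    $encrypted = [System.IO.FileAttributes]::Encrypted
    Get-ChildItem -Path $Path -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $Extension -contains $_.Extension.ToLowerInvariant() } |
        Where-Object { ($_.Attributes -band $encrypted) -ne $encrypted } |
        Select-Object FullName, Length, LastWriteTime
}

# Stand-alone usage: print both reports.
Get-EfsCertificateStatus | Format-Table -AutoSize
Find-UnencryptedFiles    | Format-Table -AutoSize
```

Any row from the second report is a file that would be readable by whoever picks up the laptop, which is exactly the "saved in an unencrypted folder" failure the slide describes; the fix is to move the file into the encrypted folder (or encrypt it in place), not just to delete the report.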
Lexar Secure II
Advantages:
  • Free
  • Known encryption (AES 256)
Disadvantages:
  • Not easy for auditors to remember setup
  • Uses Vaults—auditors use unencrypted area
Secure II for USB Drives (screenshot slide)
Wave Embassy
• Whole Disk Encryption (hardware based on Dell Latitude, HP, Lenovo)
• Wave Embassy suite is the software front end to where the real work is done—hardware-based encryption
• Used in conjunction with TPM chip
Wave Embassy
Advantages:
  • 128-bit AES (not as strong as 256-bit key, but still strong)
  • Multiple passwords (pre-boot authentication)
  • Works with biometrics
Wave Embassy
Disadvantages:
  • Complex to set up (including BIOS settings)
  • Multiple passwords
  • Need to have a Seagate Momentus FDE.2 HDD which runs at 5400 rpm
Wave Embassy Security Center (screenshot slides)
How else are we addressing it?
Nevada
Statutes and Policies
• Statutes
  – NRS 218.870 (“All working papers from an audit are confidential…”)
• Policies
  – Reinforce and support statutes
  – Detailed
• Extreme care to ensure confidentiality of information “gained” during audits (more than what is in workpapers)
• Careful with discussions
How…Guidance to Staff
Training
• One on one with each person
  – Lexar
  – Wave Embassy
• Periodic staff training
  – Reinforce statutes
  – What is confidential, what is not
  – Examples shown
• Management meetings allow supervisors to reinforce policies and importance
Tennessee
How…Our Policies
• Backup volume header
  – Allows users to restore encryption to original installation.
• Create an admin password
  – This is to be used in the event someone forgets their password.
How…Our Policies (Cont.)
• Created standard passwords for users
  – This is used to ensure password complexity
• Created standard login procedures
  – This is used to help the auditors to be consistent when they log in
How…Our Policies (Cont.)
• Removable media
  – This policy is to make it clear that personal thumb drives are not to be used to store confidential data
• Storage of files
  – This policy is to make it clear where you need to store confidential data
How…Our Policies (Cont.)
• Enforcement
  – Once a year have security awareness training
  – Periodic emails to staff reminding them of the encryption policies
  – Unannounced random sample
How…Problems
• Auditors were confused about which password to use to log on to their workstation
• Thumbdrives
• Auditors do not like using passwords for thumbdrives
Arizona
How…
• Policy
• Communicate common information to auditee/entity
• Statutory authority
• Security of confidential records
• Auditor General policies
  – Internet use and email acceptable use agreements
  – IT policy which addresses data security
  – Acknowledgement of state policy
How…
• Determine whether information is confidential or public (may be more restrictive than public records law)
• Confidential
  – Personal information
    • Info which can identify a person
  – Sensitive information
    • Info which may be harmful to the state and its citizens
• Public information
How…
• Then, ensure that appropriate security measures are applied based on classification of data
• Confidential
  – Encryption and/or restrictive physical and/or logical access rights
    • Store on Office network or encrypted flash drives
    • Return original data or store securely
  – Never copy confidential data to home computer
How…
  – If remote, use VPN and use remote sessions
  – Limit access rights on network drives
  – Use restricted views and coding techniques for data stored in databases
  – Determine whether or how much confidential information must be included in audit documentation
How…
• Use encryption when storing on external storage media (HDs, CDs)
  – Use secure passwords/phrases
    » Minimum of 8 characters
    » Upper/lower case
    » Special characters
  – Store passwords/phrases securely
• Public information
  • No special security precautions
  • Adhere to professional standards and Office policy
  • Can be stored in shared directories
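The three passphrase rules above (minimum of 8 characters, upper and lower case, special characters) are easy to check mechanically before a password is accepted for an encrypted archive or drive. The following PowerShell function is an added example written for this page, not something the presenters shipped; it reports which rules a candidate fails instead of a bare yes/no. The minimum length comes from the slide; reading "special character" as anything that is not a letter or digit is this example's own assumption, since the slide does not define the set.

```powershell
# Added example (not from the presentation). Checks a candidate password or
# passphrase against the slide's three rules and names each rule it fails.
function Test-PassphrasePolicy {
    param(
        [Parameter(Mandatory)][string]$Passphrase,
        [int]$MinLength = 8          # the slide's minimum
    )
    $failures = New-Object System.Collections.Generic.List[string]

    if ($Passphrase.Length -lt $MinLength) {
        $failures.Add("shorter than $MinLength characters")
    }
    # -cnotmatch is case-sensitive; plain -notmatch is not, and would let
    # 'password1!' satisfy the upper-case rule.
    if ($Passphrase -cnotmatch '[A-Z]') { $failures.Add('no upper-case letter') }
    if ($Passphrase -cnotmatch '[a-z]') { $failures.Add('no lower-case letter') }
    # "Special character" read here as anything that is not a letter or digit
    # (this example's assumption; note that a space counts).
    if ($Passphrase -notmatch '[^A-Za-z0-9]') { $failures.Add('no special character') }

    [pscustomobject]@{
        Compliant = ($failures.Count -eq 0)
        Failures  = $failures.ToArray()
    }
}

# Constructed sample inputs showing each rule firing.
foreach ($candidate in 'Tr0ub4dor&3', 'password', 'SHORT!1', 'Correct Horse Battery Staple') {
    $r = Test-PassphrasePolicy -Passphrase $candidate
    '{0,-30} compliant={1} {2}' -f $candidate, $r.Compliant, ($r.Failures -join '; ')
}
```

Returning the list of failed rules, rather than only a boolean, lets the person setting the passphrase fix the right thing on the first try, which matters for auditors who, as the Tennessee problems slide notes, already dislike passwords on thumb drives.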
How?
• Document classification assessment and subsequent actions taken
• Archiving and disposition
  – Keep only as long as necessary or required
  – Ensure confidential data is protected when archived
  – Let others involved know about the confidential nature of the data stored
Questions
Nathan Abbott; [email protected]
Joe Moore; [email protected]
Doug Peterson; [email protected]