TRANSCRIPT
What Data is Sensitive and How Do We Keep it Private?
John L. Baines, AD IT Policy & Compliance, OIT
Data Privacy Month 2013
Tuesday, January 28, 2013 12.00 PM - 1.00 PM
D.H.Hill 2304
[email protected] 919-513-7482
Data Privacy Day
• Data Privacy Day is held on January 28th every year. It is an effort to empower people to protect their privacy and control their digital footprint and escalate the protection of privacy and data as everyone’s priority.
• For more info visit Stay Safe On-line
1/29/2013 What data is sensitive and How to keep it private Slide 2
Data Privacy Month at NCSU
• All 12 p.m. to 1 p.m. D.H. Hill Room 2304
• Monday, Jan. 28 Top Tips to Protect Your Privacy and Data
• Tuesday, Jan. 29 What Data is Sensitive and How Do We Keep it Private?
• Thursday, Jan. 31 Data Protection, Privacy and the Law
• To view other activities planned during January, visit EDUCAUSE.
Agenda
Why worry?
What is “sensitive data”?
How to protect it?
Why?
• Privacy and security of personal info have become very public concerns
– Identity theft
– Personal protection
– University image and reputation
– Financial penalties can be high
– Much legislation
– Public concern
– Internet access to data
UNC-CH SSN breach at Medical School
• Senior researcher
– UNC-CH medical school
– Carolina Mammography Registry, a 15-year project
– Kept research subjects database referenced by Social Security number (SSN) – 114,000 subjects
– Also name, address and other personal information
– Most participants unaware
• Exploit
– Discovered in 2009, server infiltrated two years earlier.
– Not clear if any data exported
• Consequences
– Notified all 180,000 exposed
– Cost $250,000
– Centralized IT security
• Loss of public trust and university reputation
Sensitive But Unclassified (SBU)
• New category of Government data
• Affects Defense research contracts (and other Government data)
• Previously no classified data to protect
• Now SBU must be protected
• No such thing as “unprotected” in Defense research contracts?
Protect as Restricted Data (PARD)
• DoE “sensitive but unclassified” data
• Dr. Wen Ho Lee's program codes at Los Alamos National Laboratory
• Backed up such PARD data to tape
• Government labeled as 'espionage'
• Felony charge - 'withholding' info related to the 'national defense'
Credit Card Industry fines
• PCI DSS
– Prescriptive
– Detailed
– Difficult
– Enforced
• Fines can be as high as $500,000 per occurrence
• Other costs, e.g. notification
• Incident occurs - not compliant – pushed to highest audit level ($$$)
• Visa total PCI DSS fines
– 2006 - $4.6 million
– 2005 - $3.4 million
– New higher fines since…
• TJX spent $202 million on a PCI violation affecting 40 million cardholders. More than 20 lawsuits filed.
• Damage to university reputation worse than fine…
Personal privacy
• Identity theft
– SSN
– Credit card numbers and bank accounts
• Personal safety – e.g. stalking
• Confidentiality
– Personal use
– Student data - FERPA
Family Educational Rights & Privacy Act 1974
• FERPA or the Buckley Amendment, designed to:
– Protect the privacy of education records
– Prevent schools having policies abusive of student privacy
– Be subjected to various exceptions
– Provide the right to file a complaint with the U.S. Department of Education
• Require schools to provide parents and eligible students:
– Access to their records
– Correction of errors in the record
– Consent to disclosure to third parties
FERPA data is pervasive
• Any record, with certain exceptions, maintained by an institution that is directly related to a student or students. This record can contain a student’s name(s) or information from which an individual student can be personally (individually) identified.
• These records include: files, documents, and materials in whatever medium (handwriting, print, tapes, disks, film, microfilm, microfiche) which contain information directly related to students and from which students can be personally (individually) identified.
FERPA enforcement
• Weak and mostly symbolic
– Fire alarm model
– The consequences on a school for violating FERPA are either
• a memo requesting voluntary compliance
• a complete withdrawal of federal funding
• Works only at an institutional policy, not an individual level
– Only 100 cases contested 1990 – 2003
– 2 cases made it to the Supreme Court in 2001
– Demonstrated that individuals cannot file suit if they are injured by FERPA violations
FERPA conclusions
• FERPA data is held by most, if not all, academic and administrative offices of an institution
– Do we need to protect the security of “Education Records” and “Student Privacy”?
• Absolutely
– Can we afford to protect them at the same level as social security numbers and credit card data?
• No
– Too expensive
– Would make access too difficult
The Internet Cloud (diagram from Wikipedia, the free encyclopedia)
Software-as-a-Service (SaaS)
CSA/ISACA 2012 Cloud Computing Market Maturity Study
• 252 participants representing cloud users, providers, consultants and integrators
• 85% self-identified cloud users
• Positions from C-level executives to staff
• 15 different industry segments
• 48 countries, most America or Europe
Overall findings on maturity
• Cloud needs to transition from technology solution to business resource
• Infrastructure and Platform offerings
– Infancy
– About 3 years to reach ‘established growth’
• Software as a Service (SaaS) offerings
– Early growth
– 2+ years to reach ‘established growth’
Cloud infancy
Sensitive data factors at NC State
• Legislation
• University revenues and expenses
• University image and reputation
• Confidentiality agreements / contracts
• Research
• Copyright and Intellectual Property
• Attorney/client privilege, police records
• Personal privacy
What?
Some sensitive data examples:
• Personally Identifiable Information (PII)
• Credit card information (PCI)
• Health data (HIPAA - PHI)
• Research data (e.g. contractual & pre-patent)
• Public safety information
• Financial donor information
• Security controls such as:
– System access passwords and other credentials
– Information file encryption keys
– Information security records
Legislation
– Family Educational Rights and Privacy Act (FERPA)
– Health Insurance Portability and Accountability Act of 1996 (HIPAA)
– Gramm Leach Bliley Act (GLBA)
– Payment Card Industry (PCI) Data Security Standard
– Red Flag Rule (FTC)
– North Carolina Identity Theft Protection Act of 2005
– North Carolina Public Records Act
– North Carolina State Personnel Act
A framework for the availability and security of your data.
1. Data Management Procedures Regulation updates including revised Data Classification Statement,
2. Data Sensitivity Framework table
3. List of IT controls for data stewards and application developers/sponsors
How?
1. Data Classification Statement
A. Ultra – Very few data elements - SSN, credit card number, bank accounts, passwords
B. High – Large body – personal privacy, financial, intellectual property, medical, research, private contributors, attorney/client privilege, police
C. Moderate – Simpler controls - Mostly FERPA
D. Normal – Not sensitive – e.g. university Web pages, published articles
E. Unclassified (Black) – publicly available data
Data Classification Statement Matrix
Classification Risk Criteria
Level         Risk      Regulation   Financial     Reputation   Business   Other
Ultra         Two of    Multiple     Extreme       Serious      Serious    Litigation
High          Two of    Violation    Significant   Serious      Serious
Moderate      One of    Violation    Some          Some         Adverse
Normal        No major                                                     Access control
Unclassified  None                                                         Publicly available
2. Data sensitivity framework table
• Lists all sensitive data elements (e.g. personal name, SSN, credit card #)
• Cross references
– Data elements to
– Legislation and
– Other concerns
• Provides default sensitivity for each data element
• Labels sensitivity level of data in context
• Authoritative list of university sensitive data
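The two ideas on this slide, a default sensitivity per data element and a label assigned to data in context, can be made concrete with a small classifier. The Python below is an added example, not code from the presentation or from NC State's own framework: the element names and their default levels are a constructed subset standing in for the real framework table, and the SSN and card-number patterns are assumptions chosen for the example. A record is labelled at the highest level of any element it holds, whether the element is declared by field name or found inside a free-text field, which is how an SSN pasted into a "notes" column still pulls the whole record up to Ultra.

```python
import re

# Sensitivity levels from the Data Classification Statement, least to most
# sensitive; list position is the rank used to pick the highest level.
LEVELS = ["Unclassified", "Normal", "Moderate", "High", "Ultra"]

# Default sensitivity per data element. Constructed subset for this example;
# the university's Data Sensitivity Framework table is the authoritative list.
DEFAULT_SENSITIVITY = {
    "ssn": "Ultra",
    "credit_card": "Ultra",
    "bank_account": "Ultra",
    "password": "Ultra",
    "medical_record": "High",       # HIPAA - PHI
    "donor_info": "High",           # financial donor information
    "student_grade": "Moderate",    # FERPA education record
    "name": "Normal",
    "web_page": "Normal",
}

# Patterns for elements that can hide inside free text (assumptions for the
# example). SSN: 3-2-4 digits with the never-issued groups excluded.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# Card: 13-19 digits, optionally separated by spaces or hyphens.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check-digit test."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:               # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def elements_in_text(text: str) -> set:
    """Detect sensitive data elements embedded in free text."""
    found = set()
    if SSN_RE.search(text):
        found.add("ssn")
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group(0))
        # Only a Luhn-valid number counts as a card number; a long random
        # number that fails Luhn is ignored to limit false positives.
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.add("credit_card")
    return found


def classify_record(record: dict) -> tuple:
    """Label a record at the highest default sensitivity of any element it holds.

    Elements are identified by field name (the record declares an 'ssn' field)
    and by content (an SSN typed into a free-text field). Returns the level
    and the sorted list of elements that drove it. A record with no recognised
    element defaults to Normal, not Unclassified: public data is a positive
    decision, not the absence of a known element.
    """
    elements = set()
    for field, value in record.items():
        if field in DEFAULT_SENSITIVITY:
            elements.add(field)
        if isinstance(value, str):
            elements |= elements_in_text(value)
    if not elements:
        return "Normal", []
    level = max((DEFAULT_SENSITIVITY[e] for e in elements), key=LEVELS.index)
    return level, sorted(elements)


if __name__ == "__main__":
    # Constructed sample records; the SSN and card number are test values.
    samples = [
        {"name": "Jane Doe", "web_page": "https://example.edu/~jdoe"},
        {"name": "Jane Doe", "student_grade": "A-"},
        {"name": "Jane Doe", "notes": "subject id 123-45-6789 (paper file)"},
        {"name": "Jane Doe", "notes": "order ref 1234 5678 9012 3456"},
        {"name": "Jane Doe", "notes": "card 4111 1111 1111 1111 on file"},
    ]
    for rec in samples:
        level, why = classify_record(rec)
        print(f"{level:<10} {why}")
```

The content check is what makes the label hold "in context": the fourth sample contains a 16-digit number that fails the Luhn test and stays Normal, while the fifth contains a valid card number in a field that was never meant to hold one and is labelled Ultra. In a real deployment the element list and defaults come from the framework table rather than from a dictionary in the code.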
3. Controls for Securing University Data
• Primary Audience for this document:
– Individuals making decisions about data classification & protection (management & technical)
– Document includes cross-reference table to connect controls to data
• Document not intended for End-users
– Seek approval or instruction from the respective Data Custodian / Data Steward
Types of controls
1. Control Principles for Data Stewards and Application Sponsors
2. Administrative and procedural design controls
3. Technical controls – computer server
4. Technical controls – end-user devices
More about controls
• Only really applies to sensitive information:
– Purple, red and yellow data
– Not green and unclassified data
• Table cross-reference at end:
– Control
– Data sensitivity levels
– Mandatory, Recommended, Optional, [Unnecessary]
Where is it OK to store your data?
Location            Sensitive (most to least)                                         Not sensitive
                    Purple                  Red                   Yellow              Green         White
University server   Encrypted, Restricted   Yes…                  Yes                 Yes           Yes
Cloud service       Encrypted, Restricted   Restricted…           Restricted…         Yes…          Yes
NCSU Google Drive   Encrypted File Only     Encrypted File Only   Yes                 Yes           Yes
Print               Restricted              Restricted            Restricted          Yes           Yes
Removable storage   Never                   Encrypted…            Yes…                Yes…          Yes
Local PC            Never                   Encrypted…            Yes…                Yes           Yes
Email               Never                   Encrypted             Some…               Yes           Yes
Mobile device       Never                   No…                   Yes                 Yes           Yes
Google Docs         Never                   No…                   Yes…                Yes           Yes
Next Steps with DSF
• Presentation to campus
– “DSF - Where is it OK to store your data”
– Develop documents specific to needs
– Best practices to apply to their use of the data
– Help from derived documents
– Define, implement and test campus encryption solutions
Who’s protecting your data & how?
• On your mobile device – you are
• Removable storage – you are
• On your desktop – you and your sys admin
• On University servers - OIT or college/dept IT staff (or you!)
• In the cloud – the vendor (and you…)
Questions