Guarding Vanderbilt Information: How can you protect sensitive data?

Upload: vanderbilt-university

Post on 28-May-2015


Category:

Education



TRANSCRIPT

Page 1: Guarding Vanderbilt information

Guarding Vanderbilt Information

How can you protect sensitive data?

Page 2: Guarding Vanderbilt information


Current state

Vanderbilt Information Technology Services

Vanderbilt is vitally concerned about the security of sensitive, personally identifiable information.

In managing core administrative processes, Vanderbilt makes every effort to meet regulatory standards and compliance.

Sensitive data also lives outside core services.

What can you do to help protect sensitive data?

Page 3: Guarding Vanderbilt information

In our custody

Vanderbilt often stores, processes, and transmits personal information in pursuit of our mission:

• Names
• Social Security numbers
• Dates of birth
• Academic records, profile, and patient data
• Credit cards

This data is essential in uniquely identifying students, faculty, staff, and patients

Page 4: Guarding Vanderbilt information

What information must remain protected:

• Social Security numbers
• Passport data or government ID
• Export controlled data
• Intellectual property
• Driver’s license
• Confidential information
• Academic records
• Account numbers
  • Credit card
  • Bank

Page 5: Guarding Vanderbilt information

Criminals want what we have…

• Trade secrets or research
• Personal information to sell on the black market
  • Credit card with PIN (~$0.50 USD)
  • Credit card with change of billing address (~$60.00)
  • Full bank account access (~$1,000.00)

Page 6: Guarding Vanderbilt information

Criminals Exploiting the Identity

With personally identifiable information, thieves can create:

• Driver’s license with the thief’s picture and the victim’s name
• A state identification card
• Social Security card
• Employer identification card
• Credit cards
• New bank accounts, credit accounts, etc.

Page 7: Guarding Vanderbilt information

Our obligations

Protect the data with which we are entrusted

Comply with state and federal laws and regulations

Educate ourselves on how to avoid violating these important obligations

Page 8: Guarding Vanderbilt information

Where is this data?

Home computer (desktops and laptops)

Work computer (desktops and laptops)

Mobile device

Internet service

Backup service

Thumb drive or external hard drive

In transit

On your desk

In a filing cabinet

In the dumpster

In the mailbox

Page 9: Guarding Vanderbilt information

What do I need to do?

Take stock. Know what personal information you have in your files and on your computers.

Scale down. Keep only what you need for your business.

Lock it. Protect the information in your care.

Pitch it. Properly dispose of what you no longer need.

Plan ahead. Create a plan to respond to security incidents.

Source: U.S. Federal Trade Commission – http://www.ftc.gov/bcp/edu/multimedia/interactive/infosecurity/

http://www.vanderbilt.edu/identityprotection

Page 10: Guarding Vanderbilt information


Personally Identifiable Information (PII): How do I protect it?


Don’t keep it unless authorized to do so

Shred it!

Lock your computers when not using them

Lock your office and your file drawers

Practice safe computing (update your operating system, anti-virus and anti-malware software regularly)

Change passwords once a year and don’t share passwords with anyone (www.vanderbilt.edu/passwordchange)

If you must store sensitive data, encrypt using the Vanderbilt solution

FOR HELP: Contact your local technology support provider or ITS Information Security – [email protected]

Page 11: Guarding Vanderbilt information

Protecting Yourself – Practice safe, secure computing

Don’t send personal or financial information via email

Be wary of “free software”

Stop and think before you click - social networking sites and Internet “red light districts” are a primary source of malware

Don’t perform financial transactions on the same computer as you surf the Internet.

Monitor your credit every year for free:

Annual Credit Report
www.annualcreditreport.com – 877-322-8228
Annual Credit Report, Request Service, PO Box 105281, Atlanta, GA 30348-5281

Page 12: Guarding Vanderbilt information

Deter

Shred financial documents and paperwork with personal information before you discard them.

Protect your Social Security number. Don’t carry your Social Security card in your wallet or write your Social Security number on a check. Give it out only if absolutely necessary or ask to use another identifier.

Don’t give out personal information on the phone, through the mail, or over the Internet unless you have initiated the contact and know who you are dealing with.

Never click on links sent in unsolicited emails; instead, type in a Web address you know. Use firewalls, anti-spyware, and anti-virus software to protect your home computer; keep them up-to-date. Visit OnGuardOnline.gov for more information.

Don’t use an obvious password like your birth date, your mother’s maiden name, or the last four digits of your Social Security number.

Keep your personal information in a secure place at home, especially if you have roommates, employ outside help, or are having work done in your house.

Source: U.S. Federal Trade Commission – http://www.ftc.gov/bcp/edu/microsites/idtheft/

Page 13: Guarding Vanderbilt information

Detect

Be alert to signs that require immediate attention:
• Mail or bills that do not arrive as expected.
• Unexpected credit cards or account statements.
• Denials of credit for no apparent reason.
• Calls or letters about purchases you did not make.

Inspect:
• Your credit report. Credit reports have information about you, including what accounts you have and your bill paying history.
• Your financial statements. Review financial accounts and billing statements regularly, looking for charges you did not make.

Order your credit report:
• The law requires the major nationwide credit reporting companies – Equifax, Experian, and TransUnion – to give you a free copy of your credit report each year if you ask for it.
• Visit www.AnnualCreditReport.com or call 1-877-322-8228, a service created by these three companies, to order your free credit reports each year.
• You can download the form at www.ftc.gov/freereports.

Source: U.S. Federal Trade Commission – http://www.ftc.gov/bcp/edu/microsites/idtheft/

Page 14: Guarding Vanderbilt information

Defend

Call one of the three nationwide credit reporting companies to place an initial 90-day fraud alert. Placing a fraud alert entitles you to free copies of your credit reports. Review reports carefully.
• Equifax: 1-800-525-6285
• Experian: 1-888-EXPERIAN (397-3742)
• TransUnion: 1-800-680-7289

Look for inquiries from companies you haven’t contacted, accounts you didn’t open, and debts you can’t explain.

Close any accounts that have been tampered with or established fraudulently.

Call the security or fraud departments of each company if an account was opened or changed without your okay. Follow up in writing with copies of supporting documents.

Use the Identity Theft Affidavit at ftc.gov/idtheft to support your written statement.

Ask for written verification that the disputed account has been closed and the fraudulent debts discharged.

Keep copies of documents and records of your conversations about the theft.

File a report with law enforcement to help you with creditors who need proof of the crime.

Report your complaint to the FTC. Your report helps law enforcement officials across the country in their investigations.
• Online: ftc.gov/idtheft
• By phone: 1-877-ID-THEFT (438-4338) or TTY, 1-866-653-4261

Source: U.S. Federal Trade Commission – http://www.ftc.gov/bcp/edu/microsites/idtheft/

Page 15: Guarding Vanderbilt information

Is it appropriate to ….

Keep Social Security numbers
▪ On my PC?
▪ In Gmail?
▪ In Google Docs?
▪ In a Microsoft SkyDrive?
▪ On a 3rd party backup site such as Mozy?

Send Social Security numbers
▪ Via email?

Page 16: Guarding Vanderbilt information

Where do I go for help @ work?

Concerned you have PII data on your computers?

Contact your Departmental IT support provider or ITS Information Security – [email protected]

They will…
• work to obtain software to “shred” or encrypt the PII data if necessary – using Vanderbilt solutions
• work with you to keep your operating system and other software up to date
• work with you and ITS to find solutions to your problems!

Page 17: Guarding Vanderbilt information

Resources

Privacy Rights: http://www.privacyrights.org

FTC Security: www.ftc.gov/infosecurity

FTC Privacy: www.ftc.gov/privacy

Education for Organizations: http://www.ftc.gov/bcp/edu/microsites/infosecurity/teach.html

Individuals: http://www.onguardonline.gov/

Crime Prevention: http://www.ncpc.org/training/powerpoint-trainings

Credit Report: https://www.annualcreditreport.com/cra/index.jsp

Vanderbilt Identity Protection: http://www.vanderbilt.edu/identityprotection

Vanderbilt Acceptable Use Policy: http://www.vanderbilt.edu/aup

Page 18: Guarding Vanderbilt information

More Resources

• Changing your e-password and/or your local computer password
  http://its.vanderbilt.edu/files/documents/epass/ChangingYourEpassword.pdf
  http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/windows_password_change.mspx?mfr=true

• Locking your computer (assumes you set a password)
  http://support.microsoft.com/kb/294317

• Sharing your credentials (e-password, computer password, etc.)
  http://its.vanderbilt.edu/password/sharing
  http://hr.vanderbilt.edu/policies/hr-025.pdf

• Updating/upgrading your antivirus protection
  http://its.vanderbilt.edu/antivirus/downloads

• Updating your operating system (at least XP SP3 with all updates)
  http://support.microsoft.com/kb/322389
  http://www.microsoft.com/security/updates/mu.aspx

• Removable media (thumb drives, etc.) and laptop risks
  http://it.med.miami.edu/x1129.xml
  http://news.cnet.com/Getting-over-laptop-loss/2100-1044_3-6089921.html

• PII and export compliance
  http://www.vanderbilt.edu/exportcompliance/index.php
  http://csrc.nist.gov/publications/drafts/800-122/Draft-SP800-122.pdf
  http://iase.disa.mil/eta/pii/pii_module/pii_module/index.html

• A reminder of HIPAA and FERPA (people forget they exist)
  http://www.mc.vanderbilt.edu/root/vumc.php?site=InfoPrivacySecurity&doc=17070
  http://www.hhs.gov/ocr/privacy/hipaa/understanding/summary/index.html
  http://ecfr.gpoaccess.gov/cgi/t/text/text-idx?c=ecfr;sid=6b7e313020dfabb7caa0216830b2a7d8;rgn=div5;view=text;node=34%3A1.1.1.1.34;idno=34;cc=ecfr

Page 19: Guarding Vanderbilt information

Questions?