protecting vanderbilt information


Upload: vanderbilt-university

Post on 02-Nov-2014


DESCRIPTION

Protecting personally identifiable information at Vanderbilt University

TRANSCRIPT

Page 1: Protecting Vanderbilt Information

Guarding Vanderbilt Information

How can you protect sensitive data?

Page 2: Protecting Vanderbilt Information


Current state

Vanderbilt Information Technology Services

Vanderbilt is vitally concerned about the security of sensitive, personally identifiable information.

In managing core administrative processes, Vanderbilt makes every effort to meet regulatory standards and compliance.

Sensitive data also lives outside core services.

What can you do to help protect sensitive data?

Page 3: Protecting Vanderbilt Information

In our custody

Vanderbilt often stores, processes, and transmits personal information in pursuit of our mission:

• Names
• Social Security numbers
• Dates of birth
• Academic records, profile, and patient data
• Credit cards

This data is essential in uniquely identifying students, faculty, staff, and patients.

Page 4: Protecting Vanderbilt Information

What information must remain protected:

• Social Security numbers
• Passport data or government ID
• Export controlled data
• Intellectual property
• Driver’s license
• Confidential information
• Academic records
• Account numbers
  ▪ Credit card
  ▪ Bank

Page 5: Protecting Vanderbilt Information

Criminals want what we have…

• Trade secrets or research
• Personal information to sell on the black market
  ▪ Credit card with PIN (~$0.50 USD)
  ▪ Credit card with change of billing address (~$60.00)
  ▪ Full bank account access (~$1,000.00)

Page 6: Protecting Vanderbilt Information

Criminals Exploiting the Identity

With personally identifiable information, thieves can create:
• A state driver’s license with the thief’s picture and the victim’s name
• A state identification card
• Social Security card
• Employer identification card
• Credit cards
• New bank accounts, credit accounts, etc.

Page 7: Protecting Vanderbilt Information

Our obligations

Protect the data with which we are entrusted

Comply with state and federal laws and regulations

Educate ourselves on how to avoid violating these important obligations

Page 8: Protecting Vanderbilt Information

Where is this data?

• Home computer (desktops and laptops)
• Work computer (desktops and laptops)
• Mobile device
• Internet service
• Backup service
• Thumb drive or external hard drive
• In transit
• On your desk
• In a filing cabinet
• In the dumpster
• In the mailbox

Page 9: Protecting Vanderbilt Information

What do I need to do?

Take stock. Know what personal information you have in your files and on your computers.

Scale down. Keep only what you need for your business.

Lock it. Protect the information in your care.

Pitch it. Properly dispose of what you no longer need.

Plan ahead. Create a plan to respond to security incidents.

Source: U.S. Federal Trade Commission - http://www.ftc.gov/bcp/edu/multimedia/interactive/infosecurity/

Page 10: Protecting Vanderbilt Information


Personally Identifiable Information (PII): How do I protect it?


Don’t keep it unless authorized to do so

Shred it!

Lock your computers when not using them

Lock your office and your file drawers

Practice safe computing (update your operating system, anti-virus and anti-malware software regularly)

Change passwords once a year and don’t share passwords with anyone (www.vanderbilt.edu/passwordchange)

If you must store sensitive data, encrypt using the Vanderbilt solution

FOR HELP: Contact your local technology support provider or ITS Information Security – [email protected]

Page 11: Protecting Vanderbilt Information

Protecting Yourself – Practice safe, secure computing

• Don’t send personal or financial information via email
• Be wary of “free software”
• Stop and think before you click - social networking sites and Internet “red light districts” are a primary source of malware
• Don’t perform financial transactions on the same computer as you surf the Internet.
• Monitor your credit every year for free: Annual Credit Report
  ▪ www.annualcreditreport.com – 877-322-8228
  ▪ Annual Credit Report, Request Service, PO Box 105281, Atlanta, GA 30348-5281

Page 12: Protecting Vanderbilt Information

Deter

Shred financial documents and paperwork with personal information before you discard them.

Protect your Social Security number. Don’t carry your Social Security card in your wallet or write your Social Security number on a check. Give it out only if absolutely necessary or ask to use another identifier.

Don’t give out personal information on the phone, through the mail, or over the Internet unless you have initiated the contact and know who you are dealing with.

Never click on links sent in unsolicited emails; instead, type in a Web address you know.

Use firewalls, anti-spyware, and anti-virus software to protect your home computer; keep them up-to-date. Visit OnGuardOnline.gov for more information.

Don’t use an obvious password like your birth date, your mother’s maiden name, or the last four digits of your Social Security number.

Keep your personal information in a secure place at home, especially if you have roommates, employ outside help, or are having work done in your house.

Source: U.S. Federal Trade Commission – http://www.ftc.gov/bcp/edu/microsites/idtheft/

Page 13: Protecting Vanderbilt Information

Detect

Be alert to signs that require immediate attention:
• Mail or bills that do not arrive as expected.
• Unexpected credit cards or account statements.
• Denials of credit for no apparent reason.
• Calls or letters about purchases you did not make.

Inspect:
• Your credit report. Credit reports have information about you, including what accounts you have and your bill paying history.
• Your financial statements. Review financial accounts and billing statements regularly, looking for charges you did not make.

Order your credit report:
• The law requires the major nationwide credit reporting companies – Equifax, Experian, and TransUnion – to give you a free copy of your credit report each year if you ask for it.
• Visit www.AnnualCreditReport.com or call 1-877-322-8228, a service created by these three companies, to order your free credit reports each year.
• You can download the form at www.ftc.gov/freereports.

Source: U.S. Federal Trade Commission – http://www.ftc.gov/bcp/edu/microsites/idtheft/

Page 14: Protecting Vanderbilt Information

Defend

• Call one of the three nationwide credit reporting companies to place an initial 90‑day fraud alert. Placing a fraud alert entitles you to free copies of your credit reports. Review reports carefully.
  ▪ Equifax: 1-800-525-6285
  ▪ Experian: 1-888-EXPERIAN (397-3742)
  ▪ TransUnion: 1-800-680-7289
• Look for inquiries from companies you haven’t contacted, accounts you didn’t open, and debts you can’t explain.
• Close any accounts that have been tampered with or established fraudulently.
• Call the security or fraud departments of each company if an account was opened or changed without your okay. Follow up in writing with copies of supporting documents.
• Use the Identity Theft Affidavit at ftc.gov/idtheft to support your written statement.
• Ask for written verification that the disputed account has been closed and the fraudulent debts discharged.
• Keep copies of documents and records of your conversations about the theft.
• File a report with law enforcement officials to help you with creditors who may want proof of the crime.
• Report your complaint to the FTC. Your report helps law enforcement officials across the country in their investigations.
  ▪ Online: ftc.gov/idtheft
  ▪ By phone: 1-877-ID-THEFT (438-4338) or TTY, 1-866-653-4261

Source: U.S. Federal Trade Commission – http://www.ftc.gov/bcp/edu/microsites/idtheft/

Page 15: Protecting Vanderbilt Information

Is it appropriate to ….

Keep social security numbers
▪ On my PC?
▪ In Gmail?
▪ In a Microsoft Skydrive?
▪ On a 3rd party backup site such as Mozy?

Send social security numbers
▪ Via email?

Page 16: Protecting Vanderbilt Information

Where do I go for help @ work?

Concerned you have PII data on your computers? Call your departmental IT support provider or ITS Information Security – [email protected]

They will:
• work to obtain software to “shred” the PII data or encrypt it if necessary using Vanderbilt solutions
• work with you to keep your operating system and other software updated
• work with you and ITS to find solutions to your problems

Page 17: Protecting Vanderbilt Information

Resources

Privacy Rights: http://www.privacyrights.org

FTC Security: www.ftc.gov/infosecurity

FTC Privacy: www.ftc.gov/privacy

Education for Organizations: http://www.ftc.gov/bcp/edu/microsites/infosecurity/teach.html

Individuals: http://www.onguardonline.gov/

Crime Prevention: http://www.ncpc.org/training/powerpoint-trainings

Credit Report: https://www.annualcreditreport.com/cra/index.jsp

Vanderbilt Identity Protection: http://www.vanderbilt.edu/identityprotection

Vanderbilt Acceptable Use Policy: http://www.vanderbilt.edu/aup

Page 18: Protecting Vanderbilt Information

More Resources

• Changing your e-password and/or your local computer password
  ▪ http://its.vanderbilt.edu/files/documents/epass/ChangingYourEpassword.pdf
  ▪ http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/windows_password_change.mspx?mfr=true
• Locking your computer (assumes you set a password)
  ▪ http://support.microsoft.com/kb/294317
• Sharing your credentials (e-password, computer password, etc)
  ▪ http://its.vanderbilt.edu/password/sharing
  ▪ http://hr.vanderbilt.edu/policies/hr-025.pdf
• Updating/upgrading your antivirus protection
  ▪ http://its.vanderbilt.edu/antivirus/downloads
• Updating your operating system (At least XP SP3 with all updates)
  ▪ http://support.microsoft.com/kb/322389
  ▪ http://www.microsoft.com/security/updates/mu.aspx
• Removable media (thumb drives, etc) and laptop risks
  ▪ http://it.med.miami.edu/x1129.xml
  ▪ http://news.cnet.com/Getting-over-laptop-loss/2100-1044_3-6089921.html
• PII and export compliance
  ▪ http://www.vanderbilt.edu/exportcompliance/index.php
  ▪ http://csrc.nist.gov/publications/drafts/800-122/Draft-SP800-122.pdf
  ▪ http://iase.disa.mil/eta/pii/pii_module/pii_module/index.html
• A reminder of HIPAA and FERPA (People forget they exist)
  ▪ http://www.mc.vanderbilt.edu/root/vumc.php?site=InfoPrivacySecurity&doc=17070
  ▪ http://www.hhs.gov/ocr/privacy/hipaa/understanding/summary/index.html
  ▪ http://ecfr.gpoaccess.gov/cgi/t/text/text-idx?c=ecfr;sid=6b7e313020dfabb7caa0216830b2a7d8;rgn=div5;view=text;node=34%3A1.1.1.1.34;idno=34;cc=ecfr