What Data is Sensitive and How Do We Keep it Private?
John L. Baines, AD IT Policy & Compliance, OIT
Data Privacy Month 2013
Tuesday, January 28, 2013 12.00 PM - 1.00 PM
D.H.Hill 2304
[email protected] 919-513-7482
Data Privacy Day
• Data Privacy Day is held on January 28th every year. It is an effort to empower people to protect their privacy and control their digital footprint and escalate the protection of privacy and data as everyone’s priority.
• For more info visit Stay Safe On-line
1/29/2013 What data is sensitive and How to keep it private Slide 2
Data Privacy Month at NCSU
• All 12 p.m. to 1 p.m. D.H. Hill Room 2304
• Monday, Jan. 28 Top Tips to Protect Your Privacy and Data
• Tuesday, Jan. 29 What Data is Sensitive and How Do We Keep it Private?
• Thursday, Jan. 31 Data Protection, Privacy and the Law
• To view other activities planned during January, visit EDUCAUSE.
Agenda
Why worry?
What is “sensitive data”?
How to protect it?
Why?
• Privacy and security of personal info have become very public concerns
– Identity theft
– Personal protection
– University image and reputation
– Financial penalties can be high
– Much legislation
– Public concern
– Internet access to data
UNC-CH SSN breach at Medical School
• Senior researcher
– UNC-CH medical school
– Carolina Mammography Registry, a 15-year project
– Kept research subjects database referenced by Social Security number (SSN) – 114,000 subjects
– Also name, address and other personal information
– Most participants unaware
• Exploit
– Discovered in 2009, server infiltrated two years earlier.
– Not clear if any data exported
• Consequences
– Notified all 180,000 exposed
– Cost $250,000
– Centralized IT security
• Loss of public trust and university reputation
Sensitive But Unclassified (SBU)
• New category of Government data
• Affects Defense research contracts (and other Government data)
• Previously no classified data to protect
• Now SBU must be protected
• No such thing as “unprotected” in Defense research contracts?
Protect as Restricted Data (PARD)
• DoE “sensitive but unclassified” data
• Dr. Wen Ho Lee's program codes at Los Alamos National Laboratory
• Backed up such PARD data to tape
• Government labeled as 'espionage'
• Felony charge - 'withholding' info related to the 'national defense'
Credit Card Industry fines
• PCI DSS
– Prescriptive
– Detailed
– Difficult
– Enforced
• Fines can be as high as $500,000 per occurrence
• Other costs, e.g. notification
• Incident occurs - not compliant – pushed to highest audit level ($$$)
• Visa total PCI DSS fines
– 2006 - $4.6 million
– 2005 - $3.4 million
– New higher fines since…
• TJX spent $202 million on a PCI violation affecting 40 million cardholders. More than 20 lawsuits filed.
• Damage to university reputation worse than fine…
Personal privacy
• Identity theft
– SSN
– Credit card numbers and bank accounts
• Personal safety – e.g. stalking
• Confidentiality
– Personal use
– Student data - FERPA
Family Educational Rights & Privacy Act 1974
• FERPA or the Buckley Amendment, designed to:
– Protect the privacy of education records
– Prevent schools having policies abusive of student privacy
– Be subjected to various exceptions
– Provide the right to file a complaint with the U.S. Department of Education
• Require schools to provide parents and eligible students:
– Access to their records
– Correction of errors in the record
– Consent to disclosure to third parties
FERPA data is pervasive
• Any record, with certain exceptions, maintained by an institution that is directly related to a student or students. This record can contain a student’s name(s) or information from which an individual student can be personally (individually) identified.
• These records include: files, documents, and materials in whatever medium (handwriting, print, tapes, disks, film, microfilm, microfiche) which contain information directly related to students and from which students can be personally (individually) identified.
FERPA enforcement
• Weak and mostly symbolic
– Fire alarm model
– The consequences on a school for violating FERPA are either
• a memo requesting voluntary compliance
• a complete withdrawal of federal funding
• Works only at an institutional policy, not an individual level
– Only 100 cases contested 1990 – 2003
– 2 cases made it to the Supreme Court in 2001
– Demonstrated that individuals cannot file suit if they are injured by FERPA violations
FERPA conclusions
• FERPA data is held by most, if not all, academic and administrative offices of an institution
– Do we need to protect the security of “Education Records” and “Student Privacy”?
• Absolutely
– Can we afford to protect them at the same level as social security numbers and credit card data?
• No
– Too expensive
– Would make access too difficult
The Internet Cloud
From Wikipedia, the free encyclopedia
Software-as-a-Service (SaaS)
CSA/ISACA 2012 Cloud Computing Market Maturity Study
• 252 participants representing cloud users, providers, consultants and integrators
• 85% self-identified cloud users
• Positions from C-level executives to staff
• 15 different industry segments
• 48 countries, most America or Europe
Overall findings on maturity
• Cloud needs to transition from technology solution to business resource
• Infrastructure and Platform offerings
– Infancy
– About 3 years to reach ‘established growth’
• Software as a Service (SaaS) offerings
– Early growth
– 2+ years to reach ‘established growth’
Cloud infancy
Sensitive data factors at NC State
• Legislation
• University revenues and expenses
• University image and reputation
• Confidentiality agreements / contracts
• Research
• Copyright and Intellectual Property
• Attorney/client privilege, police records
• Personal privacy
What?
Some sensitive data examples:
• Personally Identifiable Information (PII)
• Credit card information (PCI)
• Health data (HIPAA - PHI)
• Research data (e.g. contractual & pre-patent)
• Public safety information
• Financial donor information
• Security controls such as:
– System access passwords and other credentials
– Information file encryption keys
– Information security records
Legislation
– Family Educational Rights and Privacy Act (FERPA)
– Health Insurance Portability and Accountability Act of 1996 (HIPAA)
– Gramm Leach Bliley Act (GLBA)
– Payment Card Industry (PCI) Data Security Standard
– Red Flag Rule (FTC)
– North Carolina Identity Theft Protection Act of 2005
– North Carolina Public Records Act
– North Carolina State Personnel Act
A framework for the availability and security of your data.
1. Data Management Procedures Regulation updates including revised Data Classification Statement
2. Data Sensitivity Framework table
3. List of IT controls for data stewards and application developers/sponsors
How?
1. Data Classification Statement
A. Ultra – Very few data elements - SSN, credit card number, bank accounts, passwords
B. High – Large body – personal privacy, financial, intellectual property, medical, research, private contributors, attorney/client privilege, police
C. Moderate – Simpler controls - Mostly FERPA
D. Normal – Not sensitive – e.g. university Web pages, published articles
E. Unclassified (Black) – publicly available data
Data Classification Statement Matrix
Classification Risk Criteria
Level Risk Regulation Financial Reputation Business Other
Ultra Two of Multiple Extreme Serious Serious Litigation
High Two of Violation Significant Serious Serious
Moderate One of Violation Some Some Adverse
Normal No major
Access control
Unclassified None Publicly available
2. Data sensitivity framework table
• Lists all sensitive data elements (e.g. personal name, SSN, credit card #)
• Cross references
– Data elements to
– Legislation and
– Other concerns
• Provides default sensitivity for each data element
• Labels sensitivity level of data in context
• Authoritative list of university sensitive data
3. Controls for Securing University Data
• Primary Audience for this document:
– Individuals making decisions about data classification & protection (management & technical)
– Document includes cross-reference table to connect controls to data
• Document not intended for End-users
– Seek approval or instruction from the respective Data Custodian / Data Steward
Types of controls
1. Control Principles for Data Stewards and Application Sponsors
2. Administrative and procedural design controls
3. Technical controls – computer server
4. Technical controls – end-user devices
More about controls
• Only really applies to sensitive information:
– Purple, red and yellow data
– Not green and unclassified data
• Table cross-reference at end:
– Control
– Data sensitivity levels
– Mandatory, Recommended, Optional, [Unnecessary]
Where is it OK to store your data?
Sensitive: Purple, Red, Yellow. Not sensitive: Green, White.
Location (Most to least V) | Purple               | Red                 | Yellow      | Green | White
University server          | Encrypted Restricted | Yes…                | Yes         | Yes   | Yes
Cloud service              | Encrypted Restricted | Restricted…         | Restricted… | Yes…  | Yes
NCSU Google Drive          | Encrypted File Only  | Encrypted File Only | Yes         | Yes   | Yes
Print                      | Restricted           | Restricted          | Restricted  | Yes   | Yes
Removable storage          | Never                | Encrypted…          | Yes…        | Yes…  | Yes
Local PC                   | Never                | Encrypted…          | Yes…        | Yes   | Yes
Email                      | Never                | Encrypted           | Some…       | Yes   | Yes
Mobile device              | Never                | No…                 | Yes         | Yes   | Yes
Google Docs                | Never                | No…                 | Yes…        | Yes   | Yes
Next Steps with DSF
• Presentation to campus
– “DSF - Where is it OK to store your data”
– Develop documents specific to needs
– Best practices to apply to their use of the data
– Help from derived documents
– Define, implement and test campus encryption solutions
Who’s protecting your data & how?
• On your mobile device – you are
• Removable storage – you are
• On your desktop – you and your sys admin
• On University servers - OIT or college/dept IT staff (or you!)
• In the cloud – the vendor (and you…)
Questions