
PII / IDENTITY THEFT Is Your University an Open Market for ID Thieves?


Presentation Transcript


  1. PII / IDENTITY THEFT Is Your University an Open Market for ID Thieves? Carol Rapps CIA, CISA, CCSA, GLIT carol.rapps@utsa.edu 210-458-4679 srapps@sbcglobal.net 210-693-3277 TACUA 2011

  2. WHO AM I?

  3. WHO ARE YOU?
  • Academic
  • Research – Tier 1
  • Health Care
  • Public
  • Private
  • What do you know?

  4. TODAY
  • A CHANCE TO SHARE
  • VALUE: take away one good concept/tool/story/laugh.
  • GAME: WHERE’S THE PII? Honesty counts! Don’t make me audit your score!
  • TIMELINE: keep us on track (time keeper); 2:35 – stop to tally the score

  5. A Quick Look at the Headlines

  6. IDENTITY THEFT
  • What is it?
  • Who are the thieves?
  • What do thieves do with it?
  • How is an identity stolen?
  • Who is at risk?

  7. PII
  • What is it?
  • Where is it?
  • Who keeps it?
  • When do they collect it?
  • Why do they collect/keep it?
  • How do they store it?
  • Game: you will need paper and a pencil/pen

  8. PRIVACY HISTORY (A Global Issue)
  1968 UN
  1973 Sweden
  1974 Germany
  1978 France
  1980 OECD
  1984 UK
  1996 Canada
  1998 ID Theft Act
  2002 California
  2009 Massachusetts
  2010 Red Flag
  2011 Dept Ed
  2012??

  9. LAWS, RULES, REGULATIONS
  • FERPA
  • HIPAA
  • HITECH ACT
  • GLBA
  • RED FLAG
  • STATE SECURITY BREACH LAWS (National Conference of State Legislatures: http://www.ncsl.org/default.aspx?tabid=13489)
  • STATE DATA DISPOSAL LAWS
  • STATE ENCRYPTION LAWS & IDENTITY THEFT STATUTES
  • FEDERAL ID THEFT & ASSUMPTION DETERRENCE ACT OF 1998
  • PCI-DSS
  • SEVP (Student & Exchange Visitor Program)
  • FISMA
  • FUTURE ---

  10. UNIVERSITY OBLIGATION
  • Comply with Security/Privacy Laws & Regulations
  • Protect PII / PRIVACY: “The rights and obligation of individuals and organizations with respect to the collection, use, disclosure, and retention of personal information.” The American Institute of Certified Public Accountants (AICPA)/CICA, 2005

  11. PRIVACY PRINCIPLES (OECD)
  “Privacy is the protection of personal data and is considered a fundamental human right” (OECD Guidelines, 1980)
  • Collection Limitation
  • Data Quality
  • Purpose Specification
  • Use Limitation
  • Security Safeguards
  • Openness
  • Individual Participation
  • Accountability

  12. AUDITOR’S ROLE – FORMAL
  • ID Applicable Rules, Laws, Regulations
  • Conduct PII Discovery & Privacy Risk Assessments
    • Impact (# records)
    • Likelihood
  • Audit Privacy Framework
  • Perform Law/Regulation-Specific Compliance Audits (e.g. PCI)
  • Conduct General Security Audits
  • Conduct Data Retention & Disposal Audits

  13. ADDING REAL VALUE!
  • Train ALL Auditors
  • Add Privacy Principle Audit Steps to ALL Audits
  • Sample PII in ALL Data Security Audit Steps
  • Regulation Repository
  • Document Location of PII Data & Controls (Repository)
  • Protect Your Own Information
  • Participate in the Incident Reporting Process
  • Integrate Audit Processes into Fraud Root Cause Analysis

  14. LET’S TALK
  • Security Breaches at Universities in the Past 2 Years
    • Privacy Rights Clearinghouse, Jan 2009–Aug 2010: 122 breaches for a total of 1,653,065 records
  • Average Cost of Security Breaches
    • Accenture/Ponemon Institute Joint Project, 2009
    • US: $204 per record
    • International: $232 per record
    • You do the math
  • Unpublished Breaches
  • I’ll Tell You Mine, You Tell Me Yours.

  15. WHERE’S THE PII
  • ADD TO LIST (ANYTHING NEW)
  • SCORING: Honesty counts! Don’t make me audit your score!
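The PII discovery step on slide 12 and the "Where's the PII?" exercise on slide 15 both come down to the same mechanical problem: scanning files, exports and shares for identifiers, without drowning in false positives and without copying the PII into your audit workpapers. The following Python scanner is an added example, not the presenter's tool or any code from TACUA; it looks for SSNs and payment card numbers in text, discards matches that break the SSA issuance rules (area 000, 666 or 900-999, group 00, serial 0000 are never assigned) or fail the Luhn check, reports masked values with their line numbers, and sizes the exposure using the US$204 per-record figure quoted on slide 14. The sample export, the names in it and the helper names are constructed for illustration.

```python
"""PII discovery over text (files, exports, shares): locate SSNs and payment
card numbers, drop matches that fail issuance/Luhn rules, report masked
values with their line numbers, and size the exposure for a risk assessment.
Added example with constructed sample input; not the presentation's own tool."""
import re
from collections import Counter

# SSN as 123-45-6789 or 123456789. The backreference forces both separators
# to be the same, so a fragment like "4111 1111" of a card number is not read
# as an SSN (area 411, group 11, serial 1111 would otherwise look valid).
SSN_RE = re.compile(r"\b(\d{3})(-?)(\d{2})\2(\d{4})\b")
# Payment card PAN: 13 to 19 digits, optionally split by spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

# Constructed departmental spreadsheet export; no real identifiers.
SAMPLE = """\
# constructed export of a departmental spreadsheet, not real data
Student,ID,SSN,Phone
Alice Example,1000001,123-45-6789,210-555-0100
Bob Example,1000002,000-12-3456,210-555-0101
Carol Example,1000003,987-65-4321,210-555-0102
Dana Example,1000004,234-56-7890,210-555-0103
Card on file: 4111 1111 1111 1111 (VISA test number)
Card on file: 4111 1111 1111 1112 (typo, fails Luhn)
Invoice 2011-0042 total 4679
"""


def valid_ssn(area, group, serial):
    """SSA never issues area 000, 666 or 900-999, group 00, or serial 0000."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return int(group) != 0 and int(serial) != 0


def luhn_ok(digits):
    """Luhn mod-10 check that every issued card number satisfies."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan_text(text):
    """Return (line_number, kind, digits) for each hit that passes validation."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in SSN_RE.finditer(line):
            area, _sep, group, serial = m.groups()
            if valid_ssn(area, group, serial):
                hits.append((lineno, "SSN", area + group + serial))
        for m in CARD_RE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group(0))
            if luhn_ok(digits):
                hits.append((lineno, "CARD", digits))
    return hits


def mask(digits):
    """Keep only the last four digits so the report itself is not PII."""
    return "*" * (len(digits) - 4) + digits[-4:]


def exposure_estimate(hits, cost_per_record=204):
    """Impact sizing for the risk assessment: distinct PII values found,
    priced at the per-record breach cost the slides cite (US$204, 2009 study).
    Swap in a current figure; the number is a parameter, not a constant."""
    distinct = {(kind, digits) for _, kind, digits in hits}
    counts = Counter(kind for kind, _ in distinct)
    return dict(counts), len(distinct) * cost_per_record


if __name__ == "__main__":
    found = scan_text(SAMPLE)
    for lineno, kind, digits in found:
        print(f"line {lineno}: {kind} {mask(digits)}")
    by_kind, cost = exposure_estimate(found)
    print(by_kind, f"estimated exposure US${cost}")
```

On the sample, the scanner keeps two of the four SSN-shaped values (the 000 and 987 area numbers are rejected) and one of the two card numbers, so the exposure figure reflects three records rather than six. In a real engagement, point `scan_text` at each file on a share and record the masked hits in the PII location repository from slide 13; the validity filters are what keep invoice numbers and phone numbers out of that repository.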
