0. Securing and Managing Data on the Desktop Issues and Problems Faced by Higher Education. SIGUCCS Spring Management Symposium March 31, 2009. Gale Fritsche. Lehigh University. Library and Technology Services. Lehigh Overview. 0.
Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.
0 Securing and Managing Data on the Desktop Issues and Problems Faced by Higher Education SIGUCCS Spring Management Symposium March 31, 2009 Gale Fritsche Lehigh University Library and Technology Services
Lehigh Overview 0 • Founded in 1865. Private research university located 90 miles west of NYC • Ranked 35th in US News and World Report 2009 “Guide to America’s Best Colleges.” • Approx 4700 undergraduates, 1200 graduate students, 450 faculty and 1200 staff • Approx 80% Windows PCs, 15% Mac and 5% other (Linux etc.)
0 Library & Technology ServicesOrganizational Structure Vice Provost Library & Technology Client Services Administration & Advancement Library Systems & Collections Enterprise Systems Technology Management Distance Education & Faculty Development
Identifying Confidential Data Why be Concerned? Methods for Securing and Managing Data on the Desktop Issues Faced by Higher Education Planning, Policies and Procedures 0 Presentation Agenda
Identifying Confidential Data • Most Confidential Institution Data Falls In One Of These Categories: • FERPA (Family Educational Rights and Privacy Act) • Enacted 1974 • Protects the privacy of student education records • Grades • Financial Aid Information • Credit Card Numbers • Bank Account Numbers • Wire Transfer Information • Payment History • Student Tuition Bills
Identifying Confidential Data (cont.) • HIPPA (Health Insurance Portability and Accountability Act ) • Enacted 1996 • The HIPAA Privacy Rule regulates the use and disclosure of certain medical information • Patient Name • Street address, city, county, zip code • Birth date • Location or dates of treatment • Contact information: phone, fax, email, etc. • Social security number • Account/Medical record numbers • Health plan beneficiary numbers
Identifying Confidential Data (cont.) • Gramm-Leach-Bliley Act • Enacted 1999 • also known as the Gramm-Leach-Bliley Financial Services Modernization Act • In 2003, the Federal Trade Commission (FTC) confirmed that higher education institutions are considered financial institutions under this federal law. The Safeguards Rule of the GLB Act requires financial institutions to have a security plan to protect confidentiality and • integrity of personal information. • As of May 23, 2003, colleges and • universities must be in compliance.
Identifying Confidential Data (cont.) • Other Types of Confidential Data • Employee Performance Data (Performance Appraisals) • Employee Disciplinary Data • Staff Employment Data • Donor Information • Alumni Information • Department Business Data(Credit Card/Purchasing Cards) • Vendor Information (Bids etc.)
Identifying Confidential Data (cont.) • Any other piece of data that could lead to Identity Theft • Name • Date of Birth • Social Security Numbers • Credit Card Numbers • Drivers License Numbers • Passwords • Account Numbers
0 Why Be Concerned?Because it could happen to you! • A laptop computer was stolen from Southwestern Oregon Community College putting former and current students at risk. (January 16, 2009) • Broome Community College, sent out a mailing last week with a student’s Social Security number posted prominently on the back cover. The winter/spring 2009 alumni magazine was mailed to 28,000 people, it assumed that less than 14,000 copies had Social Security numbers on the magazine. (February 17, 2009) • University of West Georgia officials have notified nearly 1,300 students and faculty members that their personal information was on a laptop stolen from a professor traveling in Italy. The laptop was taken last summer, but university officials say they only recently learned that the computer contained sensitive information, including names, addresses, phone numbers and Social Security numbers. (March 18, 2009) Source: Privacy Rights Clearinghouse
Common Ways Thieves Access Personal Data • Equipment Theft • Spyware • System Hacking • Sniffing Network Traffic • Phishing E-mails
44 states with security breach laws (as of 12/18/2008) (Puerto Rico and District of Columbia also have laws) Consumers Union report as of 12/18/08 Reported breaches - 252,474,509people affected since 1/15/05 see: http://www.privacyrights.org/ar/ChronDataBreaches.htm
Growth in number of individuals affected by data breaches Source: Privacy Rights Clearinghouse 2009 Individuals (Millions)
Cost of Data Breaches Source: Ponemon Institute, LLC
Cost of Data Breaches (cont.) Source: Ponemon Institute, LLC Number of Data Records Lost
Methods for Securing and Managing Data on the Desktop In a perfect world • Have backup procedures and plan in place • Centrally managed backup solution (if possible) • Utilize Whole Disk Encryption of secure data on hard drives • PGP Whole Disk Encryption is what is in use at Lehigh • Use Terminal Services Whenever Possible • Lock ability to Cut and Paste • Reduce ability for users to download Sensitive Data to the desktop • Limit ability for data to be copied to unencrypted external device • Routinely use Identity threat software to determine threats • Password protect sensitive documents • Password Protect or Encrypt documents on Mobil devices
No Encryption Boot Process Boot Process Data Data Operating System Operating System File Encryption Encryption Whole Disk Encryption Boot Process Encryption Software Authentication Data Operating System How Whole Disk Encryption Works
PGP WDE – A closer look 0 • PGP Desktop • PGP Universal Server
Issues Faced by Higher Education • Higher Education Institutions based on the free exchange of information and ideas • Lack of Hardware Standardization • Multi-Platform support • Limited Financial Resources • Diverse User Populations • Administration (Standardized) • Faculty (Don’t want to be standardized) • Smart Curious Clients (students) in resident on the network
Planning, Policies and Procedures 0 Advisory Council for Information Services Advisory Council for Information Services – sets university wide information services policies Data Advisory Council Data Advisory Council – ensures data standards are maintained and enforced Data Encryption Sub Committee – Address the best way to encrypt PCs, Macs, PDAs and other portable devices, and backups Desktop Backup Sub Committee – Evaluate and Implement central backup methods and policies Data Standards Committee – standards for shared data elements in Banner E-Security Committee – examines and recommends implementation of security related practices and policies Data Standards Committee E-Security Committee Data Encryption Sub Committee Desktop Backup Sub Committee
Lehigh’s Procedure in Case of a Data Breach • Security Officer works with technical & legal staff to determine the extent of the problem and if it requires a legal response • Lehigh technical staff determines the extent of the problem & works to minimize damages – some action taken immediately • University Communications develops a communications plan – reviewed by risk management and legal counsel – prepare for media inquiries • Credit monitoring services offered to affected individuals for at least 12 months – cost start around $15 per month • PA breach law states – name combined with SSN, DLN, or credit card information constitutes a notifiable breach
Contact Information Gale Fritsche – firstname.lastname@example.org http://www.lehigh.edu/~gdf2