
Encryption as a Preventive Countermeasure

Encryption as a Preventive Countermeasure. Sean Maher, Information Security Coordinator. The Cost of a Data Breach. Average total cost of a data breach: 2008 - $202 per record; 2007 - $197 per record; 2006 - $182 per record. Breaches occurring in the healthcare industry cost $282 on average.


Presentation Transcript


  1. Encryption as a Preventive Countermeasure Sean Maher, Information Security Coordinator

  2. The Cost of a Data Breach
     Average total cost of a data breach:
     • 2008 - $202 per record
     • 2007 - $197 per record
     • 2006 - $182 per record
     • Breaches occurring in the healthcare industry cost $282 on average.
     • Breaches involving a third party are $52 higher than internal breaches.

  3. The Causes of a Data Breach

  4. Phase 1: Laptops
     • Laptops are the leading cause of data breaches, accounting for 35%.
     • In 2008, there were 18,650 employees and 16,149 students at UAB.
     • An estimated 20% of employees have a laptop available to them.

  5. Phase 1: Timeline
     • September 2007 – The campus PGP server was built. Only one installer was available (32-bit Windows XP & Vista).
     • October 2008 – The Mac PGP client was released.
     • March 2009 – A presidential letter was released mandating the encryption of portable devices.
     • Winter 2009 – Boot Camp-compatible Mac, Ubuntu and Red Hat versions are set for release.

  6. Phase 1 Status
     • Campus PGP: 2711
       • 2482 Windows PCs
       • 229 Macs
     • HSIS PGP: 600
     • SOPH PGP: 350

  7. What’s Next?

  8. Data Bearing Devices
     • Smart Phones
       • Blackberry
       • Palm
       • Windows Mobile
     • PDAs
     • Portable storage devices
       • External hard drives
       • USB thumb drives
       • Portable media players

  9. The Risk of Data Bearing Devices: Smart Phones and PDAs
     • Nearly half of all cell phones discarded contained personal information, and 20% contained identifiable information.
     • Few users enable security features such as passwords and device locks.
     • When a device is lost or stolen, many users do not have the ability to remotely disable or wipe the device.

  10. The Risk of Data Bearing Devices: Portable Storage Devices
     • Portable storage has become so common that many people own multiple devices.
     • The storage capacity of many portable devices has now matched the capacity of internal hard drives.
     • The act of using a portable device to illicitly download confidential data has been termed “pod slurping”.

  11. Phase 2: Data Bearing Devices
     http://www.hipaa.uab.edu/standards.htm
     Use of portable devices
     • Workforce members shall not use personally owned portable devices for work-related purposes unless such use is specifically approved by senior management. If use of a personal portable device is approved by senior management, then the device must comply with all applicable policies and standards and must be made available to UAB/UABHS for routine or special analyses. In addition, the device must be set-up in English.
     • Portable devices storing email locally within the device (such as PDAs) shall have mechanisms that encrypt the email stored on the device, encryption of the email during transport and the ability to erase the device after a number of failed login attempts.
     • Portable devices such as PDAs, cell phones and portable storage that support the clearing of memory/storage after a number of failed login attempts shall erase their contents after a minimum of 5 failed login attempts.
