
Evaluating PII Presence in a Government Environment

Jonathan Homer. NLIT 2009.



Presentation Transcript


  1. Evaluating PII Presence in a Government Environment
     Jonathan Homer, NLIT 2009

  2. Courtesy of Alcatel-Lucent

  3. Background
     • Laptop Loss is Cheap
     • Data Loss is Expensive
     • Publicity due to data loss DOES NOT attract new business!
     • Data protection is more than just policy
     • Data protection is more than just encryption

  4. 3-Minute Discussion
     • What actions are we taking today to protect our at-risk data?
     • What types of data do we have in our environment?

  5. Courtesy of Alcatel-Lucent

  6. The Risk
     FIREDRILL:
     • Random Employee
     • Random Laptop
     • No Advance Warning
     • Without contacting the employee
     • Who is actually using the laptop?
     • What data has potentially been compromised?
     • What security measures were in place on the laptop?
       • Encryption
       • Password Strength
       • Remote Tracking
     • What security risks were potentially compromised?
       • VPN access program and information
       • VPN token compromised as well?
       • Stored Certificates and Credentials
     • What was the patching and update status of the laptop?

  7. Steps To Risk-Based PII Protection
     • Identifying the Potential Risks (Policy)
     • Collecting, Storing and Maintaining Information
     • Auditing and Assessing Process and Practice
     • Protecting the Data
     • Damage Control

  8. Collecting, Storing and Maintaining Information about Devices
     • Important to know:
       • Who is the owner/user?
       • What is being stored?
       • Where is the device and where does it go?
       • Why is the device used?
     • IT visibility is limited
       • On-Network
       • Technical Data Only
     • Need For Validation

  9. 565.06 – Hardware Registration Form
     • Data validation is comprehensive of all IT devices
     • Identifies owners AND users
     • Tells IT:
       • WHO uses it
       • WHY they use it
       • WHERE the device is located
       • WHAT data is stored on the device

  10. HRF – List of IT Property

  11. HRF – Property and Hostname

  12. HRF – Security

  13. HRF – Updating 565.06

  14. 3. Audit and Assess: Process and Practice
     • Every step has human involvement and fallibility
     • It is more convenient for humans NOT to follow the rules

  15. 3. Audit and Assess: Process and Practice AT THE INL
     • Self Assessments – Quarterly
     • Internal Audits – Annually (conducted by Audits Team)
     • External Audits – as requested by HQ and Corporate
     • General Public – Hopefully Never!

  16. How We Assess
     • Integrated into operations (Field Techs, etc.)
     • Behind-The-Scenes Investigation (Management Tools)
     • Quarterly Self Assessment Team (On-site Visits)
     Tools: We chose to build our own application

  17. PII Search Script
     • Script Requirements:
       • Windows, Mac, Linux
       • Portable
       • Secure (Encrypted Results)
       • No Local Install
       • Networked and Off-Network
       • Under 10 minutes

  18. PII Search Script – Keywords
     • Social Security
     • Identifiable
     • Birth
     • Place of Birth
     • Employee
     • Maiden
     • Fingerprints
     • DNA
     • Medical
     • Criminal
     • Employment
     • Resume
     • Financial
     • Clearance
     • Badge
     • SNumber
     • Middle Name
     • SSN
     • PII
     • Official
     • Private
     • Cleared
     • Military

  19. PII Search Script – How We Pull It Off
     • Location: Common locations only
     • File Types: .txt .doc .xls .ppt …
     • Keywords: Keywords from INL definition of PII and CUI
     • 10 min limit: If we’re not finished, we stop the scan (5% of the time)
     • Hand evaluation of the results – not worth the artificial intelligence
     • NEW IN 2008: Pen Drives (oh yeah!)
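An added example, not the INL script from the talk (the deck does not include it): a portable Python scanner that applies the mechanics slides 17-19 describe, a keyword subset from slide 18, the file-type filter and the stop-at-the-time-limit rule from slide 19, with results left for hand evaluation rather than judged by the tool. The keyword subset, the sample files and the helper names are constructed for the demo.

```python
import os
import re
import tempfile
import time

# Subset of the keyword list on slide 18; the INL script is not in the deck,
# so this scanner is an assumed, illustrative implementation.
KEYWORDS = ["Social Security", "SSN", "Place of Birth", "Maiden", "Fingerprints",
            "Medical", "Resume", "Clearance", "Badge", "Middle Name", "PII"]
EXTENSIONS = {".txt", ".doc", ".xls", ".ppt"}  # slide 19 lists these plus "..."


def scan_tree(root, keywords=KEYWORDS, extensions=EXTENSIONS, time_limit=600):
    """Walk `root`, read files with a listed extension and record which keywords
    appear in each. Returns (hits, timed_out); hits is a list of
    (relative path, sorted lower-cased keywords). Whether a hit is real PII is
    not decided here: per slide 19 that remains a hand evaluation."""
    pattern = re.compile("|".join(re.escape(k) for k in keywords), re.IGNORECASE)
    deadline = time.monotonic() + time_limit  # slide 19: stop when the limit hits
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for name in sorted(filenames):
            if time.monotonic() > deadline:
                return hits, True
            if os.path.splitext(name)[1].lower() not in extensions:
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:  # binary: .doc/.xls/.ppt are not text
                    text = fh.read(4 * 1024 * 1024).decode("latin-1")
            except OSError:
                continue  # locked or unreadable file: skip it, keep the scan moving
            found = sorted({m.group(0).lower() for m in pattern.finditer(text)})
            if found:
                hits.append((os.path.relpath(path, root), found))
    return hits, False


def build_sample_tree():
    """Constructed sample data: a resume holding an SSN, a harmless memo, and a
    file whose extension is outside the scan list. Returns the temp root."""
    root = tempfile.mkdtemp(prefix="pii_demo_")
    samples = {
        "resume.txt": "Jane Doe\nSocial Security number: 000-00-0000\nClearance: Q\n",
        "memo.txt": "Lunch is at noon in the break room.\n",
        "tool.exe": "SSN Badge PII",  # would match, but .exe is not scanned
    }
    for name, body in samples.items():
        with open(os.path.join(root, name), "w", encoding="utf-8") as fh:
            fh.write(body)
    return root
```

Office binaries store text in ways a raw byte search only partly sees (UTF-16 runs in .doc, cell tables in .xls), so a production version needs a text extractor per format; the time-limit check, file-type filter and hand-review output are the parts the slides describe.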

  20. PII Search Script – What To Expect
     • High # of false positives
     • Most computers don’t have any PII and CUI on them
     • Users tend to err on the side of caution
       • 50% of found instances don’t properly identify CUI
       • Other 50% “were getting around to updating the form”
     • User education will resolve the issue much more effectively than technical controls

  21. What We Have Learned
     • Cached Files (Windows “Offline Files”)
       • Theoretically could store network data on the local drive
       • Unable to replicate the scenario
       • Mitigated by Encryption
     • #1 forms of PII and CUI found: Resumes with SSN, Performance Reviews
     • Medical history is extremely hard to detect when in database and/or spreadsheet format
     • Before you begin – ensure management is specific on what is and what isn’t PII

  22. What We Have Learned (cont.)
     • Pen Drives
       • Low Detection Rates
       • Usually not labeled correctly
       • Encryption prevents easy assessing
     • Overall Program
       • Relatively Inexpensive compared to ROI
       • Low Impact on Users

  23. Courtesy of Alcatel-Lucent

  24. Contact Info Jonathan Homer 208.526.9660 Jonathan.Homer@inl.gov
