
Obtaining, Storing and Using Confidential Data


Presentation Transcript


  1. Obtaining, Storing and Using Confidential Data October 2, 2014 Georgia Department of Audits and Accounts

  2. Headlines
  • UPS – number of records unknown – 2014 – credit card breach
  • Target – 70 million – 2013 – credit card breach
  • LinkedIn – 6.5 million – 2012 – passwords stolen
  • LivingSocial – 50 million – 2013 – password & PII breach
  • Walgreens – 100,000 – 2013 – PHI breach
  • Home Depot – 56 million – 2014 – credit card breach
  • Community Health Systems – 4.5 million – 2014 – HIPAA breach
  • South Carolina DOR – 3.6 million – 2012 – PII breach
  • TriCare – 4.6 million – 2012 – HIPAA breach

  3. Data Breaches in 2014 (January through September 2, 2014)
  • Total number of records exposed: about 17.8 million
  • Total number of data breaches: 521
  Source: Identity Theft Resource Center

  4. First Things First
  • Security Awareness
  • Data Classification
  • Risk Assessments

  5. Security Awareness

  6. Security Awareness
  • Staff are required to go through security awareness training every year
  • Last year we purchased SANS training, Securing the Human
  • In prior years the IT Division developed the training and focused on:
    • IT policies
    • Current security events that have occurred in public

  7. Security Awareness Emphasis
  SecUrity is everyone's responsibility and "U" are at the center. Make sure U are not the weakest link.

  8. Security Awareness Emphasis
  Be a good example to entities that you audit. We should be setting the example for good SecUrity.

  9. Data Classification
  • Once you have trained staff, you need to make sure all data is classified.
  • Data classification – classifying the data based on its level of sensitivity/confidentiality and the impact to our office in the event the data is disclosed, altered or destroyed without authorization.
  • The classification of data helps determine what baseline security controls are appropriate for safeguarding that data.

  10. Data Classification
  • GA Department of Audits is in the process of classifying all our confidential data
  • Developing a Department Catalog to identify datasets and business owners

  11. Data Classification Catalog

  12. Data Classification

  13. Questions to ask
  • Where is my sensitive/confidential data?
  • Can I manage all copies & versions of confidential data?
  • Is all confidential data appropriately protected?
  • Who can access confidential data?
  • Is confidential data required for audit?
  • Is confidential data being sent or transferred out (email and/or removable media)?
  • Are correct security processes being applied to confidential data?
  • What about retention of confidential data?

  14. Confidential Information
  What should be kept confidential?
  • Credit cards
  • Health care
  • Personally identifiable information
  • SSNs
  • Student records

  15. Risk Assessment
  • After we do a data classification we will be doing a risk assessment
  • Select a risk assessment methodology (a repeatable process)
  • Use data classification information
  • Determine gaps in security
  • Assess potential risks, threats and vulnerabilities
  Risk = Likelihood * Impact

  16. Risk Assessment
  If there was a breach, make sure you think about things such as:
  • Reputation
  • Credibility
  • Cost to investigate
  • Credit monitoring services for those affected

  17. GA State Law 50-6-29

  18. Obtaining Confidential Data
  • Give DOAA Confidentiality Form to entity
    • Sometimes the entity wants to modify the form
    • Especially in regard to how long we can keep the data
    • The entity's lawyer usually wants to get involved
  • Federal law supersedes state law
  • Data and system may be with a 3rd party
  • Try to get data well in advance of the start of the audit
  • Entity stall practices:
    • Too big
    • Wrong format

  19. Transmitting Confidential Data
  • For most transfers we use a product called Accellion Secure File Transfer
  • If it is a large dataset, we will give the entity an encrypted drive to copy the data to

  20. Storing Confidential Data
  • Encryption
    • In Oracle – work with the business owner to make sure field-level encryption is on datasets
    • Laptops – use PGP to encrypt all laptops
    • Flash drives – for HIPAA data, encrypt all flash drives with PGP
    • Looking at BitLocker to start encrypting all DOAA flash drives and possibly laptops
  • Backups are encrypted

  21. Using Confidential Data
  • In Oracle DB – if data fields have to be decrypted, an email is sent to IT and the manager of the project to alert them that data fields were decrypted
  • DLP – Data Loss Prevention – we use Cisco's appliance for email DLP violations
    • Notification sent to the ISO and IT Director if there is a DLP violation – make sure it is not a false positive
    • Employee's Director notified of any DLP violation in order to guide employees' behavior to be more security conscious
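The slide above says every email DLP hit is checked for false positives before the ISO and IT Director act on it. The following Python block is an added example, not code from DOAA or from the Cisco appliance, showing what that triage looks like for two of the data types slide 14 names, SSNs and credit card numbers: a pattern match alone produces the hit, and a structural check (SSA area/group/serial rules for SSNs, the Luhn mod-10 check for card numbers) separates confirmed findings from look-alike values. The message texts, the rule choices and the masked-output format are constructed assumptions for illustration; a real appliance applies many more rules.

```python
import re

# Patterns for two identifier types the slides classify as confidential:
# SSNs and payment card numbers. The regexes alone over-match, which is
# exactly why the slide calls for a false-positive check before notifying.
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")   # 13-16 digits, optional separators


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                       # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def ssn_plausible(area: str, group: str, serial: str) -> bool:
    """Reject values the SSA never issues: area 000/666/900+, group 00, serial 0000."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return int(group) != 0 and int(serial) != 0


def mask(digits: str) -> str:
    """Keep only the last four digits in the notification record sent to the ISO."""
    return "*" * (len(digits) - 4) + digits[-4:]


def scan_message(text: str) -> dict:
    """Split pattern hits in one message into confirmed findings and suppressed false positives."""
    findings, suppressed = [], []
    for m in SSN_RE.finditer(text):
        digits = "".join(m.groups())
        bucket = findings if ssn_plausible(*m.groups()) else suppressed
        bucket.append(("ssn", mask(digits)))
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        bucket = findings if 13 <= len(digits) <= 16 and luhn_ok(digits) else suppressed
        bucket.append(("card", mask(digits)))
    return {"findings": findings, "suppressed": suppressed}


# Constructed sample messages (not real data); the card number is the
# well-known Visa test value and the SSNs are structurally invalid or made up.
SAMPLE_MESSAGES = [
    "Payroll extract attached; employee SSN 123-45-6789 included.",
    "Card on file for the vendor is 4111 1111 1111 1111, please confirm.",
    "Invoice number 1234 5678 9012 3456 is past due.",
    "Work paper reference 000-12-3456 and ticket 987-65-4321 closed.",
]


def dlp_report(messages) -> dict:
    """Which messages warrant an ISO / IT Director notification, and which were only noise."""
    report = {"notify": [], "false_positive_only": []}
    for idx, msg in enumerate(messages):
        result = scan_message(msg)
        if result["findings"]:
            report["notify"].append((idx, result["findings"]))
        elif result["suppressed"]:
            report["false_positive_only"].append((idx, result["suppressed"]))
    return report


if __name__ == "__main__":
    for key, rows in dlp_report(SAMPLE_MESSAGES).items():
        print(key, rows)
```

Messages 0 and 1 go to the notification path; message 2 looks like a card number but fails Luhn, and message 3 contains two SSN-shaped values that the SSA never issues, so both stay in the suppressed list and do not reach an employee's Director.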

  22. Destroying Confidential Data
  • Destruction of data – auditors are responsible for destroying confidential data at the end of the audit or, if needed for work papers, at the end of the retention period of 5 years.
  • Auditors are provided with software (PGP Shredder) that facilitates the destruction of confidential electronic data by overwriting the data with random text and repeating this process through multiple passes.
  • Records managers in each Division ensure compliance

  23. Additional tools
  • Evaluating a product called Sensitive Data Manager by Identity Finder

  24. Final Thought
  State of _________ Audit Department Breach

  25. Questions
  Lynn Bolton
  (404) 657-9978
  boltonln@audits.ga.gov
