Research Support Council (RSC) - What Data is Sensitive and How

Transcription

1 Research Support Council (RSC) - What Data is Sensitive and How Do We Keep it Private? John L. Baines, AD IT Policy & Compliance Tuesday, May 14, :00 am 9:30 am Witherspoon Student Center John_Baines@ncsu.edu

2 Agenda worry? is sensitive data? to protect it? 5/14/2013 What data is sensitive and How to keep it private Slide 2

3 Privacy & security very public concerns Identity theft Personal safety University image and reputation Financial penalties can be high Much legislation Public concern Internet access to data 5/14/2013 What data is sensitive and How to keep it private Slide 3

4 Identity theft SSN Personal privacy Credit card numbers and bank accounts Personal safety e.g. stalking Confidentiality Personal use Student data - FERPA 5/14/2013 What data is sensitive and How to keep it private Slide 4

5 Two research case studies UNC-CH Medical School SSN breach Los Alamos Protect as Restricted Data 5/14/2013 What data is sensitive and How to keep it private Slide 5

6 UNC-CH SSN breach at Medical School Senior researcher UNC-CH medical school Carolina Mammography Registry, a 15-year project Kept research subjects database referenced by Social Security number (SSN) 114,000 subjects Also name, address and other personal information Most participants unaware Exploit Discovered in 2009, server infiltrated two years earlier. Not clear if any data exported Consequences Notified all 180,000 exposed Cost $250,000 Centralized IT security Loss of public trust and university reputation 5/14/2013 What data is sensitive and How to keep it private Slide 6

7 Sensitive But Unclassified (SBU) New category of Government data Affects Defense research contracts (and other Government data) Previously no classified data to protect Now SBU must be protected No such thing as unprotected in Defense research contracts? 5/14/2013 What data is sensitive and How to keep it private Slide 7

8 Protect as Restricted Data (PARD) DoE sensitive but unclassified data Dr. Wen Ho Lee's program code at Los Alamos National Laboratory Backed up to tape Government labeled as 'espionage' Felony charge - 'withholding' info related to the 'national defense' 5/14/2013 What data is sensitive and How to keep it private Slide 8

9 FERPA Considerations FERPA data is pervasive Do we need to protect the security of Education Records and Student Privacy? Absolutely Can we afford to protect them at the same level as social security numbers and credit card data? No Too expensive Access too difficult 5/14/2013 What data is sensitive and How to keep it private Slide 9

10 Air gapped systems In networks, air gap is a type of security where the network is secured by keeping it separate from other local networks and the Internet. While this provides security, it also limits access to the network by clients. 5/14/2013 What data is sensitive and How to keep it private Slide 10

11 licensed under a Creative Commons License. 10/29/2012 Exploring the Good and Evil in the Internet Cloud Slide 11

12 Last Truly Air-gapped System 5/14/2013 What data is sensitive and How to keep it private Slide 12

13 Sensitive data factors at NC State Legislation University revenues and expenses University image and reputation Confidentiality agreements / contracts Research Copyright and Intellectual Property Attorney/client privilege, police records Personal privacy 5/14/2013 What data is sensitive and How to keep it private Slide 13

14 Legislation Family Educational Rights and Privacy Act (FERPA) Health Insurance Portability and Accountability Act of 1996 (HIPAA) Gramm Leach Bliley Act (GLBA) Payment Card Industry (PCI) Data Security Standard (DSS) Red Flag Rule (FTC) North Carolina Identity Theft Protection Act of 2005 North Carolina Public Records Act North Carolina State Personnel Act 5/14/2013 What data is sensitive and How to keep it private Slide 14

15 Some sensitive data examples: Personally Identifiable Information (PII) Credit card information (PCI) Health data (HIPAA PHI & EHR) Research data (e.g. contractual & pre-patent) Public safety information Financial donor information Security controls such as: System access passwords and other credentials Information file encryption keys Information security records 5/14/2013 What data is sensitive and How to keep it private Slide 15

16 A framework for the availability and security of your data. 1. Data Management Procedures Regulation updates, including revised Data Classification Statement, 2. Data Sensitivity Framework table 3. List of IT controls for data stewards and application developers/sponsors 4. Data Stewards and Custodians List 5/14/2013 What data is sensitive and How to keep it private Slide 16

17 1. Data Classification Statement A. Ultra Very few data elements - SSN, credit card number, passwords B. High Large body personal privacy, financial, intellectual property, medical, research, private contributors, attorney/client privilege, police C. Moderate Simpler controls - Mostly FERPA D. Normal Not sensitive e.g. university Web pages, published articles E. Unclassified (Black) publically available data 5/14/2013 What data is sensitive and How to keep it private Slide 17

18 Data Classification Statement Matrix Classification Risk Criteria Level Risk Regulation Financial Reputation Business Other Ultra Two of Multiple Extreme Serious Serious Litigation High Two of Violation Significant Serious Serious Moderate One of Violation Some Some Adverse Normal No major Unclassified None Access control Publically available 5/14/2013 What data is sensitive and How to keep it private Slide 18

19 2. Data sensitivity framework table Lists all sensitive data elements (e..g. personal name, ssn, credit card #) Cross references Data elements to Legislation and Other concerns Provides default sensitivity for each data element Labels sensitivity level of data in context Authoritative list of university sensitive data 5/14/2013 What data is sensitive and How to keep it private Slide 19

20 3. Controls for Securing University Data Primary Audience for this document: Individuals making decisions about data classification & protection (management & technical) Document includes cross-reference table to connect controls to data Document not intended for End-users Seek approval or instruction from the respective Data Custodian / Data Steward 5/14/2013 What data is sensitive and How to keep it private Slide 20

21 Types of controls 1. Control Principles for Data Stewards and Application Sponsors 2. Administrative and procedural design controls 3. Technical controls computer server 4. Technical controls end-user devices 5/14/2013 What data is sensitive and How to keep it private Slide 21

22 More about controls Only really applies to sensitive information: Purple, red and yellow data Not green and unclassified data Cross-reference after each control: Control Data sensitivity levels Mandatory, Recommended, Optional, [Unnecessary] 5/14/2013 What data is sensitive and How to keep it private Slide 22

23 Where is it OK to store your data? Location Sensitive Not sensitive Most to least V Purple Red Yellow Green White University server Cloud service Encrypted Restricted Encrypted Restricted Yes Yes Yes Yes Restricted Restricted Yes NCSU Google Drive Encrypted Encrypted Yes Yes Yes File Only File Only Print Restricted Restricted Restricted Yes Yes Removable storage Never Encrypted Yes Yes Yes Yes Local PC Never Encrypted Yes Yes Yes Never Encrypted Some Yes Yes Mobile device Never No Yes Yes Yes Google Docs Never No Yes Yes Yes 5/14/2013 What data is sensitive and How to keep it private Slide 23

24 Next Steps with DSF Presentations to campus for Security Awareness Work with Campus IT Directors Develop documents specific to needs Best practices to apply to their use of the data Define, implement and test campus encryption solutions 5/14/2013 What data is sensitive and How to keep it private Slide 24

25 Encryption alternatives Full disk File level Database data element Backups Network drives 5/14/2013 What data is sensitive and How to keep it private Slide 25

26 Who s protecting your data & how? On your mobile device you are Removable storage you are On your desktop you and your sys admin On University servers - OIT or college/ dept IT staff (and/or you!) In the cloud the vendor (and you ) 5/14/2013 What data is sensitive and How to keep it private Slide 26

27 Google and sensitive information Best Practices for Data Security in Google NC State Google Drive and encrypted file sync Google contractually defined as a university FERPA official at NCSU Google docs OK for FERPA data may be more of a FERPA issue when transmitted outside Google 5/14/2013 What data is sensitive and How to keep it private Slide 27

28 Types & examples of cloud services File synchronization and distribution - Google Drive can save & sync files Services providing file manipulation Google Docs (and other Google Apps) Other more complex Cloud services (SaaS, Paas, IaaS) need investigation on a case by case basis 5/14/2013 What data is sensitive and How to keep it private Slide 28

29 Precautions with cloud vendors From CSA/ISACA study either Less than 100 staff or Many thousands Be careful if you have sensitive data Look at Cloud Security Alliance STAR IT Security staff can assess security of product and data being considered 5/14/2013 What data is sensitive and How to keep it private Slide 29

30 Questions 5/14/2013 What data is sensitive and How to keep it private Slide 30