Student Visa - confidentiality and Reporting Requirements

Transcription

1 Information Security: Best Practices

2 Larry Carson Associate Director, Information Security Management, UBC

3 Agenda News-worthy Incidents Legislation Policy Passwords Training Who to call Scenarios Discussion 3

4 Recent News-worthy Security Incidents VGH Loss of 450 medical records via Resident laptop & USB drive Lost/stolen at Toronto airport (Late Sep 2011) UVic Loss of 11,845 employee records incl. banking info Stolen USB stick (Jan 7-8, 2012) SFU Loss of Personal information for 150 students Stolen via keylogger (Jan 10, 2012) McGillLeaks Posts confidential donor information Stolen and posted (Mar 3, 2012) UBC Laptop Loss & Recovery with 50,000 records Stolen from vehicle (Feb 16, 2012) CGA Leaks 4,600 student records containing Personal Information to 2,300 students accidentally incl. Excel file (Mar 13, 2012) BCIT 12,680 Student Medical records compromised Server breached: movie uploads/downloads (Jun 2012) 4

5 BC s Freedom of Information and Protection of Privacy Act (FIPPA) FIPPA legislates handling of Personally Identifiable Information (PII) for BC public bodies Section 30: A PUBLIC BODY MUST PROTECT PERSONAL INFORMATION IN ITS CUSTODY OR UNDER ITS CONTROL BY MAKING REASONABLE SECURITY ARRANGEMENTS AGAINST SUCH RISKS AS UNAUTHORIZED ACCESS, COLLECTION, USE, DISCLOSURE OR DISPOSAL. What is personal information? FIPPA Definition: recorded information about an identifiable individual, not including contact information. Contact information: information to enable an individual at a place of business to be contacted and includes the name, position name or title, business telephone number, business address, business or business fax number of the individual.

6 FIPPA cont Roles: The Office of the Information and Privacy Commissioner (OIPC) BC CIO s Office How are Reasonable security arrangements defined in s.30? Investigative reports, pronouncements, guidelines, etc. Portable/Mobile = Encryption + Strong Passwords Less is best

7 UBC Policies 104, 106 and the UBC Information Security Manual #104 Responsible Use of Information Technology Facilities and Services #106 Access to and Security of Administrative Information Systems UBC Information Security Manual V2.0 3 Tables Pages 6, 7 & 8

8 Confidential Highest level of sensitivity Sensitive Moderate level of sensitivity Public Very low, but still requiring some protection Legal Requirements Protection of data where it is required by law (e.g. Freedom of Information and Protection of Privacy Act [FIPPA] legislation, which includes Personally Identifiable Information [PII] and Protected Health Information [PHI]) or by industry regulation (e.g. Payment Card Industry Data Security Standard [PCI-DSS] for protection of credit card data) or by University of British Columbia policy The institution has a contractual obligation to protect the data (e.g. Bibliographic citation data, bulk licensed software) None Reputation Risk High Medium Low Potential Impact of Loss Long-term loss of research funding from granting agencies Long-term loss of reputation Legal costs Individuals put at risk for identity theft Unauthorized tampering of research data Increased regulatory requirements Long-term loss of critical campus or departmental service Short-term loss of reputation Short-term loss of research funding Short-term loss of critical departmental service Unauthorized tampering of research data Individuals put at risk for identity theft Loss of use of individual workstation or laptop Public embarrassment

9 Employee Home contact info Dependants Medical/Health Research studies Patients Student What is Confidential Information (PII)?

10 Student PII Student or Prospective Student Name address, if it can identify an individual (Decision: Ontario Nov/11) E.g. vs. User account name, if it can identify an individual. E.g. ubc\greentree vs. ubc\jsmith

11 Student PII Student or Prospective Student Information Depends on Context Student ID number Courses taken if linked to the identity of an individual Enrolment status of a student. E.g. cannot inform student s parents if their child is enrolled at institution, without consent of student

12 Employee PII Payroll & other employee information Employee ID Home contact information E.g. Address and/or phone number Home address, if it can identify an individual (Decision: Ontario Nov/11) E.g. vs. Other people linked to the employee - personally Dependants. E.g. spouse, children, etc. Beneficiaries Emergency Contacts What Isn t PII?? Salary, title/position, expenses, name

13 Credit Card Processing (PCI-DSS) UBC is compliant with the Payment Card Industry Data Security Standard (PCI- DSS) If you process or outsource the processing of credit cards then you must be registered with the University UBC contracts a Qualified Security Assessor (QSA) to assist our merchants with achieving and maintaining PCI-DSS compliance UBC has a central service that is already PCI-DSS compliant: UBC epayment Contact: Raul Ramos

14 Confidential Highest level of sensitivity Sensitive Moderate level of sensitivity Public Very low, but still requiring some protection Access Protocol Access is limited to those personnel permitted under law, regulation and University of British Columbia policies, and those with a need to know. Access limited to those personnel with a need to know. Open Transmission It is strongly recommended that Confidential information transmitted through a network should use approved encryption. Third party services are not appropriate for transmitting Confidential information. Confidential data may be masked instead of encrypted. Approved encryption is recommended when transmitting information through a network. Third party services are discouraged for transmitting Sensitive information. Open Storage Location of Confidential information should be clearly identified and reported via the Prioritisation Tool. Approved encryption or masking is strongly recommended and may be required on computing equipment depending upon law or regulation. Approved encryption of Sensitive information is recommended. Level of required protection of Sensitive information is either pursuant to UBC policy or at the discretion of the owner or custodian of the information. If appropriate level of protection is not known, check before storing Sensitive information unencrypted. Encryption is not required. Protection Controls In accordance with law, regulation and University of British Columbia policies, procedures & standards. In accordance with University of British Columbia policies, procedures & standards. In accordance with University of British Columbia policies, procedures & standards.

15 Passwords No sharing Accountability IT personnel never need to know your password Phishing Change it annually Make it strong But How?

16

17 Training UBC Information Security Awareness Training CWL for access Employees & Graduate Students

18 Who to call IT support staff IT Service Centre

19 Scenarios - Tuition 1. A man calls and states that he is the father of David Smith; that he pays his son s tuition fees and wants to confirm that he is taking law courses as planned at UBC. How do you handle this?

20 Scenarios - Tuition 1. A man calls and states that he is the father of David Smith; that he pays his son s tuition fees and wants to confirm that he is taking law courses as planned at UBC. How do you handle this? A: Put the call on hold and check for a waiver from the student. Do not confirm or deny the attendance of the student at UBC without the waiver.

21 Scenarios - Scholarships 2. You are coordinating a review of potential students for scholarships and need to distribute information on the candidates to the committee. You decide USB sticks will be good for most members; however, two members are not local, so you decide to use for them. How do you do share the information safely?

22 Scenarios - Scholarships 2. You are coordinating a review of potential students for scholarships and need to distribute information on the candidates to the committee. You decide USB sticks will be good for most members; however, two members are not local, so you decide to use for them. How do you do share the information safely? A: USB sticks with encryption. Encrypt the data in a spreadsheet and phone the two people with the passphrase

23 Scenarios Your receive an stating that UBC has moved to a new system but to make sure your account still works, you will need to go to the following website and enter your username and password. The has UBC logos and looks authentic. What do you do?

24 Scenarios Your receive an stating that UBC has moved to a new system but to make sure your account still works, you will need to go to the following website and enter your username and password. The has UBC logos and looks authentic. What do you do? A: Contact IT support and validate that it is real.

25 Scenarios - Tablets 4. You have a new ipad and wish to work with it instead of carrying around the laptop provided to you by UBC. You ve connected it to FASmail and have put a 5 digit PIN on the device to protect it. Can you work on spreadsheets that contain confidential student information from the device?

26 Scenarios - Tablets 4. You have a new ipad and wish to work with it instead of carrying around the laptop provided to you by UBC. You ve connected it to FASmail and have put a 5 digit PIN on the device to protect it. Can you work on spreadsheets that contain confidential student information from the device? A: No, the tablet needs to have strong encryption along with a strong password/passphrase. The password/passphrase is weak and the encryption has not been validated as strong

27 Scenarios - Manager 5. You are the manager of a team. You are concerned that when a person is sick or on vacation important s may not receive attention. You decide that asking the staff for their usernames and passwords is appropriate and that you will keep the information locked in a safe just in case. Is this okay?

28 Scenarios - Manager 5. You are the manager of a team. You are concerned that when a person is sick or on vacation important s may not receive attention. You decide that asking the staff for their usernames and passwords is appropriate and that you will keep the information locked in a safe just in case. Is this okay? A: No, usernames and passwords should only be known to the individual. Sharing them removes accountability. Instead ask them to delegate access to their or setup a special account for shared communications.

29 Scenarios - Payroll 6. You need to backup payroll data as part of your unit s Business Continuity plans and decide that a USB stick stored in a safe would be a good idea. Will this be safe?

30 Scenarios - Payroll 6. You need to backup payroll data as part of your unit s Business Continuity plans and decide that a USB stick stored in a safe would be a good idea. Will this be safe? A: No, the USB stick must be fully encrypted, using strong encryption with a strong password see UVic s January data breach.

31 Scenarios - Telecommuting 7. You need to work from home and decide to borrow a laptop from the office pool. You transfer copies of your confidential employee records to the laptop. What are the problems with this and what options do you have to do this safely?

32 Scenarios - Telecommuting 7. You need to work from home and decide to borrow a laptop from the office pool. You transfer copies of your confidential employee records to the laptop. What are the problems with this and what options do you have to do this safely? A: The laptop must be encrypted prior to using it; this needs to be checked before transferring the records. Only the records needed should be copied not all records unless it is necessary. Options: 1. Use a VDI session to remotely access your desktop. The data will stay at UBC on its premises. 2. Use an encrypted USB stick and work only from the stick; the stick must have strong encryption & a strong password

33 Discussion