Data Security and WNYRIC Services. From Risky Business to Best Practice

Transcription

1 Data Security and WNYRIC Services From Risky Business to Best Practice

2 Presenters Joann Lukasiewicz Lynn Reed Dave Scalzo Paul Spahn Rob Warchocki

3 States of Data Data at Rest Moving Data Data At Endpoints

4 Data at Rest

5 Data at Rest: Risky Business Weak or non secure passwords Who can access what Staff who leave position or district i t Storing sensitive info Storing old data

6 Does this look familiar?

7 TREAT YOUR PASSWORD LIKE YOUR TOOTHBRUSH. DON T LET ANYBODY ELSE USE IT, AND GET A NEW ONE EVERY SIX MONTHS. Clifford Stoll

8 Data at Rest: Best Practice Strong and secure password Verify access is set up properly Security designee and backup Avoid storing unnecessary information Exit procedures Policy for data storage

9 WNYRIC Hosted Services: Protecting data at rest State of the art data center State o t eatdata ce te Controlled access Antivirus Secure network VPN Firewalls protecting data in and out Employees AUP Active Directory

10 Data on the Move

11 Sharing Data: Risky Business Sending data through non secure means Ending relationship with vendor Public unsecured wireless access

12 is safe, right?

13 Mass by Dent Neurologic inadvertently breaches privacy of 10,200 patients Dent Neurologic let out data on 10,200 By Melinda Miller News Staff Reporter, Stephen Watson News Staff on May 14, :46 PM, updated May 14, 2013 at 4:29 PM Confidential i information i about more than 10,200 patients of Dent Neurologic Institute was inadvertently sent to more than 200 patients Monday in an attachment. The personal information including patients names and home addresses, their doctors names, last appointment dates and their addresses was contained on an Excel patient spreadsheet. The data does not include specific information about the patients medical conditions, birth dates or Social Security numbers, according to Dent, which attributed the privacy breach to human error.

14

15 To: WNYRIC App Support Team Subject: Student Tommy Henderson From: Nancy Smith Hello Team. Tommy Henderson left our school to attend Pleasantview Elementary School in Happydale, NY as of Monday April 15, He was in Mr. Taylor s 5 th grade class. His Student t Number is and his Date of Birth is November 4, Al M T l h d t bl i tt d thi i Hi ID i Also, Mr. Taylor had trouble saving attendance this morning. His user ID is RTaylor123 and his password is password. Can you login as him and see if you can save attendance?

16 To: WNYRIC App Support Team Subject: From: Support Request Nancy Smith Hello Team. Please review Student Number to see if I exited him correctly, as he has moved to another district. I also have a teacher that cannot save attendance this morning. Please call me at so I can give you his login information.

17 Sharing Data: Best Practice Define Your Policy Know where the data is and where it is going Securely Automate if possible Data Integration Secure File Transfer (SFTP) Point to Point communication (Remote Desktop, Bomgar) Outside Contracts Where are the servers located? How is data transferred? Who will have access to the data? What happens when the contract expires?

18 aring Data: Data Integration Partners Student Systems Directory Services Transportation eschooldata Active Directory Transfinder PowerSchool Google Cloud Connect VersaTrans Food Services LDAP Library WebSmartt Open Directory Alexandria Nutrikids edirectory Destiny Horizon Visual Casel Lite Mandarin Special Education Instructional Support Assessment Systems Cleartrack My Big Campus Star IEP Direct Study Island iready Health Services ConnectEDU AIMSWeb Health Office Performance Plus NWEA Snap Health My Learning Place edoctrina Financial Services Rapid Broadcast Communication Services Finance Manager Global Connect Domino Notes / Exchange Win Cap SchoolMessenger Webs That Work Scheduling One Call Now Sametime Schedule Star Quikr (Communities)

19 Data at Endpoints

20 ata at Endpoints: Risky Business Sharing data through non secure means BYOD Workstations or devices left unsecured Sharing of workstations Digital copiers or fax machines Cloud Services

21 Data at Endpoints: Best Practice Shared drives with limited or controlled access Encrypted devices / flash drives Password protect/encrypt files Require locking of device Prevent downloading of data Encrypted data transmission

22 Next Steps Security Review Ongoing dialogue with technology coordinator Educate staff Get proper approval Develop and enforce policies