Identity Theft Prevention Committee Updates and Discussions: 3/15. Team,

Transcription

1 Identity Theft Prevention Committee Updates and Discussions: 3/15 Team, We will be meeting on Monday, March 19 th to move forward with the Identity Theft Prevention Program. Please bring the packet that we were working on in November. If you no longer have the packet or are new to the team I have attached an electronic copy for your reference. Meeting Agenda: Quick Overview of the Program Development Process Information Security and Identity Theft Prevention Program Similarities Complete Stage Six Develop the Identity Theft Prevention Policy (packet p. 124) Note Funding Requirements Any new stipulations in our policy that require a project and/or funding Additional Team Members Next Steps Please let me know if you have any questions. 225 East Las Olas Blvd. 3/19 Minutes We will schedule one more meeting to go over the policy/procedure for the Identity Theft Prevention Program. Although we didn t finish the document today we had some extremely valuable discussions. We ended on section on the template. 3/19/2012 Meeting Highlights: The policy will be slimmed down to fit the College s general policy template. A procedure will be created to include the specific guidelines. A section will be added for Academic Information under the Definitions section (4). We will use FERPA guidelines to help define sensitive academic information not already listed.

2 We will add additional bullets under Financial Information for Tax Documents and College Issued Payment Cards. A review will be performed on the Child Development Providers, Health Sciences, and Emergency Medical Teams to see what types of CSI may be stored. Discussion was had on the verbiage under all sections containing Board of Directors, we will use existing policies as a guideline for these sections. A review will be completed of other policies to see where they may overlap. (i.e. Records Retention, Password Policy) A review of scanner/printer procedure for sanitizing information. (schedule meeting with Sharp and IT) Review the current Clean Desk Policy that is used for potential overlap Inventory all Fax Machines on Campus Create Fax Cover Sheet Standardize across the college with a disclaimer Research IT solutions for Encryption and Laptop Encryption Meeting to be scheduled with Peter Agnesi to discuss Locked Facilities and Greg Hale on Surveillance Equipment A review will be completed around the internal mail carrier system. (create secure cart transfer as a standard) Research with Human Resources on how we will complete background checks on Adjuncts and Part-Time Workers Funding needed for regular IT Risk Assessments Discovery of Breach will be high level with individual procedures being developed by the department leads. We will centralize all incident reporting to one location (to be determined with Peter Agnesi and team.) We will create a means for confidential reporting of suspicious activity or potential fraud cases. Mandatory Vacations will be researched by Human Resources to determine the feasibility of the stipulation. We may want to put a mandatory vacation for a specified time interval.. i.e. 1 week vacation every two years. (6.7.3) I will schedule a re-occurring meeting for the next several months so that we can plan accordingly. I will limit the meetings to 1 hour sessions for now. We will be working on a lot of items behind the scenes to move this program forward. The diverse skillset of this team is ideal to the success of the program. If you have any other recommendations of an area that is not represented please let me know. We are off to a great start.

3 225 East Las Olas Blvd. 5/3 Meeting Information: We will set dates / times for the regular meetings during this time. Sorry for the delay. We wanted to make sure that we fit the meeting around most schedules. Agenda: Policy / Procedure Review Continue Policy Content Creation (Ended on section 6.7.3) Set Milestone Dates for the Identity Theft Prevention Program When: Thursday, April 26, :00 PM 4:00 PM Eastern Time Where: 33/1208 DTC Boardroom If you will be attending remotely please use the number and conference ID below. 5/8 Update to Identity Theft Prevention Team Hi Team, I will be sending out the rough draft policy/procedure within the next couple of weeks for everyone to review. I ll work with each of you to make sure that we ve included everything. Quick Update: The Board of Trustees has approved a complete network infrastructure overhaul. We will be replacing most of the core network equipment at all of our campuses. The new infrastructure will have added security features that will help us protect sensitive information. We now have the ability to block anyone on our network at the port that they are connected on. This will be a critical step in stopping a breach if one is detected. Our current equipment allows for a hacker/identity thief to connect to our network anywhere there is an active network port. They can then perform a variety of maneuvers to gain access to our critical information. We were also approved to purchase a security information and event management system (SIEM). All of the privacy regulations (HIPAA, FERPA, PCI, GLBA, Red Flags) require us to be able to detect/prevent unauthorized access to sensitive information. This system will analyze millions of logs from all of our critical systems to help alert us to suspicious activity. I will be reviewing many reports from this system to help meet regulatory compliance. We will be utilizing a Q1 SIEM which is rated #1 by Gartner.

4 Product Info: I created a new WorkPlace site to help spread Identity Theft Awareness at the College. We will be putting more information on the site in the months to come. We will use this site to update the College on the Information Security / Identity Theft Prevention Programs. ault.aspx We have received two different pamphlets on preventing identity theft from the FTC. The electronic documents can be found on our WorkPlace site. We will be distributing them on each campus. Please let me know if you need any for your specific area. rity%20documents/deterdetectdefend.pdf rity%20documents/takingcharge.pdf The IT department will be implementing next-generation firewalls sometime this summer. The next generation firewall comes with a lot of new security features that will help with the Identity Theft/Information Security Program. One unique feature of this device is that it has the ability to detect/block sensitive information leaving our network. The ability to detect CSI leaving the network will help us warn people that are sending unsecured information. There were ~20 separate reported incidents of sensitive data leaks at Colleges in the month of April. I m hoping with the new firewalls we will be able to prevent a serious data leak at Broward. We ve been researching online training for Information Security and Identity Theft related awareness. This is a requirement for most major privacy regulations (GLBA, HIPAA, Red Flags, PCI etc.). The goal would be to have all employees trained within a year of implementation. We ve received a quote from an FBI partner InfraGuard. An example of the training can be found at this link: A few other solutions that I am in the process of working on to make this program a success: Enterprise Encryption Solution (Laptop, USB Drives, CD-ROMs, external hard drives) If electronic media containing sensitive information is lost or stolen the College will be at serious risk. It is important that we have a solution for everyone to encrypt sensitive information that is stored electronically. Mobile Device Management Solutions - Protect data on mobile phones with the ability to lock and/or remotely wipe College Data in the event the device is lost or stolen. Application Firewalls Hackers often use SQL injection and Cross Site scripting on our public facing websites to obtain sensitive information. The application firewalls will prevent this from occurring. Penetration Test We will be hiring a team of ethical hackers to try and penetrate our network. They will then report any vulnerabilities found along with recommendations. I will share the

5 results with the team after this is completed. I expect this to be done sometime in July or August. This is an annual requirement for PCI compliance. We will be implementing a lot of new security monitoring procedures within the next few months. This will greatly enhance the security of our electronic data. Please let me know if you have any questions or concerns. I m available by cell at any time: East Las Olas Blvd. Individual Discussions on Identity Theft Prevention Program Month of June Hi Pat, Nicki, Cheryl: I was hoping we could review the Identity Theft Prevention Procedure with feedback by the end of next week. All stipulations will have an impact on HR but I have highlighted a few specific areas in blue that will have a direct impact on your areas. The training sections should be covered by the Information Security budget (if approved) but I ll definitely need your help managing the process and selecting a vendor. Procedure Standards HR Every Employee will go through a background check and screening process before being authorized to handle CSI A written procedure and checklist will be used by management to terminate access when an employee is terminated from service. (I believe we already have this) All employees must take mandatory vacations Procedure Standards - Training Staff training in relation to the Identity Theft Prevention Program and its policies shall be conducted for all employees, temps, and contractors, both part-time and full-time, on a periodic basis no less than once annually. Please let me know your thoughts around each. Our next steps will be to get the document published. We ll then start to set milestones and dates around the items that we do not have in place today.

6 Hi April, I ve been contacting everyone individually for feedback on the procedure. If you get a chance this week, please review the document. I have copied a few areas of the procedure that may be specific to your area. But feel free to comment on any of the stipulations as they affect us all in one way or another. 6.8 Transaction Identification and Verification 6.9 New and Existing Account Identification and Verification 6.10 Red Flags (I want to make sure these will be clear to the teams. I will be looking for additional red flags that are College specific but if you see anything that needs to be changed just let me know.) The current published policy does a good job of giving a high level overview of the program. We will have a few adjustments though. The procedure is going to be very different. I have attached it for your review. 225 East Las Olas Blvd. Hi April, Sorry for the delay. It has been non-stop the last few weeks. I wanted to make sure that I responded to your comments. S1: Direct Access to Information: I am still waiting on confirmation from procurement but ideally as part of the vendor management process we would validate that some type of Identity Theft Prevention policy exists. I think for now a vendor acknowledgement stating that they have one in place would be sufficient. The best way to confirm the controls of a vendor is with a SAS70 or the new SSAE 16 audit. This is normally a standard for GLBA / FACTA compliance organizations. I don t know that we have a full risk management process around vendor contracts today. S2: Indirect Access to Information: Vendors with both direct and indirect access to information will be required to sign our privacy affidavit, which will provide a link to the full Identity Theft Prevention Policy and Procedure. This will most likely be handled by the procurement team as part of the procurement / vendor management process. I have added this information to the procedure so that it is clear.

7 S3: Employee Personal Belongings: I also do not think this is going to be an obtainable goal. We may need to exclude this from the procedure. S4: Storage Service Providers: They will be made aware during the procurement/vendor management process. It will be a pre-requisite to doing business with the College. S5: Spoken Word Company Representatives must identify and verify callers as authorized before releasing any CSI over phone: I cross referenced the 5.35 policy. S6: Clean Desk Policy I cross referenced the 5.35 policy. S7: All outgoing containing CSI must be encrypted: I will be implementing an encryption solution as part of the Information Security budget. This will allow everyone with a College issued account to encrypt s that contain sensitive information. We have a lot of sensitive files that traverse the network daily that are unsecured. I hope to have a solution in place before January. S8: Employees shall not respond to s requesting CSI unless they first contact the sender and verify that the sender is authorized to have the information being requested: I will add An from a Broward College issued account will be sufficient in identifying students, faculty, and staff. S10: BC requires company representatives to verify adequate means of identification from a person before they can transact business with a check, credit card, or debit card on behalf of themselves a group or an entity: We may want to keep this for the auxiliary services team and others that may take different forms of payment. I ll verify. S12: Customer Identifying Information Power of Attorney We would probably require this in a situation where a student was disabled or required assistance to open an account. But it will also be important in closing accounts as well in the event a student becomes incapacitated. S13: Two Sources of Identification I will verify with Registration what they require. S15: Request Two Sources of Identification when someone wishes to access an account: I agree, this may be a little overkill. The security questions would be sufficient.

8 S16: Account Access On-Line This sets a standard for IT and other 3 rd party vendors for the online access process. We may only use a few of them today but all will be acceptable. S17: Add the number of required verification documents: I will add the number of required documents in the sections. 225 East Las Olas Blvd. Update 10/14 Hi Team, We were informed last week by the Florida Department of Education that a major breach had occurred to Northwest State College. The number of records breached was around 300,000. We know that the files were pulled down from the DOE. We have the name of the files and have been searching our systems to ensure that any stored electronically at Broward College are either deleted or secured. We believe the hacker went after an unpatched server that was facing the internet. We patch all of our systems before they go into production. We are also scanning them on a daily basis to detect any new vulnerabilities. I do not believe this same breach would have occurred at our institution. But it is definitely a wakeup call for other colleges in the state. President Armstrong has been made aware of this issue. We will be drafting a response to notify the DOE that the files stored at BC have been deleted or secured. We have started implementing many new projects to help prevent a breach from occurring at Broward College. I have attached a list of projects that are currently underway. The policy/procedure will reference some of these initiatives so it is important that they start to be realized before we publish the document. I will be scheduling a meeting in November to have a brief discussion about the program. Please let me know if you have any questions. Matt