Protecting personally identifiable information: What data is at risk and what you can do about it

Virtually every organization acquires, uses and stores personally identifiable information (PII). Most have it for their employees and, depending on their area of business, may also have it for a wider group including customers, patients, residents and students. Organizations are expected to manage this private data appropriately and take every precaution to protect it from loss, unauthorized access or theft. Misusing, losing or otherwise compromising this data can carry a steep financial cost and damage an organization's reputation. This white paper examines the challenges companies face and the steps they can take to protect themselves against data breaches and ensure the safety of this sensitive information.

by John Stringer, Product Manager, Sophos

What data is at risk and what you can do about it

Not so long ago, the most common way people protected their personally identifiable information (PII) was to pay for an unlisted telephone number. Today, there are many types of PII and it's not just businesses that use and must protect PII. Schools, universities, healthcare facilities, retailers, government offices and many other organizations also acquire, process and store highly sensitive records.

Use of technology has resulted in much greater flexibility and speed when it comes to making purchases, processing payments and managing data records. However, it has also led to a growing data loss prevention (DLP) problem that puts people's PII at risk.

There are two types of data loss: accidental and malicious. Human error or carelessness, as well as a lack of data security processes in an organization, can lead to accidental loss, including something as simple as sending an email attachment containing PII to the wrong recipient. Malicious data breaches, on the other hand, are deliberate internal or external attacks on an organization's data systems.

What is PII?

PII, according to the U.S. Office of Management and Budget, is any information that can be used to uniquely identify, contact or locate an individual, or can be used with other sources to uniquely identify a person. It consists of a broad range of information that can identify individuals, including dates of birth, addresses, driver's license numbers, credit card numbers, bank account numbers, health and insurance records, and much more. Unless your organization keeps no payroll-related data about its employees, it has PII it needs to protect.

While most adults are careful about disclosing their personal information, this issue is particularly sensitive for organizations that have information on minors, such as schools, councils and medical services. It becomes incumbent on the holder of that PII to be vigilant about its use and access.

According to the U.S. General Accounting Office, 87% of the U.S. population can be uniquely identified using only gender, date of birth and ZIP code. So it's not just the most obvious types of PII, like credit card numbers, that require protection.

Table 1: Examples of PII
- First or last name (if common)
- Date of birth
- Country, state or city of residence
- Credit card numbers
- Immunization history/medical records
- Age
- Telephone numbers
- Email addresses
- Gender
- Race
- Criminal record
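The aggregation risk behind the 87% figure can be measured directly on your own extracts. The following Python check is an added example, not part of the white paper: it takes a small constructed HR-style extract (fictional people) and reports, for each combination of candidate fields, what fraction of records that combination singles out and the size of the smallest group sharing a combination.

```python
from collections import Counter
from itertools import combinations

# Constructed sample extract (fictional people) holding the three fields the
# white paper cites as quasi-identifiers: gender, date of birth and ZIP code.
RECORDS = [
    {"name": "A", "gender": "F", "dob": "1984-03-12", "zip": "02110"},
    {"name": "B", "gender": "M", "dob": "1979-07-01", "zip": "02110"},
    {"name": "C", "gender": "F", "dob": "1984-03-12", "zip": "02110"},
    {"name": "D", "gender": "M", "dob": "1990-11-23", "zip": "94105"},
    {"name": "E", "gender": "F", "dob": "1990-11-23", "zip": "94105"},
    {"name": "F", "gender": "M", "dob": "1979-07-01", "zip": "10001"},
]


def group_sizes(records, fields):
    """Count how many records share each value combination of `fields`."""
    return Counter(tuple(r[f] for f in fields) for r in records)


def uniqueness(records, fields):
    """Fraction of records singled out by `fields` alone (group size 1)."""
    sizes = group_sizes(records, fields)
    singled_out = sum(n for n in sizes.values() if n == 1)
    return singled_out / len(records)


def k_anonymity(records, fields):
    """Size of the smallest group: k=1 means at least one person is fully exposed."""
    return min(group_sizes(records, fields).values())


def risky_combinations(records, candidates, threshold=0.5):
    """Field subsets whose uniqueness fraction reaches `threshold`, smallest
    subsets first, so a reviewer sees which few fields already re-identify
    people even though none of them is sensitive on its own."""
    found = []
    for n in range(1, len(candidates) + 1):
        for combo in combinations(candidates, n):
            frac = uniqueness(records, combo)
            if frac >= threshold:
                found.append((combo, round(frac, 3)))
    return found


if __name__ == "__main__":
    for combo, frac in risky_combinations(RECORDS, ("gender", "dob", "zip")):
        k = k_anonymity(RECORDS, combo)
        print(f"{combo}: {frac:.0%} of records uniquely identified, k={k}")
```

On this extract no single field identifies anyone, yet gender plus ZIP code already singles out two thirds of the records, which is the Aggregation criterion of Table 2 in practice.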

Consequences of not protecting PII

Regardless of how the data is lost, the cost of a data breach can be huge. Fines are one of the most widely known consequences of losing personal data, and they can be very expensive (e.g., up to $1.5 million per year in the case of a breach of healthcare records in violation of the Health Insurance Portability and Accountability Act [HIPAA] regulation, or up to £500,000 from the UK Information Commissioner). However, the consequences extend much further and include reputation damage, loss of customer trust, employee dissatisfaction and attrition, and clean-up costs following the breach. Examples include:
- Heartland Payment Systems committed $8 million to settle lawsuits following a data breach which compromised 130 million credit and debit cards
- Health Net of the Northeast Inc. agreed to pay for two years of credit monitoring for 1.5 million members whose details were on a lost hard drive
- Sony provided free services to customers affected by its 2011 data breaches to help them protect against identity theft

The three states of data
- Data in use is data on endpoints being used by employees to do their jobs.
- Data at rest is information stored on endpoints, file servers and information repositories like Exchange servers, SharePoint and web servers.
- Data in motion is data sent over networks.
Organizations must ensure they consider data in all three states when protecting their PII.

Questions for developing PII acceptable use policies (AUPs)
- Who needs access to PII to do their jobs?
- What regulatory mandates must your organization comply with?
- What are your data security vulnerabilities?
- What data can be transferred within the organization? Sent outside to third parties?
- What rules and permissions for data transfer does your organization have or need?
- Is encryption required before data can be transmitted or stored on portable devices?
- Who is authorized to change or update the AUP?

Creating acceptable use policies

IT managers must balance the desire to tightly control and protect PII with the needs of employees to use the data to perform their jobs. Think of it in terms of CIA: confidentiality, integrity and availability of PII. The goal is to create and enforce AUPs that clearly define which data is most sensitive and which employees are allowed to access and use it in their work.

Form a team to help identify and prioritize all the PII your organization possesses. The team typically would include IT operations, the security team and data controllers who know what data is available and where it's located, and representatives of the HR and legal departments, who have expertise in compliance regulation and legal obligations. This team can help you define your organization's acceptable use policies for handling and storing PII.

5 steps to acceptable use policy

There are five key steps every organization must take to begin the process of preventing data loss:
1. Identify PII your organization must protect
2. Prioritize PII
3. Find where PII is located
4. Create an AUP
5. Educate your employees about your AUP

How do you find the PII in your organization? It may be in multiple places, redundant on servers, laptops, PCs and removable media. Thinking about the data in each of its three states (see Table 2) will help you identify where it's located.

Once you've found the PII, you need to define what your organization's AUPs are for accessing and using it. AUPs will vary from organization to organization, but should accomplish three goals:
- Protect PII data
- Define who can access PII
- Establish rules for how authorized employees can use PII

The AUPs you develop will only be effective if your employees feel they have a part to play in protecting your PII. Comprehensively educating employees is a critical and often overlooked step. Deliver copies of AUPs to employees, offer training sessions and have them sign a statement acknowledging they will abide by the policies. This will make every employee an active participant in the enforcement of AUPs and in the organization-wide effort to prevent data loss and the loss of PII.

Table 2: Five rating criteria to determine what data needs to be protected most

Distinguishability: Look for data that by itself can identify a unique individual.

Aggregation: Look for two or more pieces of data that when combined can identify a unique individual.

How PII is stored, transmitted, used:
- Frequently transmitted over networks
- Stored redundantly on servers or portable devices
- Used by many people in the organization

Compliance: Your organization must comply with regulations and standards for protecting PII. Which ones apply will depend on where you are based and your scope of work. However, these may include:
- Payment Card Industry Data Security Standards (PCI DSS) (International): setting out requirements for data security when handling card payments
- Data Directive (EU): requiring the safe storage, using data loss prevention technology, of data generated in connection with public electronic communication
- HIPAA and HITECH Act (U.S.): enabling fines of up to $1.5 million per year for a breach of healthcare records
- Criminal Justice and Immigration Act (UK): giving the Information Commissioner power to levy fines of up to £500,000 for data breaches
There are also a large number of data security regulations applicable at regional or state level. If you work in a geography covered by such legislation you should understand the implications for your organization.

Ease of access: Decide if the PII:
- Is easily accessed by any employee
- Can be copied, sent and saved without restriction
- Is available for use by HR for employee management or by staff
- Is not protected by PINs or passwords before being accessible by staff

Choosing the right solution to protect PII

After you've identified your organization's PII and adopted AUPs for its safe use, it's time to look at how to secure your network, endpoints, other devices and applications. Strong, system-level security can prevent accidental data loss and stop malicious threats before they harm your organization, while ensuring the right employees have access to the data they need to do their jobs within established AUPs. There is no silver bullet to accomplish these goals (see Table 3). Rather, it requires a combination of technologies for defense-in-depth, or a multilayer security strategy.

Table 3: PII solutions

Encryption
- Full-disk encryption
- USB, CD and removable media encryption
- Policy-based email encryption
- File share encryption
- Central key management and backup
- Ability to audit encryption status

Threat protection
- Protect endpoint, email and web vectors with proven security
- Detect known and unknown malware proactively without the need for an update, including viruses, worms, Trojans, spyware, adware, suspicious files, suspicious behavior, potentially unwanted applications (PUAs) and more
- Get antivirus, firewall, application and device control in a single agent
- Defend all of your platforms (Windows, Mac, Linux, UNIX)

Data loss prevention
- Stop accidental data loss by scanning content for sensitive information uploaded to websites, sent by email or IM, and saved on storage devices, with automatic rules such as:
  - File matching rule: a specified action is taken based on the name or type of file a user is attempting to access or transfer
  - Content rule: contains one or more data definitions and specifies the action taken if a user attempts to transfer data that matches those definitions

Policy compliance
- Develop a list of applications that need to be controlled under all or certain circumstances to prevent the accidental transmission of sensitive data by email, IM, P2P, online storage, smartphone synchronization and other frequently used communications apps
- Introduce and enforce methods of web control, as the Internet is the source of most malware
- Enable control of three types of devices that are commonly used in the accidental storage or sending of sensitive data:
  - Storage: removable storage devices (USB flash drives, PC card readers, and external hard drives); optical media drives (CD-ROM/DVD/Blu-ray); floppy disk drives
  - Network: modems, wireless (Wi-Fi interfaces, 802.11 standard)
  - Short range: Bluetooth interfaces, infrared (IrDA infrared interfaces)

Table 4: Protecting PII

Example scenario: An HR manager needs to provide important papers to a pension company. The company's network security solution must provide:
- Encryption that will keep the data safe if the manager's laptop is lost or stolen
- Threat protection to keep his PC safe from viruses, phishing and other threats
- Data loss prevention that will warn him he is about to send a file with PII
- Policy compliance that will block him from using a browser with a known security vulnerability or stop him from saving the file to an unencrypted USB stick
- Blocking of anonymous proxies for web searches, because they allow personal information to be accessed by administrators of the proxy server
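The two automatic rule types listed under data loss prevention, file matching rules and content rules, can be illustrated with a small policy engine. This Python block is an added example, not Sophos code: the rule set, the data definitions and the sample messages are all constructed here, rules are evaluated in order with the first match deciding, and card-number candidates are checked with the Luhn checksum so that arbitrary digit runs do not trigger a block.

```python
import re
from fnmatch import fnmatch


def luhn_ok(number):
    """Luhn checksum: rejects digit runs that are not plausible card numbers."""
    digits = [int(c) for c in number if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


# Data definitions for a content rule: (pattern, extra validator). Constructed
# for this example; a product would ship far richer definitions.
DATA_DEFINITIONS = {
    "credit_card": (re.compile(r"\b(?:\d[ -]?){12,15}\d\b"), luhn_ok),   # 13-16 digits
    "us_ssn": (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), lambda s: True),
    "email": (re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"), lambda s: True),
}

# Rule set, evaluated top to bottom. A content rule fires when any of its
# definitions reaches the listed minimum number of matches.
RULES = [
    {"type": "file", "patterns": ["*.pst", "*.kdbx"], "action": "block"},
    {"type": "content", "definitions": {"credit_card": 1, "us_ssn": 1}, "action": "block"},
    {"type": "content", "definitions": {"email": 5}, "action": "warn"},
]


def count_matches(text, definition):
    """Number of validated hits of one data definition in `text`."""
    pattern, validate = DATA_DEFINITIONS[definition]
    return sum(1 for m in pattern.finditer(text) if validate(m.group()))


def evaluate(filename, content, rules=RULES):
    """Return (action, reason) for a user transferring `filename` with `content`."""
    for rule in rules:
        if rule["type"] == "file":
            if any(fnmatch(filename.lower(), p) for p in rule["patterns"]):
                return rule["action"], f"file matching rule: {filename}"
        elif rule["type"] == "content":
            fired = [d for d, need in rule["definitions"].items()
                     if count_matches(content, d) >= need]
            if fired:
                return rule["action"], "content rule: " + ", ".join(fired)
    return "allow", "no rule matched"


if __name__ == "__main__":
    # Constructed sample transfers; 4111 1111 1111 1111 is a well-known test card number.
    print(evaluate("report.docx", "Card 4111 1111 1111 1111 expires 12/26"))
    print(evaluate("notes.txt", "ticket ref 1234 5678 9012 3456"))
    print(evaluate("backup.PST", ""))
```

The second sample is a 16-digit run that fails the Luhn check and is therefore allowed through, which is the kind of false positive a content rule without validation would block.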

Recommendations

Protecting PII requires organizations to work through a number of steps. Exactly what you do under each step will vary depending on your industry, the type of data you hold, the geographies you work in, your attitude to risk, your resources, and other factors. However, all organizations should follow the same broad steps:
- Identify what PII you hold
- Create policies around handling the data
- Educate your users (for resources to help educate users about data security, download the free Sophos Data Security Toolkit)
- Implement a layered technology approach that puts in place practical data security controls, including:
  - Encryption
  - Threat protection
  - Data loss prevention
  - Policy compliance (devices, applications and web access)

To learn more about Sophos and to evaluate any of our products free for 30 days, please visit us at www.sophos.com

United Kingdom Sales: Tel: +44 (0)8447 671131, Email: sales@sophos.com
North American Sales: Toll Free: 1-866-866-2802, Email: nasales@sophos.com
Boston, USA | Oxford, UK

Copyright 2011. Sophos Ltd. All rights reserved. All trademarks are the property of their respective owners.