Protecting Personally Identifiable Information (PII) Data Encryption for the Emergency Services Sector (ESS)

Similar documents
Protecting Student and Institutional Privacy Data Encryption for Education

Securing Corporate Data and Making Life Easier for the IT Admin Benefits of Pre Boot Network Authentication Technology

A Guide to Managing Microsoft BitLocker in the Enterprise

Top Five Ways to Protect Your Network. A MainNerve Whitepaper

New Drive Technologies Enable Strong Data Protection Strategies: Managing Self-Encrypting Drives in the Enterprise

Encryption Buyers Guide

Kaspersky Lab s Full Disk Encryption Technology

YOUR DATA UNDER SIEGE. DEFEND IT WITH ENCRYPTION.

DSHS CA Security For Providers

Leveraging innovative security solutions for government. Helping to protect government IT infrastructure, meet compliance demands and reduce costs

Why Encryption is Essential to the Safety of Your Business

Managing BitLocker Encryption

SecureAge SecureDs Data Breach Prevention Solution

Navigating Endpoint Encryption Technologies

FileDrawer An Enterprise File Sharing and Synchronization (EFSS) solution.

Data Security in a Mobile, Cloud-Based World

FACT SHEET: Ransomware and HIPAA

SecureDoc for Mac v6.1. User Manual

Full Drive Encryption Security Problem Definition - Encryption Engine

Security Architecture Whitepaper

Bring Your Own Device Mobile Security

Best Practices for Protecting Laptop Data

Symantec Endpoint Encryption Deployment Best Practices and Roadmap

Cloud Computing: A Question of Trust Maintaining Control and Compliance with Data-centric Information Security

Ensuring HIPAA Compliance with AcclaimVault Online Backup and Archiving Services

RSA Solution Brief RSA. Encryption and Key Management Suite. RSA Solution Brief

Seagate Secure Technology

How to use the Alertsec Service to Achieve HIPAA Compliance for Your Organization

Data Encryption Demystified: Seven Common Misconceptions and the Solutions That Dispel Them

The Impact of HIPAA and HITECH

Excerpt of Cyber Security Policy/Standard S Information Security Standards

CHOOSING THE RIGHT PORTABLE SECURITY DEVICE. A guideline to help your organization chose the Best Secure USB device

Supporting FISMA and NIST SP with Secure Managed File Transfer

Cloud Computing and the Federal Government: Maximizing Trust Supporting the Mission and Improving Assurance with Data-centric Information Security

Preemptive security solutions for healthcare

Deciphering the Code: A Simple Guide to Encryption

How To Protect Your Mobile Devices From Security Threats

Data Loss Prevention Whitepaper. When Mobile Device Management Isn t Enough. Your Device Here. Good supports hundreds of devices.

Securing Data at Rest ViSolve IT Security Team

Disk Encryption. Aaron Howard IT Security Office

What Consumers Believe About Cloud File Sharing & Why That s a Warning to IT Pros

For Managing Central Deployment, Policy Management, Hot Revocation, Audit Facilities, and Safe Central Recovery.

Global security intelligence. YoUR DAtA UnDeR siege: DeFenD it with encryption. #enterprisesec kaspersky.com/enterprise

Did security go out the door with your mobile workforce? Help protect your data and brand, and maintain compliance from the outside

The True Story of Data-At-Rest Encryption & the Cloud

HIPAA PRIVACY AND SECURITY AWARENESS. Covering Kids and Families of Indiana April 10, 2014

Using BitLocker As Part Of A Customer Data Protection Program: Part 1

Hands on, field experiences with BYOD. BYOD Seminar

Comprehensive Endpoint Security

DHHS Information Technology (IT) Access Control Standard

TOP FIVE RECOMMENDATIONS FOR ENCRYPTING LAPTOP DATA A BEST PRACTICES GUIDE

AIRDEFENSE SOLUTIONS PROTECT YOUR WIRELESS NETWORK AND YOUR CRITICAL DATA SECURITY AND COMPLIANCE

AIRDEFENSE SOLUTIONS PROTECT YOUR WIRELESS NETWORK AND YOUR CRITICAL DATA SECURITY AND COMPLIANCE

JOINT EXPLANATORY STATEMENT TO ACCOMPANY THE CYBERSECURITY ACT OF 2015

Ensuring HIPAA Compliance with Pros 4 Technology Online Backup and Archiving Services

Safeguarding Data Using Encryption. Matthew Scholl & Andrew Regenscheid Computer Security Division, ITL, NIST

How To Manage A Mobile Device Management (Mdm) Solution

Odyssey Access Client FIPS Edition

Mobile Device Security Is there an app for that?

Bring Your Own Device (BYOD) and Mobile Device Management. tekniqueit.com

Bring Your Own Device (BYOD) and Mobile Device Management.

Neoscope

COMMONWEALTH OF PENNSYLVANIA DEPARTMENT S OF PUBLIC WELFARE, INSURANCE AND AGING

7 VITAL FACTS ABOUT HEALTHCARE BREACHES.

Enterprise Information Security Procedures

WIRELESS LOCAL AREA NETWORK (WLAN) IMPLEMENTATION

Endpoint protection for physical and virtual desktops

Endpoint protection for physical and virtual desktops

BEST PRACTICE GUIDE TO ENCRYPTION.

IBM Data Security Services for endpoint data protection endpoint encryption solution

EmulexSecure 8Gb/s HBA Architecture Frequently Asked Questions

Bring Your Own Device:

Research Information Security Guideline

Policies and Procedures Audit Checklist for HIPAA Privacy, Security, and Breach Notification

Mobile Device Management for CFAES

Mobile Medical Devices and BYOD: Latest Legal Threat for Providers

Dell s Five Best Practices for Maximizing Mobility Benefits while Maintaining Compliance with Data Security and Privacy Regulations

Supplier Information Security Addendum for GE Restricted Data

HIPAA Security Alert

SecureDoc Disk Encryption Cryptographic Engine

How To Write A Mobile Device Policy

BEST PRACTICES IN BYOD

For your eyes only - Encryption and DLP Erkko Skantz

Acceptable Encryption Usage for UTHSC

TNC is an open architecture for network access control. If you re not sure what NAC is, we ll cover that in a second. For now, the main point here is

Hosting for Healthcare: ADDRESSING THE UNIQUE ISSUES OF HEALTH IT & ACHIEVING END-TO-END COMPLIANCE

Identity and Access Management Initiatives in the United States Government

S E A h a w k C r y p t o M i l l CryptoMill Technologies Ltd.

Technical Safeguards is the third area of safeguard defined by the HIPAA Security Rule. The technical safeguards are intended to create policies and

HIPAA Compliance Review Analysis and Summary of Results

The Security Rule of The Health Insurance Portability and Accountability Act (HIPAA) Security Training

Samsung SED Security in Collaboration with Wave Systems

BUSINESS PROTECTION. PERSONAL PRIVACY. ONE DEVICE.

DRAFT Standard Statement Encryption

Ensuring HIPAA Compliance with eztechdirect Online Backup and Archiving Services

Certification Report

Endpoint data protection solutions for Healthcare

SecureD Technical Overview

Transcription:

20130311 Protecting Personally Identifiable Information (PII) Data Encryption for the Emergency Services Sector (ESS)

FOREWORD In 2007, more than 79 million records were reported compromised in the U.S. according to the Identity Theft Resource Center. The scope and breath of data collected, stored, shared and/or disposed of by government agencies, is crucial and far-reaching. The highly interdependent nature of agencies within the Emergency Services Sector (ESS) necessitates the sharing of high-stakes information (often laden with personally identifiable information [PII]) across multiple cooperating agencies in real-time, which makes cyber security a major concern. Although some similarities exist, each discipline uses electronic systems differently, which combined with widely varying standards and resources, adds an additional layer of difficulty in securing data across the ESS. This ebook will review the basics of data encryption; data concerns specific to ESS; how data encryption addresses the unique data security challenges facing ESS, and key points to consider when building the case for data encryption. TABLE OF CONTENTS FOREWORD 1 INTRODUCTION 2 CHALLENGES FACING THE EMERGENCY SERVICES SECTOR 3 PROTECTING SENSITIVE DATA ACROSS MULTIPLE PLATFORMS 3 COMPLYING WITH PRIVACY LAW AND FEDERAL REGULATIONS 4 ENABLING SECURE SHARING OF DATA 5 DATA ENCRYPTION DEFINED 6 BENEFITS OF DATA ENCRYPTION 7 TOTAL COST OF OWNERSHIP (ESS) 8 WHAT TO LOOK FOR 9 READY TO LEARN MORE? 13 1

INTRODUCTION The Emergency Services Sector (ESS) includes five disciplines: Law Enforcement, Fire and Emergency Services, Emergency Management, Emergency Medical Services (EMS), and Public Works. These disciplines, and their personnel, work in close tandem with each other, with large numbers cross-trained to work in one or more other agencies. Data sharing is requisite to the sector, but variances in cyber usage are common from discipline to discipline. The very nature of the information collected by ESS agencies makes it very attractive to cyber criminals. Post-9/11 national directives to government agencies consistently underscore the need to achieve and maintain high levels of cyber security. Cyber security is defined by the 2009 U.S. National Infrastructure Protection Plan (NIPP) as: prevention of damage to, unauthorized use of, or exploitation of electronic information and communications systems and the information contained therein to ensure confidentiality, integrity, and availability. That directive, taken together with the vast amount of Personally Identifiable Information (PII) routinely collected by ESS, and the inherent complexity of IT and cyber systems, makes data security a serious concern for the sector. 2

CHALLENGES FACING THE EMERGENCY SERVICES SECTOR The ESS, the first-responder network of Federal, State, local, tribal, territorial, and private partners, functions to prevent and mitigate the risk from physical and cyberattacks, and manmade and natural disasters and provides life-safety and security services across the nation. In the course of normal operations, branches of the ESS come in contact with, collect, and share, large quantities of PII, which can be defined as: information which can be used to distinguish or trace an individual s identity, such as their name, social security number, biometric records, etc. This information may be gathered as part of an ongoing criminal investigation, may involve zero data-breach subjects (i.e., witness protection candidates, victims of domestic violence or child abuse, confidential patient information, informants, undercover officers, etc.), or contain evidence that could be linked to a future criminal investigation. In some instances, a data breach could compromise an entire investigation, impair a rescue operation, or worse, put people s lives at risk. As such, the nature of the information collected by ESS mandates the strictest of data security controls. The key challenges prompting the ESS to consider data protection solutions are the need to: Protect sensitive data and personal identifiable information (PII) on multiple platforms and devices Comply with privacy law and Federal regulations Enable secure sharing of data within ESS and with other Federal agencies If someone s identity were a whole pie, each piece of PII would be a slice. PROTECTING SENSITIVE DATA ACROSS MULTIPLE PLATFORMS Core ESS activities, such as emergency operations communications, database management, biometric activities, telecommunications, and electronic systems (e.g., security systems), are conducted via atrest and portable data systems and require vigorous data security controls. The ESS also operates in a highly mobile environment in which agents collect and disseminate highlysensitive information through a variety of portable electronic devices (e.g., USB keys, tablets, mobile devices, etc.). This information, however, can carry significantly higher stakes than information collected by other industries. For the ESS in particular, data integrity is paramount, as it can inform the actions of a suite of ESS and other Federal agencies and carry legal ramifications for a number of interested parties. 3

CHALLENGES FACING THE EMERGENCY SERVICES SECTOR COMPLYING WITH PRIVACY LAW AND FEDERAL REGULATIONS Information data breaches (the viewing, leaking, or accessing of data by anyone not the individual or authorized to have access to this information as part of his/her duties) have now become commonplace. In lieu of the elevated risks involved in a data breach for all government agencies, including the ESS, strict guidance and laws have been proposed and/or enacted. One example would be the existing U.S. Privacy Act of 1974, which has undergone revisions to ensure compliance with the emerging technology capabilities. U.S. Privacy law impacts records creation, file management for both active and inactive records, records protection, records access, and records retention and disposition. As an example, US ESS organizations have two privacy laws they must comply with which are The Privacy Act of 1974 and The E-Government Act of 2002. The Privacy Act of 1974 (U.S.) specifically provides strict limits on the maintenance and disclosure by any Federal agency of information both outside and under the rubric of PII, such as: education, financial transactions, medical history, and criminal or employment history and that contains [the] name, or the identifying number, symbol, or other identifying particular assigned to the individual, such as a finger or voice print or a photograph. The limited exceptions to this law still require strict recordkeeping on any disclosure. One common application of privacy law is the medical profession s adherence to HIPAA (the Health Insurance Portability and Accountability Act, which also applies to EMS), whose principal focus is protecting a patient s PII. The E-Government Act of 2002 (U.S.) was enacted to ensure public trust in electronic government services, in response to the increased use of computers and the Internet to process government information. The E-Government Act also directed the Office of Management and Budget (OMB) to issue implementation guidance to Federal agencies. OMB continually provides privacy such guidance to Federal agencies on many PII protection topics such as remote access to PII, encryption of PII on mobile devices, and breach notification. 4

CHALLENGES FACING THE EMERGENCY SERVICES SECTOR ENABLING SECURE SHARING OF DATA Another data security challenge specific to ESS is the highly mobile platform of its personnel: fire and emergency services, law enforcement, public works, emergency medical services, and emergency management personnel, are perpetually in the field. As such, data they collect, share and store has a greater chance of unauthorized access and or disclosure through being lost or stolen than if it were within the physical boundaries of the organization. The interrelated nature of each division of the sector, and the sharing of information throughout, creates strong ties of collaboration and cooperation, but carries a significant drawback: the more people and systems that access PII, the more opportunities for it to be compromised. While every piece of data ESS collects may not be classifiable as PII, even partially identifying data can be sufficient to identify an individual, due to the versatility of current re-identification algorithms. These algorithms can take a piece of data and combine it with other data elements to complete the puzzle, making any and all data collected and shared by ESS highly sensitive. Ironically, to operate at peak efficiency, ESS must be able to share sensitive data across all divisions, rapidly and continuously, which consequently makes that data even more vulnerable to unauthorized access. For example, in the U.S. Department of Homeland Security s (DHS) Emergency Services Sector- Specific Plan, An Annex to the National Infrastructure Protection Plan 2010, the DHS recognized that each ESS division has, and works to address, its own sectorspecific cyber-related issues, but also indicated that an integrated cross-sector The interrelated nature of ESS agencies necessitates greater controls to ensure data integrity. cyber-security perspective is needed to address mutual concerns and issues all agencies within ESS share. The DHS argued that such a crossfunctional approach would facilitate greater implementation of best practices in data security. Another example of such an initiative is the U.S. National Institute of Standards and Technology s (NIST) Guide to Protecting the Confidentiality of Personally Identifiable Information (PII), an exhaustive survey of data security best practices (including Federal guidance, regulations, and privacy law) for Federal agencies, of which data encryption for at-rest and mobile data storage devices, is a recurring component. The NIST s method for protecting PII, The Cryptographic Module Validation Program (CMVP), is operated jointly by the NIST Computer Security Division and the Communications Security Establishment (CSE) of the Government of Canada. The use of validated cryptographic modules is required by the United States Government for all unclassified uses of cryptography. The Government of Canada also recommends the use of FIPS 140 validated cryptographic modules in unclassified applications of its departments. Each country has their own Privacy and Data Protection policies that local ESS organizations need to adhere to. As a result many have turned to data encryption as one of the prime methods of securing critical PII data across their networks. 5

DATA ENCRYPTION DEFINED Data encryption refers to the process of transforming electronic information into a coded form that can only be read by those authorized to access it. To read an encrypted file, a user must have access to a secret key or password that enables them to decrypt it. The way in which an organization can protect their data encompasses a variety of options. The foundation or core group of options typically start with: Full Disk Encryption (FDE): Protects the entire hard disk (all sectors and volumes) and can only be accessed with a secure key. Removable Media Encryption (RME): The protection of all or a portion of a USB key, external hard drive, or similar removable media. File and Folder Encryption (FFE): Protection is associated with specific folder or files where they are encrypted with specific user access permissions, much like network permissions. There are a number of solutions available to fulfill virtually any data protection requirement, so before embarking on any new project, it s important to research and understand the options that work best for your unique situation. 6

BENEFITS OF DATA ENCRYPTION The US Privacy Act, PIPEDA, FERPA, and the Data Protection Acts of the United Kingdom and European Union have all defined the way that data can be used and the penalties for its mishandling. REGULATORY COMPLIANCE Data encryption enables organizations to better adhere to numerous local, state, federal and global privacy laws and regulations. DATA SECURITY Encrypting data provides protection for sensitive information whether it s stored on a desktop or laptop, a smartphone, tablet, removable storage media, an email server or even the network, so in the event the device is lost or stolen, the information is protected. TRANSPARENCY Data encryption solutions enable agencies to run at their normal pace while the encryption solution silently secures critical data in the background. Some of the best data encryption options perform without the user even being aware. PEACE OF MIND Despite best efforts, data breaches can occur. Laptops and removable storage devices are prone to theft and loss. Data encryption protects critical assets if it falls into the wrong hands, and protects the integrity and credibility of your organization. The use of encryption provides a safe harbor in the event of a data breach. 7

TOTAL COST OF OWNERSHIP (ESS) The challenge with data security solutions for most organizations is trying to balance the expense of the solution against the productivity of the users. Maximizing that total cost of ownership (TCO) of the solution is critical. A recent study from the Ponemon Institute looked into what an encryption solution would cost an average organization per year. The results were shocking. What became apparent was that with features like pre-boot network authentication (WinMagic s PBConnex), data encryption solutions could help reduce TCO by not only managing encryption and security but improving the efficiency of other processes for IT Administrators such as support. Looking at typical costs associated with Password resets and device staging alone, the savings were staggering. Cost Savings with Pre-Boot Network Authentication Password Resets over 8,000 Users Cost of Password Reset WITHOUT Pre-Boot Network Authentication Cost of Password Reset WITH Pre-Boot Network Authentication PASSWORD RESET - SAVINGS Times per user per annum 3.3 STAGING AN FDE COMPUTER - SAVINGS Time to stage a computer with FDE 20 mins per machine Value of Tech and User Time for reset $8.10 Time to stage computer using Pre-Boot Network Authentication 5 mins per machine Total cost of password reset for user/tech per annum $26.70 Value of Tech time to stage machine $12.00 Savings with Pre-Boot Network Authentication Total Cost Saving in Password resets per organization of 5,000 devices $20.04 $100,200 Value Saved with Pre-Boot Network Authentication Size of Organization Total Cost Saving to stage a computer per organization $9.00 5,000 $45,000 8

WHAT TO LOOK FOR IN A BEST-IN-CLASS DATA ENCRYPTION PROVIDER 1 Before embarking on a data encryption initiative, you ll need to determine which provider can offer you the protection that best suits your needs. Obviously, there s a lot to think about, but by taking the time to select the INTEGRATION Look for a provider that has proven third party integration with hardware and software companies for optimal security offerings and increased functionality. Be sure they offer services for different operating systems and hardware, and mobile device management for devices like tablets and smart phones. 2 3 PRE-BOOT NETWORK BASED AUTHENTICATION Pre-boot network authentication (wired or wireless) utilizes network based resources to authenticate users, enforce access controls, and manage end point devices before the operating system loads. This approach to FDE management also results in significant cost savings for organizations by streamlining the time and cost associated with things such as password resets and device staging. This capability truly separates the best from the rest. right provider, you ll be poised for success as you move forward with your deployment. These are some key things to look for when seeking out a best-in-class data encryption solution. MULTI-PLATFORM/MULTI DEVICE MANAGEMENT 76 percent of employees today use more than one mobile device and cyber usage varies widely with the ESS sector. Ensure the provider you select can offer central management for systems running any operating system, whether it s Windows, Mac OS X or variants of Linux, Android, ios. Mobile device management offers the proof that information security officers require to ensure compliance with key sector regulations. 9

WHAT TO LOOK FOR IN A BEST-IN-CLASS DATA ENCRYPTION PROVIDER 4 SINGLE MANAGEMENT CONSOLE Monitoring and tracking devices from a single console supports the information system security division of each ESS agency in their operations, enables easy integration into accounts with laptops, desktops, tablets, smart phones, and SED devices, and supports full mobile device management. A central view of all devices reduces the need for desk side support calls because administrators can determine if a device is in a secure, compliant state, and if not, quickly contact the user to rectify the situation. 5 6 SUPPORT FOR SELF ENCRYPTING DRIVES (SEDS) While SED technology has improved the security of laptops and workstations, it does not require specific authentication during boot up, leaving data at risk. Providers on your short list should have the capability to centrally support users with SED devices and employ a pre boot authentication to ensure the drive is encrypted, compliant and functioning properly, while taking advantage of the transparency, performance and security that a SED offers. FILEVAULT MANAGEMENT OR FULL DISK ENCRYPTION FOR MAC OS Some organizations prefer to leverage the native encryption and security offered by Mac OS X s FileVault 2. Using a solution that supports FileVault 2 and offers centralized management to oversee all devices ensures you ve got the best of both worlds. 10

WE LL PROTECT YOU... WinMagic understands the data security challenges and changing needs of the ESS. In order to help effectively meet and adapt to the changing needs of the sector and the expectations of the public, WinMagic works closely with the ESS and other critical infrastructure and key resources (CIKR) sectors, such as the Department of Homeland Security (DOHS) and Department of Defense (DOD), to develop and deliver the most secure data encryption protection. SECUREDOC SecureDoc is a comprehensive disk encryption and data security solution that secures data at rest. It has two main components: the client software used to encrypt and protect data and the server software (SecureDoc Enterprise Server or SES) used to configure, deploy, and manage encryption for an entire organization. SecureDoc is FIPS 140-2 validated, meeting U.S. NIST and Canadian CSE requirements and guidelines for data encryption and security. When you consider the relatively tiny cost of protecting each laptop to the potentially high cost associated with a single user losing their data, it is remarkable to think that every organization is not protecting information in this fashion. Installing encryption software makes perfect sense from both a data security and an ROI perspective. Andrew Labbo, Privacy and Data Security Officer and Information Security Manager, The Children s Hospital, Denver, Colorado 11

PBCONNEX SES WEB CONSOLE MOBILE DEVICE MANAGEMENT (MDM) FILEVAULT 2 SUPPORT SecureDoc with PBConnex is The SES web console provides a SecureDoc s MDM feature is a key SecureDoc offers one of the the only data encryption and web-based interface for SecureDoc component of the SES Web console, strongest Mac OS X FDE solutions management solution that allows Enterprise Server, WinMagic s offering government agencies available on the market today. For for pre-boot network authentication solution for centrally managing a holistic view to their status of customers that prefer to leverage either wired or wirelessly. encrypted devices in an enterprise their mobile devices, allowing the native encryption and security PBConnex utilizes network based environment. The SES web them to manage the deployment offered by Mac OS X s FileVault 2 resources to authenticate users, console supports many of the daily of Android and ios devices and solution, SecureDoc can manage enforce access controls, and administration features provided by also to ensure that the appropriate that as well. FileVault 2 enterprise manage end point devices before the SecureDoc Enterprise Server, security and password policies are management gives agencies the the operating system loads. This including user management, enforced. SecureDoc MDM offers flexibility to choose how they want unique and ground-breaking administrator management, the proof that IT administrators to encrypt and manage their Apple approach to FDE management also device management and recovery, require to ensure compliance with devices yes still have the ability to results in significant cost savings password management, and report key sector regulations while at the have all their devices managed by for organizations by streamlining management. It also includes a same time offering a strong solution SES s central management console. the time and cost associated with Mobile Device Management (MDM) for BYOD environments. things such as password resets server component. and device staging. In addition, multiple users can safely use the same device without ever putting confidential data at risk. 12

READY TO LEARN MORE? WinMagic provides the world s most secure, manageable and easy-to-use data encryption solutions. With a full complement of professional and customer services, WinMagic supports over five million SecureDoc users in approximately 84 countries. We can protect you too. For more information on SecureDoc Enterprise Server contact sales@winmagic.com or visit our website to access a number of valuable resources: PRODUCT PAGE http://www.winmagic.com/products WHITE PAPERS http://www.winmagic.com/resource-centre/white-papers CONTACT WinMagic Inc. Phone: 905. 502. 7000 Fax: 905. 502. 7001 Toll Free: 888. 879. 5879 sales@winmagic.com www.winmagic.com SOCIAL MEDIA http://blog.winmagic.com/ http://www.facebook.com/winmagicinc http://www.linkedin.com/company/winmagic WANT TO TRY OUR SOFTWARE? http://twitter.com/winmagic http://www.youtube.com/user/winmagicinc 13

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information