Learn about the importance of protecting High Risk Confidential Information (HRCI) and the measures in place to prevent data breaches. Understand the legal obligations and best practices for obtaining, storing, and exchanging HRCI. Stay updated on recent security developments.
SPH Information Security Update September 10, 2010
Today’s Agenda
• Case Studies
• Types of Confidential Information
• High Risk Confidential Information (HRCI)
• Why We Are Focusing on This
• Obtaining and Storing HRCI
• Exchanging Confidential Files
• Encrypting Laptops
• Recent Security Developments
• What We Are Asking of You
Case Studies
• A data breach in February 2008 cost Harvard over $1,000,000, without any legal penalties.
  • 6,600 victims were involved, requiring individual notification and fraud monitoring services.
  • Security consulting services were engaged by the University.
• A backup tape was lost containing 21,000 records.
• In 2008, the number of stolen records ranged between 4,200 and 113,000 per data breach.
• In 2007, the mean cost of fraud per victim was $5,720.
• In 2009, the average organizational cost of a data breach was $6.7 million per incident.
• January 2010: a Boston Globe article reported “One million Massachusetts residents - or 1 in 6 people - have had their credit card numbers, medical records, or other personal information leaked or stolen over the past two years, according to records provided to the Globe by state officials.”
• The primary preventive measures taken after a breach are training and awareness education.
• Reputational harm to an organization can be substantial.
Types of Confidential Information
• High Risk Confidential Information (HRCI): a person’s name or other identifier, in conjunction with:
  • Social Security number
  • Credit or debit card number
  • Individual financial account
  • Driver’s license
  • State ID or passport number
  • Biometric information
  • Personally-identifiable medical information
• Other Confidential Information:
  • Detailed information about University buildings, activities, or events
  • Faculty searches
  • Future University development plans
  • Grant information
  • HR records
  • Student grades
  • Human Subjects information
  • Whatever else your group considers confidential
High Risk Confidential Information (HRCI)
• Certain categories of information are classified as High Risk, either because the exposure of this information can cause harm or because the information is specifically protected under law or under contract.
• Extra care must be taken to protect HRCI in both electronic and paper form.
• Improper access to or release of high-risk confidential information may be subject to legal reporting requirements.
• HRCI is a person’s name or other identifier, in conjunction with:
  • Social Security number
  • Credit or debit card number
  • Individual financial account
  • Driver’s license
  • State ID or passport number
  • Biometric information
  • Human Subjects information
  • Personally-identifiable medical information
Why We Are Focusing on This
• State law: 201 CMR 17.00 sets forth regulations for anyone who uses personal information about Massachusetts residents.
• Harvard Enterprise Information Security Policy (HEISP)
• University mandates (Risk Management Committee, May 2009):
  • Training
  • Comprehensive communications
  • Laptop encryption
  • Finding HRCI
  • Vulnerability testing
  • Network requirements
  • Remote access
  • Standard file transfers
  • Non-administrative system certification
  • Managing security and practices
• University contracts: non-disclosure agreements, etc.
• FERPA (Family Educational Rights and Privacy Act)
Obtaining High Risk Confidential Information
• You must obtain prior approval from the SPH/University CIO to collect or work with HRCI, or to contract with a vendor to collect or work with such information.
  • Request for HRCI Form
  • OGC Contract Rider
Storing High Risk Confidential Information
• High Risk Confidential Information shall not exist outside of an approved system (e.g., PeopleSoft), and cannot be stored locally. This means it:
  • cannot be stored on individual user computers
  • cannot be stored on USB keys / flash drives
  • cannot be stored on external hard drives
• All University-owned servers and user computers will be scanned annually for HRCI. We will be deploying McAfee’s Data Loss Prevention (DLP) software to all PCs in the near future.
• Paper and other non-electronic records containing HRCI must be kept in secure, locked containers when not in use:
  • Use a key locker, or assigned and numbered keys.
  • Store HRCI in a supervised room controlled by card access, and review the access logs.
Exchanging Confidential Files
• Do not include or attach confidential information in your email.
• All confidential information must be encrypted when sent across a network.
• We are offering an Accellion Secure File Transfer Server to send and receive files containing confidential information: http://accellion.sph.harvard.edu
Encrypting Laptops: what and why?
• Encryption software encodes and password-protects the contents of your hard drive when your computer is not in use.
• The theft of a Harvard computer or portable storage device (e.g., USB key, external hard drive) must not put Confidential Information at risk of disclosure.
• Because University-owned laptops are particularly vulnerable to loss or theft, they must be encrypted.
• Several Harvard faculty have reported stolen laptops. Family financial data was compromised.
• A scientist irretrievably lost 3 years of medical research data in 2008 when thieves stole his laptop in a domestic burglary.
Encrypting Laptops: when and how?
• SPH IT purchased licenses of McAfee Endpoint Encryption software to encrypt all laptops.
• Contact the Helpdesk to schedule encryption.
• Note: HRCI is not allowed to be stored on a laptop even if it is encrypted.
Recent Security Developments
• Annual certification for staff:
  • On-line training course (EUREKA!)
  • Harvard Confidentiality Agreement
• All Harvard-owned PCs will be scanned annually for HRCI.
  • SPH IT has purchased McAfee DLP software to be installed on all PCs with our SPH image. We will be deploying it in the near future.
• A new University Standard for Remote Access to HRCI will be forthcoming and will most likely include the following:
  • Access to High Risk Confidential Information must be limited to those with a specific business, educational, or research need.
  • Computers used to access HRCI off campus must comply with additional software configuration requirements, and must use an encrypted network connection such as VPN.
  • Passwords are required to be “strong passwords” for Novell and GroupWise.
• Harvard Research Data Security Policy
  • Defines a 5-level categorization schedule for research information and the minimum protections required for each level.
  • Individual researchers do not have the authority to sign an information use agreement on behalf of the University. Only the SPA group of OFS has that authority.
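The annual HRCI scans described in the Storing HRCI slide and again above work by looking for the identifier patterns in the HRCI definition (Social Security numbers, card numbers) inside files on user computers. The following is an added illustration of that kind of scan, not the McAfee DLP product or any SPH IT code; it assumes constructed sample text and a hypothetical find_hrci helper, and reports only masked values so the scan output itself does not become HRCI.

```python
import re

# Constructed sample text standing in for a spreadsheet export found on a user PC (not real data).
SAMPLE = """Payroll export, constructed example
Jane Doe, SSN 219-09-9999, card 4111 1111 1111 1111
Office phone 617-432-1279 is not HRCI on its own.
Serials 000-12-3456 and 666-45-6789 look like SSNs but were never issued.
"""

SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")  # 13-16 digits with optional spaces/dashes

def plausible_ssn(area, group, serial):
    """Reject SSN-shaped strings the SSA never issues: area 000, 666 or 900-999, group 00, serial 0000."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return int(group) != 0 and int(serial) != 0

def luhn_ok(digits):
    """Luhn checksum used by payment card numbers; cuts false positives from random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def mask(value):
    """Keep only the last four digits so the scan report is not itself HRCI."""
    digits = re.sub(r"\D", "", value)
    return "*" * (len(digits) - 4) + digits[-4:]

def find_hrci(text):
    """Return (line number, identifier type, masked value) for each validated HRCI identifier.

    The policy defines HRCI as an identifier together with a person's name; this scan flags the
    identifier and leaves confirming the name to the reviewer, as a DLP hit would.
    """
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in SSN_RE.finditer(line):
            if plausible_ssn(*m.groups()):
                findings.append((lineno, "SSN", mask(m.group(0))))
        for m in CARD_RE.finditer(line):
            digits = re.sub(r"\D", "", m.group(0))
            if 13 <= len(digits) <= 16 and luhn_ok(digits):
                findings.append((lineno, "CARD", mask(digits)))
    return findings

if __name__ == "__main__":
    for lineno, kind, value in find_hrci(SAMPLE):
        print(f"line {lineno}: {kind} {value}")
```

Running it on the constructed sample reports the SSN and card number on line 2 only; the phone number and the two unissued SSN-shaped strings are not flagged.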
What We Are Asking of You
• Staff participation in Annual Certification:
  • On-line security training
  • Harvard Confidentiality Agreement
• Partner with us to foster security awareness and compliance:
  • Appropriate use of Confidential Information
  • Accellion for exchanging confidential files
• Operators of systems not managed by SPH IT must self-certify that their system(s) comply with University Policy.
• Promptly report any security incidents.
• If your laptop is not encrypted, contact the Helpdesk to schedule your laptop to be encrypted.
Contact Information
• SPH Information Security: helpdesk@hsph.harvard.edu
• Andrew Ross, 617.432.1279, aross@hsph.harvard.edu
• Questions?