1. SPH Information Security Update
March 16, 2010
2. Today’s Agenda
Case Studies
Types of Confidential Information
High Risk Confidential Information (HRCI)
Why We Are Focusing on This
Obtaining and Storing HRCI
Exchanging Confidential Files
Encrypting Laptops
Recent Security Developments
What We Are Asking of You
3. Case Studies
Data breach in February, 2008, costing Harvard over $1,000,000
10,000 victims were involved, requiring individual notification and fraud monitoring services
Security consulting services were engaged by the University
In 2008, the number of stolen records ranged between 4,200 – 113,000 per data breach
In 2007, the mean cost of fraud per victim was $5,720
In 2009, the average organizational cost of a data breach was $6.7 million per incident.
January 2010 - Boston Globe article reported “One million Massachusetts residents - or 1 in 6 people - have had their credit card numbers, medical records, or other personal information leaked or stolen over the past two years, according to records provided to the Globe by state officials.”
The primary preventive measures taken after a breach are training and awareness education.
Reputational harm to an organization can be substantial.
5. High Risk Confidential Information (HRCI)
Certain categories of information are classified as High Risk, either because the exposure of this information can cause harm or because the information is specifically protected under law or under contract.
Extra care must be taken to protect HRCI in both electronic and paper form.
Improper access to or release of high-risk confidential information may be subject to legal reporting requirements.
6. Why We Are Focusing on This
State Law
CMR 201 17.00 sets forth regulations for anyone who uses personal information about Massachusetts residents
Harvard Enterprise Information Security Policy (HEISP)
University Mandates (Risk Management Committee: May 2009)
Training
Comprehensive Communications
Laptop Encryption
Finding HRCI
Vulnerability Testing
Network Requirements
Remote Access
Standard File Transfers
Non-Administrative System Certification
Managing Security and Practices
University Contracts
Non-disclosure agreements, etc.
FERPA (Family Educational Rights and Privacy Act)
7. Obtaining High Risk Confidential Information
You must obtain prior approval from the SPH/ University CIO to collect or work with HRCI or to contract with a vendor to collect or work with such information.
Request for HRCI Form
OGC Contract Rider
8. Storing High Risk Confidential Information
High-Risk Confidential Information shall not exist outside of an approved system (e.g., PeopleSoft) and cannot be stored locally. In particular, HRCI cannot be stored on:
Individual user computers
USB keys / flash drives
External hard drives
All University-owned servers and user computers will be scanned annually for HRCI. We will be deploying McAfee’s Data Loss Prevention (DLP) software to all PCs in the near future.
Paper, and other non-electronic records containing HRCI must be kept in secure, locked containers when not in use:
Use a key locker, or assigned and numbered keys.
Store HRCI in a supervised room controlled by card access, and review the access logs.
9. Exchanging Confidential Files
Do not include or attach confidential information in your email.
All confidential information must be encrypted when sent across a network.
We are offering an Accellion Secure File Transfer Server to send and receive files containing confidential information.
http://accellion.sph.harvard.edu
10. Accellion: login screen
11. Accellion: exchanging confidential files
12. Encrypting Laptops: what and why?
Encryption software encodes and password-protects the contents of your hard drive when your computer is not in use.
The theft of a Harvard computer or portable storage device (e.g., USB key, external hard drive) must not put Confidential Information at risk of disclosure.
Because University-owned laptops are particularly vulnerable to loss or theft, they must be encrypted.
13. Encrypting Laptops: when and how?
April 30, 2010
Goal to encrypt all high profile department laptops
June 1, 2010
Goal to encrypt all remaining laptops
---
SPH IT purchased licenses of McAfee Endpoint Encryption software to encrypt all laptops, as well as all desktop computers used to process or store Confidential Information.
Note: HRCI is not allowed to be stored on a laptop even if the laptop is encrypted.
Now we need your help to collect a list of all Harvard-owned laptops.
Please go to http://www.hsph.harvard.edu/it/laptop-encryption and register.
14. Recent Security Developments
Annual Certification for Staff
On-line Training Course (EUREKA!)
Harvard Confidentiality Agreement
All Harvard owned PCs will be annually scanned for HRCI
SPH IT has purchased McAfee DLP software to be installed on all PCs with our SPH image. We will be deploying it in the near future.
A new University Standard for Remote Access to HRCI is forthcoming and will most likely include the following:
Access to High Risk Confidential Information must be limited to those with a specific business, educational, or research need.
Access rights must be updated when individuals change jobs.
Computers used to access HRCI off campus must comply with additional software configuration requirements, and must use an encrypted network connection such as VPN.
15. What We Are Asking of You
Staff to participate in Annual Certification
On-Line Security Training
Harvard Confidentiality Agreement
Partner with us to foster security awareness and compliance
Appropriate use of Confidential Information
Accellion for exchanging confidential files
Operators of systems not managed by SPH IT must self-certify that their system(s) are in compliance with University Policy
Promptly report any security incidents
Register your laptop online or contact the Helpdesk to schedule your laptop to be encrypted
16. Contact Information
SPH Information Security
helpdesk@hsph.harvard.edu
Info_security@hsph.harvard.edu
Andrew Ross
617.432.1279
aross@hsph.harvard.edu
Questions?