Data Privacy Day @ IU: Financial Transactions
Sterling George, Director, Financial Systems Administration and Records Management
Presentation Topics
• Principles related to privacy of financial transactions
• Importance of a measured, proactive approach
• Use of Identity Finder and other security measures to safeguard information
Principles for Privacy Protection
• Collect only the information needed to achieve the identified business purposes in support of the university’s mission
• Use and keep the individual’s information only as long as necessary to fulfill the stated purpose
Attachments and Collection Limitation
• Redact sensitive information from Disbursement Voucher attachments sent for imaging:
  • Personally identifiable information for prescription or health care reimbursements
  • Credit card information for membership reimbursements
  • Banking information for copies of cleared checks
• How much do we redact? Full credit card number, routing and account numbers, SSNs and individual names (HIPAA)
Limit Your Paper, Limit Your Exposure
• Don’t retain unnecessary copies of documents within your department:
  • Payroll: W-4, WH-4 and direct deposit sign-up information
  • IRS Forms: W-8, W-9
  • Employment Verification: I-9
  • Personal information: copies of driver’s licenses, SSN cards, passports, credit card numbers for hotel reservations
• Process information, not paper
Proper Use of Designated Fields
• Bank account information should not be added to EPIC notes for requisitions, Purchase Orders or Payment Requests, nor should it be added to EPIC Vendor Note records
• Significant time and resources can be expended tracking down and removing personally identifiable information from common-use fields such as descriptions, reference fields and notes
Payment Card Industry Data Security Standards
• REMEMBER: It is against University Policy VI-110 to store credit card numbers on any computer, server, or database
• Applies to all members, merchants, and service providers that process or transmit cardholder data
• Use central systems or run an approved specialty system in the PCI DSS network
• If you process credit card numbers, please contact pmtcards@indiana.edu IMMEDIATELY for an assessment
2009 Breach Statistics
• Gathered from the Identity Theft Resource Center (http://www.idtheftcenter.org/index.html)
• Educational
  • # of Breaches: 78
  • # of Records: 803,667
  • % of Breaches: 15.7%
  • % of Records: 0.4%
• Totals for All Categories
  • # of Breaches: 498
  • # of Records: 222,477,043
  • % of Breaches: 100.0%
  • % of Records: 100.0%
Compliance Pays
• Breaches happen
• You are safer to work at a steady pace, find and fix problems, and remain vigilant
• Exhibiting a pattern of compliance can ease consequences
• Receive “Safe Harbor” from card associations
Identity Finder
• It can search for, protect, and dispose of personal information stored on your computer, file shares, or external media
• Credit card numbers, bank account numbers, social security numbers, birthdates, passwords, driver's license numbers, addresses, passports, employee identification numbers, maiden names, or other data you determine
• To learn more: https://keepitsafe.iu.edu/identityfinder
• Or visit http://iuware.iu.edu and select Security under Software Categories
Scanning and Results
• Prior notification:
  • have written permission from the individual, or
  • have given prior written notification to the individuals that this tool will be used, by whom, for what purpose, and how the resulting information will be used
• Send the names of the files found to the owner of the account/system where the files were stored, and direct the owner to review the files and take appropriate action
• Most of the time people had forgotten what was stored on the computer
• Some applications were storing sensitive data in internet cache and temporary files
• Group Policy to remove internet cache, temporary files and cookies (clear IE cache on close, all else on log out, and force Secure Delete each night)
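The two slides above describe a discovery-and-redaction workflow: find card numbers and SSNs in stored files, report the file names to the owner, and mask the values in attachments before imaging. The following is an added illustration written for this page, not Identity Finder's code or any IU tool; the patterns, the Luhn check (which filters out digit runs that only look like card numbers) and the sample files are constructed for the example.

```python
import re

# Constructed patterns: SSN with separators, and 13-19 digits with optional space/dash separators.
SSN_RE = re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

def luhn_ok(digits: str) -> bool:
    """Luhn checksum: most random digit runs fail it, so it cuts false positives."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def is_card(match_text: str) -> bool:
    digits = re.sub(r"[ -]", "", match_text)
    return 13 <= len(digits) <= 19 and luhn_ok(digits)

def find_pii(text: str) -> dict:
    """Return confirmed SSN and card hits in text, keyed by type."""
    return {
        "ssn": [m.group() for m in SSN_RE.finditer(text)],
        "card": [m.group() for m in CARD_RE.finditer(text) if is_card(m.group())],
    }

def redact(text: str) -> str:
    """Mask confirmed hits; cards keep only their last four digits, as on a receipt."""
    def mask_card(m):
        digits = re.sub(r"[ -]", "", m.group())
        return "[CARD ****" + digits[-4:] + "]" if is_card(m.group()) else m.group()
    return CARD_RE.sub(mask_card, SSN_RE.sub("[SSN REDACTED]", text))

def scan_files(files: dict) -> dict:
    """files: {name: contents}. Returns {name: hit counts} only for files with hits,
    i.e. the list to send to the account/system owner for review."""
    report = {}
    for name, content in files.items():
        counts = {k: len(v) for k, v in find_pii(content).items() if v}
        if counts:
            report[name] = counts
    return report

# Constructed sample attachments; the card number is a well-known test value, not a real account.
SAMPLE_FILES = {
    "dv_pharmacy_receipt.txt": "Reimburse John Q. Public, SSN 123-45-6789, Rx copay $12.50",
    "membership_reimb.txt": "Paid with card 4111 1111 1111 1111 exp 09/12",
    "cleared_check.txt": "Check #1045 cleared; memo: conference registration",
    "po_notes.txt": "Order ref 1234567890123 (not a card number)",
}
```

The 13-digit order reference in the last file matches the digit pattern but fails the Luhn check, so it is neither reported nor masked.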
Additional Security Measures
• Encrypt data transmissions:
  • check printing
  • retirement contributions
  • unemployment/new hire reports
  • tax transmissions to 3rd-party vendors
• Kuali Financial System provides field-level encryption
• Removal of System Admin rights – Principle of Least Privilege
• Installation of only the required software
• Up-to-date virus scans, push our Windows updates/patches, run current software
• Periodic reminders of policies
• Monthly ITSO scans to detect vulnerabilities from outside attacks
• DBAN to securely wipe hard drives – shred hard drives
• Secunia Personal Software Inspector
• Never store critically sensitive data on personal storage devices