250 likes | 320 Views
Evaluating PII Presence in a Government Environment. Jonathan Homer. NLIT 2009. Courtesy of Alcatel-Lucent. Background. Laptop Loss is Cheap Data Loss is Expensive Publicity due to data loss DOES NOT attract new business! Data protection is more than just policy
E N D
Evaluating PII Presence in a Government Environment Jonathan Homer NLIT 2009
Background • Laptop Loss is Cheap • Data Loss is Expensive • Publicity due to data loss DOES NOT attract new business! • Data protection is more than just policy • Data protection is more than just encryption
3-Minute Discussion What actions are we taking today to protect our at-risk data? What types of data do we have in our environment?
The Risk FIREDRILL: • Random Employee • Random Laptop • No Advanced Warning • Without contacting the employee • Who is actually using the laptop? • What data has potentially been compromised? • What security measures were in place on the laptop? • Encryption • Password Strength • Remote Tracking • What security risks were potentially compromised? • VPN access program and information • VPN token compromised as well? • Stored Certificates and Credentials • What was the patching and update status of the laptop?
Steps To Risk-Based PII Protection • Identifying the Potential Risks (Policy) • Collecting, Storing and Maintaining Information • Auditing and Assessing Process And Practice • Protecting the Data • Damage Control
Collecting, Storing and Maintaining Information about Devices • Important to know • Who is the owner/user? • What is being stored? • Where is the device and where does it go? • Why is the device? • IT visibility is limited • On-Network • Technical Data Only • Need For Validation
565.06 – Hardware Registration Form • Data validation is comprehensive of all IT devices • Identifies owners AND users • Tells IT: • WHO uses it • WHY they use it • WHERE the device is located • WHAT data is stored on the device
3. Audit and Assess: Process and Practice • Every step has human involvement and fallibility • It is more convenient for humans NOT to follow the rules
3. Audit and Assess: Process and Practice AT THE INL • Self Assessments Quarterly • Internal Audits Annually (conducted by Audits Team) • External Audits as requested by HQ and Corporate • General Public - Hopefully Never!
How We Assess • Integrated into operations (Field Techs, etc) • Behind-The-Scenes Investigation (Management Tools) • Quarterly Self Assessment Team (On-site Visits) Tools: We chose to build our own application
PII Search Script • Script Requirements • Windows, Mac, Linux • Portable • Secure (Encrypted Results) • No Local Install • Networked and Off-Network • Under 10 minutes
PII Search Script - Keywords • Social Security • Identifiable • Birth • Place of Birth • Employee • Maiden • Fingerprints • DNA • Medical • Criminal • Employment • Resume • Financial • Clearance • Badge • SNumber • Middle Name • SSN • PII • Official • Private • Cleared • Military
PII Search Script • How We Pull It Off • Location: Common locations only • File Types: .txt .doc .xls .ppt … • Keywords: Keywords from INL definition of PII and CUI • 10 min limit: If we’re not finished, we stop the scan (5% of the time) • Hand evaluation of the results – not worth the artificial intelligence • NEW IN 2008: Pen Drives (oh yeah!)
PII Search Script • What To Expect: • High # of false positives • Most computers don’t have any PII and CUI on them • Users tend to err of the side of caution • 50% of found instances don’t properly identifyCUI • Other 50% “were getting around to updating the form” • User education will resolve the issue much more effectively than technical controls
What We Have Learned • Cached Files (Windows “Offline files”) • Theoretically could store network data on local drive • Unable to replicate scenario • Mitigated by Encryption • #1 forms of PII and CUI found: Resumes with SSN, Performance Reviews • Medical history is extremely hard to detect when in database and/or spreadsheet format • Before you begin – ensure management is specific on what is and what isn’t PII
What We Have Learned (cont) • Pen Drives • Low Detection Rates • Usually not labeled correctly • Encryption prevents easy assessing • Overall Program • Relatively Inexpensive compared to ROI • Low Impact on Users
Contact Info Jonathan Homer 208.526.9660 Jonathan.Homer@inl.gov