Obtaining, Storing and Using Confidential Data
October 2, 2014
Georgia Department of Audits and Accounts
Headlines
• UPS, 2014: credit card breach, number of records unknown
• Target, 2013: credit card breach, 70 million
• LinkedIn, 2012: passwords stolen, 6.5 million
• LivingSocial, 2013: password and PII breach, 50 million
• Walgreens, 2013: PHI breach, 100,000
• Home Depot, 2014: credit card breach, 56 million
• Community Health Systems, 2014: HIPAA breach, 4.5 million
• South Carolina DOR, 2012: PII breach, 3.6 million
• TriCare, 2012: HIPAA breach, 4.6 million
Data Breaches in 2014 (January through September 2, 2014)
• Total number of data breaches: 521
• Total number of records exposed: about 17.8 million
Source: Identity Theft Resource Center
First Things First
• Security Awareness
• Data Classification
• Risk Assessments
Security Awareness
• Staff are required to go through security awareness training every year
• Last year we purchased the SANS "Securing the Human" training
• In prior years the IT Division developed the training in-house and focused on:
  • IT policies
  • Current security events that have occurred in public
Security Awareness Emphasis
SecUrity is everyone's responsibility, and "U" are at the center. Make sure U are not the weakest link.
Security Awareness Emphasis
Be a good example to the entities that you audit. We should be setting the example for good SecUrity.
Data Classification
• Once staff have been trained, you need to make sure all data is classified.
• Data classification: classifying data based on its level of sensitivity/confidentiality and the impact to our office in the event the data is disclosed, altered or destroyed without authorization.
• The classification of data helps determine what baseline security controls are appropriate for safeguarding that data.
Data Classification
• The GA Department of Audits is in the process of classifying all of our confidential data
• Developing a Department Catalog to identify datasets and business owners
Data Classification Catalog (the catalog is shown as an image on the slide)
Questions to Ask
• Where is my sensitive/confidential data?
• Can I manage all copies and versions of confidential data?
• Is all confidential data appropriately protected?
• Who can access confidential data?
• Is confidential data required for the audit?
• Is confidential data being sent or transferred out (by email and/or removable media)?
• Are the correct security processes being applied to confidential data?
• What about retention of confidential data?
Confidential Information
What should be kept confidential?
• Credit cards
• Health care information
• Personally Identifiable Information
• SSNs
• Student records
Risk Assessment
• After we complete the data classification we will do a risk assessment
• Select a risk assessment methodology (a repeatable process)
• Use the data classification information
• Determine gaps in security
• Assess potential risks, threats and vulnerabilities
Risk = Likelihood * Impact
Risk Assessment
If there were a breach, make sure you think about things such as:
• Reputation
• Credibility
• Cost to investigate
• Credit monitoring services for those affected
GA State Law 50-6-29
Obtaining Confidential Data
• Give the DOAA Confidentiality Form to the entity
  • Sometimes the entity wants to modify the form, especially in regard to how long we can keep the data
  • The entity's lawyer usually wants to get involved
  • Federal law supersedes state law
• The data and system may be with a 3rd party
• Try to get the data well in advance of the start of the audit
• Entity stalling practices:
  • "Too big"
  • "Wrong format"
Transmitting Confidential Data
• For most transfers we use a product called Accellion Secure File Transfer
• For a large dataset we give the entity an encrypted drive to copy the data to
Storing Confidential Data
• Encryption
  • In Oracle: work with the business owner to make sure field-level encryption is turned on for confidential datasets
  • Laptops: use PGP to encrypt all laptops
  • Flash drives: for HIPAA data, encrypt all flash drives with PGP
  • Looking at BitLocker to start encrypting all DOAA flash drives and possibly laptops
  • Backups are encrypted
Using Confidential Data
• In the Oracle DB: if data fields have to be decrypted, an email is sent to IT and to the manager of the project to alert them that the data fields were decrypted
• DLP (Data Loss Prevention): we use Cisco's appliance for email DLP violations
  • A notification is sent to the ISO and IT Director on any DLP violation; they make sure it is not a false positive
  • The employee's Director is notified of any DLP violation in order to guide employees' behavior to be more security conscious
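The two controls above, encrypting confidential fields at rest and alerting whenever they are decrypted, can be implemented in application code as well as inside the database. The Go program below is an added example written for this page, not code from DOAA, Oracle or PGP: it seals individual column values with AES-256-GCM, binds the table and column name into the authentication tag so a ciphertext copied into another column fails to decrypt, and records an audit event on every decrypt call, which is the point where the deck's email to IT and the project manager would be sent. The key, the table and field names, the sample value and the in-memory audit log are all assumptions for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"time"
)

// AuditEvent records who decrypted which field and when. The deck's process
// emails IT and the project manager on decryption; this in-memory log is a
// hypothetical stand-in for that notification.
type AuditEvent struct {
	Who   string
	Table string
	Field string
	At    time.Time
}

// FieldVault encrypts individual column values with AES-256-GCM.
// In production the key comes from a key manager; here it is passed in.
type FieldVault struct {
	aead  cipher.AEAD
	Audit []AuditEvent
}

// NewFieldVault builds a vault from a 32-byte AES-256 key.
func NewFieldVault(key []byte) (*FieldVault, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes (AES-256)")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &FieldVault{aead: aead}, nil
}

// Encrypt seals one field value under a fresh random nonce. The table and
// column names are bound as associated data, so a ciphertext moved to a
// different column fails authentication instead of decrypting.
func (v *FieldVault) Encrypt(table, field, plaintext string) (string, error) {
	nonce := make([]byte, v.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	ct := v.aead.Seal(nil, nonce, []byte(plaintext), []byte(table+"."+field))
	return base64.StdEncoding.EncodeToString(append(nonce, ct...)), nil
}

// Decrypt opens one field value. The audit event is recorded before the
// attempt, so failed and successful decryptions are both visible.
func (v *FieldVault) Decrypt(who, table, field, encoded string) (string, error) {
	v.Audit = append(v.Audit, AuditEvent{Who: who, Table: table, Field: field, At: time.Now()})
	raw, err := base64.StdEncoding.DecodeString(encoded)
	if err != nil {
		return "", err
	}
	ns := v.aead.NonceSize()
	if len(raw) < ns {
		return "", errors.New("ciphertext too short")
	}
	pt, err := v.aead.Open(nil, raw[:ns], raw[ns:], []byte(table+"."+field))
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

func main() {
	key := make([]byte, 32) // generated for the demo; a real key lives in a key manager
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	v, err := NewFieldVault(key)
	if err != nil {
		panic(err)
	}
	// Constructed sample value, not real data.
	ct, err := v.Encrypt("employees", "ssn", "123-45-6789")
	if err != nil {
		panic(err)
	}
	fmt.Println("stored:", ct)
	pt, err := v.Decrypt("auditor17", "employees", "ssn", ct)
	fmt.Println("decrypted:", pt, "err:", err)
	_, err = v.Decrypt("auditor17", "employees", "phone", ct)
	fmt.Println("moved to another column:", err)
	for _, e := range v.Audit {
		fmt.Printf("audit: %s decrypted %s.%s at %s\n", e.Who, e.Table, e.Field, e.At.Format(time.RFC3339))
	}
}
```

Recording the event before the Open call matters: an analyst who copies a ciphertext into a column they are allowed to read still shows up in the audit trail, and the associated data makes that copy fail anyway. Random 96-bit GCM nonces are fine at the volume of an audit dataset, but the key should still be rotated by the key manager rather than used for an unbounded number of values.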
Destroying Confidential Data
• Destruction of data: auditors are responsible for destroying confidential data at the end of the audit or, if it is needed for work papers, at the end of the 5-year retention period
• Auditors are provided with software (PGP Shredder) that facilitates the destruction of confidential electronic data by overwriting the data with random text, repeating this process through multiple passes
• Records managers in each Division ensure compliance
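The multi-pass overwrite the deck describes is straightforward to implement. The Go program below is an added example for this page, not PGP Shredder or any DOAA tool: it rewrites the file in place with fresh random bytes for the requested number of passes, forces each pass to disk before starting the next, and only then unlinks the name. The file name and contents in main are constructed for the demo.

```go
package main

import (
	"crypto/rand"
	"fmt"
	"os"
)

// Shred overwrites the file at path with random data for the given number
// of passes, forcing each pass to disk before the next, then unlinks it.
// It returns the number of bytes overwritten per pass.
func Shred(path string, passes int) (int64, error) {
	if passes < 1 {
		return 0, fmt.Errorf("passes must be at least 1, got %d", passes)
	}
	f, err := os.OpenFile(path, os.O_WRONLY, 0)
	if err != nil {
		return 0, err
	}
	info, err := f.Stat()
	if err != nil {
		f.Close()
		return 0, err
	}
	size := info.Size()
	if err := overwrite(f, size, passes); err != nil {
		f.Close()
		return 0, err
	}
	if err := f.Close(); err != nil {
		return 0, err
	}
	// Only after every pass has reached the disk is the name removed.
	return size, os.Remove(path)
}

// overwrite fills the open file with fresh random bytes, pass by pass,
// writing in 64 KiB chunks so large work papers need not fit in memory.
func overwrite(f *os.File, size int64, passes int) error {
	buf := make([]byte, 64*1024)
	for p := 0; p < passes; p++ {
		if _, err := f.Seek(0, 0); err != nil {
			return err
		}
		for written := int64(0); written < size; {
			n := int64(len(buf))
			if size-written < n {
				n = size - written
			}
			if _, err := rand.Read(buf[:n]); err != nil {
				return err
			}
			if _, err := f.Write(buf[:n]); err != nil {
				return err
			}
			written += n
		}
		// Sync so the blocks on disk change, not just the page cache.
		if err := f.Sync(); err != nil {
			return err
		}
	}
	return nil
}

func main() {
	// Constructed work paper for the demo; the content is not real audit data.
	tmp, err := os.CreateTemp("", "workpaper-*.txt")
	if err != nil {
		panic(err)
	}
	tmp.WriteString("SSN 123-45-6789 (sample value)\n")
	tmp.Close()
	n, err := Shred(tmp.Name(), 3)
	fmt.Printf("overwrote %d bytes x 3 passes, err=%v\n", n, err)
	_, err = os.Stat(tmp.Name())
	fmt.Println("file still exists:", !os.IsNotExist(err))
}
```

One caveat a practitioner should keep in mind: overwriting only destroys data where the filesystem and device rewrite the same blocks. SSD wear levelling, copy-on-write or journaling filesystems, snapshots, cloud sync folders and the encrypted backups the deck mentions all keep copies a shredder never touches. That is why the encryption of laptops, flash drives and backups described earlier matters for disposal as well as for theft: destroying the key renders every copy unreadable at once, which overwriting cannot guarantee.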
Additional Tools
• Evaluating a product called Sensitive Data Manager by Identity Finder
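The DLP triage step earlier on this page (checking that a violation is not a false positive) and the discovery tool being evaluated here both rest on the same detection logic: pattern matching for SSNs and card numbers, plus plausibility checks that keep the noise down. The Go program below is an added example written for this page, not code from Cisco's appliance or from Identity Finder; the message it scans is constructed. It reports a card number only when it passes the Luhn check, reports an SSN only when its area, group and serial numbers are ones the SSA actually issues, and masks each hit so the report is not itself another copy of the confidential value.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// sampleMail is a constructed outbound message, not real data. Lines 2 and 3
// should be flagged; line 4 looks like a card number but fails Luhn, and
// line 5 uses an SSN area number (000) the SSA never issues.
const sampleMail = `Subject: Q3 payroll extract
Employee 123-45-6789 flagged for review
Card on file: 4111 1111 1111 1111
Tracking number 1234 5678 9012 3456
Placeholder 000-12-3456 in template`

// Finding is one hit: which detector fired, the value masked to its last
// four digits, and the line it was on.
type Finding struct {
	Kind   string
	Masked string
	Line   int
}

var (
	ssnRe = regexp.MustCompile(`\b(\d{3})-(\d{2})-(\d{4})\b`)
	// 13 to 19 digits, optionally separated by spaces or hyphens.
	panRe = regexp.MustCompile(`\b(?:\d[ -]?){12,18}\d\b`)
)

// luhnValid applies the check-digit test every payment card number passes.
// Nine out of ten random digit strings fail it, which keeps order and
// tracking numbers out of the DLP violation queue.
func luhnValid(digits string) bool {
	sum := 0
	double := false
	for i := len(digits) - 1; i >= 0; i-- {
		d := int(digits[i] - '0')
		if double {
			d *= 2
			if d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return sum%10 == 0
}

// ssnPlausible rejects values the SSA never issues: area 000, 666 or
// 900-999, group 00, serial 0000.
func ssnPlausible(area, group, serial string) bool {
	if area == "000" || area == "666" || area[0] == '9' {
		return false
	}
	return group != "00" && serial != "0000"
}

// mask keeps only the last four digits of the matched value.
func mask(s string) string {
	digits := strings.Map(func(r rune) rune {
		if r >= '0' && r <= '9' {
			return r
		}
		return -1
	}, s)
	return strings.Repeat("*", len(digits)-4) + digits[len(digits)-4:]
}

// Scan runs both detectors over text and returns the findings that survive
// the plausibility checks.
func Scan(text string) []Finding {
	var out []Finding
	for i, line := range strings.Split(text, "\n") {
		for _, m := range ssnRe.FindAllStringSubmatch(line, -1) {
			if ssnPlausible(m[1], m[2], m[3]) {
				out = append(out, Finding{"ssn", mask(m[0]), i + 1})
			}
		}
		for _, m := range panRe.FindAllString(line, -1) {
			digits := strings.NewReplacer(" ", "", "-", "").Replace(m)
			if luhnValid(digits) {
				out = append(out, Finding{"pan", mask(m), i + 1})
			}
		}
	}
	return out
}

func main() {
	for _, f := range Scan(sampleMail) {
		fmt.Printf("line %d: %s %s\n", f.Line, f.Kind, f.Masked)
	}
}
```

The same function serves both uses on the page: pointed at an outbound email it is the DLP check, pointed at files on a share or laptop it is the discovery scan. The plausibility checks are what make the ISO's false-positive review tractable; without them every invoice number and tracking ID arrives as a violation.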
Final Thought
State of _________ Audit Department Breach
Questions
Lynn Bolton
(404) 657-9978
boltonln@audits.ga.gov