Data leaks result from sensitive data that is e-mailed to users' home computers, downloaded to flash drives, copied to unencrypted laptops, stored in shadow databases on local computers, or improperly destroyed or disposed of when no longer needed.
To protect a university's sensitive data, we must plan a data-centric approach to our security programs that protects against data leaks. We can never prevent all sensitive data leaks, but steps can be taken to minimize them. This presentation discusses some of the steps taken at East Carolina University to minimize sensitive data leakage and our continual efforts in this battle, and explores future options to address this issue.
Umphrey hutcherson-ecu-cause2010-rev5
1. Battle Against Sensitive Data Leakage
Margaret Umphrey
Director IT Security – East Carolina University
streeterm@ecu.edu
(252) 328-9187
Paula Hutcherson
User Account Manager – East Carolina University
hutchersonp@ecu.edu
(252) 328-9186
2. Sensitive Data Leaks
o What are Sensitive Data Leaks?
o Why Should Data Leaks Concern Us?
o How Can We Slow Data Leaks?
o Discussion of Strategies You Use
5. Why are Universities More Susceptible?
o Decentralized IT staff with their own IT policies and practices
o Huge amount of data handled
o Students accessing data with limited training and supervision
6. Why are Universities More Susceptible?
o Open nature of the university physical and technical environment
o Early adoption of mobile devices, social networking, cloud computing, etc.
o Numerous databases maintained outside of the centrally managed databases
7. Why are Universities More Susceptible?
o Business partners' or research sponsors' failure to protect data
o Non-enforced data-security practices
o Budget constraints
8. Why Should we be Concerned?
o University of Hawaii at Manoa suffered a major data breach that exposed the confidential records of more than 40,000 former students. A faculty member accidentally uploaded the files that contained personal student records to an unencrypted Web server²
o Eight cabinets full of tax records were stolen from a residence. The records belonged to a deceased tax preparer²
² PHIPrivacy.net
9. Why Should we be Concerned?
o A flash drive containing over 280,000 patient names, addresses, and personal health information was lost or stolen by Keystone Mercy Health Plan and AmeriHealth Mercy Health Plan in Philadelphia, Pennsylvania²
o A portable point of care device was stolen from an employee of HomeCall Inc., Rockville, Maryland. Client names, addresses, Social Security Numbers, medical record numbers, diagnoses and treatment information were on the unencrypted device²
² PHIPrivacy.net
10. Why Should we be Concerned?
o The full names, driver's license numbers and Social Security Numbers of 2,484 full and part-time employees of Arkansas State University were accidentally emailed to university email accounts²
o Rite Aid paid one million dollars to settle HIPAA privacy violations; Rite Aid also agreed to update corporate policies and procedures so that patient medical information would be properly disposed of, employees would be properly trained in disposal of patient information, and employees would be held accountable if they did not dispose of patient information properly²
² PHIPrivacy.net
13. How Can We Slow the Leaks?
o Identify Location of all Confidential Data
  Conduct External DLP Assessment
  Purchase and Implement DLP Solution
  Conduct Internal Sensitive Data Scans
  Integrate Data Security into Data Ownership
  Integrate Security Awareness and Training into Culture
o Eliminate Duplicate Data
  Don't Download from Centralized Systems
  Remove Copies of Confidential Data
  De-identify Personally Identifiable Data
  Don't Create Shadow Systems
14. How Can We Slow the Leaks?
o Protect Confidential Data
  Implement Appropriate Security Controls
  Encrypt Data at Rest
  • Database, Server, Desktop, Laptop, Mobile Device
  Encrypt Data in Motion
  • Email, File Transfer, Remote Access, Data Entry
  Securely Dispose of Data
  • Paper, Hard Drives, Video, FAX, Printers, Medical Devices, etc.
o Implement Policies, Standards and Procedures
  Data Ownership and Classification
  Data Security Standards
  Required Security Awareness and Training
  Integrate Security into Design Phase
  Incorporate Security into Governance
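As an added example (not part of the presentation or of ECU's tooling), here is the kind of internal sensitive data scan listed under "Identify Location of all Confidential Data": it walks a directory tree and reports which files contain SSN-shaped strings or Luhn-valid card-number-shaped strings, returning only paths and counts so the scan itself never copies the sensitive values into its report. The patterns, the Luhn filter and the size limit are assumptions chosen to reduce false positives.

```python
import os
import re
from typing import Dict, List, Tuple

# Assumed detection patterns (not from the presentation).
# SSN: 3-2-4 digits, excluding area numbers 000, 666 and 9xx and zero groups.
SSN_RE = re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# Candidate card numbers: 13-16 digits, optionally separated by spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")


def luhn_ok(digits: str) -> bool:
    """True if the digit string passes the Luhn checksum (cuts PAN false positives)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan_text(text: str) -> Dict[str, int]:
    """Count SSN-shaped and Luhn-valid card-shaped strings; matched values are not returned."""
    ssn_hits = len(SSN_RE.findall(text))
    card_hits = 0
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 16 and luhn_ok(digits):
            card_hits += 1
    return {"ssn": ssn_hits, "card": card_hits}


def scan_tree(root: str, max_bytes: int = 5_000_000) -> List[Tuple[str, Dict[str, int]]]:
    """Walk root and report (path, counts) for every file with at least one hit."""
    findings: List[Tuple[str, Dict[str, int]]] = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                # Read as text, ignoring undecodable bytes, and cap the read size.
                with open(path, "r", encoding="utf-8", errors="ignore") as fh:
                    counts = scan_text(fh.read(max_bytes))
            except OSError:
                continue        # unreadable file: skip, do not abort the scan
            if any(counts.values()):
                findings.append((path, counts))
    return findings
```

Run `scan_tree("/path/to/share")` against a departmental file share to locate shadow copies of confidential data; files flagged here are candidates for the "Remove Copies of Confidential Data" and "De-identify" steps above.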
16. Challenges
o Integrating Data Security into Data Ownership
o Centralizing IT Operations and Standards
o Integrating Security into Research Protocols
o Integrating Security into Purchase of Medical Devices
o Enforcing Non-compliance Sanctions
17. Where Do We Go From Here?
o How Does Your University Manage Sensitive Data Leaks?
o Share Your Success
o What have You Found as the Top Challenges?
o What Recommendations can You Provide?
Editor's notes
Industry comparisons (01/13/09)
Breach incidents by industry:
o business - 311 incidents (includes retail and financial institutions)
o education - 281 incidents
o government - 245 incidents
o healthcare - 108 incidents
Records compromised by industry:
o business - 77% of compromised records
o government - 19%
o education - 2%
o healthcare - 2%