Obtaining, Storing and Using Confidential Data
October 2, 2014
Georgia Department of Audits and Accounts

Headlines
Organization | Records | Year | Type of breach
Target | 70 Million | 2013 | Credit Card Breach
Community Health Systems | 4.5 Million | 2014 | HIPAA Breach
UPS | Unknown | 2014 | Credit Card Breach
LinkedIn | 6.5 Million | 2012 | Passwords Stolen
LivingSocial | 50 Million | 2013 | Password Breach
Walgreens | 100,000 | 2013 | PHI Breach
Home Depot | 56 Million | 2014 | Credit Card & PII Breach
South Carolina DOR | 3.6 Million | 2012 | PII Breach
TriCare | 4.6 Million | 2012 | HIPAA Breach

Total number of data breaches, Jan. through Sept. 2, 2014: 521
Total number of records exposed: about 17.8 Million
Source: Identity Theft Resource Center

First Things First
- Security Awareness
- Data Classification
- Risk Assessments

Security Awareness
- Establish Policies: IT Policies
- Educate Staff: Staff Awareness Training
- Enforce Compliance: Monitoring

Security Awareness
- Staff are required to go through security awareness training every year.
- Last year we purchased SANS training, Securing the Human.
- Prior years: the IT Division developed the training and focused on:
  - IT policies
  - Current security events that have occurred in public

Security Awareness Emphasis
SecUrity is everyone's responsibility and "U" are at the center. Make sure U are not the weakest link.

Security Awareness Emphasis
Be a good example to the entities that you audit. We should be setting the example for good SecUrity.

Data Classification
- Once you have trained staff, you need to make sure all data is classified.
- Data classification: classifying the data based on its level of sensitivity/confidentiality and the impact to our office in the event the data is disclosed, altered or destroyed without authorization.
- The classification of data helps determine what baseline security controls are appropriate for safeguarding that data.

Data Classification
- The GA Department of Audits is in the process of classifying all our confidential data.
- Developing a Department Catalog to identify datasets and business owners.

Data Classification Catalog

Data Classification

Questions to ask
- Where is my sensitive/confidential data?
- Can I manage all copies and versions of confidential data?
- Is all confidential data appropriately protected?
- Who can access confidential data?
- Is confidential data required for the audit?
- Is confidential data being sent or transferred out (email and/or removable media)?
- Are the correct security processes being applied to confidential data?
- What about retention of confidential data?

What should be kept confidential?

Risk Assessment
- After we do a Data Classification we will be doing a risk assessment.
- Select a risk assessment methodology (a repeatable process).
- Use the data classification information.
- Determine gaps in security.
- Assess potential risks, threats and vulnerabilities.
- Risk = Likelihood * Impact

Risk Assessment
If there was a breach, make sure you think about things such as:
- Reputation
- Credibility
- Cost to investigate
- Credit monitoring services for those affected

GA State Law 50-6-29

Obtaining Confidential Data
- Give the DOAA Confidentiality Form to the entity.
  - Sometimes the entity wants to modify the form, especially in regard to how long we can keep the data.
  - The entity's lawyer usually wants to get involved.
- Federal law supersedes State law.
- Data and system may be with a 3rd party.
- Try to get the data well in advance of the start of the audit.
- Entity stall practices:
  - Too big
  - Wrong format

Transmitting Confidential Data
- For most transfers we use a product called Accellion Secure File Transfer.
- If the dataset is large, we will give the entity an encrypted drive to copy the data to.

Storing Confidential Data
Encryption:
- In Oracle: work with the business owner to make sure field-level encryption is on for datasets.
- Laptops: use PGP to encrypt all laptops.
- Flash drives: for HIPAA data, encrypt all flash drives with PGP.
- Looking at BitLocker to start encrypting all DOAA flash drives and possibly laptops.
- Backups are encrypted.

Using Confidential Data
- In the Oracle DB, if data fields have to be decrypted, an email is sent to IT and the Manager of the project to alert them that data fields were decrypted.
- DLP (Data Loss Prevention): we use Cisco's appliance for email DLP violations.
  - A notification is sent to the ISO and IT Director if there is a DLP violation, to make sure it is not a false positive.
  - The employee's Director is notified of any DLP violation in order to guide employees' behavior to be more security conscious.

Destroying Confidential Data
- Destruction of data: auditors are responsible for destroying confidential data at the end of the audit or, if needed for work papers, at the end of the retention period of 5 years.
- Auditors are provided with software (PGP Shredder) that facilitates the destruction of confidential electronic data by overwriting the data with random text and repeating this process through multiple passes.
- Records managers in each Division ensure compliance.

Additional Tools
- Evaluating a product called Sensitive Data Manager by Identity Finder.

Final Thought
State of _________ Audit Department Breach

Questions
Lynn Bolton
(404) 657-9978
boltonln@audits.ga.gov