Information Security Office, www.cmu.edu/iso

Copyright Statement

Copyright Mary Ann Blair 2008. This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.


Identity Finder and Carnegie Mellon

Mary Ann Blair, Director of Information Security

Information Security Office (ISO), www.cmu.edu/iso


Overview

1. Background

2. What We Did

3. How We Did It

4. What We Learned

5. What Next…


Background


What We Did

• SSN Remediation Project: local scanning fast tracked after laptop theft

• Learned from peers!

• Vendor partnership as a critical selection criterion

• Enterprise license including home use


What We Did

• Voluntary for all faculty, staff, and students

• Appealed to stewardship

• Relied on the shock factor

• Big bang


How We Did It

• Customized MSI
  – Embedded license key
  – Disabled recycle option
  – Disabled auto-update

• Customized user documentation

• Pre-announced to partners followed by mass mail

• Surveyed faculty & staff


Mass Mail: Do your part to prevent Identity Theft

Protect Yourself, Others and the University from Identity Theft with Identity Finder!

Did You Know?

- Your computer might be storing personally identifiable information (PII) such as your Social Security Number, bank account numbers, credit card numbers and passwords without your knowledge

- If your computer or external media is lost, stolen or broken into over the Internet, someone might use it to steal your identity and the identities of anyone who shares your computer or whose personal information you might handle

- If you store sensitive PII for Carnegie Mellon work and your computer or external media is lost or compromised, the University is obligated under PA state law to notify everyone affected by the breach and could potentially be legally liable

- Over eight million Americans have their identities stolen annually and on average victims spend 600 hours clearing their good name -- Federal Trade Commission & Identity Theft Resource Center

Do Your Part! Clean Up Sensitive PII on Your Computer with Identity Finder! <site links>

NOTE: If your computer is managed by a Carnegie Mellon departmental computing administrator, please consult that person before making ANY system changes.


How We Did It

http://www.cmu.edu/computing/doc/security/identity/index.html


How We Did It


What we told folks 1/3

1. Know what data is stored on your personal computer.

2. Delete or redact what you don’t absolutely need.


What we told folks 2/3

3. Don’t store it on your personal computer, especially not on your laptop or home computer.

If you must store sensitive data, check with your departmental computing administrator about options to store it on a secured file server, one with robust access control mechanisms and encrypted transfer services.


What we told folks 3/3

4. If you must store it on your personal computer:

A. Follow the “Securing your Computer guidelines”
B. Password protect the file if possible
C. Encrypt the file (Identity Finder’s Secure Zip, PGP Desktop or TrueCrypt)
D. Only transmit via encrypted protocols
E. Secure delete it as soon as feasible
F. Reformat and/or destroy your hard drive before disposal or giving your computer to someone else
G. Secure your backups and media
H. Tell us why so that we can brainstorm alternatives


What we learned

[Chart: Three Month Adoption Rates. Bar chart comparing Notified versus Downloads for Faculty, Staff and Student (y-axis 0 to 12,000), with adoption rates labelled 4%, 6% and 11%.]

* Only 4% of downloads resulted in a completed survey.


What we heard

• “Didn't realize info was stored like it was.”

• “I would not use it again until a MAC version is available, operating at a more acceptable search rate.”

• “I think this is an incredible, very valuable tool. THANKS for making it available.”

• “This was an eye-opener for me. This is a good addition to our set of security tools.”

• “No, the data on my computer was an oversight on my part. Some of the data existed from a previous employee.”

• “Some 70 of my 90 passwords were from browsers -- that was a learning experience, but it was not worth the 3 hours for this.”


What we learned

• Workloads don’t support volunteerism

• There is a lot to secure and it’s hard and time-consuming deciding how to do it

• There are local as well as central retention requirements

• User requirements must be easy

• Users expect communication via local channels

• We have an expert’s blind spot


What Next…

• Getting better air cover (top-down)

• Partnering w/local IT and user groups

• Pushing installs via AD group policy

• Offering hands on classroom training

• Preparing for console functionality

• Developing Macintosh support

• Stopping release of SSNs into the wild

• Developing SSN Usage Policy


Q&A

Please e-mail for additional information.

[email protected]

[email protected]