Secure IT 2005 Panel Discussion Felecia Vlahos, SDSU Sally Brainerd, UCSD Brooke Banks, CSU Chico.


Page 1
Secure IT 2005 Panel Discussion
Felecia Vlahos, SDSU
Sally Brainerd, UCSD
Brooke Banks, CSU Chico

Page 2
Secure IT 2005 – Panel Discussion

Agenda
- CCC 1798.29 Review
- SDSU Overview
- UCSD Overview
- CSU Chico Overview
- Common Questions
- Questions From Attendees

Page 3
Secure IT 2005 – Panel Discussion

California Civil Code 1798.29
AKA SB1386, California Database Notification Act
http://www.leginfo.ca.gov/calaw.html (check civil code box, type 1798.29)

Any agency that owns or licenses computerized data that includes personal information shall disclose any breach of the security of the system following discovery or notification of the breach in the security of the data to any resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person.

Page 4
Secure IT 2005 – Panel Discussion

Personal information: individual's first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted:
(1) Social security number. (last four SSN + DOB, TAX ID)
(2) Driver's license number or California Identification Card number.
(3) Account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account (ACH).

Breach of the security of the system / Reasonably believed to have been: unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by the agency.
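The definition above is the test an incident team has to apply to every exposed record when scoping a breach. The following is an added example, not code from the panel or any of the three campuses, that encodes that test (name plus at least one data element, California residency, and the "either the name or the data elements are not encrypted" condition) over a constructed set of records; the record layout, field names and sample values are assumptions.

```python
# Added example (not from the panel slides): triage exposed records against the
# CCC 1798.29 definition of "personal information" to decide who must be notified.
# Record layout, field names and the sample data are assumptions.
from dataclasses import dataclass, field

@dataclass
class ExposedRecord:
    first_name: str                                 # first name or first initial
    last_name: str
    ca_resident: bool
    fields: dict = field(default_factory=dict)      # exposed field -> value
    encrypted: set = field(default_factory=set)     # fields that were stored encrypted

def qualifying_elements(rec):
    """Statutory data elements present in rec -> True if in clear text; (3) needs number AND code."""
    def clear(f):
        return f in rec.fields and f not in rec.encrypted
    out = {f: clear(f) for f in ("ssn", "drivers_license", "ca_id_card") if f in rec.fields}
    if "account_number" in rec.fields and "access_code" in rec.fields:
        out["financial_account"] = clear("account_number") and clear("access_code")
    return out

def requires_notification(rec):
    """Notice is owed to a California resident whose name appears with at least one
    data element when either the name or the element was not encrypted (slide wording)."""
    if not (rec.ca_resident and rec.first_name and rec.last_name):
        return False
    elems = qualifying_elements(rec)
    name_clear = "first_name" not in rec.encrypted or "last_name" not in rec.encrypted
    return bool(elems) and (name_clear or any(elems.values()))

def scope_breach(records):
    """Return (records to notify, {element: how many notified records carried it})."""
    to_notify, by_element = 0, {}
    for rec in records:
        if requires_notification(rec):
            to_notify += 1
            for e in qualifying_elements(rec):
                by_element[e] = by_element.get(e, 0) + 1
    return to_notify, by_element

# Constructed sample of five records from a hypothetical exposed file.
SAMPLE = [
    ExposedRecord("J", "Doe", True, {"ssn": "000-00-0000"}),                      # initial + SSN: notify
    ExposedRecord("Ann", "Lee", False, {"ssn": "000-00-0001"}),                   # not a CA resident
    ExposedRecord("Bob", "Ray", True, {"ssn": "000-00-0002"}, {"ssn"}),           # SSN encrypted, name clear
    ExposedRecord("Cy", "Ng", True, {"ssn": "000-00-0003"}, {"first_name", "last_name", "ssn"}),
    ExposedRecord("Di", "Oz", True, {"account_number": "12345"}),                 # no access code: not element (3)
]
```

Running `scope_breach(SAMPLE)` yields two records to notify, both driven by an SSN; the fully encrypted record and the account number without its access code fall outside the definition.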

Page 5
California Civil Code 1798.29 …continued

The disclosure shall be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement, as provided in subdivision (c), or any measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system…

Page 6
Secure IT 2005 – Panel Discussion

Resident of California:
Unencrypted:
Most expedient time possible and without unreasonable delay:
Needs of law enforcement: will impede a criminal investigation… the law enforcement agency determines that it will not compromise the investigation
Any measures necessary to determine the scope of the breach:
Restore the reasonable integrity:

Page 7
Secure IT 2005 – Panel Discussion

SDSU Overview
Felecia Vlahos, ISO
Feb 24/March 16-22 2004
Financial aid file server + 19 others
Unpatched faculty system/Internal password attack
Sending spam and downloading music
FAFSA applicants up to 10 years prior
SSN/DOB
Managed by IT Security Office
206,876 notified
$187,254

Page 8
Secure IT 2005 – Panel Discussion

UCSD Overview
Sally Brainerd, Associate Controller
April 16 – 18, 2004
EFT (Financial Aid), 2 Scan Stations & a Check Process Station
Non-encrypted files, stranded images and stored cached check data
FTP servers installed
Students, applicants, staff, faculty, parents
SSN, DL, Bank (Checking account)
Office of the Controller/BFS Systems
Announced 380k, actual 364k, notified 322k
$204,000

Page 9
Secure IT 2005 – Panel Discussion

CSU Chico Overview
Brooke Banks, ISO
Feb 16/March 14-16 2005
Housing office server
Web/File/Print server with unencrypted historical records
Root kit and FTP server installed, scans of other servers
ID card file - faculty, staff and students (Name, SSN)
Housing database – prospective students, as well as residents for last 5 years (Name, SSN, contact information)
Managed by IT Security Office
59,268 notified via e-mail and/or postal mail
Cost TBD

Page 10
Secure IT 2005 – Panel Discussion

FAQ
1. What security measures were in place to prevent the incident? What changed afterward?

Page 11
Secure IT 2005 – Panel Discussion

FAQ
2. Was law enforcement contacted? Able to identify the hacker?

Page 12
Secure IT 2005 – Panel Discussion

FAQ
3. Discuss interpretation of CCC 1798.29 "most expedient" and the process used to produce notifications (letters/web/emails).

Page 13
Secure IT 2005 – Panel Discussion

FAQ
4. Reaction from University staff/faculty/students?

Page 14
Secure IT 2005 – Panel Discussion

FAQ
5. What volume and types of calls/emails/letters/media were received after notification?

Page 15
Secure IT 2005 – Panel Discussion

FAQ
6. What types and values of cost were incurred?

Page 16
Secure IT 2005 – Panel Discussion

Questions from Attendees