SPH Information Security Update September 10, 2010.

SPH Information Security Update

September 10, 2010

Today’s Agenda

Case Studies

Types of Confidential Information

High Risk Confidential Information (HRCI)

Why We Are Focusing on This

Obtaining and Storing HRCI

Exchanging Confidential Files

Encrypting Laptops

Recent Security Developments

What We Are Asking of You

Case Studies

Data breach in February, 2008, costing Harvard over $1,000,000 with out any legal penalties.

• 6,600 victims were involved, requiring individual notification and fraud monitoring services

• Security consulting services were engaged by the University

A back up tape was lost containing 21,000 records

In 2008, the number of stolen records ranged between 4,200 – 113,000 per data breach

In 2007, the mean cost of fraud per victim was $5,720

In 2009, the average organizational cost of a data breach was $6.7 million per incident.

January 2010 - Boston Globe article reported “One million Massachusetts residents - or 1 in 6 people - have had their credit card numbers, medical records, or other personal information leaked or stolen over the past two years, according to records provided to the Globe by state officials.”

The primary preventive measures taken after a breach are training and awareness education.

Reputational harm to an organization can be substantial.

High Risk Confidential Information (HRCI):

A person’s name or other identifier, in conjunction with:

•Social Security number•Credit or Debit card number•Individual financial account•Driver’s license•State ID or Passport number•Biometric information•Personally-identifiable Medical Information

Confidential Information

Other Confidential Information

•Detailed information about University buildings, activities, or events•Faculty searches•Future University development plans•Grant information•HR Records•Student Grades•Human Subjects information•Whatever else your group considers confidential

Types of Confidential Information

High Risk Confidential Information (HRCI)

Certain categories of information are classified as High Risk, either because the exposure of this information can cause harm or because the information is specifically protected under law or under contract.

Extra care must be taken to protect HRCI in both electronic and paper form.

Improper access to or release of high-risk confidential information may be subject to legal reporting requirements.



•Social Security number•Credit or Debit card number•Individual financial account•Driver’s license•State ID or Passport number•Biometric information•Human Subjects information•Personally-identifiable Medical Information

Why We Are Focusing on This

State Law

• CMR 201 17.00 sets forth regulations for anyone who uses personal information about Massachusetts residents

Harvard Enterprise Information Security Policy (HEISP)

University Mandates (Risk Management Committee: May 2009)

• Training• Comprehensive Communications• Laptop Encryption• Finding HRCI• Vulnerability Testing• Network Requirements• Remote Access• Standard File Transfers• Non-Administrative System Certification• Managing Security and Practices

University Contracts

• Non-disclosure agreements, etc.

FERPA (Family Educational Rights and Privacy Act)

Obtaining High Risk Confidential Information

You must obtain prior approval from the SPH/ University CIO to collect or work with HRCI or to contract with a vendor to collect or work with such information.

• Request for HRCI Form

• OGC Contract Rider




Storing High Risk Confidential Information

High-Risk Confidential Information shall not exist outside of an approved system (e.g., PeopleSoft), and cannot be stored locally. This includes:

• cannot be stored on Individual user computers• cannot be stored on USB key / flash drives• cannot be stored on External hard drives

All University-owned servers and user computers will be scanned annually for

HRCI. We will deploying in the near future McAfee’s Data Loss Prevention(DLP) software to all PCs.

Paper, and other non-electronic records containing HRCI must be kept in secure, locked containers when not in use:

• Use a key locker, or assigned and numbered keys.

• Store HRCI in a supervised room controlled by card access, and review the access logs.




Exchanging Confidential Files

Do not include or attach confidential information in your email.

All confidential information must be encrypted when sent across a network.

We are offering an Accellion Secure File Transfer Server to send and receive files containing confidential information.

http://accellion.sph.harvard.edu


A person’s name or other identifier ,in conjunction with:


Confidential InformationOther Confidential

Information

•Detailed information about University buildings, activities, or events•Faculty searches•Future University development plans•Grant information•HR Records•Student Grades•Whatever else your group considers confidential

Accellion: login screen

Accellion: exchanging confidential files

Encrypting Laptops: what and why?

Encryption software encodes and password-protects the contents of your hard drive when your computer is not in use.

The theft of a Harvard computer or portable storage device (e.g., USB key, external hard drive) must not put Confidential Information at risk of disclosure.

Because University-owned laptops are particularly vulnerable to loss or theft, they must be encrypted.

Several Harvard faculty have reported stolen laptops. Family financial data was compromised.

A scientist irretrievably lost 3 years of medical research data in 2008 when thieves stole his laptop in a domestic burglary.


A person’s name or other idemtifier, in conjunction with:



Information

•Detailed information about University buildings, activities, or events•Faculty searches•Future University development plans•Grant information•HR Records•Student Grades• Whatever else your group considers confidential

Encrypting Laptops: when and how?

SPH IT purchased licenses of McAfee Endpoint Encryption software to encrypt all laptops.

Contact Helpdesk to schedule

Note: HRCI is not allowed to be stored on a laptop even if it is encrypted.


A person’s name, in conjunction with:

• Social Security number• Credit or Debit card number• Individual financial account• Driver’s license• State ID or Passport number• Biometric information• Human Subjects information•Personally-identifiable Medical Information


Information

•Detailed information about University buildings, activities, or events•Faculty searches•Future University development plans•Grant information•HR Records•Student Grades•Etc.





Information

•Detailed information about University buildings, activities, or events•Faculty searches•Future University development plans•Grant information•HR Records•Student Grades•Whatever else your group considers confidential

Recent Security Developments

Annual Certification for Staff

• On-line Training Course (EUREKA!)

• Harvard Confidentiality Agreement

All Harvard owned PCs will be annually scanned for HRCI

SPH IT has purchased McAfee DLP software to be installed on all PCs with our SPH image. We will be deploying it in the near future.

New University Standard for Remote Access to HRCI will be forth coming and will most likely include the following

• Access to High Risk Confidential Information must be limited to those with a specific business, educational, or research need.

• Computers used to access HRCI off campus must comply with additional software configuration requirements, and must use an encrypted network connection such as VPN.

• Passwords are required to be “strong passwords” for Novell and Groupwise.

• Harvard Research Data Security Policy

Defines 5-level categorization schedule for research information and defines the minimum protections required for each level

Individual researchers do not have the authority to sign an information use agreement on behalf of the University. Only the SPA group of OFS has authority.

What We Are Asking of You

Staff to participate in Annual Certification

• On-Line Security Training

• Harvard Confidentiality Agreement

Partner with us to foster security awareness and compliance

• Appropriate use of Confidential Information

• Accellion for exchanging confidential files

Operators of systems not managed by SPH IT must self certify their system(s) is in compliance with University Policy

Promptly report any security incidents

If your laptop is not encrypted contact the Helpdesk to schedule your laptop to be encrypted

Contact Information

SPH Information Security

• [email protected]

• Andrew Ross

617.432.1279

[email protected]

Questions?

SPH Information Security Update September 10, 2010.

Documents

Transcript of SPH Information Security Update September 10, 2010.