The UH Information Security Policy & YOU

Jodi Ito, Information Security Officer, ITS

jodi@hawaii.edu, 956-2400

Agenda

• Intellectual Property (IP) and Personal Information (PI) working definitions
• Need to protect IP & PI
• PI Hawaii State Laws
• UH Executive Policy E2.214: Security & Protection of Sensitive Information

Intellectual Property (IP)

• From the World Intellectual Property Organization (WIPO):

“Intellectual property refers to creations of the mind: inventions, literary and artistic works, and symbols, names, images, and designs used in commerce”

Need to Protect IP

• $$$$$$$!!
• Industrial Espionage
• Recent articles - spying by China

http://apnews.myway.com/article/20071115/D8SU6FE80.html

http://www.washingtonpost.com/wp-dyn/content/article/2007/11/15/AR2007111501099.html

The US-China Economic and Security Review Commission's annual report to Congress says:

"Chinese espionage activities in the US are so extensive that they comprise the single greatest risk to the security of American technologies."

Personal Information

Hawaii State Law definition:

"Personal information" means an individual's first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted:

(1) Social security number;
(2) Driver's license number or Hawaii identification card number; or
(3) Account number, credit or debit card number, access code, or password that would permit access to an individual's financial account.

PI or not PI?

• J. Smith: 555-66-777
• J. Smith: (808) 999-8888
• John Smith: 123 University Avenue
• John S.: 555-66-7777
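The statutory definition on the previous slide is, in effect, a three-part test: a qualifying name, at least one qualifying data element, and at least one of the two left unencrypted. The following Python is an added example written for this page (it is not from the presentation or from UH) that encodes that test the way a data-discovery scanner would apply it to stored records. The `Record` shape, the element labels, the name and SSN patterns, and every sample value are constructed for illustration; the patterns follow the literal wording of the definition, and what counts as a "recognisable" SSN is this example's assumption, not the law's.

```python
import re
from dataclasses import dataclass, field

# Data elements the quoted definition enumerates. The labels are chosen for this
# example; a real scanner would map its own column names onto them.
QUALIFYING_ELEMENTS = {
    "ssn",              # (1) social security number
    "drivers_license",  # (2) driver's license / Hawaii identification card number
    "hawaii_id",
    "account_number",   # (3) account/card number, access code or password that
    "card_number",      #     would permit access to a financial account
    "access_code",
    "password",
}

# "first name or first initial and last name": one token that is a full first
# name or an initial, followed by a last name of two or more letters.
# "J. Smith" and "John Smith" match; "John S." does not (no last name).
NAME_RE = re.compile(r"^[A-Za-z](?:[A-Za-z]+|\.?)\s+[A-Za-z][A-Za-z'\-]+$")
# Assumption for this example: an SSN must look like one before it is counted.
SSN_RE = re.compile(r"^\d{3}-\d{2}-\d{4}$")


@dataclass
class Record:
    """One stored record: a name plus zero or more data elements."""
    name: str
    elements: dict = field(default_factory=dict)   # label -> value
    name_encrypted: bool = False
    elements_encrypted: bool = False


def has_qualifying_name(name: str) -> bool:
    return NAME_RE.match(name.strip()) is not None


def qualifying_elements(elements: dict) -> set:
    """Labels of the elements that satisfy the definition."""
    found = set()
    for label, value in elements.items():
        if label not in QUALIFYING_ELEMENTS:
            continue            # phone numbers, street addresses, ... do not count
        if label == "ssn" and not SSN_RE.match(str(value)):
            continue            # not recognisable as an SSN
        found.add(label)
    return found


def is_personal_information(rec: Record) -> bool:
    """True when the record meets the Hawaii definition."""
    if not has_qualifying_name(rec.name):
        return False
    if not qualifying_elements(rec.elements):
        return False
    # The definition applies "when either the name or the data elements are not
    # encrypted": only encrypting both takes the record out of scope.
    return not (rec.name_encrypted and rec.elements_encrypted)


# Constructed sample records; the values are placeholders, not real data.
SAMPLES = {
    "initial_plus_ssn":   Record("J. Smith", {"ssn": "000-00-0000"}),
    "name_plus_phone":    Record("John Smith", {"phone": "(808) 000-0000"}),
    "name_plus_address":  Record("John Smith", {"address": "123 Example Street"}),
    "no_last_name":       Record("John S.", {"ssn": "000-00-0000"}),
    "both_encrypted":     Record("Jane Doe", {"card_number": "0000000000000000"},
                                 name_encrypted=True, elements_encrypted=True),
    "ssn_encrypted_only": Record("Jane Doe", {"ssn": "000-00-0000"},
                                 name_encrypted=False, elements_encrypted=True),
}


def classify_all(samples=SAMPLES) -> dict:
    """Map each sample label to the PI decision for it."""
    return {label: is_personal_information(rec) for label, rec in samples.items()}


if __name__ == "__main__":
    for label, decision in classify_all().items():
        print(f"{label:20s} PI={decision}")
```

Two design points matter for anyone turning this into a real scanner. First, the encryption clause is an "and", not an "or": a name stored in plaintext beside an encrypted SSN is still PI, which is why the storage slides later say to encrypt as much as possible rather than just the "secret" column. Second, the name test is where most false negatives hide; the literal wording requires a last name, so a scanner that only looks for SSN-shaped strings will both over- and under-report relative to the statute.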

Misuse of Personal Information

• Financial Fraud & ID Theft
• Open new credit accounts
• Write counterfeit checks against your accounts
• Unauthorized credit card purchases via phone or Internet
• Commit other acts of financial fraud

Other Misuses of Your Information

• Obtain official identification in your name

• Get a job in your name
• File fraudulent taxes in your name
• Ruin your financial & credit record

Protecting Your Own Information

• Annual credit check: http://www.annualcreditreport.com

• Opt-out: 1-888-567-8688 http://www.optoutprescreen.com

• Use a cross-cut shredder to destroy personal information

• Use locking mailboxes / use US postal mailboxes for outgoing mail

• Ensure receipt of & review monthly statements

More Tips

• Don't respond to unsolicited requests for personal information
• Beware of scams
• Change your passwords regularly
• Online shopping: make sure shopping websites are secured
• Secure your computer
• Securely erase personal information stored on your computer
• Beware of peer-to-peer applications

Hawaii State Laws

• 2006: new state laws regarding identity theft: http://starbulletin.com/2006/05/26/news/story06.html

New State Laws

• Social Security Number Protection (HRS 487J)
• Security Breach Notification (HRS 487N)
• Destruction of Personal Information (HRS 487R)
• Security Freeze (HRS 489P-1, 489P-2, 489P-3)
• Reporting requirements

Social Security Number Protection

• Effective July 01, 2007
• Restricts businesses and government agencies from disclosing SSNs to the general public

• http://www.capitol.hawaii.gov/hrscurrent/Vol11_Ch0476-0490/HRS0487J/

Security Breach Notification

• Effective January 01, 2007
• Businesses & government agencies must notify individuals if their personal information has been compromised by unauthorized access/disclosure

• http://www.capitol.hawaii.gov/hrscurrent/Vol11_Ch0476-0490/HRS0487N/

Destruction of Personal Information Records

• Effective January 01, 2007
• Businesses & government agencies need to properly dispose of "personal information"

• http://www.capitol.hawaii.gov/hrscurrent/Vol11_Ch0476-0490/HRS0487R/

Security Freeze

• Victim of identity theft can place a “security freeze” on their credit information

• "Fraud Alert" vs. "Security Freeze"
• http://www.capitol.hawaii.gov/hrscurrent/Vol11_Ch0476-0490/HRS0489P/HRS_0489P-.HTM

Reporting Requirements

“A government agency shall submit a written report to the legislature within twenty days after the discovery of a material occurrence of unauthorized access to personal information records in connection with or after its disposal by or on behalf of the government agency.”

E2.214: The New UH Information Security Policy

Why the New Policy?

• Audit compliance & accountability
• UH "breach" June 2005: http://www.hawaii.edu/idalert/

• UH General Confidentiality Notice: http://www.hawaii.edu/ohr/docs/forms/uh92.pdf

UH Information Security Policy

• System-wide policy: E2.214: “Security & Protection of Sensitive Information”

• Signed by President McClain on November 21, 2007

• Encompasses handling of “sensitive” information

• Online at: http://www.hawaii.edu/apis/ep/e2/admin.html

Policy Overview

• Defines classifications of information:
  • Private
  • Sensitive
• Defines roles and responsibilities:
  • Steward
  • Custodian
  • User

Overview - continued

• Collection, access, & handling of information:
  • At rest
  • In transit
  • Disposal
• ITS recommendations for "tools"
• Breach Notification (mandated by state law)

Data Classification

• Public
• Sensitive (examples - not all encompassing):
  • Student records (FERPA)
  • Health information (HIPAA)
  • Personal financial info
  • SSN
  • Date of Birth
  • Private home addresses & phone numbers
  • Driver's license numbers & State ID numbers
  • Access codes, passwords, PINs, etc.
  • And more…

Roles & Responsibilities

• Information Resource Stewards
• Data Custodians
• User
  • Sign UH Confidentiality Notice

Information Resource Stewards

• Senior administrators responsible for functional operations

• Responsible for granting access to and classifying data

• Responsible for minimizing use and exposure

• May also function as data custodians

Data Custodians

• Managers/administrators of systems or media on which sensitive information resides

• Responsible for implementing and administering controls over the resources in accordance with all policies

• Downloading of sensitive information by a user makes them a “custodian”

Users

• Individuals granted access to sensitive information as required by their professional responsibilities

• Responsible for understanding and complying with applicable UH policies, procedures and standards for dealing with sensitive information

Access

• Granted by Steward or Designee
• Process by which access is requested
• Should be on a "need-to-know" basis
• Access must be terminated immediately upon job change or resignation/termination

Transmission - Paper

• Delivered in sealed envelope
• Clearly marked for the intended recipient
• Marked "CONFIDENTIAL"
• Faxes must be promptly retrieved and protected at both ends

Transmission - Electronic

• Sensitive information must not be sent “in the clear” including in email & attachments

• Use secure web servers when using web technologies to access sensitive information

• Use “encryption” when doing digital transmissions

Email Transmission

• Minimize use of email for sending sensitive information

• Use special care to ensure only intended recipient gets the email

• Both sender and receiver should delete email as soon as possible

• Sender should include a notice in the email informing the recipient that it contains sensitive information and requesting appropriate handling

Email Notice

CONFIDENTIALITY NOTICE: The contents of this email message and any attachments are intended solely for the addressee(s) and may contain confidential and/or privileged information and may be legally protected from disclosure. If you are not the intended recipient of this message or their agent, or if this message has been addressed to you in error, please immediately alert the sender by reply email and then delete this message and any attachments. If you are not the intended recipient, you are hereby notified that any use, dissemination, copying, or storage of this message or its attachments is strictly prohibited.

Electronic Storage

• Sensitive information should be stored only when specifically required and on as few systems/media as possible

• Systems must comply with basic computer security standards

• Use encryption as much as possible
• If stored unencrypted, systems must be in physically secure and controlled environments

• De-coupling of data
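"De-coupling of data" means keeping the identifying part of a record (the name) and the sensitive data element (the SSN) in separate stores, joined only by a random surrogate key, so that a leak of either store on its own does not hand an attacker the name-plus-element combination that the state definition of personal information hinges on. The Python below is an added example for this page, not code from the presentation or from UH: it uses two in-memory SQLite databases to stand in for two separately secured systems, and the table layout, column names and sample values are all constructed assumptions.

```python
import secrets
import sqlite3

# Two independent stores standing in for two separately secured systems.
# Table and column names are assumptions made for this example.


def build_stores():
    identity = sqlite3.connect(":memory:")
    identity.execute(
        "CREATE TABLE person (token TEXT PRIMARY KEY, first_name TEXT, "
        "last_name TEXT, department TEXT)"
    )
    sensitive = sqlite3.connect(":memory:")
    sensitive.execute("CREATE TABLE element (token TEXT PRIMARY KEY, ssn TEXT)")
    return identity, sensitive


def add_person(identity, sensitive, first, last, dept, ssn):
    """Store the identity and the sensitive element in different databases."""
    # A random surrogate key, not a hash of the SSN: a hash could be recomputed
    # from the SSN, which would let the element table be re-linked on its own.
    token = secrets.token_hex(16)
    identity.execute("INSERT INTO person VALUES (?, ?, ?, ?)", (token, first, last, dept))
    sensitive.execute("INSERT INTO element VALUES (?, ?)", (token, ssn))
    identity.commit()
    sensitive.commit()
    return token


def ssn_for(identity, sensitive, first, last):
    """Only a caller with access to BOTH stores can re-join name and SSN."""
    row = identity.execute(
        "SELECT token FROM person WHERE first_name = ? AND last_name = ?", (first, last)
    ).fetchone()
    if row is None:
        return None
    element = sensitive.execute(
        "SELECT ssn FROM element WHERE token = ?", (row[0],)
    ).fetchone()
    return element[0] if element else None


def columns(conn, table):
    # The table name is a fixed constant here, never user input.
    return [r[1] for r in conn.execute("PRAGMA table_info(%s)" % table)]


def leaked_store_has_pi(conn, table):
    """Would a dump of this one store, by itself, contain a name AND a
    qualifying data element (the combination the definition requires)?"""
    cols = set(columns(conn, table))
    has_name = {"first_name", "last_name"} <= cols
    has_element = bool(cols & {"ssn", "drivers_license", "account_number"})
    return has_name and has_element


def demo():
    identity, sensitive = build_stores()
    add_person(identity, sensitive, "Jane", "Doe", "Registrar", "000-00-0000")  # constructed
    return {
        "lookup": ssn_for(identity, sensitive, "Jane", "Doe"),
        "identity_alone_is_pi": leaked_store_has_pi(identity, "person"),
        "element_alone_is_pi": leaked_store_has_pi(sensitive, "element"),
    }


if __name__ == "__main__":
    print(demo())
```

De-coupling is complementary to the encryption bullet above it, not a substitute: in practice the element store would also be encrypted at rest and sit on a system with far fewer users than the identity store, and a compromise of one host then yields neither the name-to-element link nor a plaintext SSN.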

Mobile Devices

• Does it need to be stored on a mobile device??
• ENCRYPT, Encrypt, encrypt!
• Physically secure devices as much as possible
• Examples of mobile devices:
  • Laptops
  • CDs/DVDs
  • Flash drives
  • External portable drives
  • PDAs
  • Cell phones
  • Mobile media players (iPods, MP3 players, etc.)
  • Magnetic tapes

Destruction

• Paper: use cross-cut shredders or contract shredding companies w/ credentials
• Electronic:
  • Erasable: secure deletion tools (see ITS recommendations)
  • Unerasable: physical destruction
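A "secure deletion tool" differs from an ordinary delete in one way: it overwrites the file's blocks before removing the directory entry, so the data cannot be recovered simply by reading the freed blocks. The Python below is an added example written for this page (not one of the ITS-recommended tools and not code from the presentation) that does exactly that for a single file; the chunk size and the sample file content are constructed for illustration.

```python
import os
import secrets
import tempfile

CHUNK = 64 * 1024   # bytes written per iteration (assumed size)


def secure_delete(path, passes=1):
    """Overwrite the file's contents in place with random bytes, force the
    writes to disk, then unlink it. Returns the total bytes written.

    Limits that matter in practice: this only reaches the blocks the file
    occupies NOW. Wear-levelling on SSDs and flash drives, journaling or
    copy-on-write file systems, snapshots, backups and earlier copies of the
    file are untouched, which is why media that cannot be reliably erased is
    physically destroyed instead.
    """
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        for _ in range(passes):
            f.seek(0)
            remaining = size
            while remaining > 0:
                n = min(CHUNK, remaining)
                f.write(secrets.token_bytes(n))
                remaining -= n
            f.flush()
            os.fsync(f.fileno())   # make sure the overwrite hit the disk
    os.remove(path)
    return size * passes


def demo():
    """Create a throwaway file holding constructed 'sensitive' text, wipe it,
    and report (bytes overwritten, whether the file still exists)."""
    fd, path = tempfile.mkstemp()
    with os.fdopen(fd, "wb") as f:
        f.write(b"SSN 000-00-0000 (constructed)\n" * 1000)
    written = secure_delete(path)
    return written, os.path.exists(path)


if __name__ == "__main__":
    print(demo())
```

Because of the limits noted in the docstring, a wipe of the last copy should be treated as the end of a process, not the whole of it: the earlier slides' advice to store sensitive information on as few systems as possible is what keeps the number of copies that need destroying small enough to track.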

Tools & Information

• http://www.hawaii.edu/askus/729, "Information Security" section
• Securing Your Desktop Computer: http://www.hawaii.edu/askus/593
• UH Filedrop: http://www.hawaii.edu/askus/673
• Encryption
  • Windows: http://www.hawaii.edu/itsdocs/win/gswwindowsencryption.pdf
  • Macs: http://www.hawaii.edu/askus/676
• Securely Deleting Electronic Information: http://www.hawaii.edu/askus/706
  • Windows: http://www.hawaii.edu/itsdocs/win/secureerasewin.pdf

Notification of Breaches

• Must notify all affected individuals
• Reported to the Legislature
• Timely notice
• Contents: clear & conspicuous and include:
  • Description of incident
  • Type of information that was disclosed
  • Remediation and prevention actions taken
  • Telephone number and email address to call for further information & assistance
  • General advice on protection against identity theft
• Example: www.hawaii.edu/idalert

Recommended System Configurations

• Do you REALLY need to keep that INFO?
• Minimize physical access
• Minimize technological access
  • Password protected with "secure password"
  • Firewall, network IPS, host IPS, etc.
  • Private IP addresses

• Frequently & routinely update OS and applications (install patches on a regular basis)

• Check access logs daily

Backups

• Backup of sensitive information must be protected

• Transmission of backups of sensitive information must be protected

Questions?

Jodi Ito, Information Security Officer, ITS

jodi@hawaii.edu