Information Security


Obtaining, Storing and Using Confidential Data
October 2, 2014
Georgia Department of Audits and Accounts
Headlines

Entity                      Records       Year  Type
Target                      70 Million    2013  Credit Card Breach
Community Health Systems    4.5 Million   2014  HIPAA Breach
UPS                         Unknown       2014  Credit Card Breach
LinkedIn                    6.5 Million   2012  Passwords Stolen
LivingSocial                50 Million    2013  Password & PII Breach
Walgreens                   100,000       2013  PHI Breach
Home Depot                  56 Million    2014  Credit Card Breach
South Carolina DOR          3.6 Million   2012  PII Breach
TriCare                     4.6 Million   2012  HIPAA Breach
Total Number of Records Exposed: About 17.8 Million
Total Number of Data Breaches, Jan through Sept 2, 2014: 521
Source: Identity Theft Resource Center
First Things First
- Security Awareness
- Data Classification
- Risk Assessments
Security Awareness
Establish Policies -> Staff IT Policies
Educate Staff -> Awareness Training
Enforce Compliance -> Monitoring
Security Awareness
- Staff are required to go through security awareness training every year
- Last year we purchased the SANS training "Securing the Human"
- In prior years the IT Division developed the training itself and focused on:
  - IT policies
  - Current security events that have occurred in public
Security Awareness Emphasis
SecUrity is everyone's responsibility, and "U" are at the center.
Make sure U are not the weakest link.
Security Awareness Emphasis
Be a good example to the entities that you audit. We should be setting the example for good SecUrity.
Data Classification
- Once you have trained, you need to make sure all data is classified.
- Data classification: classifying the data based on its level of sensitivity/confidentiality and the impact to our office in the event the data is disclosed, altered or destroyed without authorization.
- The classification of data helps determine what baseline security controls are appropriate for safeguarding that data.
Data Classification
- GA Department of Audits is in the process of classifying all our confidential data
- Developing a Department Catalog to identify datasets and business owners
Data Classification Catalog
Data Classification
Questions to ask
- Where is my sensitive/confidential data?
- Can I manage all copies and versions of confidential data?
- Is all confidential data appropriately protected?
- Who can access confidential data?
- Is confidential data required for the audit?
- Is confidential data being sent or transferred out (email and/or removable media)?
- Are the correct security processes being applied to confidential data?
- What about retention of confidential data?
What should be kept confidential?
Risk Assessment
- After we do a Data Classification we will be doing a risk assessment:
  - Select a risk assessment methodology (a repeatable process)
  - Use data classification information
  - Determine gaps in security
  - Assess potential risks, threats and vulnerabilities
  - Risk = Likelihood * Impact
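A worked example of the Risk = Likelihood * Impact step, driven by the data classification catalog from the previous slides. This is added example code, not anything from the DOAA deck: the four classification levels, the baseline controls required per level and the 1-4 likelihood model are assumptions chosen for illustration, and the catalog rows are made up. What it shows is the link the slides draw but do not spell out: classification fixes the impact and the required controls, the controls actually in place fix the likelihood, and the product ranks the catalog so the gaps with the highest risk get treated first.

```python
from __future__ import annotations
from dataclasses import dataclass

# Assumed classification scale and impact weights (the deck does not list its levels).
IMPACT = {"Public": 1, "Internal": 2, "Confidential": 3, "Restricted": 4}

# Assumed baseline controls per level: classification decides what must be in place.
BASELINE = {
    "Public": (),
    "Internal": ("access_restricted",),
    "Confidential": ("encrypted_at_rest", "access_restricted", "stays_in_office"),
    "Restricted": ("encrypted_at_rest", "access_restricted", "stays_in_office"),
}


@dataclass(frozen=True)
class Dataset:
    """One row of the catalog: what it is, who owns it, how it is classified,
    and which controls are actually in place for it."""
    name: str
    owner: str
    classification: str
    encrypted_at_rest: bool    # field-level encryption, PGP/BitLocker on the drive, ...
    access_restricted: bool    # only the audit team that needs it can read it
    leaves_the_office: bool    # e-mailed out or copied to removable media


def gaps(ds: Dataset) -> list[str]:
    """The 'determine gaps in security' step: required controls that are missing."""
    in_place = {
        "encrypted_at_rest": ds.encrypted_at_rest,
        "access_restricted": ds.access_restricted,
        "stays_in_office": not ds.leaves_the_office,
    }
    return [control for control in BASELINE[ds.classification] if not in_place[control]]


def likelihood(ds: Dataset) -> int:
    """Assumed 1-4 model: 1 with every required control present, +1 per gap, capped at 4."""
    return min(1 + len(gaps(ds)), 4)


def impact(ds: Dataset) -> int:
    """Impact comes straight from the classification, which is why classification precedes assessment."""
    return IMPACT[ds.classification]


def risk(ds: Dataset) -> int:
    """Risk = Likelihood * Impact, as on the slide."""
    return likelihood(ds) * impact(ds)


def risk_register(catalog: list[Dataset]) -> list[tuple[str, int, list[str]]]:
    """Rank the catalog by risk, highest first, with the gaps that drive each score."""
    rows = [(ds.name, risk(ds), gaps(ds)) for ds in catalog]
    return sorted(rows, key=lambda row: row[1], reverse=True)


# Constructed sample catalog (hypothetical datasets, not DOAA's real inventory).
CATALOG = [
    Dataset("Medicaid claims extract", "Performance Audit", "Restricted",
            encrypted_at_rest=True, access_restricted=False, leaves_the_office=False),
    Dataset("Payroll file from audited entity", "Financial Audit", "Confidential",
            encrypted_at_rest=False, access_restricted=True, leaves_the_office=True),
    Dataset("Published audit reports", "Communications", "Public",
            encrypted_at_rest=False, access_restricted=False, leaves_the_office=True),
]

if __name__ == "__main__":
    for name, score, missing in risk_register(CATALOG):
        print(f"{score:2d}  {name}: {', '.join(missing) or 'no gaps'}")
```

Note that the payroll file outranks the Medicaid extract even though the extract carries the higher classification: two missing controls on Confidential data score higher than one missing control on Restricted data. That is the kind of result the repeatable method is meant to surface, rather than ranking purely by label.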
Risk Assessment
If there was a breach, make sure you think about things such as:
- Reputation
- Credibility
- Cost to investigate
- Credit monitoring services for those affected
GA State Law 50-6-29
Obtaining Confidential Data
- Give the DOAA Confidentiality Form to the entity
  - Sometimes the entity wants to modify the form, especially in regard to how long we can keep the data
  - The entity's lawyer usually wants to get involved
- Federal law supersedes State law
- The data and system may be with a 3rd party
- Try to get the data well in advance of the start of the audit
- Entity stalling practices:
  - Too big
  - Wrong format
Transmitting Confidential Data
- For most transfers we use a product called Accellion Secure File Transfer
- If it is a large dataset, we will give the entity an encrypted drive to copy the data to
Storing Confidential Data
- Encryption
  - In Oracle: work with the business owner to make sure field-level encryption is on datasets
  - Laptops: use PGP to encrypt all laptops
  - Flash drives: for HIPAA data, encrypt all flash drives with PGP
  - Looking at BitLocker to start encrypting all DOAA flash drives and possibly laptops
  - Backups are encrypted
Using Confidential Data
- In the Oracle DB: if data fields have to be decrypted, an email is sent to IT and the manager of the project to alert them that data fields were decrypted
- DLP (Data Loss Prevention): we use Cisco's appliance for email DLP violations
  - Notification is sent to the ISO and IT Director on a DLP violation; make sure it is not a false positive
  - The employee's Director is notified of any DLP violation in order to guide employees' behavior to be more security conscious
Destroying Confidential Data
- Destruction of data: auditors are responsible for destroying confidential data at the end of the audit or, if it is needed for work papers, at the end of the retention period of 5 years.
  - Auditors are provided with software (PGP Shredder) that facilitates the destruction of confidential electronic data by overwriting the data with random text, repeating this process through multiple passes.
  - Records managers in each Division ensure compliance
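The overwrite-and-unlink behaviour described for PGP Shredder, written out as an added Python example (not DOAA's or PGP's code) so the mechanism and its limits are visible. The caveat a practitioner should carry alongside the slide: in-place overwriting only destroys data where the storage really rewrites the same blocks. SSD wear levelling, copy-on-write or journaling filesystems, cloud sync and the encrypted backups on the previous slide all keep other copies, so the reliable complement is full-volume encryption (the PGP/BitLocker slide) plus destruction of the key. Function names, the pass count and the sample "work paper" are the example's own.

```python
import os
import secrets
import tempfile


def overwrite(path: str, passes: int = 3, chunk: int = 64 * 1024) -> int:
    """Overwrite every byte of `path` with fresh random data, `passes` times,
    forcing each pass to disk with fsync. Returns the number of bytes overwritten
    per pass. Refuses symlinks so a planted link cannot redirect the overwrite
    at some other file."""
    if os.path.islink(path):
        raise ValueError(f"refusing to follow symlink: {path}")
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        for _ in range(passes):
            f.seek(0)
            remaining = size
            while remaining:
                n = min(chunk, remaining)
                f.write(secrets.token_bytes(n))   # random text, as the slide describes
                remaining -= n
            f.flush()
            os.fsync(f.fileno())   # each pass must reach the disk, not just the page cache
    return size


def secure_delete(path: str, passes: int = 3) -> bool:
    """Overwrite, then rename to a random name before unlinking so the original
    filename (often itself revealing, e.g. 'entity_payroll.xlsx') does not linger
    in the directory entry. Returns True once the file is gone."""
    overwrite(path, passes)
    anonymous = os.path.join(os.path.dirname(path) or ".", secrets.token_hex(8))
    os.rename(path, anonymous)
    os.remove(anonymous)
    return not os.path.exists(path) and not os.path.exists(anonymous)


def demo() -> tuple[bool, bool, bool]:
    """Create a temporary 'work paper' (constructed sample), confirm that one pass
    really replaces its content without changing its size, then shred it.
    Returns (content_replaced, size_preserved, file_gone)."""
    original = b"CONFIDENTIAL TAXPAYER RECORD\n" * 200
    fd, path = tempfile.mkstemp(suffix=".txt")
    with os.fdopen(fd, "wb") as f:
        f.write(original)
    overwrite(path, passes=1)
    with open(path, "rb") as f:
        after = f.read()
    gone = secure_delete(path)
    return after != original, len(after) == len(original), gone


if __name__ == "__main__":
    print(demo())   # expected (True, True, True)
```

The demo reads the file back between the overwrite and the unlink only to show that the bytes changed; a real shredder would not reopen the file. It also only handles the one file it is given: earlier versions, temp copies and anything already backed up are exactly the "all copies and versions" question from the data classification slide, and no overwrite tool answers it.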
Additional tools
- Evaluating a product called Sensitive Data Manager by Identity Finder
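Three slides ask the same question in different ways: "Where is my sensitive/confidential data?" under Questions to ask, "make sure it is not a false positive" on a DLP alert, and the Sensitive Data Manager evaluation above. An added Python example, not DOAA's, Cisco's or Identity Finder's code, of the core of such a tool: pattern matching for SSNs and payment card numbers with the validation steps that keep false positives down (the SSA's never-issued ranges, the Luhn check digit), reporting masked values so the findings report is not itself confidential. The patterns, names and sample text are the example's own constructions.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Assumed patterns: US SSNs written 3-2-4, and card numbers of 13-19 digits with
# optional single spaces or dashes between digits.
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


@dataclass(frozen=True)
class Finding:
    kind: str     # "SSN" or "CARD"
    masked: str   # all but the last four digits masked
    line: int


def luhn_ok(digits: str) -> bool:
    """Luhn check digit test: a random digit string passes it only one time in ten,
    so it removes most numeric false positives for card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def ssn_plausible(area: str, group: str, serial: str) -> bool:
    """Structural rules published by the SSA: area 000, 666 and 900-999, group 00
    and serial 0000 are never issued, so such matches are false positives."""
    a, g, s = int(area), int(group), int(serial)
    return a not in (0, 666) and a < 900 and g != 0 and s != 0


def mask(value: str) -> str:
    """Keep only the last four digits so the report can be e-mailed without
    itself becoming a DLP violation."""
    digits = re.sub(r"\D", "", value)
    return "*" * (len(digits) - 4) + digits[-4:]


def scan_text(text: str) -> list[Finding]:
    """Scan line by line and return only findings that survive validation."""
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in SSN_RE.finditer(line):
            if ssn_plausible(*m.groups()):
                findings.append(Finding("SSN", mask(m.group(0)), line_no))
        for m in CARD_RE.finditer(line):
            digits = re.sub(r"\D", "", m.group(0))
            if luhn_ok(digits):
                findings.append(Finding("CARD", mask(digits), line_no))
    return findings


# Constructed sample standing in for a work paper or outbound e-mail body.
# 078-05-1120 is the well-known specimen SSN; 4111 1111 1111 1111 is a test card number.
SAMPLE_TEXT = (
    "Employee SSN: 078-05-1120\n"          # flagged: structurally valid
    "Ticket ref: 987-65-4320\n"            # ignored: area 900-999 is never issued
    "Card on file: 4111 1111 1111 1111\n"  # flagged: passes Luhn
    "Invoice no.: 4111 1111 1111 1112\n"   # ignored: fails Luhn
    "Phone: 404-555-0100\n"                # ignored: too short for either pattern
)

if __name__ == "__main__":
    for f in scan_text(SAMPLE_TEXT):
        print(f"line {f.line}: {f.kind} {f.masked}")
```

Validation cuts the noise but does not make the result authoritative: the ticket reference and the invoice number are dropped as false positives, while a genuine card number written with unusual separators would be missed. That is why the DLP slide routes every alert through a human check before the employee's Director is told, and why the catalog of datasets and business owners matters more than any scanner.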
Final Thought
State of _________ Audit Department Breach
Questions
Lynn Bolton
(404) 657-9978
[email protected]