information (in)security

Post on 13-May-2015


Sunyeen (Sunny) Pai, Susan Murata

November 12, 2009

Hawaii Library Association Conference, Ko’olau Ballrooms

What is sensitive information?
Areas of concern for libraries
KCC's data breach
Data breach result
The laws and policies
KCC Library's response
Useful ideas

UH Sensitive Information
NAME +
  Social Security Number
  Hawaii driver's license
  Address
  Bank/Credit card info
  Date of Birth

FERPA & HIPAA
NAME +
  Social Security Number
  Health Information
  Financial Information
  Date of birth

Patron/User Registration records
Email notices and correspondence
Delinquent notices via paper or email
Social Security Numbers, Driver's license info
Collection Agency accounts
Tax Setoff Lists
Credit card payments
Date of birth
Shared passwords for login at Circ Desk

Financial aid counselor
Computer used to access financial aid server
Connected at the beginning of the day and stayed logged into the financial database all day
User behavior
  o Opened all attachments in email
  o Antivirus not up-to-date
  o Facebook and MySpace

Computer slowdown
Over 1500 viruses and malware
Computer found to have malware that was known to search for sensitive information and sent to Russian domain
Computer forensics expert called
15,763 letters sent out
Press release
Board of Regents and Legislature notified

 COST = over $10,000, excluding staff time

Federal
  FERPA - Family Educational Rights and Privacy Act

State
  Hawaii Revised Statutes (HRS)
    487J - Social Security Number Protection
    487N - Security Breach of Personal Information
    487R - Destruction of Personal Information Records

University of Hawaii
  E2.214 - Security and Protection of Sensitive Information

Support of UH Information Security Officer, KCC's head of information technology, and head of the library

Make everyone responsible for his/her behavior through information and coaching. 

Information Technology Team support
Vetting ITS recommendations such as
  o encryption and secure erase software
  o password testing software
  o filedrop service
  o passwording pdfs before email transmission

Daily virus updates and weekly scan
Weekly malware updates and weekly scan
Automate Windows XP updates
Meeting with work units -- auditing for areas of concern
Follow-up activities

 

Briefing document written for the employee in a "how-to" fashion aimed at both paper and electronic information:
  o unauthorized access
  o unauthorized monitoring of information use
  o destructive attacks stores and networks
  o unauthorized use of computers and networks

Simple software cheat sheets and assistance
Non-negotiable protocols: weekly malware updates & scans
Acknowledging everyone must be more conscientious
Asking everyone to look for problems and ask questions.

Presenters:
Sunny Pai (sunyeen@hawaii.edu)
Susan Murata (smurata@hawaii.edu)

A place you can download this presentation and other items:

http://sites.google.com/a/hawaii.edu/kcc-hla-2009/
