Data Security Issues in IR

Eileen DriscollInstitutional Planning and ResearchCornell University

efd2@cornell.edu

What IR practitioners can do

Legal consequences of data loss

Resources

Don’t take work home

• If you must access student or other sensitive data from home, use a secure connection like Remote Desktop in Windows XP

• Use a VPN connection• Wireless access

– Create a closed network– Rename network– Encrypt– Update software regularly– Set adminstrator password– Disable file sharing

At Work

• Store student data files on a secure server, not on your personal computer

• Turn your computer off at night if you can be backed up during the day

• Strip identifying student information from data files when you work on them (ssn, address, name)

Securing your computer

• Run an anti-virus program daily• Enable file autoprotect (Symantec Anti-Virus)• Use complex passwords (test with password tester)• Activate Windows Firewall• Run Spybot, Windows Defender and Ad-Aware

frequently• Secure Delete

Secure your computer (cont)

• Turn off file sharing on your computer• Turn off guest accounts• Don’t use the administrator account on your

computer for routine work• Turn on a password protected screen saver for when

you are away from your computer• Lock your office• Monitor your network traffic and usage• Turn off FTP if you are not using it

Secure your computer (cont)

• Clear out your web browser cache• Set Windows to automatic update• Be sure that your anti-virus software is updated

frequently

When traveling with a laptop

• Use an encrypted flash (thumb) drive• Keep close physical possession of your computer

and data• Remove sensitive data from the laptop before travel• If you need sensitive data, store it on a separate

device like a CD and store it separately from the laptop

• Use full disk encryption

Sharing data

• Zip and password protect before sending• Try not to send files via email• Cornell has the registrars drop box. Files are

encrypted during transport over SSL (https://) using strong encryption only.

New York Information Security Breach and Notification Act

• Any NYS resident whose private information was acquired by a person without valid authorization must be notified

• You must notify the NYS attorney general, NYS consumer protection board, NYS office of cybersecurity

• Other states, including California, are passing similar laws

What to do if data security is breached

• Notify security office– Scan– Traffic analysis– Image– System (log) analysis

• IT security may report to data loss team (audit, police, counsel, communications, risk management, IT, representatives from unit)

Resources

http://www.cit.cornell.edu/computer/security/secure.html

Securing your web browser http://www.cert.org/tech_tips/securing_browser/

EDUCAUSE http://www.educause.edu/security

Using wireless technology securely http://www.us-cert.gov/reading_room/Wireless-Security.pdf

Procedures for dealing with security breach http://www.cit.cornell.edu/computer/security/data-loss-prepare.html