Page 1
© 2010 Clark Nuber. All rights reserved
Identity Theft and Data Responsibilities
November 16, 2010
Page 2
Summary
• Understand the issues
• Evaluate your risks
• Protect your company
• React to a breach
Identity Theft
Data Protection
Statements, Policies, Plans
Page 3
Identity Theft
• Credit cards
• Bank accounts
• New accounts
• Housing
• Utilities
Page 4
Risk Based Approach
The Program should take into consideration the size, scope of business, amount of resources, nature and quantity of data collected or stored, and the need for security [1].
Page 5
Mandates, Guidelines, Obligations
State of Washington [3]
State of Massachusetts [1, 2]
Federal Trade Commission Red Flags
Clients, customers, constituents
Employees
Perceptions
Page 6
Definitions
Personal Information [2]
Financial Institution or Creditor [4]
Covered Accounts [4]
Page 7
Red Flags Rule
An Identity Theft Prevention Program to detect the warning signs — or "red flags" — of identity theft in day-to-day operations [4, 5, 6].
Page 8
Information Security [7]
• Confidentiality
• Authorization
• Accountability
• Non-repudiation
• Authenticity
• Integrity
• Authentication
Page 9
Confidentiality
• Who should have access to the data?
– Username and password
– Encryption
– Physical location of computer
Page 10
User Accounts
• Require passwords (pass phrases)
• Block access after unsuccessful login attempts.
• Restrict access to "personal information" based on job duties.
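The three account controls on this slide, implemented together as an added illustration (not the presenter's or Clark Nuber's code): a minimum passphrase length, lockout after repeated failed logins, and job-duty based access to personal-information fields. The role names, field names, threshold values and usernames are assumptions chosen for the example.

```python
"""Account controls: passphrase length, lockout on failed logins, and
job-duty based access to personal information (illustrative example)."""
import hashlib, hmac, os, time

MIN_PASSPHRASE_LEN = 15      # assumed policy value
MAX_FAILED_ATTEMPTS = 5      # assumed policy value
LOCKOUT_SECONDS = 15 * 60    # assumed policy value

# Assumed job roles and the personal-information fields each may read.
PI_ACCESS = {"payroll": {"name", "ssn", "bank_account"},
             "helpdesk": {"name"},
             "marketing": {"name", "email"}}

def hash_passphrase(passphrase, salt=None):
    """Salted, slow hash so a stolen user table is not directly usable."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 100_000)
    return salt, digest

class UserDirectory:
    def __init__(self):
        self.users = {}   # username -> account record

    def add_user(self, username, passphrase, job_role):
        if len(passphrase) < MIN_PASSPHRASE_LEN:
            raise ValueError("passphrase shorter than policy minimum")
        salt, digest = hash_passphrase(passphrase)
        self.users[username] = {"salt": salt, "hash": digest, "role": job_role,
                                "failed": 0, "locked_until": 0.0}

    def login(self, username, passphrase, now=None):
        """Returns 'ok', 'denied' or 'locked'; unknown users get 'denied'."""
        now = time.time() if now is None else now
        rec = self.users.get(username)
        if rec is None:
            return "denied"
        if now < rec["locked_until"]:      # checked before hashing: a locked
            return "locked"                # account reveals nothing about the guess
        _, digest = hash_passphrase(passphrase, rec["salt"])
        if hmac.compare_digest(digest, rec["hash"]):
            rec["failed"] = 0
            return "ok"
        rec["failed"] += 1
        if rec["failed"] >= MAX_FAILED_ATTEMPTS:
            rec["failed"] = 0
            rec["locked_until"] = now + LOCKOUT_SECONDS
            return "locked"
        return "denied"

def read_personal_info(directory, username, record):
    """Return only the fields the user's job role is allowed to see."""
    allowed = PI_ACCESS.get(directory.users[username]["role"], set())
    return {k: v for k, v in record.items() if k in allowed}
```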
Page 11
Passwords
• Pass phrases
• No sharing
• Not written down
• Not transmitted in email
Page 12
Vulnerabilities
• Targeted attacks
• Penetration
• Inside intentional
• Inside accidental
• Email
• Laptops
• Desktops
Page 13
Deterrents
• Two factor authentication
• Know where personal information is:
• Inventories of laptops, desktops, servers, applications, data sets.
Page 14
Testing and Assessment
• External Penetration
• Internal inspection of infrastructure
• Network permissions
• Internal password cracking
• Policy inspection
• Software code inspection
• Training effectiveness
Page 15
Security Classifications
• Physical – Stolen laptops, locked server room
• Logical – usernames, passwords, two-factor
• Transmissions – email, file transfer
• Applications – especially custom written
• Social – impersonating tech. support
Page 16
Policies, Procedures, Plans
• For customers, clients, constituents
– Privacy and Confidentiality Policy [8]
– Security Statement [9]
– Security Overview [10]
– Third Party provider summary [11]
Page 17
Policies, Procedures, Plans
• For employees
– Acceptable Use Policy
– Professional Ethics & Standards Policy
• For management
– Security Policy
– Data Breach Incident Response Plan [12]
Page 18
Training
• Employees should know: [1]
– What information they have access to
– What their responsibilities are regarding it
• Document all training!
Page 19
Information Security Policy [13]
Who is the audience?
Why will they read it?
What decisions will they make after reading?
Purpose
Assure management that information is safe from theft and loss.
Page 20
Information Security Operations
• Here is a list of our data.
• Here is its location.
• This is who has access to it.
• Here is what we do to protect it.
• Here is what we do if we lose it.
Page 21