
Upload: datacenters

Posted on 08-Jan-2017

Page 2

Today’s Agenda

9:00 – 9:05 Welcome and Orientation (Dennis Dearbaugh, DTS)

9:05 – 10:05 Media Chain of Custody Presentation (Terry DiVittorio, Project Performance Corp.)

10:05 – 10:25 Questions & Answers (Terry)

10:25 – 10:30 Wrap-Up (Dennis)

Page 3

DTS Introduction

• Welcome!

– Dennis Dearbaugh, Director of DTS Operations

– Presentation slides and video will be available on the DTS website

– Evaluation survey – tell us what other IT topics interest you

• Upcoming DTS Technology Days and Customer Forums

• IT Security Forum – Feb 13 (DTS Training & Events Center)

• Network Customer Forum – tentatively scheduled for March

• Cal Net II Customer Forum – tentatively scheduled for March 8

• Look for more DTS events coming soon at http://www.dts.ca.gov/news_events/

Page 4

Protecting Personally Identifiable Information (PII): How can we account for it and who is responsible?

Department of Technology Services, State of California

23 January 2007

Terry DiVittorio, Director, Security & Privacy Solutions

Page 5

Agenda

What is PII and why all the hype?

What is the challenge?

What is being done?

What can we do?

How do we start?

Where do we go from there?

Summary and Closing

Questions/Answers

Resources and references

Page 6

Some context…

Increased demands for data

Data ‘leaving’ protected boundaries

New type of data vulnerability – PII

Technology not helping the problem

Page 7

What is PII and why all the hype?

Personally Identifiable Information (PII): any piece of information that can potentially be used to uniquely identify, contact, or locate a single person

Sometimes referred to as sensitive information: Information, the loss, misuse, or unauthorized access to or modification of, which could adversely affect the national interest or the conduct of federal programs, or the privacy to which individuals are entitled under 5 U.S.C. Section 552a (the Privacy Act)

Page 8

What is PII and why all the hype?

Personally Identifiable Information

Full name (if not common)

National identification number

Telephone number

Street address

E-mail address

IP address (in some cases)

Vehicle registration plate number

Driver's license number

Face, fingerprints, or handwriting

Credit card numbers

Date of birth

Page 9

What is PII and why all the hype?

PII is being lost, compromised, mishandled…

In February 2005, nearly 35,000 State of California residents and over 110,000 non-California residents fell victim to a compromise of ChoicePoint databases, where criminals successfully accessed and viewed the PII of these more than 145,000 people.

In early 2005, Bank of America admitted that the company had lost data tapes containing federal workers' customer and account information. The bank confirmed that a number of computer data tapes were lost during shipment to a backup data center. The missing tapes contained U.S. federal government charge card program customer and account information.

Page 10

What is PII and why all the hype?

PII is being lost, compromised, mishandled…

In mid-2005, CitiGroup reported that backup tapes containing personal information on 3.9 million consumer lending customers of its CitiFinancial subsidiary were lost by UPS while in transit to a credit bureau.

In May 2006, the Department of Veterans Affairs reported the theft of a government laptop containing PII, including the Social Security numbers of over 26 million veterans.

Page 11

What is the challenge?

The Internet has made PII extremely accessible

PII is ‘intermingled’ with other types of data within many IT Infrastructures

No special handling instructions or standards

Evolving technology enhancements

Page 12

What is the challenge?

Mobile computing

Data transfer, backup, and storage

Lack of policies or procedures unique to PII

Page 13

What is being done?

Feds addressing the issue one way

Office of Management and Budget, Memorandum 06-16, “Protection of Sensitive Agency Information”

National Institute of Standards and Technology (NIST) provided a checklist for protecting PII (known as the 45-day checklist) that is:

Transported

Stored Offsite

Accessed Remotely

Page 14

What is being done?

OMB Memo also recommended the following:

Encrypt all data on mobile computers

Allow remote access only with two factor authentication

Use time-out functions for remote access and mobile devices

Log all computer-readable data extracts from databases holding sensitive data

Page 15

What is being done?

Another OMB Memo, 06-19, Reporting Incidents Involving PII and Incorporating Cost for Security in Agency Information Technology Investments

One-hour reporting to US-CERT for all incidents involving PII

Does not distinguish between electronic or physical breaches

Report both suspected and confirmed breaches

Page 16

What is being done?

Incorporating Security Funding into IT Investments

Requires security to be integrated into and funded over the lifecycle of each system undergoing development, modernization, or enhancement

Steady-state system operations must meet existing security requirements before new funds are spent on system development, modernization, or enhancement

Page 17

What can we do?

Risk Management Decision

Accept or absorb the risk

Share the risk

Transfer the risk

Page 18

What can we do?

Accept or absorb the risk

Manage the risk within your enterprise

Identify where the sensitive data is in the enterprise, categorize, and classify the data

Conduct a gap analysis of current operations, policies, and procedures

Put a Security Program Framework in place with Management, Operational, and Technical Controls

Page 19

What can we do?

Share the risk

Identify key stakeholders in IT operations

Define boundaries for accountability and responsibility

Develop Memorandums of Understanding and/or Service Level Agreements

Page 20

What can we do?

Transfer the risk

Insurance-like approach

Outsource operations involving protecting sensitive information

Liability rests with service provider

MOUs and SLAs in place defining expectations

Page 21

How do we start?

Determine the appropriate Risk Management Strategy

Categorize data by type (text docs, spreadsheets, application data)

Classify data by critical level of its content

Simplify file management through this process

Determine impact of loss within systems or processes

Page 22

How do we start?

Assess current environment and operations

Conduct gap analysis of “As-is” and desired “To-be”

Categorize findings in policies, procedures, and technology (Critical, High, Medium, and Low)

Develop a Plan of Action and Milestones (POA&M)
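As an added illustration of the categorize-and-classify step in the two slides above (example code, not part of the DTS presentation), a small Python scan that looks for several of the PII types listed earlier in the deck inside constructed sample files and assigns each file a Critical/High/Medium/Low level. The regex patterns, the level weights and the sample records are assumptions made for the example.

```python
import re
# Regexes for a few of the PII types the deck lists (constructed; tune for real data).
PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),           # national ID number, US SSN format
    "credit_card": re.compile(r"\b(?:\d[ -]?){13,16}\b"),  # 13-16 digits, spaces/dashes allowed
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "phone": re.compile(r"\b\d{3}-\d{3}-\d{4}\b"),
    "date_of_birth": re.compile(r"\b\d{2}/\d{2}/\d{4}\b"),
}
# Assumed weights: a file takes the highest level of any PII type found in it.
LEVELS = {"ssn": "Critical", "credit_card": "Critical", "date_of_birth": "High", "phone": "Medium", "email": "Medium"}
RANK = {"Low": 0, "Medium": 1, "High": 2, "Critical": 3}

def luhn_ok(digits: str) -> bool:
    total = 0  # Luhn checksum: drops digit runs that are not real card numbers (cuts false positives)
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def find_pii(text: str) -> dict:
    found = {}  # {pii_type: count} for every PII type detected in the text
    for kind, pat in PATTERNS.items():
        hits = pat.findall(text)
        if kind == "credit_card":
            hits = [h for h in hits if luhn_ok(re.sub(r"\D", "", h))]
        if hits:
            found[kind] = len(hits)
    return found

def classify(text: str) -> str:
    level = "Low"  # raised to the highest level of any PII type found
    for kind in find_pii(text):
        if RANK[LEVELS[kind]] > RANK[level]:
            level = LEVELS[kind]
    return level

# Constructed sample "files" standing in for an inventory scan of a file share.
SAMPLE_RECORDS = {
    "hr_export.csv": "Jane Doe, 123-45-6789, DOB 04/12/1970, jane.doe@example.com",
    "helpdesk.txt": "call back at 916-555-0123, ticket opened by jdoe@example.com",
    "invoice.txt": "card 4111 1111 1111 1111 charged; card 4111 1111 1111 1112 declined",
    "readme.txt": "Quarterly maintenance window is Saturday 02:00-04:00.",
}

def classify_records(records: dict) -> dict:
    # One level per record: the starting inventory for the gap analysis and the POA&M.
    return {name: classify(text) for name, text in records.items()}
```

The Luhn filter is what keeps the card-number pattern from flagging every long digit run; the declined card in the sample is dropped for exactly that reason.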

Page 23

Where do we go from there?

Implement Security Program Framework and Roadmap

Obtain management buy-in, make the case

Define roles and responsibilities – drive accountability

Update and review policies on a regular basis

Training and awareness programs to educate employees

Technology assessments and testing

Page 24

Summary and closing

This issue is going to become more challenging

Accountability will be key

Technology isn’t the complete answer

It really is about managing risk

Page 25

Questions/Answers

?

Page 26

Resources and References

OMB Memo 06-16, Protection of Sensitive Agency Information - http://www.whitehouse.gov/OMB/memoranda/fy2006/m06-16.pdf

OMB Memo 06-19, Reporting Incidents Involving Personally Identifiable Information and Incorporating the Cost for Security in Agency Information Technology Investments - http://www.whitehouse.gov/omb/memoranda/fy2006/m-06-19.pdf

Page 27

Resources and References

National Institute of Standards and Technology (NIST) Special Publications, 800 Series – www.nist.gov

Federal Information Processing Standards (FIPS) - http://www.itl.nist.gov/fipspubs/

Department of Homeland Security, US-CERT - http://www.us-cert.gov/

Page 28

Thank You…

• Your participation is very much appreciated!

• Please don’t forget to complete and hand in your evaluation surveys.