Data Security Begins With You
Presented by:
Chris Beresford, Executive Director, British Columbia Maintenance Enforcement and Locate Services
Erin McDaniel, Performance, Budget, and Statistics Manager, Oregon Department of Justice, Division of Child Support
Overview
• What are we afraid of? Data security isn’t such a big deal!
 - Why data security is important
 - How information is compromised today
 - Common concerns
• The Regulations - When it comes to protecting data, everyone has an opinion…
 - Governing regulations at national and local levels
• Working for Security - Discussion on “better” practices
 - Privacy practices from Canada and Oregon
 - Ways to reduce concern
What are we afraid of?
Child Support Regulated Data
In the Child Support Program, most data we access is regulated in some manner:
– Personally Identifiable Information (PII)
– Child Support Confidential Information
– Federal Tax Information (FTI)
– Automated Clearing House (ACH) information
– Criminal Justice Information (CJIS) and Law Enforcement Data (LEDS)
It’s just a little bit of info…
• Much (not all) of the data that child support maintains is publicly obtainable, one piece at a time, from different public sources.
• Staff and partners sometimes use this as an excuse to hesitate over strict security practices like encryption and authentication.
• The variety of data collected in a single child support file makes our records more valuable to thieves: less work for more information.
Causing a whole lot of damage
Incidents happen, and worry us all
The Regulations
USA Federal Regulations
• Internal Revenue Service (IRS) Publication 1075 – Tax information security guidelines for federal, state, and local agencies
• The Office of Child Support Enforcement, State Child Support Agency Security Agreement – National standard for security, designed to protect Federal Parent Locator Service data and other confidential child support program information
• National Institute of Standards and Technology (NIST) Requirements 800-53 Rev 4 – National standard for security and privacy controls for U.S. federal information systems and organizations
• Health Insurance Portability and Accountability Act (HIPAA) – National standard for the protection of personal health information
Oregon Regulations
• Oregon Consumer Theft Protection Act (ORS 646A.600 to 646A.628)
 – Notification of security breach to individuals
 – Notification to consumer reporting agencies
• Oregon Information Systems Security (ORS 182.122 & 182.124)
 – Sets expectations for state agency information security
 – Outlines required security policies and practices
Canada/BC laws and rules
• Legislative regime in Canada similar to USA:
 – Federal laws and rules for “federal” data
 – Provincial (and territorial) laws and rules for “provincial” data
• Practically, data becomes the responsibility of the holder
• Federal privacy and disclosure laws apply to income tax and other information from the Government of Canada
 – Generally speaking, it can be used for consistent purposes
• Most provincial privacy and disclosure laws are similar:
 – Can be used for consistent purposes;
 – Can be accessed by the individual;
 – Reasons for collection are defined;
 – Disclosure is subject to rules and process.
Canada/BC
Our challenge:
• We want everyone else’s information
• We don’t want to have to disclose it (except for enforcement purposes)
Our solution:
• Legislative authority to obtain everyone else’s information
• Legislative authority that we don’t have to disclose it (except for enforcement purposes)
But it’s not always that easy…
A brief Canadian history
Collecting:
• A brief history of phones, paper, fax machines, going through databases, recording things, and automated data-matching applications…
• Our data providers are collecting less personal data…
International Standards
• International Organization for Standardization (ISO) – ISO 27001, Information security
 ISO is an independent, non-governmental international organization with a membership of 163 national standards bodies. Founded in 1947, the organization promotes worldwide proprietary, industrial, and commercial standards, and provides leading practice on information security management for implementing or maintaining information security systems.
Working for Security
Context
Protecting and sharing:
• Where it is stored (a very brief history of the Patriot Act)
• How it is purposely shared
• How it is accidentally shared
Start with the foundation
• Create and maintain a culture of security
 – Develop business practices (like wearing picture badges or locking computers) that define the security culture of your agency
 – Prohibit staff from piggybacking into secure work areas
 – Remind staff of the expectations with computer warning banners and office signage
Create a secure work area
• Maintain secured areas to store regulated data:
 – Secure mail rooms and file rooms
 – Locking cabinets
• Establish clean desk guidelines
• Assign and monitor keys and combinations that allow access to regulated data
• Clean work areas provide a second layer of security
Polk County
Provide training that is relevant
– Start training from day one
– Require it before any work commences and annually thereafter
– Ensure staff understand the types of regulated data and the risks if released
– Provide role-based training that ensures everyone, no matter the complexity of their work, has the training they need to protect our customers
Role based trainings in Oregon
• Regulated Data Overview (all)
• Child Support Confidentiality (all)
• Safeguarding Automated Clearing House Information
• Federal Tax Information
– FTI Overview (all)
– Daily Work Exposure
– Enhanced Exposure
– Information Systems Development
• Incident Response
– Staff
– Managers
– Contractors & Vendors
Secure Portable Electronic
• Agency owned devices
• Password protection
• Encryption
• Two-factor authentication
• Remote wipe
• Locking storage devices
Transport securely via postal mail
• Redact confidential information whenever possible
• Use double envelopes in transit, including when sending to other agency offices
• Clearly label confidential information
Encrypt electronic information
• Redact confidential information whenever possible
• Use encrypted email
• Send images or other case documents in encrypted password protected attachments
• Send passwords in separate encrypted messages
The Golden Rule
• Create an environment you would use to secure your own personal information
• When sharing files, send and receive with that same care
• Make an environment of information security your first priority
In Conclusion
So what have we learned?
• Allowed activities may still be high risk
• The biggest threat is often human error
• Come into the web (said the spider to the fly…)
• System-to-system sharing may be better than person-to-person, but it costs money and takes time
Questions?
Chris Beresford, Executive Director, British Columbia Maintenance Enforcement and Locate Services
Erin McDaniel, Performance, Budget, and Statistics Manager, Oregon Department of Justice, Division of Child Support