
Data Security and WNYRIC Services. From Risky Business to Best Practice


Academic year: 2021


(1)

Data Security and WNYRIC Services

(2)

Presenters

Joann Lukasiewicz

Lynn Reed

Dave Scalzo

Paul Spahn

Rob Warchocki

(3)

States of Data

Data at Rest

Moving Data

Data At Endpoints

(4)

Data at Rest

(5)

Data at Rest: Risky Business

Weak or non-secure passwords

Who can access what

Staff who leave position or district

Storing sensitive info

(6)

Does this look familiar?

(7)

Treat your password like your toothbrush. Don't let anybody else use it, and get a new one every six months.

– Clifford Stoll

(8)

Data at Rest: Best Practice

Strong and secure password

Verify access is set up properly

Security designee and backup

Avoid storing unnecessary information

Exit procedures

(9)

WNYRIC Hosted Services: Protecting data at rest

State of the art data center

Controlled access

Antivirus

Secure network

VPN

Firewalls protecting data in and out

Employees

AUP

(10)

Data on the Move

(11)

Sharing Data: Risky Business

Sending data through non-secure means

Ending relationship with vendor

P bli

d i l

(12)

Email is safe, right?

(13)

Mass email by Dent Neurologic inadvertently breaches privacy of 10,200 patients

Dent Neurologic let out data on 10,200

By Melinda Miller | News Staff Reporter , Stephen Watson | News Staff Reporter | @buffaloscribe on May 14, 2013 - 3:46 PM, updated May 14, 2013 at 4:29 PM

Confidential information about more than 10,200 patients of Dent Neurologic Institute was inadvertently sent to more than 200 patients Monday in an email attachment.

The personal information – including patients’ names and home addresses, their doctors’ names, last appointment dates and their email addresses – was contained on an Excel patient spreadsheet.

The data does not include specific information about the patients’ medical conditions, birth dates or Social Security numbers, according to Dent, which attributed the privacy breach to “human error.”

(14)
(15)

To: WNYRIC App Support Team
Subject: Student – Tommy Henderson
From: Nancy Smith

Hello Team. Tommy Henderson left our school to attend Pleasantview Elementary School in Happydale, NY as of Monday April 15, 2013. He was in Mr. Taylor’s 5th grade class. His Student Number is 999-55-1234 and his Date of Birth is November 4, 2002.

Also, Mr. Taylor had trouble saving attendance this morning. His user ID is RTaylor123 and his password is “password”. Can you login as him and see if you can save attendance?

(16)

To: WNYRIC App Support Team
Subject: Support Request
From: Nancy Smith

Hello Team. Please review Student Number 999-55-1234 to see if I exited him correctly, as he has moved to another district.

I also have a teacher that cannot save attendance this morning. Please call me at 822-7777 so I can give you his login information.

(17)

Sharing Data: Best Practice

Define Your Policy

Know where the data is and where it is going

Securely Automate if possible

Data Integration

Secure File Transfer (SFTP)

Point to Point communication (Remote Desktop, Bomgar)

Outside Contracts

Where are the servers located?

How is data transferred?

Who will have access to the data?

(18)

Sharing Data: Data Integration Partners

Student Systems: eSchoolData, PowerSchool

Food Services: WebSmartt, Nutrikids, Horizon

Special Education: Cleartrack, IEP Direct

Health Services: Health Office, Snap Health

Financial Services: Finance Manager, Win Cap

Scheduling

Directory Services: Active Directory, Google Cloud Connect, LDAP, Open Directory, eDirectory, Visual Casel Lite

Instructional Support: My Big Campus, Study Island, ConnectEDU, Performance Plus, My Learning Place

Rapid Broadcast: Global Connect, SchoolMessenger, One Call Now

Transportation: Transfinder, VersaTrans

Library: Alexandria, Destiny, Mandarin

Assessment Systems: Star, iReady, AIMSWeb, NWEA, eDoctrina

Communication Services: Domino Notes / Exchange, Webs That Work, Sametime

(19)

Data at Endpoints

(20)

Data at Endpoints: Risky Business

Sharing data through non-secure means

BYOD

Workstations or devices left unsecured

Sharing of workstations

Digital copiers or fax machines

Cloud Services

(21)

Data at Endpoints: Best Practice

Shared drives with limited or controlled access

Encrypted devices / flash drives

Password protect/encrypt files

Require locking of device

Prevent downloading of data

Encrypted data transmission

(22)

Next Steps

Security Review

Ongoing dialogue with technology coordinator

Educate staff

Get proper approval

 
