Introduction and welcome Two main topics: Security related Research related They’re related but each has it own distinct requirements 1
Privacy has become the mainstay of security We have loads of data that we freely give away via web pages and publications Security has become a game of motivation! Greed drives “bad guys and gals” to invest heavily in ANY data University is unable to fund at the same levels as government or corporate Government, corporate and universities are not able to fund at the same level as the “bad guys and gals” This disagreement in financial motivation means our universities needs the support of everyone in protecting the data University focus is on protection of data which includes: 1. personal information (students, faculty and staff) 2. administrative and sensitive data (payroll, marks, financial, academic programs) 3. research data (to protect validity and market value) Today, I’ll be discussing the issue we all face at universities. Corporate issues are different as are budget levels However, PII value remains the same across all sectors 2
These are the topics for my presentation – from an Information Technology and security point of view 1. Data refers to information 2. PII refers to data that has been entrusted to your organization and there is an obligation to protect 3. Storage is how you keep the data (including PII) within the organization 4. Physical security is how well you protect the storage of the data and PII 5. Data lifecycle describes how well you maintain the data and PII within your control 3
Notice that the first two items are the same. These are the topics for my presentation – from a Research and ethical point of view 6. Data refers to information collected to perform analysis on 7. PII refers to data that has been entrusted to your organization and there is an obligation to protect – this may be incidentally collected 8. On-line collection describes how the data (and PII) is collected and it comes with many pitfalls versus old-fashioned paper surveys 9. Questions - Please hold all questions until the end of the presentation as there will be time allocated to address them at that time 4
What is data? Any piece of information Does not have to be electronic Does not have to describe anything Why protect it? It is not easily replaceable It has value Could be incriminating Loss of business value Result in something negative happening Why would anyone want my data? They feel it’s valuable Intention to harm Economic gain Malicious intent What would data loss mean? Very open to interpretation May result in no action at all May result in job loss Depends on the data that was lost… Personal Identifiable Information (PII) 5
Drawn from the Dalhousie Policy for the protection of personal information from access outside of Canada This is not a comprehensive list, rather a guideline Birthplace = personal history Name of first pet = personal history 6
Individually, these are not considered PII Collectively, there is enough information to identify the individual Common to protect SIN and DOB only Depending on the two elements, you may be able to identify the individual. NDP supporter and Halifax is NOT PII Phone number… Canada411 or phone book for most… may include address • Is IP number considered PII? US Office of Management and Budget says “yes, in some cases” State of Washington in 2009 said NO David Fraser – Canadian lawyer know as ‘The privacy lawyer’ says YES 7
The security industry is growing in financial magnitudes every few years The ratio of attempts to compromise data to successes is very low Estimated at less than 1% of attacks are successful The volume of information available for identity theft is large Going rate for an identity in 2009 was $12.29 for a typical American male That was a record with investments, credit cards, bank account, mortgage etc. In 2009, the identity sales industry was thought to be in excess of $1 billion USD A disproportionate relationship between government, corporate and university spending to protect privacy and the revenue from identity theft 8
So now we’ve determined what is data and what data is PII I need to collect research data that includes PII “It’s crucial to my research” What are the ethical concerns of collection PII during research? There are NONE! (from a security point of view) IT Security views data without an ethical lens Data classification helps to clarify the importance and the controls used around that data PII and medical should be classified very highly Let’s explore how best to protect the data and the PII you might accumulate during research This could be gathered via: surveys questionnaires interviews research gathered from other means 9
There really are consumer grade and data centre computer components A 2 Tb external hard drive from Future Shop costs $99 A 2 Tb expansion in the data centre world can cost $2,500 – you get what you pay for! There is the cost of the drive, plus RAID (redundant array of independent disks) The cost of the extra backup time The cost of the data storage media (tapes) Password protection alone isn’t enough Latest password cracking computers operate at 350 billion guesses per second! Max time to crack is 6 hours Computer is a PC that costs less than $20,000 Encryption of data will offer additional layer of protection If the data is compromised, it is rendered virtually useless by encryption Free options include built-in BitLocker with Windows TrueCrypt is free open-source solution FileVault in the Apple world 10
Most headlines involving loss of personal identifiable information resulted from lost hard drive, laptop, or USB thumb drive Elections Ontario referred to as a “Perfect storm of errors” – 2 million voters information – unencrypted USB stick - June 2012 Human Resources and Skill Development Canada looses 5,000 records (including SIN) stored on unecrypted USB stick – December 2012 Human Resources and Skill Development Canada looses 583,000 records on unencrypted hard drive – January 2013 USB thumb drives – Ironkey makes US military grade USB drives with built in encryption (approx. $100 for 1Gb) USB hard drives – LaCie makes a ruggedized drive enclosure with fingerprint (biometrics) and encryption (approx. $250 for 1 Tb) Biometrics - problematic as they can’t be shared or changed if they are compromised (a cut finger), what if the finger belongs to a person who is no longer available… fired or quit? Ruggedized laptops – Panasonic Toughbook. 6’ drop rating, waterproof, lockable, encrypted (approx. $3500) There are a lot of very secure and reliable solutions available – None would prevent to loss of the device, but they would all prevent the loss of data/PII 11
Data encryption, password protection, ruggedized cases Keep laptops touching your body at ALL times. Lean the case against your leg when you set it down. Always in sight. Beware of tablets… easy to loose, hard to find. Find out about encryption. This is the security model for tomorrow! 12
Data is often copied or backed up You will loose control of backups UNLESS they are fully in your control Data Centre will backup Weekly copy is set aside Monthly and yearly are also set aside May be kept for years Will not touch an archive tape to remove your data Physical hard drives can be wiped and destroyed if needed Logical data is virtually impossible to destroy unless you can touch ALL copies Backup life is often driven by technology Old tapes can’t be used on new equipment Shelf life is dependent on storage conditions CD/DVD estimated to last 25-100 years Reel-to-reel life is 8-9 years DLT tape is rated at 30 years (Digital Linear Tape) 13
Once you delete a file it can be retrieved Wiped means data is overwritten 7 times If a drive dies and can’t be overwritten, it can still be taken apart and the data retrieved Dead drives require destruction Shredding service Drive crushers Degausser 14
Backup copies require ideal storage conditions Temp controlled Secure Off site Flood proof (second floor) Fire proof (not near a kitchen) Dust proof Technology changes. Make sure the media is still able to be mounted and retrieved End of Security topics … 15
Data classification is best left to the subject matter experts Review of information being collected is where REB can offer guidance and control Three core principles of ethical research 1. Respect for persons Intrinsic value of human beings and the respect and consideration they’re due 2. Concern for welfare Quality of a person’s life in all it’s aspects 3.Justice Obligation to treat people fairly and equitably 16
Participant data kept for compensation reasons MUST be separated Research data MUST never be related to participant Answers provided will always belong to the participant You will only ever hold a copy of their data Allow participant the option to revoke all of their answers at any time The disclaimer may not completely reflect the type of questions They may choose to abandon the survey in the middle Allow people to skip questions if they choose Remember, this is THEIR data, not yours 17
Recommend
More recommend
