
Data Protection Practices

Data Protection Practices. 2008 NSAA IT Conference Nathan Abbott, TN Joe Moore, AZ Doug Peterson, NV. Agenda. Introduction Why? Our recent experiences What? Technology solutions How else? Questions. Introduction. Format for presentation Individual introductions.


Presentation Transcript


  1. Data Protection Practices 2008 NSAA IT Conference Nathan Abbott, TN Joe Moore, AZ Doug Peterson, NV

  2. Agenda • Introduction • Why? Our recent experiences • What? Technology solutions • How else? • Questions

  3. Introduction • Format for presentation • Individual introductions

  4. Why has data protection become more important now?

  5. Nevada

  6. Why… • Contractor with DMV: • Lost USB Flash drive • Contained names of 109 individuals • University of Nevada, Reno professor lost a flash drive that contained the names and Social Security numbers of 16,000 incoming freshmen from 2001 to 2007 (current and former students)

  7. Why… • DMV Audit • Prior to audit--Truck drives through front of DMV building and steals computer. Contained personal information on 8,700 Nevada residents. • Prior to audit--Planned to encrypt files and not store on computers • Audit found information on desktops, laptops, zip drives, USB drives. • Audit found process of removing personal information from computers didn’t always work as planned. Over 300 files, each with a person’s name, address, and SS#.

  8. Arizona

  9. Why… • Arizona #1 in Identity Theft • Newspaper publishes “public” information • Audit responsibilities require sensitive data • Agency requests for agreements • Encroachment on statutory authority • Public relations nightmare

  10. Tennessee

  11. Why… • Portable Media • Auditor was in car accident and lost their thumbdrive • Nashville Davidson County Election Commission Office • The office was broken into

  12. Why…

  13. Why… • Nashville Davidson County Election Office • Office was broken into on December 24, 2007 • Break-in was not noticed until December 27, 2007 • Two laptops were among the missing items

  14. Why… • It was standard practice for the office to tape user names and passwords to the machines. • The laptops were using an Access database that contained all registered voters' personal information, including their SSNs.

  15. Why… • The office was preparing for the primary election and was in the process of removing the SSNs from the Access database. • The street value of the stolen laptops was probably $600 total, but the incident is costing the city millions in Identity Theft Protection.

  16. What solutions are we using?

  17. Tennessee

  18. Where Did We Start? • Researched available options • Evaluated software • Determined best option

  19. TRUECRYPT VS ENTRUST
      TRUECRYPT: • Partial disk encryption • Passwords do not sync • No vendor support • USB encryption • Encryption time 30-40 minutes • Cost FREE
      ENTRUST: • Full disk encryption • Passwords sync with operating system • Vendor support – 1-800 number • Removable media encryption • Encryption time 4-8 hours • Cost $130 per license

  20. Truecrypt Concerns • File Restoration • Key Management • Administrative Support • Removable Media Support • Partial Disk Encryption

  21. Why Did We Choose Truecrypt • Strategic Plan • Our purpose is to serve the people of Tennessee by Enhancing effective public policy decisions at all levels of government • 47-18-2107 TCA Release of personal consumer information • …Unauthorized acquisition of unencrypted computerized data…

  22. Truecrypt Harddrive Setup

  23. Truecrypt Harddrive Setup

  24. Truecrypt USB Setup

  25. Truecrypt USB Setup

  26. Arizona

  27. What? • Statutes • Drive Crypt Plus Pack (DCPP) • Ironkey • VPN and Tokens • Winzip

  28. Statutes • Provide broad access to information • Authorized to review confidential records without limitation • Agencies required to provide records • Working papers and audit files are not public information • Audit exclusions for other Acts, such as HIPAA, FERPA

  29. DCPP • Whole disk encryption (partition based) • Boot protection • Pre-Boot authentication • Sector level protection • Administrator / user specific rights • Transparent to users • Minimal administration and user training

  30. DCPP

  31. DCPP

  32. DCPP

  33. DCPP

  34. DCPP

  35. DCPP

  36. DCPP

  37. DCPP

  38. Ironkey • Always-on military grade data encryption • No software or drivers to install • Easy to deploy and use • Ability to create and manage enforceable policies • Unique serial numbers

  39. Ironkey

  40. Ironkey

  41. Ironkey

  42. Ironkey

  43. Ironkey

  44. Ironkey

  45. Ironkey

  46. Ironkey

  47. Ironkey

  48. Ironkey

  49. Remote Access via VPN and Tokens

  50. WinZip
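
The DMV audit on slide 7 found that the process for removing personal information from computers did not always work, leaving over 300 files with names, addresses and SSNs. The sketch below is an added example, not part of the original presentation, showing one way an auditor could check a directory tree for leftover SSN-shaped values; the function names, file names and sample records are constructed for illustration.

```python
import os
import re
import tempfile

# SSN-shaped token: 3-2-4 digits with one consistent separator ("-", space or none).
SSN_RE = re.compile(r"(?<!\d)(\d{3})([- ]?)(\d{2})\2(\d{4})(?!\d)")

def plausible_ssn(area, group, serial):
    """Reject values that are never issued, to cut false positives."""
    if area in ("000", "666") or area.startswith("9"):
        return False
    return group != "00" and serial != "0000"

def scan_text(text):
    """Return masked candidates; only the last four digits are kept."""
    hits = []
    for m in SSN_RE.finditer(text):
        area, group, serial = m.group(1, 3, 4)
        if plausible_ssn(area, group, serial):
            hits.append("***-**-" + serial)
    return hits

def scan_tree(root, max_bytes=5_000_000):
    """Walk root and map each file path to its count of SSN candidates."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    data = fh.read(max_bytes)
            except OSError:
                continue  # unreadable file: a real audit would log this
            hits = scan_text(data.decode("latin-1"))  # never raises
            if hits:
                findings[path] = len(hits)
    return findings

def demo():
    """Constructed sample tree: one leftover export and one clean file."""
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "export_old.csv"), "w") as fh:
            fh.write("name,address,ssn\nJane Sample,1 Main St,123-45-6789\n"
                     "John Sample,2 Main St,219099999\n")
        with open(os.path.join(root, "notes.txt"), "w") as fh:
            fh.write("Ticket 000-12-3456 closed; call 555-0100.\n")
        return {os.path.basename(p): n for p, n in scan_tree(root).items()}

if __name__ == "__main__":
    print(demo())
```

The scan reads files as single-byte text, so UTF-16 documents, archives and encrypted containers need their own handling before a clean result can be trusted.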
