Welcome Personally Identifiable Information (PII) Protection Training Training

1
Welcome Personally Identifiable Information
(PII) Protection Training Training
2
PII Training

• Goal
• The purpose for todays training program is to
  introduce you to your role and responsibilities
  to help ensure the security of personal data at
  Loyola.

3
PII Training

• Learning Objectives
• As a result of participating in todays program
  you will
• Learn about Loyolas Personally Identifiable
  Information (PII) Protection program
• Gain a better understanding of your role and
  responsibilities to secure PII and other
  sensitive data at Loyola

4
PII Training

• Protecting Personally Identifiable Information

5
PII Training

• Loyola recently approved policies covering
• Data Classification
• Loyola Protected-Sensitive Data Identification
• Physical Security of Loyola Protected-Sensitive
  Data
• Electronic Security of Loyola Protected-Sensitive
  Data
• Disposal of Loyola Protected-Sensitive Data
• Loyola Encryption
• Data Breach Response
• Compliance Review
• The policies are online at http//luc.edu/its/poli
  cies.shtml

6
PII Training

• All data produced by employees of Loyola
  University Chicago during the course of
  University business will be classified as
• Loyola Protected Data
• Loyola Sensitive Data
• Loyola Public Data
• (Definitions on next slide)

7
PII Training

• Definitions
• Loyola Protected data (LPro data)
• Protected by Federal, state, or local laws
• Includes SSNs, credit card numbers, bank account
  info, drivers license numbers, personal health
  info, FERPA info, etc
• Loyola Sensitive data (LSen data)
• Not covered by laws, but information that Loyola
  would not distribute to the public
• Classified by department that created the data
• Loyola Public data (LPub data)
• Information that Loyola is comfortable
  distributing to the general public.

8
PII Training

• Changes
• in how your department handles
• Loyola data

9
PII Training

• Data Stewards
• All departments will have at least one data
  steward
• The data steward(s) help coordinate activities
  that your department must perform every 6 months
  to ensure compliance with the policies
• They will send you an email asking you to run a
  piece of software, then they will schedule a time
  to review the results with you

10
PII Training

• Changes for Paper documents
• Limit access to department workspaces that store
  LPro or LSen data in paper form
• Use your badge or key to access the area
• Do not allow the public to access those areas
• Use approved shredders to dispose of documents
  (in accordance with your departments retention
  policy)
• LPro or LSen data should only be sent to printers
  and faxes in secured areas
• Properly store LPro or LSen documents avoid
  leaving protected information on desks and other
  work areas

11
PII Training

• Changes for electronic documents
• Restrict access to computers and other electronic
  devices that store LPro or LSen data in
  electronic form
• LPro or LSen data cannot be stored on computers
  or electronic devices that are not encrypted
• ITS will provide instructions for installing the
  encryption software for those users that need it

12
PII Training

• Preferred storage for remote access
• LPro or LSen data preferred storage for remote
  access
• Network drives (VPN Remote Desktop)
• Laptop w/ encryption software
• PDA/Blackberry/Smartphone w/ encryption
• Portable drive w/ encryption software
• CD/DVD/disk as an encrypted file

13
PII Training

• Disposal of LPro or LSen data
• Paper Shred either through shredding service or
  approved personal shredder
• Electronic Contact ITS for proper disposal
• If taken outside of Loyola, either dispose of as
  above or bring paper / device back to Loyola for
  proper disposal

14
PII Training

• Encryption of data
• Encryption will be provided by ITS
• Electronic data transfers must be secured
• Methods for transferring encrypted emails are
  available from ITS
• LPro or LSen data on physical media (CD, portable
  drive, etc) must be encrypted
• ITS will assist in configuration and training for
  department-specific issues on an as-needed basis

15
PII Training

• Report possible breaches / exposures
• Call 86086 / 773-508-6086
• Email datasecurity_at_luc.edu
• Go to anonymous reporting page at
  http//www.luc.edu/its/security/data_security_form
  _anonymous.shtml

16
What Youll Be Asked To Do

• Run Scanning software (Spider) when asked by your
  data steward
• Schedule a time with your data steward to review
  the results of your spider log file
• If your data steward says you need encryption
  software, install encryption software on your
  machine or call ITS to schedule an installation
• Follow the policies listed previously

17
How Do I Run Spider?

• Log in to your computer normally
• Empty your Internet Explorer cache (Open IE -gt
  Tools -gt Internet Options -gt Delete -gt Delete
  Files)
• Select Start -gt Loyola Software -gt Useful Tools
  -gt Spider Scanner
• This will install and run the spider tool
• The spider tool will scan your computer for files
  that might contain PII

18
How Do I Run Spider?

• You can continue working while it scans
• When complete, it will close and leave a file on
  your desktop
• Please do not do anything to this file until your
  data steward reviews it with you
• Let your data steward know that you are ready to
  review your spider log with them

19
How Do We Review a Spider File?

• Your data steward will schedule a time to go over
  the log file with you
• Log in to your computer normally when the data
  steward is there
• The data steward will open up the Spider log file
  using the Spider program
• Review the entries in the Spider log file with
  your data steward

20
How Do We Review a Spider File?

• As you open each file in the log, scan it to
  determine if it contains Social Security number
  or credit card numbers
• The file will contain a large number of false
  positives such as files that contain a 9-digit
  number that is not a SSN
• Your data steward will record information about
  your machine
• If your data steward indicates that you need the
  encryption software, install it on your computer

21
How Do I Install Encryption Software?

• Preparation
• Only for Windows machines does not work on Mac,
  Linux, or other computer types
• Save all of your work and close all open programs
• Initial installation can take up to 15 minutes,
  and the encryption can take up to 2 hours
• Computer is usable while encrypting data, but
  will run slightly slower
• You may want to begin this process 20 minutes
  before you leave for the evening

22
How Do I Install Encryption Software?

• Save your work and close all your programs
• Start -gt Loyola Software -gt Useful Tools -gt
  SafeGuard Easy Install
• Click Yes to begin, which will make your machine
  automatically reboot
• The program will check your hard drive for
  errors, and reboot several times
• Login when you see the login prompt

23
How Do I Install Encryption Software?

• After logging in, the program will install more
  software, then reboot two more times
• Login again
• You will see an image showing how to tell the
  encryption is present close this image
• At this point the encrypting is beginning as
  long as the machine is on it will continue to
  encrypt, even if locked or logged off
• Call ITS if you need assistance

24
Short Version Install Encryption

• Save open documents, close programs
• Launch installer, click yes, computer will reboot
• Login when you are able to, computer will reboot
  automatically
• Login when you are able to, close encryption
  picture that appears
• Encryption will occur while machine is on even
  if locked or logged off

25
Encryption Questions

• Will this affect USB devices?No it only
  encrypts your internal hard drive
• Will this affect email?No ITS has a separate
  program available if you need to encrypt email
• How will this change how I use my computer?It
  shouldnt change anything the encryption should
  be invisible to the user
• How can I tell it is installed?A yellow key on
  your hard drive icon indicates it is now encrypted

26
PII Training

• Tools and Resources
• ITS Contact
• Joe Bazeley
• jbazele_at_luc.edu
• 773-508-6086 / 86086
• Policies
• Reporting breaches
• Email datasecurity_at_luc.edu
• Anonymous reporting page at http//www.luc.edu/its
  /security/data_security_form_anonymous.shtml

27
Summary

• In closing, each one of us plays an important
  role in ensuring that our department is in and
  remains in compliance with Loyola Universitys
  policies for protecting Personally Identifiable
  Information

28
Summary notes about major changes

• Badge/key access restrictions
• Printers and faxes in secure areas
• Use approved shredders
• Secure desk when not around
• Encryption of computers
• Cannot store LPro or LSen data on unencrypted
  computers
• Store files on network drives for remote access

29
PII Training

• Questions?

30
PII Training

• Thank you
• for
• Your participation