Evaluating PII Presence in a Government Environment - PowerPoint PPT Presentation
About This Presentation
Title:

Evaluating PII Presence in a Government Environment

Description:

Publicity due to data loss DOES NOT attract new business! ... High # of false positives. Most computers don't have any PII and CUI on them ...

Slides: 26
Provided by: info87
Learn more at: http://info.ornl.gov

Transcript and Presenter's Notes

1
Evaluating PII Presence in a Government
Environment
  • Jonathan Homer

NLIT 2009
2
  • Courtesy of Alcatel-Lucent

3
Background
  • Laptop Loss is Cheap
  • Data Loss is Expensive
  • Publicity due to data loss DOES NOT attract new
    business!
  • Data protection is more than just policy
  • Data protection is more than just encryption

4
3-Minute Discussion
  • What actions are we taking today to protect our
    at-risk data?
  • What types of data do we have in our environment?

5
  • Courtesy of Alcatel-Lucent

6
The Risk
  • Who is actually using the laptop?
  • What data has potentially been compromised?
  • What security measures were in place on the
    laptop?
  • Encryption
  • Password Strength
  • Remote Tracking
  • What security risks were potentially compromised?
  • VPN access program and information
  • VPN token compromised as well?
  • Stored Certificates and Credentials
  • What was the patching and update status of the
    laptop?
  • FIREDRILL
  • Random Employee
  • Random Laptop
  • No Advanced Warning
  • Without contacting the employee

7
Steps To Risk-Based PII Protection
  1. Identifying the Potential Risks (Policy)
  2. Collecting, Storing and Maintaining Information
  3. Auditing and Assessing Process And Practice
  4. Protecting the Data
  5. Damage Control

8
Collecting, Storing and Maintaining Information
about Devices
  • Important to know
  • Who is the owner/user?
  • What is being stored?
  • Where is the device and where does it go?
  • Why is the device used?
  • IT visibility is limited
  • On-Network
  • Technical Data Only
  • Need For Validation

9
565.06 Hardware Registration Form
  • Data validation is comprehensive of all IT
    devices
  • Identifies owners AND users
  • Tells IT
  • WHO uses it
  • WHY they use it
  • WHERE the device is located
  • WHAT data is stored on the device

10
HRF List of IT Property
11
HRF Property and Hostname
12
HRF Security
13
HRF Updating 565.06
14
3. Audit and Assess Process and Practice
  • Every step has human involvement and fallibility
  • It is more convenient for humans NOT to follow
    the rules

15
3. Audit and Assess Process and Practice
  • AT THE INL
  • Self Assessments Quarterly
  • Internal Audits Annually (conducted by Audits
    Team)
  • External Audits as requested by HQ and Corporate
  • General Public - Hopefully Never!

16
How We Assess
  • Integrated into operations (Field Techs, etc.)
  • Behind-The-Scenes Investigation (Management
    Tools)
  • Quarterly Self Assessment Team (On-site Visits)
  • Tools: We chose to build our own application

17
PII Search Script
  • Script Requirements
  • Windows, Mac, Linux
  • Portable
  • Secure (Encrypted Results)
  • No Local Install
  • Networked and Off-Network
  • Under 10 minutes

18
PII Search Script - Keywords
  • Social Security
  • Identifiable
  • Birth
  • Place of Birth
  • Employee
  • Maiden
  • Fingerprints
  • DNA
  • Medical
  • Criminal
  • Employment
  • Resume
  • Financial
  • Clearance
  • Badge
  • SNumber
  • Middle Name
  • SSN
  • PII
  • Official
  • Private
  • Cleared
  • Military

19
PII Search Script
  • How We Pull It Off
  • Location: Common locations only
  • File Types: .txt .doc .xls .ppt
  • Keywords: Keywords from INL definition of PII and
    CUI
  • 10 min limit: If we're not finished, we stop the
    scan (5% of the time)
  • Hand evaluation of the results: not worth the
    artificial intelligence
  • NEW IN 2008: Pen Drives (oh yeah!)
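The scan described on this slide, as an added illustration that is not the INL script itself: a subset of the slide 18 keywords, the four file types, a walk over a set of locations, and a time budget that stops the scan and reports partial results. The "common locations" defaults and the byte-level matching (8-bit and UTF-16LE, since legacy Office files are not parsed) are assumptions made here.

```python
import os
import re
import time

# Keyword subset from slide 18 and the file types from slide 19.
KEYWORDS = ["Social Security", "SSN", "Place of Birth", "Maiden", "Clearance",
            "Badge", "Medical", "Resume", "Fingerprints", "DNA"]
FILE_TYPES = {".txt", ".doc", ".xls", ".ppt"}
TIME_LIMIT_SECONDS = 10 * 60  # the deck's 10-minute budget per machine
# The deck does not list its "common locations"; these defaults are assumed.
COMMON_LOCATIONS = [os.path.join(os.path.expanduser("~"), d)
                    for d in ("Desktop", "Documents", "Downloads")]

# Legacy .doc/.xls/.ppt are not parsed: raw bytes are searched for each keyword
# as 8-bit text and as UTF-16LE (how Office often stores strings). Plain
# case-insensitive substring matching is an assumption and invites false positives.
PATTERNS = [(kw, re.compile(re.escape(kw.encode(enc)), re.IGNORECASE))
            for kw in KEYWORDS for enc in ("ascii", "utf-16-le")]


def scan_file(path, max_bytes=50 << 20):
    """Return {keyword: count} for one file (empty if nothing or unreadable)."""
    try:
        with open(path, "rb") as f:
            data = f.read(max_bytes)           # cap the read so huge files stay fast
    except OSError:
        return {}                              # unreadable files are skipped, not fatal
    counts = {}
    for kw, pat in PATTERNS:
        n = len(pat.findall(data))
        if n:
            counts[kw] = counts.get(kw, 0) + n
    return counts


def scan(roots=COMMON_LOCATIONS, time_limit=TIME_LIMIT_SECONDS):
    """Walk roots for candidate files; returns (hits, files_scanned, timed_out)."""
    hits, scanned, start = {}, 0, time.monotonic()
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                if time.monotonic() - start >= time_limit:
                    return hits, scanned, True  # out of time: report partial results
                if os.path.splitext(name)[1].lower() not in FILE_TYPES:
                    continue
                path = os.path.join(dirpath, name)
                counts = scan_file(path)
                scanned += 1
                if counts:
                    hits[path] = counts
    return hits, scanned, False
```

Every hit still needs the hand evaluation the slide mentions; the counts only tell a reviewer where to look first.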

20
PII Search Script
  • What To Expect
  • High # of false positives
  • Most computers don't have any PII and CUI on them
  • Users tend to err on the side of caution
  • 50% of found instances don't properly
    identify CUI
  • Other 50%: "were getting around to updating the
    form"
  • User education will resolve the issue much more
    effectively than technical controls

21
What We Have Learned
  • Cached Files (Windows Offline files)
  • Theoretically could store network data on local
    drive
  • Unable to replicate scenario
  • Mitigated by Encryption
  • #1 forms of PII and CUI found: Resumes with SSN,
    Performance Reviews
  • Medical history is extremely hard to detect when
    in database and/or spreadsheet format
  • Before you begin, ensure management is specific
    on what is and what isn't PII

22
What We Have Learned (cont)
  • Pen Drives
  • Low Detection Rates
  • Usually not labeled correctly
  • Encryption prevents easy assessing
  • Overall Program
  • Relatively Inexpensive compared to ROI
  • Low Impact on Users

23
Courtesy of Alcatel-Lucent
24
Contact Info
  • Jonathan Homer
  • 208.526.9660
  • Jonathan.Homer_at_inl.gov
