case western reserve university

INFORMATION SECURITY

 
 






Case Security Awareness: 2009-2010


Overview

Case announces National Cyber Security Awareness Month starting October 5, 2009, with a focus on the topic of

Identity Theft Awareness and Prevention



Identity Theft is Fraud
The Federal Trade Commission reports that more than 9 million people a year are impacted by identity theft. This is fast becoming the largest crime, online or otherwise, affecting the nation. Case Western Reserve University announces the kickoff of a program to increase awareness of  This policy was developed over the past year and aligns the security controls requir


Updated SSN Use Policy

Case Western Reserve University has updated the SSN Use Policy to include required actions for removal of SSN from older data files.  If you are new to Case, you may not be affected by older SSN data, but faculty, staff, and students should know the terms of the SSN use on campus.  In general, any old SSN information is to be removed or redacted.  Unless users are specifically authorized to handle Restricted.

Thanks to the transition to the new Student Information System, the university risk environment has changed, as all faculty and students now access the web-based application with userID and password authentication. The SSN is no longer used as a student identifier, except where financial information (e.g. financial aid, employment) is used; these data are considered Restricted and must be protected with Tier III Controls.

Many staff who have access to Restricted information systems have already come under the provisions of the new global password management policy. The CaseID and password combination is considered Tier III and needs to be protected from disclosure. The University will NEVER ask a user to disclose their password via email; any such request is an obvious clue to a phishing or social engineering attack.


Check the inventory of your registered computers here (requires CaseID and password).

SSN Abatement Using Identity Finder

Why?
Case has a very open computing environment, where users have the liberty and flexibility to implement IT solutions to academic processes. Case Western Reserve University has identified the top risk to the university's information architecture as the presence of SSN-based data in the desktop and laptop computing environment. To address the risk of loss or disclosure of this information, we are conducting a program of SSN Abatement. The university administration is calling on all faculty and staff users to download and install the Identity Finder application, which users can run to identify and remediate old SSN data.


In September 2009, the Case School of Engineering and IT Services department conducted a pilot of the Identity Finder tool. The results vary by individual and role, but those who found SSN files were surprised, in general, at what they found. Much of the data users will find is either administrative or academic data that is no longer pertinent.

Users should download the software from https://softwarecenter.case.edu

What is required of me?
The campus community is directed to use the Identity Finder application to find and remove old SSN data. The University SSN Use Policy directs the removal of SSN from IT workflow, and prescribes protection of SSN-containing data as Restricted data. All departments will receive directives on how and when to implement the policy, but in general all users will need to follow the abatement procedure and conduct regular (e.g. monthly) scans of their systems to remove the risk of SSN data in open computing environments.

The SSN Abatement procedure is:

0.  Inventory
Each responsible user must identify and inventory computers which contain, or possibly contain, SSN-based files. Users with Unix or Linux based systems are outside the scope of this project, but they will need to scan and remediate with different tools at a later time.

1.  Install
For each computer, download and install the Identity Finder software. Users should download the software from https://softwarecenter.case.edu. Note that if a user needs to download more copies than the current limit permits, they should request Lab Manager access to the SoftwareCenter.

2.  Scan
Use the Identity Finder tool to scan hard drives, external media, and USB drives that may hold sensitive data at risk of loss, theft, or disclosure. The default settings search for SSN and credit card numbers. Additional settings are available to the user under the "Identities" tab.

3. Evaluate Results
The user is going to be the best judge of whether the files found are valid "matches". Here are some definitions of terms used by the Identity Finder tool:
  • Match: A data element that meets one of the identity criteria. This could be an SSN found, for example.
  • Identity: A class of data that has impact on a user's identity, including addresses, SSN, Passport numbers, etc.
  • Location: The directory path in the computer to the file where the match data was found.
  • Shred: The tool overwrites the file with 1's and 0's, rendering it non-recoverable.
  • Scrub: For files in Office 2007 format (documents, spreadsheets, etc.) the tool can overwrite the match with XXXX's while keeping the file for later use. This effectively redacts the identity data from the file.
  • Secure: Creates a new file that is encrypted and access controlled with a password.
The ultimate goal is to reduce the risk of sensitive data loss by having users clean their computers with the Identity Finder tool.

4. Action
After evaluating the results, users should use the Identity Finder tool to shred, scrub, and secure any sensitive (SSN-based) files found by the search.  When users are comfortable, they may move ahead in sensitive data removal. 
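
The Match, Location and Scrub terms from steps 2 to 4 can be illustrated with a short script. This is an added example, not Identity Finder's code or Case's tooling; the pattern, the plausibility rules, all function names and the sample text are assumptions constructed for illustration, and it reads plain-text files only.

```python
import re
from pathlib import Path

# SSN-shaped token: 3-2-4 digits, separated consistently by "-", " " or nothing.
SSN_RE = re.compile(r"(?<!\d)(\d{3})([- ]?)(\d{2})\2(\d{4})(?!\d)")

def is_plausible_ssn(area, group, serial):
    """Reject values that are never issued, to cut down false matches."""
    if area in ("000", "666") or area.startswith("9"):
        return False
    return group != "00" and serial != "0000"

def find_matches(text):
    """Return (start, end, value) for each plausible SSN (a "Match")."""
    hits = []
    for m in SSN_RE.finditer(text):
        if is_plausible_ssn(m.group(1), m.group(3), m.group(4)):
            hits.append((m.start(), m.end(), m.group(0)))
    return hits

def scrub(text):
    """Overwrite the digits of each match with X, keeping the rest ("Scrub")."""
    out = list(text)
    for start, end, _ in find_matches(text):
        for i in range(start, end):
            if out[i].isdigit():
                out[i] = "X"
    return "".join(out)

def scan_tree(root):
    """Map each file path (the "Location") to its number of matches."""
    report = {}
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        try:
            text = path.read_text(errors="ignore")
        except OSError:
            continue  # unreadable file: skip it rather than abort the scan
        count = len(find_matches(text))
        if count:
            report[str(path)] = count
    return report

# Constructed sample: one plausible SSN, a phone number and two impossible values.
SAMPLE = ("Roster 2003: J. Doe 123-45-6789, phone 216-555-0100, "
          "test id 000-12-3456, ref 987654321")

if __name__ == "__main__":
    print(find_matches(SAMPLE))
    print(scrub(SAMPLE))
```

The user still has to judge each reported match, as step 3 says: a nine-digit value that passes these rules may be an account or part number rather than an SSN.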

Users may use this Identity Finder Decision Chart to guide the process for data removal and protection.

Questions should be directed to security[at]case[dot]edu.


Identity Finder Town Hall Meeting Schedule
Mini-town hall meetings will be scheduled for each school and group of departments by request.  Please contact your CTO for your school or department, or you can request support by calling the Case Help Desk at 268-HELP.






Case Paranoid Geeks
Be a real geek and play the ISS Security Game.