Information Security Awareness Training for Personally Identifiable Information at LACCD

Slide Note
Embed
Share

This training session by LACCD Office of Information Technology focuses on educating personnel about identifying and handling Personally Identifiable Information (PII) to safeguard student and employee privacy. It covers the definition of PII, laws protecting PII, responsibilities in protecting PII, actions to enhance PII protection, and future plans for PII security. Understanding the significance of protecting PII is crucial to prevent identity theft, comply with regulations, preserve financial resources, and safeguard LACCD's reputation.

olly
olly Follow

Uploaded on Jul 16, 2024 | 0 Views

Download Presentation

Please find below an Image/Link to download the presentation.

The content on the website is provided AS IS for your information and personal use only. It may not be sold, licensed, or shared on other websites without obtaining consent from the author. Download presentation by click this link. If you encounter any issues during the download, it is possible that the publisher has removed the file from their server.

E N D

Presentation Transcript

  1. Los Angeles Community College District Information Security Awareness Tactical Training Personally Identifiable Information (PII) Patrick Luce, LACCD CISO Version 1.0 January 28, 2021 LACCD Office of Information Technology: Information Security Awareness Tactical Training Personally Identifiable Information (PII) 1

  2. Training Goal The primary purpose of this training session is to provide LACCD personnel who have access to large volumes of Personally Identifiable Information (PII) with general guidance to identify and handle PII in a manner that protects the privacy of our students and employees. LACCD Office of Information Technology: Information Security Awareness Tactical Training Personally Identifiable Information (PII) 2

  3. Agenda What is PII? Why is protecting PII important? What laws (relevant to LACCD) protect PII? Who is responsible for protecting PII? What can I do to better protect PII? What do I do if something goes wrong? What is the District doing in the future to enhance protection of PII? Q/A LACCD Office of Information Technology: Information Security Awareness Tactical Training Personally Identifiable Information (PII) 3

  4. What is Personally Identifiable Information (PII)? PII is a specific category of particularly sensitive data that can be used to specifically identify an individual. Examples include, but may not be limited to: Social Security number (SSN) Drivers license number Financial account numbers, credit card numbers, or debit card numbers Medical information (any information regarding an individual s medical history, mental or physical condition, or medical treatment or diagnosis) Health insurance information (an individual s health insurance policy number or subscriber identification number, or information in an individual s application and claims history, including any appeals records) Education Records License plate information from automated readers Biometric Data LACCD Office of Information Technology: Information Security Awareness Tactical Training Personally Identifiable Information (PII) 4

  5. Why is protecting PII important? Safeguard individuals from identity theft that may happen as a result of their PII being misused and/or used in a fraudulent way Compliance with many laws and LACCD rules and regulations that are intended to protect the privacy of individuals Preservation of LACCD financial resources This includes both saving the District s financial resources from misuse and responding to potential breaches Protect LACCD s reputation Breaches of PII may require written notification to individuals, public notice and trigger various reporting requirements. This can create reputational damage when breaches occur. LACCD Office of Information Technology: Information Security Awareness Tactical Training Personally Identifiable Information (PII) 5

  6. What laws (relevant to LACCD) protect PII? LACCD Office of Information Technology: Information Security Awareness Tactical Training Personally Identifiable Information (PII)

  7. Family Education Rights and Privacy Act 1974 (FERPA) Federal law that protects the privacy of student records Defines who may have access to inspect a student s record and to whom disclosure can be made to without prior consent of the student or student parent/legal guardian (if child is under 18 years of age). Identifies directory information which may be disclosed without consent but requires student to identify annually directory information that may be disclosed. Examples of FERPA protected information: Grades, transcripts, class schedules, etc. LACCD Office of Information Technology: Information Security Awareness Tactical Training Personally Identifiable Information (PII) 7

  8. Health Insurance Portability and Accountability Act of 1996 (HIPAA) Requires organizations to protect the confidentiality of Protected Health Information (PHI). This may include: Past, present, or future physical or mental health conditions Provision of health care services Past, present and future payments for health care that identifies an individual (including policy numbers) LACCD Office of Information Technology: Information Security Awareness Tactical Training Personally Identifiable Information (PII) 8

  9. Gramm-Leach-Bliley Act of 1999 (GLBA) Requires institutions of higher education to protect student financial information Relevant in financial aid processing where student records such as name, address, bank and credit card account information, SSN, loan information. Covers student financial records beyond FERPA. Examples of financial information Student loan applications Information on delinquent loans or loans identified for collection Disbursement data LACCD Office of Information Technology: Information Security Awareness Tactical Training Personally Identifiable Information (PII) 9

  10. California Civil Code Section 1798.80-1798.84 Requires Personal Information of CA residents to be protected and be provided reasonable security. Personal Information is individual s first name or first initial with his or her last name in combination with one or more of the following data elements: Social Security Number, Driver s License number or California identification card number Account number of credit or debit card with combination of security code, access code or password that would permit access to a financial account Medical information medical history or medical treatment information Health insurance information Username or email address that would in combination with a password or security question access to an on-line account. LACCD Office of Information Technology: Information Security Awareness Tactical Training Personally Identifiable Information (PII) 10

  11. California Civil Code Section 1798.80-1798.84 (Continued) Entity that owns, licenses or maintains unencrypted computer data must report breach in the security to the CA resident whose personal information reasonably believed to have been acquired by unauthorized person(s) Provides data breach notice format required for disclosures Requires reporting of data breach to Attorney General Office for public posting if data records of 500 CA residents or more are breached Disclosures shall be made in the most expedient time possible and without unreasonable delay LACCD Office of Information Technology: Information Security Awareness Tactical Training Personally Identifiable Information (PII) 11

  12. California Civil Code Section 1798.80-1798.84: Key Points All breaches of PII for California residents require those residents be notified. All breaches of PII for 500 or more California residents become public information. All notifications shall be made in the most expedient time possible without unreasonable delay. LACCD Office of Information Technology: Information Security Awareness Tactical Training Personally Identifiable Information (PII) 12

  13. A note on encryption California breach notification laws provide some protection for encrypted PII if and only if that encryption meets specific technical criteria. If PII is lost, such as on a stolen laptop, compliance with these encryption requirements would likely need to be reasonably proven after the PII is lost to benefit from those protections. In order to rely on these protections, the encryption should be verified by the Office of Information Technology before the PII is lost. LACCD Office of Information Technology: Information Security Awareness Tactical Training Personally Identifiable Information (PII) 13

  14. Who is responsible for protecting PII? LACCD Office of Information Technology: Information Security Awareness Tactical Training Personally Identifiable Information (PII) 14

  15. LACCD Administrative Regulation B-27 Append Data Owners: Serve as custodians of records for the data record content inputted in the information systems within their area of responsibility. An example of this would be that the Payroll Manager is deemed to be the custodian of records for Human Resource payroll records in the electronic payroll system. Information Systems Custodians: are those individuals in the IT department who protect the data systems from unauthorized access, alteration, penetration or destruction by providing and administering system controls, monitoring the systems and verifying they operate as planned. System Users: individuals granted appropriate access to the information systems of the District to input, display and transact data records as part of their daily and routine job responsibilities or functions. EVERYONE IS RESPONSIBLE FOR KEEPING PII SECURE. LACCD Office of Information Technology: Information Security Awareness Tactical Training Personally Identifiable Information (PII) 15

  16. What can I do to better protect PII? LACCD Office of Information Technology: Information Security Awareness Tactical Training Personally Identifiable Information (PII) 16

  17. Focus first on the most sensitive data elements: An individual s first name or first initial and last name in combination with any one or more of the following data elements: Social Security Number (SSN) Driver s License Number, State-issued ID Card Number, Tax ID Number, Military Number, Passport Number Financial Account Number, credit-card number, or debit card number In combination with required security code, access code or password Medical Information/ Health Insurance Information A username or email address, in combination with the password and/or security question that would allow online access to an account LACCD Office of Information Technology: Information Security Awareness Tactical Training Personally Identifiable Information (PII) 17

  18. Assure the PII is essential to District business If a data source contains PII, whether it is a database, electronic document or piece of paper, assure that PII data source is required in that data source for LACCD business use and/or it is absolutely required for retention by LACCD policy. This includes all COPIES of PII. The best way to protect PII is not to have unnecessary copies of PII in the first place. LACCD Office of Information Technology: Information Security Awareness Tactical Training Personally Identifiable Information (PII) 18

  19. If you find a copy of PII that you believe is essential, VERIFY. Consult with your immediate supervisor if you believe the copy of PII is essential to retain for District business/retention purposes. LACCD Board Rule 7706-7709 Administrative Regulation B-27 Append Administrative Regulation B-28 If your supervisor concurs the copy of PII is essential/required, assure it is stored in a location that has been reviewed by the Information Security team for appropriate protection, including verifiable encryption where applicable. If you aren t sure if it has been reviewed, ask. Email: infosecrequests@laccd.edu LACCD Office of Information Technology: Information Security Awareness Tactical Training Personally Identifiable Information (PII) 19

  20. If you find a copy of PII that is no longer essential, delete it securely as soon as it is no longer needed. If PII is on a piece of paper or removable media (CD/tape, etc.), shred the paper/media securely. If the PII is in an email that is no longer necessary, delete the email, then delete it from the deleted items folder. If the PII is on an online shared drive, a computer or laptop, a mobile device or removable USB drive, consult with the Information Security Team for guidance to delete it securely. Email: infosecrequests@laccd.edu LACCD Office of Information Technology: Information Security Awareness Tactical Training Personally Identifiable Information (PII) 20

  21. What do I do if something goes wrong? LACCD Office of Information Technology: Information Security Awareness Tactical Training Personally Identifiable Information (PII) 21

  22. If you suspect that PII in your care has been lost, compromised, or negatively impacted in any way Immediately notify the IT Information Security team via email at infosecincidents@laccd.edu. This email is monitored 24 hours per day, 7 days per week. In the report, provide your name, position, phone number, and email address. Also provide a brief description of the suspected incident, including the personnel and systems and data that are potentially affected. If the PII is on a computer under your control, disconnect the computer from the local wired or wireless network if feasible, but do not otherwise alter the computer in any way without guidance from the Information Security team. For additional guidance, visit http://www.laccd.edu/Departments/InformationTechnology/InfoSec/Pages/default.aspx LACCD Office of Information Technology: Information Security Awareness Tactical Training Personally Identifiable Information (PII) 22

  23. What is the District doing in the future to better protect PII? LACCD Office of Information Technology: Information Security Awareness Tactical Training Personally Identifiable Information (PII) 23

  24. In Progress Procurement of comprehensive Information Security training for District employees Update of all Administrative Regulations relevant to Information Security Development and implementation of protocols to govern the request, approval and configuration of appropriate locations to store and process PII Acquisition and implementation of appropriate technologies and/or services to detect PII in unauthorized locations LACCD Office of Information Technology: Information Security Awareness Tactical Training Personally Identifiable Information (PII) 24

  25. Questions? Information Security Awareness Tactical Training Personally Identifiable Information (PII) LACCD Office of Information Technology: Information Security Awareness Tactical Training Personally Identifiable Information (PII)

  26. Thank You Patrick Luce, Chief Information Security Officer, LACCD lucepw@laccd.edu LACCD Office of Information Technology: Information Security Awareness Tactical Training Personally Identifiable Information (PII)

Related


Understanding VA Privacy Issues and Sensitive Information

Understanding VA Privacy Issues and Sensitive Information

mariposa
Understanding PeopleSoft Security: A Comprehensive Guide

Understanding PeopleSoft Security: A Comprehensive Guide

kylen
Understanding PeopleSoft Security: User ID Creation and Role Administration

Understanding PeopleSoft Security: User ID Creation and Role Administration

kasper
Understanding Privacy in Information Security Training

Understanding Privacy in Information Security Training

lillia
FMCSA Privacy Awareness Training Overview for 2022

FMCSA Privacy Awareness Training Overview for 2022

natan
Safeguarding Personal Information at DHS

Safeguarding Personal Information at DHS

augustine
Importance of Confidentiality in Shelter Monitoring Committee Training

Importance of Confidentiality in Shelter Monitoring Committee Training

teal
Understanding FERPA: Family Educational Rights and Privacy Act

Understanding FERPA: Family Educational Rights and Privacy Act

portia
Understanding HIPAA and FERPA Privacy Laws in Schools

Understanding HIPAA and FERPA Privacy Laws in Schools

ronny
Introduction to WISEdata Portal and Data Privacy Guidelines

Introduction to WISEdata Portal and Data Privacy Guidelines

amirah
Clover Flex Annual Security Awareness Training for Point of Service Collections Staff

Clover Flex Annual Security Awareness Training for Point of Service Collections Staff

lylah
Understanding the Role of Security Champions in Organizations

Understanding the Role of Security Champions in Organizations

irvin
CAMPUS SECURITY AUTHORITY (CSA) TRAINING CAMPUS SECURITY AUTHORITY (CSA) TRAINING

CAMPUS SECURITY AUTHORITY (CSA) TRAINING CAMPUS SECURITY AUTHORITY (CSA) TRAINING

croix
TSA Updates on Security Training Rule for OTRB Companies

TSA Updates on Security Training Rule for OTRB Companies

aziza
Certification and Training in Information Security

Certification and Training in Information Security

buck
Understanding the Roles of a Security Partner

Understanding the Roles of a Security Partner

zaara
Understanding Cyber Security and Risks

Understanding Cyber Security and Risks

kathryn
Understanding Computer Security Principles and Practices

Understanding Computer Security Principles and Practices

jos_o
PIN Pad Security Training and Procedures

PIN Pad Security Training and Procedures

elliemae
BCA 601(N): Computer Network Security

BCA 601(N): Computer Network Security

danna
Enhancing Security Definitions for Functional Encryption

Enhancing Security Definitions for Functional Encryption

kalila
International Approaches to Enhance Nuclear Safety and Security

International Approaches to Enhance Nuclear Safety and Security

mazarine
AEP Enterprise Security Program Overview - June 2021 Update

AEP Enterprise Security Program Overview - June 2021 Update

aubriella
Evolving Security Practices in DevOps: A Holistic Approach

Evolving Security Practices in DevOps: A Holistic Approach

madisyn

More Related Content

Understanding Security Onion: Network Security Monitoring Tools
Understanding Security Onion: Network Security Monitoring Tools
Overview of Social Security and Health Care System in Turkey
Overview of Social Security and Health Care System in Turkey
Understanding Transport Layer Security (TLS)
Understanding Transport Layer Security (TLS)
Understanding Provable Security Models in Cryptography
Understanding Provable Security Models in Cryptography
Understanding Information Security Basics
Understanding Information Security Basics
Understanding Information Security Policies for Effective Cybersecurity
Understanding Information Security Policies for Effective Cybersecurity
The Importance of Self-Awareness in Personal Growth
The Importance of Self-Awareness in Personal Growth
Understanding Data Use Agreements (DUAs) in Sponsored Projects Office
Understanding Data Use Agreements (DUAs) in Sponsored Projects Office
Componentisation of Assets: Readiness and Overview for SCOPA June 2023
Componentisation of Assets: Readiness and Overview for SCOPA June 2023
Cost Allocation, Apportionment, and Absorption in Accounting
Cost Allocation, Apportionment, and Absorption in Accounting
Klebsiella Species: Characteristics and Pathogenicity
Klebsiella Species: Characteristics and Pathogenicity
British Academy Small Grants Scheme 2020
British Academy Small Grants Scheme 2020
Understanding Security Management in an ICT Environment
Understanding Security Management in an ICT Environment
Private Security Training: Law, Regulations, and Civil Liability
Private Security Training: Law, Regulations, and Civil Liability
Phriendly Phishing Training Solutions Overview
Phriendly Phishing Training Solutions Overview
Comprehensive Asbestos Awareness Training Program
Comprehensive Asbestos Awareness Training Program
Comprehensive Training and Competency Program for Mobile Plant and Equipment
Comprehensive Training and Competency Program for Mobile Plant and Equipment
OWASP Bricks - Web Application Security Learning Platform
OWASP Bricks - Web Application Security Learning Platform
Modernizing Personnel Security Vetting for National Intelligence and Security
Modernizing Personnel Security Vetting for National Intelligence and Security
Cyber Security Toolkit for Boards: Comprehensive Briefings and Key Questions
Cyber Security Toolkit for Boards: Comprehensive Briefings and Key Questions
Mobile Device and Platform Security in Spring 2017: Lecture Highlights
Mobile Device and Platform Security in Spring 2017: Lecture Highlights
Understanding Security Reports and Hospital Security Services
Understanding Security Reports and Hospital Security Services
Cyber Threat Detection and Network Security Strategies
Cyber Threat Detection and Network Security Strategies
Understanding LXI Network Security in Industrial Environments
Understanding LXI Network Security in Industrial Environments