Secure IT 2005 Panel Discussion - PowerPoint PPT Presentation

Slides: 17
Provided by: SDS54

Title: Secure IT 2005 Panel Discussion


1
Secure IT 2005 Panel Discussion
  • Felecia Vlahos, SDSU
  • Sally Brainerd, UCSD
  • Brooke Banks, CSU Chico

2
Secure IT 2005 Panel Discussion
  • Agenda
  • CCC 1798.29 Review
  • SDSU Overview
  • UCSD Overview
  • CSU Chico Overview
  • Common Questions
  • Questions From Attendees

3
Secure IT 2005 Panel Discussion
  • California Civil Code 1798.29
  • AKA SB1386, California Database Notification Act
  • http://www.leginfo.ca.gov/calaw.html (check civil code box, type 1798.29)
  • Any agency that owns or licenses computerized data that includes personal information shall disclose any breach of the security of the system following discovery or notification of the breach in the security of the data to any resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person.

4
Secure IT 2005 Panel Discussion
  • Personal information: individual's first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted:
  • (1) Social security number. (last four SSN DOB, TAX ID)
  • (2) Driver's license number or California Identification Card number.
  • (3) Account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account (ACH).
  • Breach of the security of the system ... Reasonably believed to have been unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by the agency.

5
  • California Civil Code 1798.29 continued
  • The disclosure shall be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement, as provided in subdivision (c), or any measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system.

6
Secure IT 2005 Panel Discussion
  • Resident of California
  • Unencrypted
  • Most expedient time possible and without
    unreasonable delay
  • Needs of law enforcement: will impede a criminal investigation ... the law enforcement agency determines that it will not compromise the investigation
  • Any measures necessary to determine the scope of
    the breach
  • Restore the reasonable integrity

7
Secure IT 2005 Panel Discussion - SDSU Overview
  • Felecia Vlahos, ISO
  • Feb 24/March 16-22 2004
  • Financial aid file server and 19 others
  • Unpatched faculty system/Internal password attack
  • Sending spam and downloading music
  • FAFSA applicants up to 10 years prior
  • SSN/DOB
  • Managed by IT Security Office
  • 206,876 notified
  • 187,254

8
Secure IT 2005 Panel Discussion - UCSD Overview
  • Sally Brainerd, Associate Controller
  • April 16 18, 2004
  • EFT (Financial Aid), 2 Scan Stations and a Check Process Station
  • Non-encrypted files, stranded images and stored cached check data
  • FTP Servers installed
  • Students, applicants, staff, faculty, parents
  • SSN, DL, Bank (Checking account)
  • Office of the Controller/BFS Systems
  • Announced 380k, actual 364k, notified 322k
  • 204,000

9
Secure IT 2005 Panel Discussion - CSU Chico Overview
  • Brooke Banks, ISO
  • Feb 16/March 14-16 2005
  • Housing office server
  • Web/File/Print server with unencrypted historical
    records
  • Root kit and FTP server installed, scans of other
    servers
  • ID card file - faculty, staff and students (Name,
    SSN)
  • Housing database - prospective students, as well as residents for last 5 years (Name, SSN, contact information)
  • Managed by IT Security Office
  • 59,268 notified via e-mail and/or postal mail
  • Cost TBD

10
Secure IT 2005 Panel Discussion - FAQ
  • What security measures were in place to prevent
    incident? What changed afterward?

11
Secure IT 2005 Panel Discussion - FAQ
  • Was law enforcement contacted? Able to identify
    hacker?

12
Secure IT 2005 Panel Discussion - FAQ
  • Discuss interpretation of CCC 1798.29 "most expedient" and process used to produce notifications (letters/web/emails)

13
Secure IT 2005 Panel Discussion - FAQ
  • Reaction from University staff/faculty/students?

14
Secure IT 2005 Panel Discussion - FAQ
  • What volume and types of calls/emails/letters/media received after notification?

15
Secure IT 2005 Panel Discussion - FAQ
  • What types and values of cost were incurred?

16
Secure IT 2005 Panel Discussion
  • Questions from Attendees