Leading Edge Online Security - PowerPoint PPT Presentation

Transcript and Presenter's Notes

Title: Leading Edge Online Security


1
Leading Edge Online Security & Privacy
Mary Anne Busse, Managing Director, Great Disclosure LLC
Troy Runnells, CPA, Assistant Director, Utah Educational Savings Plan
Saturday, July 14, 2007, CSPN Conference
2
Outline
  • Part 1: Online Security
  • Part 2: Other Security Items to Consider
  • Part 3: Privacy

3
Part 1
  • Online Security

4
Online Security - Web site
  • Ensure that the sensitive area of your website
    has the following:
  • Captcha image for setting up online access.
  • 128-bit encryption (look for the "HTTPS" in the
    address line or lock icon).
  • Time out users after a certain period of
    inactivity.

5
Online Security - Web site continued
  • Lock out users after a number of unsuccessful
    login attempts.
  • Conduct periodic security tests from the
    viewpoint of someone trying to hack into the
    system.
  • Conduct detailed vulnerability audits to check
    for dangerous holes in security.

6
Online Security - Require a strong password
  • No password is 100 percent secure. It can always
    be guessed or worked out. However, you can swing
    the odds in your favor by requiring a strong
    password.
  • A strong password cannot be easily worked out by
    anyone else.

A strong password is like a padlock.
7
Online Security - Require a strong password
  • Strong passwords:
  • Are at least seven characters long.
  • Include both uppercase and lowercase letters,
    numbers, and a symbol character.

A strong password is like a padlock.
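The web site controls from slides 4 to 7 (password rules, lockout after failed logins, inactivity timeout) can be enforced together in the login code. The sketch below is an added example, not part of the original presentation; the threshold of five attempts, the 15-minute idle limit and the names `password_problems` and `LoginGuard` are assumptions, since the slides give only "a number of" attempts and "a certain period" of inactivity.

```python
import time

MAX_FAILED_ATTEMPTS = 5      # assumed value; the slides say "a number of"
IDLE_TIMEOUT_SECONDS = 900   # assumed value; the slides say "a certain period"


def password_problems(password):
    """Return the slide-7 rules a candidate password fails (empty = acceptable)."""
    checks = [
        (len(password) >= 7, "shorter than seven characters"),
        (any(c.isupper() for c in password), "no uppercase letter"),
        (any(c.islower() for c in password), "no lowercase letter"),
        (any(c.isdigit() for c in password), "no number"),
        (any(not c.isalnum() and not c.isspace() for c in password),
         "no symbol character"),
    ]
    return [message for ok, message in checks if not ok]


class LoginGuard:
    """Tracks failed logins and session activity for one account."""

    def __init__(self, clock=time.monotonic):
        self.clock = clock        # injectable so the timeout can be tested
        self.failed = 0
        self.locked = False
        self.last_seen = None     # None means there is no active session

    def attempt(self, password_ok):
        """Record a login attempt; returns 'locked', 'denied' or 'ok'."""
        if self.locked:
            return "locked"       # a correct password is refused once locked
        if not password_ok:
            self.failed += 1
            self.locked = self.failed >= MAX_FAILED_ATTEMPTS
            return "locked" if self.locked else "denied"
        self.failed = 0           # a successful login resets the counter
        self.last_seen = self.clock()
        return "ok"

    def request(self):
        """Call on every page request; False means the session has timed out."""
        now = self.clock()
        if self.last_seen is None or now - self.last_seen > IDLE_TIMEOUT_SECONDS:
            self.last_seen = None # force a fresh login
            return False
        self.last_seen = now      # activity restarts the idle timer
        return True
```

In this sketch a locked account stays locked until an administrator resets it; an automatic unlock after a delay is a design choice the slides do not address.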
8
Part 2
  • Other Security Items to consider

9
Other Items to Consider - Computers
  • Consider these items to help make your data more
    secure:
  • Disable your USB ports to disallow read or write
    functionality.
  • Encrypt all laptops.
  • Ensure all data is stored on the network.

10
Other Items to Consider - Network
  • Consider the potential risk of allowing these
    features:
  • Personal e-mail/Web site access.
  • Personal instant messaging.
  • DVD/CD writable drives.

11
Other Items to Consider - Data
  • Your data should be protected at all costs. Do
    you know all the methods your data can be
    accessed?
  • Account for all data that is generated (i.e.,
    quarterly statements).
  • Confirm destruction of all data.

12
Other Items to Consider - Office Security
  • The Association of Certified Fraud Examiners
    has reported a median loss per fraud incident of
    $258,000 in their 2006 Report to the Nation on
    Occupational Fraud & Abuse (specific to the
    banking/financial services industry).
  • In a 2005 Celent study, surveyed risk managers
    reported that on average, 60% of bank fraud is
    committed by insiders.

13
Other Items to Consider - Office Security
  • To ensure an environment that promotes security,
    consider these steps:
  • Audit rights and permissions for users on a
    frequent basis.
  • Perform Clean Desk audits: no sensitive
    information should ever be left in the open.

14
Part 3
  • Privacy

15
Trends in Online Privacy Protection
  • Website Control and Policing
  • Activities designed to discourage phishing
  • Site design to protect the privacy of account
    owner and beneficiary information

16
Trends in Online Privacy Protection
  • If the program manager has day-to-day control over
    the plan website:
  • State administrator should still police privacy
    issues online
  • Level of responsibility will depend on State and
    federal law

17
Trends in Online Privacy Protection
  • Self Regulation Issues
  • Effective enforcement of self-regulation
  • verification and monitoring
  • complaint resolution
  • education and outreach

18
Trends in Online Privacy Protection
  • Third-Party Enforcement Programs: Privacy Seal
    Program
  • Validation by an independent third party
    that the plan is engaged in meaningful
    self-regulation of online privacy
  • Easily recognized by consumers
    through the use of a seal or other symbol

19
Online Privacy Policy
  • Should
  • Be easy to find, read and understand
  • Be available prior to or at the time that
    individually identifiable information is
    collected or requested
  • Ensure third parties are aware of security
    practices and that they also take reasonable
    precautions to protect any transferred information

20
Online Privacy Policy
  • A privacy policy can/should contain
  • Explanation of what information is being
    collected
  • How information is used
  • Possible third party distribution of that
    information
  • Choices available to an individual regarding
    collection, use and distribution of information
  • Statement of plan's commitment to data security

21
Online Privacy Policy
  • A privacy policy can/should contain
  • Consequences of an individual's refusal to
    provide information
  • What accountability mechanism the plan uses
  • How to contact the plan
  • Opt ins or opt outs

22
Online Privacy Policy
  • A privacy policy can/should contain
  • Data Quality and Access
  • account owner ability to correct errors online
  • Steps designed to ensure accuracy of information

23
Online Privacy Policy
  • Examples

24
Contact Information
  • Mary Anne Busse
  • Managing Director
  • Great Disclosure LLC
  • mabusse_at_greatdisclosure.com
  • www.greatdisclosure.com
  • Troy Runnells, CPA
  • Assistant Director
  • Utah Educational Savings Plan
  • trunnells_at_utahsbr.edu