What is considered Personal Information by the State?
- an individual's:
  - first name and last name; or
  - first initial and last name; and
- at least one (1) of the following data elements:
  - Social Security number.
  - Driver's license number or identification card number.
  - Account number, credit card number, debit card number, security code, access code, or password of an individual's financial account.
Some agencies maintain information that must be protected under other Federal and State statutes, such as HIPAA, which may require additional information to be protected or additional protection to be in place.
Are Telephone Numbers considered personal information?
No, telephone numbers are not included in the definition of personal information per IC 4-1-11. However, agencies may want to take steps to protect this information to avoid negative publicity.
How long does personal information remain confidential after a person’s death?
Unless a specific law provides for access after death to a person's confidential personal information, the information would continue to be confidential until 75 years after the creation of the record. Indiana Code 5-14-3-4(d): “Notwithstanding any other law, a public record that is classified as confidential, other than a record concerning an adoption, shall be made available for inspection and copying seventy-five (75) years after the creation of that record.”
Social Security Numbers remain confidential indefinitely.
Are federal ids or employer identification numbers considered personal information?
The statute specifically pertains to Social Security numbers of individuals; this would include Social Security numbers issued to legal aliens. IC 4-1-11 does not specifically apply to federal ids and Employer Identification Numbers (EINs). Based on our research, federal ids and EINs are not specifically protected in a similar fashion to that of Social Security Numbers.
Do you know if anyone at IOT has software that will scan a hard drive and evaluate the files to see if they contain potential personal information?
There is a tool called Spider that is available on the web. It can be downloaded from the following site: http://www.it.cornell.edu/services/idfinder/. While the tool will provide some assurance, it is not perfect. Hard drives should be completely wiped or destroyed if equipment will be reused or sent to surplus.
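The kind of check a drive-scanning tool performs, as an added example (not IOT's code and not the code of the tool named above): it walks a directory and flags files containing candidate Social Security numbers or payment card numbers, two of the data elements in the definition above. The function names and sample values are assumptions constructed for illustration.

```python
import os
import re

# Candidate patterns only; each match is validated below to cut false positives.
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

def valid_ssn(area, group, serial):
    """Reject values that are never issued: area 000, 666, 900-999; group 00; serial 0000."""
    return (area not in ("000", "666") and area[0] != "9"
            and group != "00" and serial != "0000")

def luhn_ok(digits):
    """Luhn checksum carried by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def find_pi(text):
    """Return sorted (kind, masked_value) hits; values are masked so the report holds no PI."""
    hits = set()
    for m in SSN_RE.finditer(text):
        if valid_ssn(*m.groups()):
            hits.add(("ssn", "***-**-" + m.group(3)))
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.add(("card", "*" * (len(digits) - 4) + digits[-4:]))
    return sorted(hits)

def scan_tree(root):
    """Map each file under root that has hits to its findings; unreadable files are skipped."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                # Text-mode read with errors ignored: binary formats need their own extractors.
                with open(path, "r", errors="ignore") as fh:
                    hits = find_pi(fh.read())
            except OSError:
                continue
            if hits:
                report[path] = hits
    return report
```

A hit is only a candidate: under the definition above it becomes personal information when paired with a name, so flagged files still need review, and a clean report does not replace wiping the drive.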
What about temp files left over from applications used to access server files containing PI? How do we ensure that personal data is not left on our local drive?
That depends totally on the application. Some applications leave the temp files, and some delete them. Get to know your application and determine if additional steps must be taken to delete temporary files containing personal information.
Should personal information be included in emails?
Generally, individuals should avoid including personal information in emails or email attachments. When it is necessary to include this information in emails, the emails should be encrypted.
What encryption tool does the State have for email containing personal information?
To date, the State does not have a product for email encryption; however, we are in the middle of an RFP process to acquire a state-wide product. For the interim, IOT suggests renting a product called “Certified Mail”.
What steps will IOT take to address encryption on laptops?
All new laptops purchased after July 1st of this year are purchased with an encryption license and encrypted. For existing laptops, “SafeBoot” encryption software can be purchased. For additional information or to order, contact Steve Kremer at IOT.
Can IOT limit IOT Server Administration Staff to only required Application and Database Servers that they service?
IOT is studying methods to lower the number of people with administrator rights to systems as well as audit the activities of administrators. The process will gradually reduce the numbers over time as support issues from consolidation are streamlined.
Will the IOT provide standardized training for all state employees?
IOT will continue to provide IRUA training via the web. In addition, we will look at continued opportunities to provide training on specific security topics and/or policies that are relevant, similar to the training provided on personal information protection. Agencies, system owners in particular, should train employees on the nuances of their system and associated risks. There will probably be overlap between IOT efforts and the agencies, but responsibility falls to both.
Does IOT have an Automated Security Assessment Tool to run against Servers, to provide a potential security risk report to assist agencies?
IOT is seeking a reporting method for key security metrics. The metrics and the interval for reporting are not yet finalized. When completed, they should be required of all host service providers doing business with the state.
Will IOT establish an Enterprise Wide Document Management and Imaging Software Solution, similar to the approach with PeopleSoft including Document Security, Archiving, and Retrieval of Case Files?
Agencies with this need should contact their IOT Account Executive. If there is common interest, a similar project may be explored.
Will the CISO support and initiate changes in the Commission on Public Records (CPR) policy regarding acceptance of secured digital images as the official state document, permitting the destruction of the physical original source document for records retention purposes?
This issue is beyond the office of the CISO. We can weigh in on the security of the solution and the business value but the CPR will have to determine the acceptability of digital records for retention.
What kind of guidance can IOT provide on application code weaknesses and vulnerabilities as related to regular scanning of application code and a certification process?
IOT is seeking a methodology to test all web applications for secure code. The tool(s) to be used, methodology, and cost recovery are yet to be finalized.
Will IOT implement Secure Passwords as an Enterprise Standard for Windows Active Directory Authentication?
Guidance on complex passwords is provided at the IOT Security page. This is the standard suggested by IOT. Due to consolidation and agency issues, these are not presently strictly enforced by Active Directory but the intention is to do so in the future.
Will IOT perform an annual self-assessment regarding compliance with policies and procedures?
Risk management is an ongoing, daily activity. The interval for outside, independent verification confirming compliance with policy and procedures will vary depending upon the business application or regulations governing the system. These assessments are often costly, which may limit independent audits to longer intervals. In such cases, agencies should conduct their own assessments to ensure risks are addressed.
Can IOT provide a Biannual SAS 70 Type 2 Audit by an independent auditor regarding compliance with policies and procedures?
This has been researched in the past and IOT has determined that at this time the process would not provide enough benefits to offset the cost of the review.
What are IOT’s Policies and Procedures?
IOT continues to develop policies and procedures covering the network, security, etc. Many of the policies, procedures, practices and service levels can be found on the IOT website. IOT continues to update this information as it is developed.
Can I get a report of….?
- Quarterly report of current patch levels compared to current available patches: patch levels for the Windows environment are relatively easy to obtain. Other reports are harder to provide. IOT can provide reports if requested by an individual agency; however, at this time reports should be requested only if necessary.
- Listing of staff with administrative authority to each server: a report can be provided for an individual server that contains the name and organization of each person with access.
- Listing of staff with access to the server room: a listing can be provided that includes the name and organization of each individual.
- Report of directory/file security: a report can be provided for a particular directory or file that indicates name and type of access.
A bot, short for robot, is an automated software program that can execute certain commands. A botnet, short for robot network, is an aggregation of compromised computers that are connected to a central “controller.” The compromised computers are often referred to as “zombies.”
Should I be concerned?
Yes, botnets are a significant problem on the Internet. They are a growing source for staging denial of service attacks, stealing personal information for identity theft, and sending out email-based phishing attacks and spam. The compromised hosts or “zombies” are often home computers, but business, government and education organizations are not immune. The sophisticated malicious code used by botnets makes it difficult for an untrained individual to detect.
How does a bot infection happen?
Bot infections follow the same path as the typical Internet worm or virus. You may open an attachment in an email, visit a malicious web site or download malicious software often associated with “free software”, such as games and screensavers, any of which may result in malware being installed on your computer. Once infected, the bot software sends a notice to the “controller.” The controller then downloads additional malicious software to the compromised host. The botnet controller then may have complete control of your computer.
Examples of malicious software commonly associated with botnets, and their subsequent impact on your computer, are:
- Keystroke logger programs that specialize in capturing all of your key strokes and are adept at capturing personal information including your user name and password, as well as credit card and other financial information.
- Programs that are used to distribute spam. The next email you receive regarding a hot stock tip or prescription drugs could be coming from your neighbor. These emails usually employ a “spoofed” or phony email address.
- Denial of service attack programs. The botnet controller can summon tens of thousands of zombies to overwhelm web sites, computers or entire networks. Even large companies such as Microsoft, Yahoo and the New York Times have had their web sites impacted by denial of service attacks.
How prevalent are botnets?
Consider the following:
- According to Postini, an electronic messaging provider which processes over two billion messages a day, over 80% of email is spam.
- It is estimated that over 65% of spam worldwide is sent by botnets.
- The FBI recently reported a botnet containing over one million zombies!
How can I tell if my computer is part of a botnet?
If you are infected with a worm or virus, chances are that today you may also be part of a botnet.
Some of the symptoms of infection are: your computer and Internet connection are slower than usual; programs that used to run on your computer are no longer able to run; your hard drive is spinning (making a noise) when you are not using your computer; or any other strange behavior or anomalous activity on a computer.
If you detect any of the above, it may be an indication of an infection, and your computer should be investigated further to determine if there is an infection and, if so, the type and the scale of the infection.
What can I do to protect my computer?
Bots propagate by taking advantage of security vulnerabilities in software and poor security controls, as well as by using social engineering techniques to entice users to open an email attachment that infects their computer or to visit a web site that downloads malware.
The following recommendations will help prevent your computer from becoming part of a botnet:
- Never open an email attachment unless you know what it is--even if it's from someone you know and trust.
- Do not visit untrusted web sites.
- Do not download free software from untrusted sites.
- Do not use free file sharing programs. These are commonly used to distribute music files and often contain malware.
- Use a firewall to filter Internet traffic.
- Use anti-virus and anti-spyware software and keep it up to date.
- Keep your operating system and application software, especially your Internet browser, up to date.