
White Paper

Safeguarding Sensitive Data in State and Local Governments

Advancing Cybersecurity with the Informatica Solution for Data Privacy

This document contains Confidential, Proprietary and Trade Secret Information (“Confidential Information”) of Informatica Corporation and may not be copied, distributed, duplicated, or otherwise reproduced in any manner without the prior written consent of Informatica.

While every attempt has been made to ensure that the information in this document is accurate and complete, some typographical errors or technical inaccuracies may exist. Informatica does not accept responsibility for any kind of loss resulting from the use of information contained in this document. The information contained in this document is subject to change without notice.

The incorporation of the product attributes discussed in these materials into any release or upgrade of any Informatica software product—as well as the timing of any such release or upgrade—is at the sole discretion of Informatica.

Protected by one or more of the following U.S. Patents: 6,032,158; 5,794,246; 6,014,670; 6,339,775; 6,044,374; 6,208,990; 6,208,990; 6,850,947; 6,895,471; or by the following pending U.S. Patents: 09/644,280; 10/966,046; 10/727,700.

This edition published March 2013

Table of Contents

Executive Summary ........................................ 2
Data Privacy: Challenges and Trends ...................... 3
Revenue Agencies—Perforated with Privacy Weaknesses ...... 3
Education—SLDSs Raise the Stakes on Student Privacy ...... 3
Health and Human Services—MAGI Muddies the Privacy Waters  4
Healthcare—HIPAA Implements Privacy Rules ................ 4
Government-Wide Social Security Number Remediation ....... 4
Data Breach in the Public Sector: A Case Study ........... 5
Acknowledging Insider Threats ............................ 6
Exposure in Nonproduction Environments: Test and Development  6
Exposure in Production Environments: DBAs and Privileged Users  7


Executive Summary

More than 94 million citizens’ records, under the care of government agencies, are estimated to have been lost or breached since 2009.[1] The effects of this loss are profound. The average cost to the government of a data breach has been estimated at $5.5 million, or $194 per individual record.[2] In addition to these high costs, data breaches and cyberattacks also affect citizens directly. The unauthorized use or misuse of personally identifiable information can impact an individual’s ability to get a job, secure a loan, pay for education, obtain insurance, defend against identity theft, or benefit from public programs. Citizens need to know that they can trust public organizations with their personal information, but each new high-profile public data breach or negative watchdog report shakes that faith.

As public sector organizations face unprecedented risk from cyberattacks and high costs from data breaches, the focus on protecting sensitive and personally identifiable information is quickly becoming a priority for agency and state CIOs and CISOs. On this issue, Brenda L. Decker, NASCIO President and CIO, State of Nebraska, has stated:

“Every CIO and CISO wakes up each day knowing that if they don’t get security right and breaches are suffered, their programs can be perceived to be ineffective, and their citizens suffer direct harm.”[3]

But at a time when only 18 percent of states report having a Chief Privacy Officer, the vast majority of states lack a centralized privacy function. This places added pressure on CIOs and CISOs, who seem to inherit data privacy policy by default. Furthermore, agencies need to put as much thought and effort into securing their state’s data against internal privacy breaches as they have traditionally put into protecting against outside threats.

This white paper discusses the challenges to securing information in state and local government organizations, outlines common sources of vulnerability, and illustrates with a case study an example of an increasingly common data breach. It discusses the effectiveness and versatility of data masking—both traditional, persistent data masking and the newer, breakthrough technology of dynamic data masking—in addressing the data privacy requirements of the public sector. It also examines the pros and cons of complementary data protection techniques, such as encryption and database activity monitoring, and how they can be used alongside data masking software to provide optimal protection in specific scenarios. Finally, the paper outlines what to look for in a data privacy solution and advocates implementing Informatica® data masking products to achieve robust, transparent, and cost-effective data privacy.


Data Privacy: Challenges and Trends

Entrusted with the many aspects of safety and security of the public, government agencies must consistently demonstrate the ability to be sound financial stewards and rigorous defenders of sensitive data or personally identifiable information (PII). Some state and local government agencies have made major investments and significant strides in securing their systems against data breaches and cyberattacks, making it a top priority. But only 14 percent of state CISOs have reported feeling that they receive the appropriate executive commitment and adequate funding for cybersecurity.[4] In addition, securing data is becoming an increasingly daunting challenge because of vulnerabilities that remain.

Below are five of the top data privacy challenges and trends affecting state and local governments.

Revenue Agencies—Perforated with Privacy Weaknesses

According to IRS Publication 1075, “The public must have and maintain a high degree of confidence that the personal and financial information furnished to us is protected against unauthorized use, inspection or disclosure.” Yet a 2012 GAO report entitled Information Security: IRS Needs to Enhance Internal Control over Financial Reporting and Taxpayer Data states:

“Although IRS has made progress in correcting information security weaknesses that we have reported previously, many weaknesses have not been corrected and we identified many new weaknesses during fiscal year 2010. Specifically, 65 out of 88 previously reported weaknesses—about 74 percent—have not yet been corrected. In addition, we identified 37 new weaknesses. These weaknesses relate to access controls, configuration management, and segregation of duties.”

Specific weaknesses include the “excessive access” given to some internal users by granting permissions beyond what they need to perform their jobs. Furthermore, the GAO has uncovered poor segregation-of-duty practices and determined that some devices were sending unencrypted data over the IRS network.

Ensuring the privacy of taxpayer data is not just a federal problem. In October 2012, the South Carolina Department of Revenue suffered a major privacy breach that compromised 3.6 million Social Security numbers and 387,000 payment card numbers, and exposed taxpayer address information as well. Most of the targeted data was unencrypted. In addition to the loss of taxpayer trust, the state is now paying for credit monitoring for individuals and businesses affected by the breach.

Education—SLDSs Raise the Stakes on Student Privacy

With the help of federal grants, many states across the country are implementing statewide longitudinal data systems (SLDSs) to capture and analyze student data from preschool through higher education to employment.

To qualify for a federal grant, an SLDS must ensure the confidentiality of student data according to the requirements of the Family Educational Rights and Privacy Act (FERPA), which protects individually identifiable information from being accessed without student permission. An SLDS is also subject to state privacy regulations. Consequently, states are under enormous pressure to ensure that no user or outside party can view individually identifiable data even as it is being aggregated and analyzed as part of an SLDS program.


Health and Human Services—MAGI Muddies the Privacy Waters

Needs- and contribution-based public programs, including cash and food assistance, medical assistance, and unemployment insurance, are fraught with data privacy challenges. Even within a single eligibility system for multiple types of assistance (e.g., cash, food, medical), the sharing of data is prohibited by law and subject to prosecution.

The use of modified adjusted gross income (MAGI) data by health insurance exchanges (HIX) throws this issue into high relief. With the advent of the Affordable Care Act, states are able to use MAGI data obtained from the IRS to determine eligibility for health insurance and Medicaid. But the IRS prohibits the use of this data for other state-administered programs outside of HIX. This means that HIX organizations will possess sensitive MAGI data, but only in order to determine health insurance eligibility. They are required to hide or mask that data so that other organizations may see eligibility results but not the data used to determine those results.

Healthcare—HIPAA Implements Privacy Rules

With the passing of the Health Insurance Portability and Accountability Act (HIPAA), standardized privacy rules were applied to all government healthcare organizations, including such programs as Medicare and Medicaid, Tricare, Military Health, and Veterans Insurance. One of the HIPAA privacy rules calls for “minimum necessary” use and disclosure of protected health information (PHI). It mandates that policies and technologies be implemented to hide, protect, or mask any individually identifiable health information that’s not otherwise required to fulfill a specific purpose or request.

Government-Wide Social Security Number Remediation

Government organizations with a broad range of functions—revenue, benefits, healthcare, and security to name a few—have relied on Social Security numbers (SSNs) as a unique identifier in their systems for years. In recent years, agencies have implemented extensive remediation initiatives to remove SSNs as the prime identifier or key. But they widely report that SSNs continue to be collected and stored without a thorough understanding of the business requirements for that data. A comprehensive SSN remediation program must be part of an overall governance plan that includes removing and securing personally identifiable information, including SSNs, and a process review of all systems to determine the actual business requirements for SSNs.

Data Breach in the Public Sector: A Case Study

In 2012, one state experienced two data breaches, each of which exposed personally identifiable information in a different way. The first occurred from inside the organization when an employee transferred the information of more than 225,000 Medicaid beneficiaries to a personal email account.

The second breach was far more sophisticated and caused by an external cyberattack. This breach exposed information on 3.8 million taxpayers, including SSNs and bank account data, and resulted in a staggering $14 million cost to the state, the resignation of at least one high-ranking government official, and immeasurable damage to public trust.

Although the breach was not the deliberate result of an internal employee’s actions, it began with an email containing a link to a malicious Web site that was sent to Department of Revenue employees. Upon clicking the link, a user would inadvertently launch malware that enabled the attacker to steal the user’s username and password, granting the attacker access to that machine. About one month after this initial attack, the attacker found personally identifiable information in a database backup and then copied the file to an internal server, breaching a significant amount of private information.
