Category Archives: Encryption

Virtual Encryption Fun

Earlier this month, I found myself wondering, “Just what is the password for my encrypted hard drives?” I remember encrypting the drives, but then after putting them away, forgot.


VMware Workstation Player
The problem? I had been spending too much time on my Surface Book, exploring Windows 10, etc. Dual booting Win10 and Ubuntu Linux on a Surface Book has eluded me. Yes, while there are a few tutorials out there, I’m not quite ready to jump in and give it a shot. Fortunately, I was able to get VMware Workstation Player (available for free for noncommercial use, thank you!) and load up Lubuntu Linux, which I figured would run light on resources on my 8gig Surface Book. Thank goodness that was true.

Workstation Player is perfect for students, faculty, businesses and corporate users who need a small sandbox environment for testing or control. A simple user interface provides a streamlined approach and enables more focused use cases. 

I’m actually writing this via the Opera browser on my VM running Lubuntu on the Surface Book. It’s not a great accomplishment technically, but it was fun to spend some time today.

Encrypting Hard Drives
Now that I’m back in, looking at my old data from many years, much of which I migrated to the cloud, I’m finding myself wondering why I bothered encrypting it. It’s not like there was anything top secret. Still, it was fun to encrypt entire devices and save my work there, knowing that it wouldn’t be stolen if the drive fell into the wrong hands.

The process for Lubuntu Linux (or Ubuntu for that matter) really involves just one or two steps. On Lubuntu, it involved typing this command, then plugging in my USB external drives:

sudo apt-get install cryptsetup

I could then manipulate the drives using Disks, which looks like this:

After plugging the drive in, I was able to enter my remembered password and my data showed right up. Encrypting the drive is really just a matter of playing with the options.

Keeping Data Secure
But, let’s say you don’t want to encrypt an entire drive. You can always use a cross-platform tool like Secret Space Encryptor (SSE). It allows you to encrypt folders or multiple files into a single encrypted (*.enc) file.

If you need something more complex, check out GoAnywhere’s OpenPGP Studio.

GoAnywhere OpenPGP Studio is a free desktop tool that makes it easy to protect sensitive files using the popular Open PGP encryption standard. Documents can be encrypted, decrypted, signed and verified from your PC or workstation using this intuitive tool.  An integrated key manager allows you to quickly create, import, export and manage Open PGP keys needed to encrypt and decrypt files. 

GoAnywhere OpenPGP Studio will run on almost any operating system including Windows®, Linux, Mac OS X®, Solaris and UNIX. You can download and install it to your desktop within just a few minutes.

Anyways, what fun to revisit encryption. Here are some other tools I typically install:

  • Secure-Delete (sudo apt-get install secure-delete) includes an assortment of tools to protect/wipe data
  • Keepass (sudo apt-get install keepass) is a friendly, easy to use file manager you can use to keep track of a zillion passwords.

Another tool I learned about today is iPGMail, which is an iOS app that allows you to use your GPG/PGP public key encryption to protect your emails. I often rely on ProtonMail these days, or just use Gmail with Secret Space Encryptor’s companion app, PTE (text encryption). Still, somebody somewhere may prefer iPGMail.

What made me give this all a try again? Well, it was fun to watch Sunday Morning and see David Pogue talking about data centers and the cloud.

Everything posted on Miguel Guhlin’s blogs/wikis are his personal opinion and do not necessarily represent the views of his employer(s) or its clients. Read Full Disclosure

Encrypting #OneNote Pages and Sections #free #onlineconference

Looking for an easy way to encrypt and protect data stored in OneNote? Fortunately, OneNote provides encryption when you password protect a section:


Passwords can be applied only to notebook sections, not to entire notebooks. Passwords are case-sensitive. Make sure that the Caps Lock key is off before you create or enter a password. OneNote uses encryption to secure password-protected sections. (Source)

OneNote’s Password protected section offers a few benefits:

  • AES 128 bit encryption protects any pages you’ve created inside of the passworded section.
  • Microsoft is reported to use the local cryptography built into the Windows operating system.
  • Passworded sections placed on the web (shared online via OneNote Online) require the end-user to enter a password to get access.
  • OneNote uses encryption to secure password-protected sections. If you forget your password, no one will be able to unlock your notes for you (not even Microsoft Technical Support). So take care when assigning passwords to your notebook sections and when changing them.

Here’s what OneNote looks like when you’re Password Protecting a section:

Note that you can modify the Password Options in OneNote settings:

But AES 128 encryption may not be enough.

More Encryption Needed?
Of course, as nice as AES 128bit may be, it doesn’t meet the standard for super confidential information (e.g. everything that is personally identifiable information or health info). If you forget your password to a passworded section in OneNote, it would be difficult, if not impossible, to get access to it again. I don’t know if DocRecryptor exists for OneNote, but I know I wouldn’t want to trust it with data that must be confidential. For that reason, among others, it is important to take a hard look at other encryption options that go above and beyond OneNote’s built-in passworded section.

Here are some additional solutions I would encourage you to add if you’re going to use any Microsoft product:

  • Encrypt files with the File/Folder Encryption Tool
  • Encrypt text with the Text Encryptor
  • Use Keepass for Windows, Mac, or GNU/Linux to store confidential information. The database file itself is encrypted with AES-256 so you can add it as a file attachment.
  • If you want to keep the source formatting for a document (e.g. font choices, colors, headings, etc.) then you will probably be better off exporting data as a Word document, encrypting it with SSE, then adding it as a file attachment.

While encryption can be an obstacle for some, it is important to find a way to secure your data, no matter what notes tool you decide to use. You can find my resources for Safeguarding Sensitive Data online.


        4 Tips for Securing Your Cloud Storage via @diben

        Love this image! Found it on LinkedIn with no attribution. Drop a line in comments if you know source!

        Be sure to check out Diana Benner’s Sprinkle Innovation article, 4 Tips for Keeping Your Data Secure in the Cloud! Here is the lead from her article:

        While presenting on Social Media in the Classroom, I ran into a former colleague. She mentioned a fantastic presentation she attended on Cyber Security in the Classroom. Our conversation soon drifted to a discussion about passwords and how secure our passwords really are, especially with the amount of data we are storing in the cloud. 

        When you think about it, the amount of information we are storing in the cloud is growing every day. Most of us no longer use USB flash drives to carry our docs because it is so easy just to store our information in the cloud. However, we hear about data breaches happening all the time, so how can we be sure our information is safe and secure out there?

        Find out more.

        In her article, Diana mentions a few of my favorite tools, among them Secret Space Encryptor (SSE). Here’s my print tutorial and video!

        1. Three Steps to Encrypting/Decrypting
        2. View Video for Text Encrypt
        3. View Video for File/Folder Encryption

        And, you may want to read my article, 5 Steps to Protect Your Data!



        3 Steps To Cloud Safe Computing

        “91% of adults in the survey “agree” or “strongly agree” that consumers,” shares a 2014 Pew Research study, “have lost control over how personal information is collected and used by companies.” Unfortunately, that perception may be tied directly to how many of us are storing confidential data–whether we want to or not–in cloud-based storage systems.


        If you’re like me, you’re storing important data online because of the following reasons:

        1. Easy backup – You’re worried that storing it on USB external flash drives or “sticks” is too dangerous since they are easy to lose and may suffer data corruption. With Dropbox and GoogleDrive, the “backup” of your data happens auto-magically when you save stuff in the appropriate folder on your computer.
        2. Portability – You love to be able to work from anywhere, even when you’re out for coffee at Starbucks. You also don’t want to leave confidential data on your laptop since you carry that everywhere and while it’s password protected, you’re positive you don’t have fancy disk encryption turned on. You DO make sure to logout of your cloud storage, though.
        3. Collaboration – Everything you do involves partnering with someone else, and that’s why GoogleDocs is so good for team projects. When you save stuff on Dropbox or GoogleDrive, other people can get to it and work with it…and that’s great all-around!

        Unfortunately, you can’t just assume that confidential data will be safeguarded appropriately when it’s stored in the Cloud. To safeguard that sensitive data, you need to take a few steps. Here are 3 steps you can take that will immediately protect you when placing your precious data online. Are they the only steps you can take? Absolutely not! The question is, How much security are you willing to trade for ease of use? It’s a tough scale and over time, trust me, you will find the right balance. For now, though, it won’t hurt to be overly protective…well, it won’t hurt TOO much.

        Step #1 – Protect your Device and Connections
        We often carry our devices–laptops, phones, tablets–everywhere we go but fail to protect them adequately. What’s worse, we also forget that when our devices connect over public WiFi, we are in danger of being “packet-sniffed.” This is a fancy way of saying that people can eavesdrop on our WiFi and snatch critical information, like our login credentials (more about that in a moment, Step #2).

        Make an effort to protect your device, though, including logging out or “locking” it so someone can’t just pick it up and start using it. Establish a secure “cloud computing base” that protects against malware/viruses that may load keylogging software onto your machine. You can do that by keeping your anti-malware/anti-virus software up to date. Some suggested tools include MalwareBytes, Spyware Blaster, Spybot Search & Destroy for spyware/malware, while using AVG Anti-Virus for antivirus (Windows 10 has solid tools, BTW), and, finally, removing and cleaning up your Windows computer using Revo Uninstaller and CCleaner.

        Step #2 – Safeguard Your Cloud Computing Login Credentials
        As mentioned in Step #1, safeguarding your Cloud Computing Login credentials is critical. You need to invest in a Virtual Private Network (VPN)–especially if your workplace isn’t providing one, although most school districts and employers do–like Private Internet Access (my favorite VPN provider, BTW, because it works on ALL my devices). Without a VPN, you are open to packet analyzers and sniffers because your data is being transmitted in clear text…that is, NOT encrypted. While Google and other providers have made every effort to encourage folks, many services still rely on unencrypted connections (without the gold Secure Sockets Layer (SSL) padlock).

        Not only do you need to avoid phishing and spear phishing (targeted at specific individuals) schemes–which attempt to steal your credentials so they can expand their circle of confusion and infection to others–you also need to take advantage of tools like Keepass, Dashlane, and LastPass. There are others but you can google “online password manager” and find many solutions. Another important point is to ensure you have a secure password generator, which many of the tools listed above provide. School districts may also consider drafting a policy, a sample of which is available online.

        You can protect yourself by also taking advantage of 2-factor authentication, illustrated below:

        2-factor authentication is available for a variety of services. I use it with GoogleApps, Dropbox, and many others.

        Step #3 – Practice Safe Data Practices
        Since we must all work with confidential data at some point, even if it is personally identifiable information (PII), or medical/health information, we must practice safe data practices. One of those practices–aside from shredding paper copies of sensitive data–includes encrypting that data when it is NOT in use and/or in transit. If in a work environment, make sure that you ONLY access sensitive data on work devices, avoid clicking on email links and attachments from people you don’t know, and, for goodness sake, DO NOT do that while checking your personal email at work, especially if it is a Yahoo email account given the types of malware-spreading ads that find themselves displayed.

        If you aren’t encrypting your data before putting it in the cloud, you are sending a clear message that you just lack concern for confidential data. While some data is intended to be portable, easy to backup, and collaborate with, confidential data is NOT. Some ways to encrypt your data include using tools like Secret Space Encryptor (SSE)–which works on Windows, Mac, GNU/Linux and Android–and/or Chromebook friendly MiniLock. Tutorials are available as videos and/or print. All of these encryption tools ARE EASY to use and encrypted files/folders can be saved directly to cloud storage (e.g. Dropbox, GoogleDrive). Android users typically have more encryption options–given that iOS sandboxes its apps, it’s a little more difficult–available to them, like Secret Space Encryptor (SSE).
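The encrypt-before-upload step described above (and the single-file folder encryption mentioned earlier for SSE), as an added example that is not from the original post. It uses GnuPG's passphrase-based OpenPGP encryption rather than SSE or MiniLock; the function names and paths are illustrative assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): pack a folder into ONE
# passphrase-encrypted OpenPGP file before copying it to a cloud-synced folder.
# Assumes GnuPG 2.x and tar are installed; names and paths are illustrative.
#
# Usage (constructed paths):
#   encrypt_folder  ~/Documents/grades ~/Dropbox/grades.tar.gpg ~/.backup-pass
#   decrypt_archive ~/Dropbox/grades.tar.gpg ~/restore ~/.backup-pass

# encrypt_folder SRC_DIR OUT_FILE PASSPHRASE_FILE
# The passphrase is read from a file so it never shows up in the process list
# or in shell history.
encrypt_folder() (
    src=$1; out=$2; passfile=$3
    [ -d "$src" ] || { echo "not a directory: $src" >&2; exit 2; }
    umask 077    # output file readable by the owner only
    # -C stores just the folder name in the archive, not the full local path.
    # tar streams straight into gpg, so no plaintext archive touches the disk.
    # The pipeline's exit status is gpg's.
    tar -cf - -C "$(dirname "$src")" "$(basename "$src")" |
        gpg --batch --yes --quiet --pinentry-mode loopback \
            --passphrase-file "$passfile" \
            --symmetric --cipher-algo AES256 \
            --output "$out"
)

# decrypt_archive ENC_FILE DEST_DIR PASSPHRASE_FILE
decrypt_archive() (
    enc=$1; dest=$2; passfile=$3
    umask 077
    tmp=$(mktemp -d) || exit 1
    # gpg reports a wrong passphrase or a modified file through its exit
    # status, and for tampering only once it has read the whole file. Decrypt
    # to a private temp file first and unpack only after gpg has succeeded.
    if gpg --batch --quiet --pinentry-mode loopback \
           --passphrase-file "$passfile" \
           --output "$tmp/plain.tar" --decrypt "$enc"
    then
        mkdir -p "$dest" && tar -xf "$tmp/plain.tar" -C "$dest"
        rc=$?
    else
        rc=1
    fi
    rm -rf "$tmp"
    exit "$rc"
)
```

Only the `.tar.gpg` file goes into the synced folder; the passphrase file stays on the local machine.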

        However, if you want an even more dynamic solution, consider using encrypted file storage like SpiderOak storage (Dropbox-like storage but encrypted) or even overlaying encryption with BoxCryptor, which includes a portable solution.

        Conclusion
        You can regain control of how data is shared provided you follow the 3 simple steps outlined in this article. Unfortunately, as data goes mobile, you’ll have to find the solution that works best on your device.



        Managing My Clouds: Unlimited Storage (Updated)

        Update: I take back everything nice I said about Amazon Cloud Drive. Unfortunately, it’s not ready for prime time. While you can store stuff there, it’s difficult to interact with it in the same way you can with Dropbox or Google Drive. As a result, I’ve dumped Amazon Cloud Drive–what a terrible interface they have!–and switched back to GoogleDrive.

        Earlier this month, I received a notice from Dropbox. It said, simply, that I was no longer going to have access to gigs of space (buying a Samsung phone had given me additional hours) I had over the last few years. Instead, access would be knocked down 48 gigs! Still, I had to prioritize content for removal from the cloud, and figure out a way to migrate it from one cloud storage solution to another.

        At the time, I wished for a solution that would allow me unlimited storage and an easy way to blend my work scattered across various cloud storage solutions. Then, Amazon Cloud Drive–unlimited storage–for $5 for initial year came along (it may still be available, so I encourage you to take advantage of it!); it regularly costs $60 a year, which still isn’t a bad deal.

        Some other needs:

        • Access cloud storage solution on all platforms (especially GNU/Linux)
        • Unlimited storage or as close to it as possible at low cost
        • A way to move content from one cloud storage solution to another easily.
        • Easy Encryption accessible on mobile as well as computer

        CLOUD STORAGE OPTIONS
        Here are the cloud storage solutions I’m now using:

        • Google Drive (Total Storage: 24gigs) – This is essentially where I store everything I’m using regularly. I don’t imagine moving away from it, but I do occasionally back things up to USB external drives at home. Few items, if any, are confidential. Supports 2 factor authentication. $20 per year.
        • Dropbox (Total Storage: previously 64gigs) – This is where I store podcasts and content for the Around the Corner blog. There are no backups of the data stored on Dropbox, and none of it is confidential. Works great across multiple OSs and platforms, even if it has a bad rep for security. Supports 2 factor authentication. No Cost.
        • Amazon Cloud Drive (Total Storage: Unlimited) – This is the first solution that provides unlimited storage at a reasonable cost. This will also let me make encrypted backups available via the cloud and better organize work. $60 per year (except for the initial $5 promotion)

        My goal is to “put all my eggs” in as few baskets as possible, while backing up other data. But how to move it in bulk from one to another?

        MOVING FROM ONE TO ANOTHER
        To move content from one cloud storage solution to another, while I have access to the excellent CloudHQ.net solution, I explored using Multcloud.com (FREE). It flawlessly enabled me to begin the transfer of data from Dropbox to Amazon CloudDrive, even though it could just as easily have been another cloud storage provider:

        It’s amazing to see all the data flowing from one location to another:

        SECURING CLOUD STORAGE
        In the past, I’ve eschewed solutions like Boxcryptor (even though it’s great!) in favor of free, open source encryption solutions (e.g. Secret Space Encryptor). Unfortunately, SSE won’t work on mobile devices I use every day and I need some assurance of encryption.

        While Amazon Cloud Drive has a nice web interface, Boxcryptor has just come out with Boxcryptor Portable, a solution that works on GNU/Linux and allows interfaces to all the cloud storage solutions I use (e.g. GoogleDrive, Amazon Cloud Drive, Dropbox) and others.

        With Boxcryptor Portable, you don’t need a local installation of Boxcryptor or even your favorite cloud storage provider’s software. Therefore it is ideal for users who do not have administrator rights on their computer. Boxcryptor Portable connects directly to your provider to maximise your flexibility. Simply log in to your Boxcryptor account to have all your data in one place, encrypt it or perform file actions. Boxcryptor Portable supports all providers which are supported in our official Android version (Dropbox, Google Drive, Box, OneDrive and many more).
        The usage is very similar to our smartphone apps as you decide on uploads and downloads. Therefore, there is no need to sync files locally. Place Boxcryptor Portable on your USB drive, hard drive or download it directly from our homepage and use it on any computer.  Access your secure data without caring about limitations of the computer you are using

        This makes Boxcryptor ($48 a year, although there is a free version that allows access from 2 devices) an easy-to-use solution for encryption. Again, you may not need it and may prefer to just encrypt files on your computer before storing them in the cloud storage solution of your choice.

        How are you managing your cloud storage solutions?



        Protecting Against a Data Breach

        Every time I check my Twitter feed, I get a notice of a data breach occurring at a business or school district. That’s why it’s critical school leaders come up with a Safeguarding Sensitive Data Plan for their district. Below, you’ll find some of my efforts along with my colleagues’ efforts in developing a District plan. Your feedback is welcome!


        Some points to keep in mind:

        1. Avoid using the term “data breach” should your district experience one.
        2. If you become aware of a potential loss of sensitive confidential data, make sure you notify TASB so they can help you from the get-go (this should be like the first phone call you make after becoming aware of the problem).
        3. Put a policy in place (there are plenty online to choose from, and I’ve included one further below that’s adapted from other sources). Here’s one example.
        4. Provide professional learning to all staff. Here’s one possible approach.
        5. Remember, it’s not just digital…paper is important to protect, too.

        Overview

        A data security breach occurs any time there is unauthorized access to school district data, including FERPA and/or HIPAA data. Other terms you may encounter when referring to data breaches include a loss of “personally identifiable information,” as well as “personal health information.” Lost laptops and misplaced USB flash drives are the top two causes of data breaches in schools.

        The District is putting this policy in place for the following reasons:

        • Ensure that District’s staff and student print and digital information remains confidential and only those who should access that information, can
        • Prevent unauthorized individuals from changing staff’s and/or students’ sensitive information.
        • Verify that your information is available when you need it (by making encrypted, secure backup copies and, if appropriate, storing those secure, encrypted backup copies off-site)

        To accomplish this, you need to secure, not only physical copies of the data (e.g. print-outs in locked file cabinets) but also encrypt digital copies of that data.

        Defining Terms

        Confidential, Sensitive or Personally Identifiable Data

        The SCHOOL ISD is committed to protecting confidential, sensitive data. Personal Information means any information relating to an identified or identifiable person (employees and consumers) and includes, for example, a person’s name, physical address, phone number, e-mail address, social security number (SSN), credit card numbers, driver’s license numbers, passport numbers, date of birth, savings account, checking account, insurance policy or other health account or financial account number or information, and health or disability information.

        Personal Information includes employee background checks, including credit reports, and any records that are derived from this information. Additionally, Personal Information includes consumer credit reports and any records that are derived from this information that relate to an identified or identifiable consumer.

        Family Educational Rights and Privacy Act (FERPA)

        K-12 educators and support staff are largely unaware of the threats and vulnerabilities associated with the information systems they use.  For example, private student data can be stolen, lost, and/or exposed to the public. This threat is especially pertinent as educators and support staff are obligated to protect sensitive information such as Student Test Numbers under the Family Educational Rights and Privacy Act, or FERPA, which is one of the nation’s strongest privacy protection laws.  These individuals need opportunities to learn about the threats and countermeasures associated with information protection. (Source: Purdue University – Data Security in K-12)

        Protected Health Information (PHI) and/or HIPAA

        The SCHOOL ISD is committed to compliance with the health information privacy and security requirements set forth by federal law and the regulations of the U.S. Department of Health and Human Services. These requirements dictate that the privacy of personal or protected health information (PHI) received by or generated through certain District employee health plans be protected from improper use or disclosure.

        Protected health information generally includes personally identifiable health information that is maintained by or on behalf of a HIPAA-covered health plan, including information in writing, electronic medium, and oral communications.

        Protected health information does not include health information that is maintained by the district in its role as an employer (e.g., information maintained in relation to FMLA or worker’s compensation). The HIPAA security rule applies to personally identifiable health information that is in electronic form.

        Privacy and security safeguards will be implemented to ensure the confidentiality, integrity, and availability of protected health information created, received, maintained, or transmitted by the Plan, including information in electronic form, whether it is being stored or transmitted.

        Consequences of NOT Securing Data

        Data breaches leave people six times more likely to become victims of identity theft, according to a survey this year by Javelin Research. There can be various consequences to not securing data, such as the following:
        • Direct costs are incurred by the school district for having to notify individuals whose confidential data has been compromised, as well as notify credit agencies.
        • The cost of paying for credit protection for individuals affected.
        • The school district may suffer damage to reputation.
        • Staff may be disciplined or terminated depending on the severity of the data breach.

        Laptop theft facts that make encryption of confidential data important:
        • Statistics show that as many as one in ten laptops will be stolen or lost from an organization over the lifetime of each computer.
        • 86% of security practitioners report that someone in their organization has had a laptop lost or stolen.
        • 56% report that it resulted in a data breach.
        • Encryption of data stops cyber criminals from stealing data on laptops.

        Ninety-seven percent of stolen computers are NEVER recovered. That means that confidential data could be out there indefinitely, waiting like a time-bomb to explode until someone discovers it and then uses it. What could have been done differently in each of these cases (Appendix 4: Case Studies)? Encryption of the data being transmitted via email, or stored on a computer, USB flash drive or web site. Encrypting the confidential data is the single-most important step that could have been taken.

        Plan for Implementation

        The SCHOOL ISD Plan shall implement and maintain these policies and related procedures to manage the selection, development, implementation, and maintenance of security measures to protect sensitive data (both personally identifiable and health information) and manage the conduct of the District employees in relation to the protection of the protected health information as follows:
        1. Authorization. Only District employees designated by the Privacy and Security Official as requiring access to protected health information will be given such access.
        2. Training. District employees, including management, authorized to use and disclose protected health information will receive annual training, including privacy and security awareness. Initial training is required upon hiring, with annual refresher trainings.
        3. Response, Reporting, and Sanctions. Issues of non-compliance with this Policy or the Privacy and Security Rules must be reported promptly upon discovery to the Incident Response Team.
        4. Breach Notification. The Plans shall comply with the District’s breach notification policy.
        5. Physical Safeguards. Plan members’ protected health information shall be secured in a locked file cabinet used solely for the purpose of storing this information. Paper documents containing protected health information shall be shredded before being discarded. Electronic files containing protected health information, if any, shall be password protected. Unattended work stations and terminals will prevent unauthorized access to protected health information by closing files when not at the computer. A facsimile machine used to transmit and receive protected health information shall be in a secure location. Physical access to systems containing electronic protected health information shall be limited, as reasonable and appropriate, to individuals authorized to use those systems.
        6. Technical Safeguards. To the extent protected health information is maintained electronically, access to electronic information systems or software programs will be provided to only those persons who have been granted access rights.
        7. Minimum Necessary. When using, disclosing, or requesting PHI, the Plans shall take reasonable and appropriate steps to ensure that only the minimum amount of PHI necessary is used, disclosed, or requested, consistent with HIPAA’s minimum-necessary rule.
        8. Contracts with third party entities for storage of District’s data in the cloud.  This has been a hot topic at conferences.  There is specific contract language that should exist within contracts including, storage, security, disposal, etc.  This is what the Walsh Anderson advertisement was referring to.

        Incident Response Team

        • Designate someone who will lead the team but train everyone on what to do.

        Plan

        1. Gather thorough, extensive documentation of events leading up to and immediately following the discovery of the breach.
        2. Enable clear and immediate communication with everyone in the District about what happened, and how they should respond to any external inquiries.
        3. Facilitate immediate notification and activation of the designated response team, especially legal counsel, to determine whether law enforcement and/or other regulatory agencies need to be involved.
        4. Participate in identification of the cause of the breach and implementation of whatever steps are necessary to fix the problem.
        5. Manage development of messaging and deployment schedule for notifying those whose data was compromised, based on counsel from lawyers who will review state laws, compliance regulations, and other mandates affecting what the messaging must say and how soon notification must occur, as well as what compensation to affected victims should be provided.
        6. Notifying TASB should be the first step; we have data breach coverage, and they have worked with 3rd party vendors with respect to post-data breach protocol.

        Data Breach

        Prevention Checklist

      • District
        1. Communicate protocols for handling data to all stakeholders. This needs to include paper form, district owned devices, personal devices, and third-party contracts for data.  Challenge will be to identify all stakeholders and what data they currently work with and/or store.  Determine appropriate levels and types of training; implement training for new employees; develop refresher trainings annually for all employees.
        2. Monitor prevention measures on a timely basis.
        3. Establish an incident response team with clear expectations as to role to play.
        4. Conduct an inventory of sensitive data assets.
        5. Categorize data so that end-users know how to protect data.
        6. Implement a communication plan for all stakeholders, including partners.
        7. Heighten awareness of how critical it is to safeguard data.
        8. Maintain up to date firewall and content filtering system.
        9. Require safeguarding sensitive data for all staff in the Responsible Use Agreement.
        10. Provide web visitors/users with terms and conditions for the use of the school district’s web site, network and systems, prohibiting the collection of information through the use of bots and other types of hacking.
        11. Incorporate the District’s Vendor Access Policy into the vendor’s contract to lessen the school district’s risk of a data breach.
        12. All district hard drives and storage media will be wiped (e.g. DBAN) or destroyed as appropriate prior to being made available for auction or released to public and/or community.
      • Campus
        1. Practice steps–modeled via professional learning–to safeguard sensitive data consistently.
        2. Learn how to communicate effectively to District Incident Response Team with critical information about what data was lost, the source of the data, the media (e.g. USB, email with attachment, paper), number of individuals affected, etc.
        3. Establish processes for shredding paper and digital data while maintaining records retention policies when appropriate.
      • Individual
        1. Practice steps to safeguard sensitive data consistently (refer to list)
           1. Lock your workstation when you step away from it.
           2. Encrypt sensitive data that includes staff/student information.
           3. Lock confidential documents.
           4. Avoid opening sensitive data on personal mobile devices and/or removing them from a secure campus location.
        2. Engage in healthy data protection practices.
        3. Practice encryption of sensitive data, including emails and files.
        4. Maintain secure passwords and protect passwords using a “password-keeper.”
        Response Checklist

      • District
        1. Receive a report of an alleged data breach from an individual to District personnel (this could be from an employee or a vendor). Need to establish process and protocols for identifying and reporting different types of data breach.
        2. Establish chain of command reporting for staff to ISD.
        3. Establish chain of command for contracted services data breach reported to ISD.
        4. Conduct a forensic analysis of data breach to determine reportable incident.
           1. If data is unencrypted, law requires that a data breach be reported to the Incident Response Team, law enforcement, and affected individuals.
           2. If data is encrypted, no data breach occurred.
        5. Types of notice to affected individuals: Per a recent session at TASB, third-party vendors are able to assist with this process and the cost is included within the coverage type.
           1. Written notice to last known home address for the individual.
           2. Telephone notice.
           3. Email notice if a valid email address is available (e.g. staff).
           4. Substitute Notice. This involves conspicuous posting of data breach notice on the School District web site and notification to major media outlets.
      • Campus
        1. Practice steps to safeguard sensitive data consistently.
        2. Communicate effectively to District Incident Response Team should a breach occur.

        References

        EdTech, How Schools Can Mitigate Data Risk. Available online 07/22/2015 at http://www.edtechmagazine.com/k12/article/2014/10/how-schools-can-mitigate-data-risks

        DRAFT

        I. Introduction

        The SCHOOL ISD collects and works to safeguard sensitive data, such as personally identifiable information (PII), as well as data classified as Family Educational Rights and Privacy Act (FERPA) and/or Health Insurance Portability and Accountability Act (HIPAA) protected data. This can include data such as a person’s name, physical address, phone number, e-mail address, social security number (SSN), credit card numbers, driver’s license numbers, passport numbers, date of birth, savings account, checking account, insurance policy, health account, or financial account number or information, and health or disability information. Unauthorized access, use, or disclosure of sensitive data can seriously harm individuals by enabling the opportunity for identity theft, blackmail or embarrassment. The disclosure of sensitive data can also cause the SCHOOL ISD to suffer a reduction in public trust and can create a legal liability.


        Sensitive data collected and/or used should be considered protected data and must be protected when in digital format and/or print format. This policy covers students, employees and others on whom the SCHOOL ISD may have such information. The policy applies to all persons exposed to sensitive data, its storage mechanisms (how the information is stored, e.g. paper, electronic, other media) and modes of transmission.


        II. Purpose and Scope

        The purpose of this policy is to ensure (a) that employees understand the need to safeguard this information, and (b) that adequate procedures are in place to minimize the risk of improper disclosure of sensitive data. Access to sensitive data may only be granted to authorized individuals on a need-to-know basis. This policy seeks to ensure the security, confidentiality, and appropriate use of all sensitive data processed, stored, maintained, or transmitted on the SCHOOL ISD’s computer systems and networks. This includes protection from unauthorized modification, destruction, or disclosure, whether intentional or accidental.


        III. Policy

        1. The SCHOOL ISD supports the protection of individual privacy. As such, it will comply with all applicable laws that govern the collection, storage, transfer, use of, and access to sensitive data.
        2. The SCHOOL ISD shall strive to minimize collection of sensitive data to the least amount of information required to complete a particular transaction or to fulfill a particular purpose related to the academic or business needs of the institution. Employees should limit any request for sensitive data to the minimum necessary or appropriate to accomplish the District’s purpose for which it is requested.
        3. All sensitive data in the possession of the SCHOOL ISD is considered confidential unless:
           1. The data owner has authorized the release of information designated as “Directory Information” by the District; or
           2. The data owner has otherwise authorized its disclosure.
        4. The SCHOOL ISD requires that sensitive data–such as that listed below–must be stored and transferred in encrypted format when digital, and kept secure when in paper form.
        5. Consistent with applicable law and District policy, custodians of sensitive data shall take reasonable and appropriate steps to:
           1. limit access to and further use of or transfer of such information
           2. ensure that the information is maintained in a form and manner that is appropriately secure in light of the nature and sensitivity of the information.
      • How to Protect Sensitive Data
        1. Electronic Storage and Disposal
        1. Do not store sensitive data on a portable, mobile device (e.g. USB drive, CD, laptop) in unencrypted format.
        2. Do not store sensitive data in public files accessible via the Internet (e.g. Dropbox, non-District GoogleDrive).
        3. Do not download sensitive data from District databases (e.g. Eduphoria, Data Dashboard) unless legally required or for standard district practice.
        4. Do not transmit sensitive data to external parties via email or the Internet unless the connection is secure and/or the information encrypted. (Refer to http://tinyurl.com/ecbesafe for help on how to encrypt/decrypt information.)
        5. Safely wipe (a.k.a. “digital shredding”) storage media when disposing of equipment.
        6. Contracts with third party entities for storage of District’s data in the cloud will be signed to ensure protected storage, security, and disposal of data in alignment with District policy. The District will require the vendor to detail in the contract how data is securely stored, who has access and use of the data, as well as how data is transferred or shared among users internal to the third party and/or other authorized users. Third party entities will also be expected to detail how data will be destroyed at the end of the contract term and a copy returned to the District.
      • Physical Storage and Disposal
        1. Do not publicly display sensitive data or leave sensitive data unattended, even on your desk or on the desk of a co-worker.
        2. Do not take sensitive data home.
        3. Do not discard sensitive data in the trash. Shred sensitive data when it is no longer needed.
      • Security
        1. Lock your computer when unattended.
        2. Lock offices, desks, and files that contain sensitive data when unattended.
        3. Eliminate the use of forms that ask for sensitive data whenever possible.
        4. Password-protect all accounts with access to sensitive data.
        5. Do not share passwords and do not document passwords.
      • Legal Disclosure Requirements
        1. Do not share sensitive data with anyone unless required by law, specific job responsibilities, or business requirements. Be prepared to say “no” when asked to provide that type of information.
        2. Do not communicate sensitive data designated by the Family Educational Rights and Privacy Act (FERPA).
        3. Notify your supervisor immediately if you suspect sensitive data may have been compromised. The Texas Association of School Boards (TASB) will be notified of any situations in which sensitive data is compromised, and apprised of the details of that situation.
      • Laws and Regulations relating to Sensitive Data
        1. FERPA — Family Educational Rights and Privacy Act. Limits the disclosure of “education records” defined as those records that are: (a) directly related to a student, and, (b) maintained by or on behalf of the District.
        1. A record is “directly related” to a student if it is “personally identifiable” to the student.
        2. A record is “personally identifiable” to a student if it expressly identifies the student by name, address, birth date, social security number, ID number, or other such common identifier.
        3. Examples of “education records” include registration records, transcripts, papers, exams, individual class schedules, financial aid records, disability accommodation records, individualized education plans, and placement records.
      • HIPAA — Health Insurance Portability and Accountability Act. Imposes privacy and security standards addressing the use, disclosure, storage and transfer of “protected health information.”
        1. “Protected health information (PHI)” means “individually identifiable health information,” which is any information that identifies an individual and relates to the individual’s past, present, or future physical or mental health or condition.
        2. Examples of information that should be treated as “protected health information” at the District include employee benefit information, worker’s compensation claim information, student health services information, and student counseling information.
      • GLB — Gramm-Leach-Bliley Act. Requires implementation of a written information security program for “customer information.”
        1. “Customer information” means any record containing “nonpublic personal information” handled or maintained by or on behalf of the institution about a customer of that institution.
        2. Examples of “customer information” at the District include financial records of employees, students and/or their parents (such as cashier’s accounts, or information related to financial aid), and donors.
      • PCI-DSS — Payment Card Industry Data Security Standards. Requires implementation of security standards surrounding the authorization, processing, storage, and transmission of credit card data. The security standards apply to electronic and paper credit card data. Credit card data is defined as the first six and/or the last four digits of any credit card provided by a customer to conduct business. If all digits of a credit card are used, then name, card expiration date, and source code are considered credit card data and must be protected.
      • Texas Identity Theft Enforcement and Protection Act. Requires implementation and maintenance of reasonable procedures to protect information collected or maintained in the regular course of business from unlawful use or disclosure, including personal identifying information and sensitive personal information.

        IV. Disciplinary Action

        Violation of this policy may result in disciplinary action, up to and including termination of employment pursuant to the District’s Employee Handbook and Responsible Use Agreement.


        V. Review and Responsibilities


        Responsible Party: Assistant Superintendent of Finance


        Review: Every 2 years, on or before September 1


        VI. Approval


        _________________________________________________
        Superintendent of Schools


        _________________________________________________
        Effective Date

        Adapted from the Texas Southern University Personally Identifiable Information Policy 04.06.28. Available online at http://tinyurl.com/qyb3xww 10/15/2015


        9 Simple Steps for Safeguarding Sensitive Data


        As SCHOOL ISD employees, we are all afforded access to a variety of confidential or sensitive data. This data, which may include personally identifiable information, pertains to students, parents, and/or employees. Below, please find a list of steps you can take to model responsible data practices in line with our Responsible Use Agreement and District Policy.


        CONVERSATION
        1. Avoid discussing sensitive data in the presence of unauthorized personnel. If they are not authorized to view sensitive data, then they are not authorized to hear about it either.


        PAPER DOCUMENTS
        2. Avoid sharing sensitive documents with unauthorized individuals. This includes allowing others to view documents as well as giving them copies of documents.


        3. Store sensitive documents in a lockable file cabinet or drawer.


        4. Shred documents before disposal.


        DIGITAL
        5. Don’t allow others to view your computer programs unless you are present to monitor activity and operate the technology. Also, be sensitive to prevent unauthorized viewing of confidential data or misuse of data while another is viewing content, even when you are present.


        6. When away from your desk area, lock your computer. This will keep unauthorized personnel from accessing and using your computer.


        7. Avoid saving sensitive data in unencrypted format directly to your computer. This includes places such as your Desktop, MyDocuments, or your hard drive. If your computer/laptop/tablet is stolen, any sensitive data stored there will be accessible by the thief and anyone else who touches that device. Also, do not save sensitive data in unencrypted format to external storage devices such as thumb drives, CDs, and “cloud storage.” 

        Get encryption software appropriate for your device

        • File Encryption?
          • Mac/Windows/Linux computer?
          • Chromebook or use Google Chrome?
            • Try Minilock for individual file encryption
          • Android device?
        • Text/Email Encryption?
          • iOS/iPhone/iPad device?
          • Any device?

                            You may also want to get a copy of File Shredder for Windows to securely delete information from your Windows computer.


                            PASSWORDS
                            8. Avoid sharing your passwords. In fact, it is a direct violation of district policy to share your password with other staff. If an issue arises, contact the EC Technology Operations Office for assistance at 210-649-2343.


                            9. Avoid storing your passwords in an unencrypted text file or cloud storage (e.g. GoogleDoc). Instead, take advantage of a “password locker” type program. More information on developing and securely storing your passwords is available online at http://tinyurl.com/safeguardpasswords

                            Everything posted on Miguel Guhlin’s blogs/wikis are his personal opinion and do not necessarily represent the views of his employer(s) or its clients. Read Full Disclosure

                            KeePass Password Storage–Hacked! #keefarce #encryption #privacy

                            Oh no! My favorite password keeper is now vulnerable! I should have known it couldn’t last:

                            If you are a KeePass user like me, then beware. denandz just posted a tool in github that can break your KeePass password safe. . .this tool is named KeeFarce. It allows extraction of KeePass 2.x password database information from memory. The cleartext information, including usernames, passwords, notes and url’s are dumped into a CSV file in %AppData% 

                            Tools like KeeFarce remind us that password managers could represent a single point of failure that could be exploited with severe repercussion by hackers.
                            Source: BlackMoreApps 

                            Fortunately, this appears to only affect Windows users, not GNU/Linux or Mac users. Thank goodness. In the meantime, you may want to encrypt your KeePass password file with something like Secure Space Encryptor (SSE), AEScrypt, or MiniLock for added protection.

                            • Mac/Windows/Linux computer?
                            • Chromebook or use Google Chrome?
                              • Try Minilock for individual file encryption

