Pete Jansson wrote:
> On Tue, Dec 1, 2009 at 3:00 PM, Mark McCullough wrote:
>
>> Or do you require encryption of all such potentially removable media (tapes, removable disks, etc.)?
>>
> [poof]
>
>> For purposes of discussion, please ignore data governed by external certifications or audits (e.g. credit card numbers). This is dealing with data that is suitable to live unencrypted on internal disk but is being backed up on some media that will be removed from the server potentially, usually as a part of a rotation to a vaulting process.
>>
>
> The risk is that the removable media will be lost, either en route to/from the vault, or while in the custody of the vault.
>
> A few years ago, the Office of the Comptroller of the Currency made Citi stop doing acquisitions until it improved security, in part because of some security incidents, including the loss of unencrypted backup tapes.
>
> HITECH, the new HIPAA revisions that were passed as part of ARRA earlier this year, say that a covered entity suffering a data breach involving more than 500 individuals, in addition to notifying the individuals and the secretary of HHS, must notify "prominent media outlets." Data breach notification requirements do not apply to data encrypted to the specifications in the act (referencing some NIST specs -- see 45 CFR part 164 for the "HITECH Interim Final Rule"), so encryption (done right) is pretty much a get-out-of-jail-free card for notification requirements.
>
> So, you have a risk and a potential impact. If your organization isn't subject to such regulation today, it may be in the near future, because, as a society, we're getting more aware and panicked about data breaches (not yet starting to worry about whether having those big piles of data is a good idea to begin with).
Actually, we are being told campus wide that we have to identify systems possessing sensitive data, and it is better, if possible, not to have such systems. In other words, don't store sensitive data. Some departments have to, like comptroller, registrar and health services. Others can avoid a lot of what has been historically done.

Oh, and old backup tapes that might have stuff on them? Or that you don't know what is on them? Shred them. Keep only what you know and need.

This is sort of separate from research data. Some federal agencies have requirements for maintaining backups of research data. A researcher probably wants to keep all their original data for their entire career. But that's not sensitive in the same sense that personal data is.

Unless you are a climate researcher that is. ;-)

I actually have a prominent researcher down the hall 2 doors from me whose name appears probably numerous times in the recent blob of mail and data that was hacked from The University of East Anglia’s Climatic Research Unit. He was a co-author on the United Nations report, and, before the last election, the Republicans in Congress were hammering him with subpoenas to document his data and research. They basically shut down his research, because he didn't have the staff to handle all this.

Shit. Just as I was writing this, I got hit with a public records request related to all that. Outfall from the hacking. Does the UK have public records laws? Why wouldn't the hackers just go at it that way? I know. They're hackers.

Anyway, that's politically sensitive data which is a totally different thing.
--
---------------
Chris Hoogendyk

   -   O__  ---- Systems Administrator
      c/ /'_ --- Biology & Geology Departments
     (*) \(*) -- 140 Morrill Science Center
   ~~~~~~~~~~ - University of Massachusetts, Amherst

<[email protected]>

---------------
Erdös 4

_______________________________________________
Tech mailing list
[email protected]
http://lopsa.org/cgi-bin/mailman/listinfo/tech
This list provided by the League of Professional System Administrators
http://lopsa.org/
