EXAMPLES OF SECURITY BREACHES AND CORRESPONDING RECOMMENDED PRACTICES
Theft or loss: Computers and laptops, portable electronic devices, electronic media, paper files. Example: The Security Breach That Started It All.
Recommended practices:
- Ensure proper physical security of electronic and physical sensitive data wherever it lives.
- Laptops should be secured at all times. Keep it with you or lock it up securely before you step away, and make sure it is locked to or in something permanent. Use extra security measures for portable devices (including laptop computers) and portable electronic media containing sensitive or critical info.
- Securely delete personally identifiable information (PII) and other sensitive data when it is no longer needed for business purposes. Minimizing the amount of sensitive data stored reduces risk in the case of theft. For information on how to securely delete files, see the instructions for PC/Mac or email.
- Report suspected theft of UCSC-related computing equipment to the UCSC Police Department. Be sure to let them know if the stolen equipment contains any sensitive information. Local authorities should also be contacted if the incident occurs away from campus.
Insecure storage or transmission of PII and other sensitive information: Examples
Password hacked or revealed: This can lead to compromised data, compromised systems, and people using your accounts without your knowledge.
Missing "patches" and updates: Hackers can take advantage of vulnerabilities in operating systems (OS) and applications if they are not properly patched or updated. This puts all of the data on those systems and other connected systems at risk.
Recommended practice: Make sure all systems connected to the network/Internet have all necessary operating system (OS) and application security "patches" and updates.
Computer infected with a virus or other malware: Computers that are not protected with anti-malware software are vulnerable. Out-of-date anti-malware may not detect known malware, leaving your computer vulnerable to infection.
Improperly configured or risky software: This can open your computer up to attackers.
Insecure disposal & re-use: Examples
Contractor computer compromised: Examples
Development server compromised: People sometimes think that "test" and "development" systems don't need to be as secure as "live" or "production" systems. This is a myth. If real data is used, it needs to be protected based on its level of sensitivity, regardless of what kind of system it is in. Otherwise, it's an easy invitation for hackers.
Recommended practice: Don't use actual sensitive data in test or development systems, or for training purposes. If actual data is used, security for the system, test results (including screenshots), log files containing personal data, etc., must be equal to a comparable production system or data, including access controls.
Application vulnerabilities and mis-configuration: UC examples; examples from other educational institutions
DEFINITIONS
Personally identifiable information (PII)
Personally identifiable information (PII) is unencrypted computerized information that includes an individual’s first name or initial, and last name, in combination with any one or more of the following:
- Social Security number (SSN),
- Driver's license number or State-issued Identification Card number,
- Account number*, credit card number, or debit card number in combination with any required security code, access code, or password such as expiration date or mother’s maiden name that could permit access to an individual’s financial account,
- Medical information, including any information regarding an individual’s medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional,
- Health insurance information, including an individual’s health insurance policy number or subscriber identification number, any unique identifier used by a health insurer to identify the individual, or any information in an individual’s application and claims history, including any appeals records.
* “Account number” is not defined in the legislation but can refer to any financial account such as a bank or brokerage account, etc.
P3-P4 Data
P3-P4 data is used to describe information with some level of sensitivity. At the University of California, the sensitivity of data is categorized using the Protection Level and Availability Level scales.
CONTACT INFORMATION
For questions or additional information about any of the above recommended practices, personally identifiable information (PII), sensitive data, or security awareness education at UCSC, please contact the ITS Support Center:
To report a computer security incident:
- Report any suspected compromise (hacking, unauthorized access, etc.) of computing systems or data to your supervisor and the ITS Support Center (contact info above).
- Report lost or missing University computing equipment to your supervisor and the Campus Police - and to the local authorities if the incident occurred away from campus.
Additional information about protecting PII and other sensitive data:
- Practices for Protecting Electronic P3-P4 Data
- The ITS Security web site
For comprehensive chronicles of publicly-reported data security breaches, see:
- PrivacyRights Clearinghouse’s Chronology of Data Breaches