FFY2010
August 12 & 13, 2009
St. Cloud, Minnesota
Holiday Inn
EAP Annual Training
Section 2.0 Risk Management
Includes Risk Assessment, Risk Mitigation (Dup Check), Data Practices, Debtor Exemption Claim Notice and Security

2. Risk Management
Involves identifying priority activities within the organization for risk assessment by considering areas that materially impact the financial position and results of operations (e.g., assets, liabilities, revenues, expenses or expenditures account balances that are material in dollar amount)
Risk Management

Risk Management Introduction
Major part of ICF
Local, regional and natural disaster and technical failure planning are only a part of risk management
Focus is on managing the risk of improper use of public funds
This year the concept was introduced into the Local Plans
• Looking for a single, not a homerun this year
• Build on this each year

What is Risk Management?
Lessening adverse impact if a risk event occurs is the heart of good risk management
Assuring events do not result in disaster
It is geared towards potential events that may occur when things are different from planned, sometimes called omissions and errors
Above & Beyond Program Design:
Core EAP design addresses risk with controls policies, technical support (eHEAT), segregation of duties & monitoring services and financial activities. EAP has controls to reduce the possibility of the actions of an individual creating incident, error or fraud.
Service Providers create detailed plans for their activities to assure, among other things, segregation of duty & back up plans if loss of staff.

Risk Management
Risk management involves:
• Determining
• Assessing
• Planning
• Monitoring
• Mitigating

EAP Role In Risk Management
General Expectations
• Acknowledge your responsibility to design, implement & maintain the control structure
• Contribute direction to identify, prioritize and review risks and controls
• Remove obstacles for compliance; remedy control deficiencies
• Conduct self-assessment & testing to monitor the controls within your processes
• Routinely (Quarterly):
  • confirm key controls are implemented and effective
  • maintain documentation to support this assessment
Immediate Action Items
• Educate your personnel about this effort
• Reinforce internal focus on controls within your area
• Surface any risks, concerns or issues promptly to allow adequate attention for correction
• Fix control gaps as soon as possible

Risk Considerations
Evaluate the nature & types of errors & omissions that could occur, i.e., “what can go wrong”
Consider significant risks (errors and omissions) that are common in the industry or have been experienced in prior years (ex.: Mich, Penn)
Information Technology risks (i.e., access, backups, security, data integrity, non-segregation of duties)
Areas where segregation of duties would reduce risk
Volume, size, complexity and homogeneity of the individual transactions processed through a given account or group of accounts (revenue, receivables)
Susceptibility to error or omission as well as manipulation or loss
Robustness versus subjectiveness of the processes for determining significant estimates
Extent of change in the business and its expected effect
Other risks extending beyond potential material errors or omissions in the financial statements

Risk Considerations
Consider a railroad crossing and developing appropriate controls
A rural road with little traffic & slow train, a sign
A busier road & train is faster, add lights & crossing sign at tracks
Very busy, train is flying and school buses cross, crossing gates

Risk Management Mechanics
The risk assessment tool reduces risk when used to identify, assess, plan for & maintain routine monitoring of risk areas

Risk Management Mechanics
Matrix columns: Uncertainty Item, Result of Occurrence, Probability of Occurrence, Severity of Impact, Response, Indicators
What
Geared towards events that may occur when things are different from planned, sometimes called omissions and errors.
Drive around gates
Narrative of the outcomes if the event occurs
Calculate damage
School bus is very sad & bad publicity
Designate likelihood of event and, if helpful, a description of why the probability was selected
People in this county go around
Designate a level of impact if the event occurred. If applicable, a description of why the probability was selected.
Slow train, low impact injury
Describes what to do when you find out
On rural road the injuries might be measured by EMT response time. Maybe different preparedness for different users. (Bus & tanker rules)
Describes how the event becomes known
How
1. Brainstorm with staff
2. Reduce list
3. Assess using this matrix. This is iterative, so change or eliminate as you learn
4. Review periodically
Describe what happens. Be as complete as possible. This helps to determine severity, response and indicator
Can use rating of High, Medium and Low with narrative prose.
Can use rating of High, Medium and Low with narrative prose.
Key response off Result, Probability & Impact. Depending on combinations, responses include:
1. Prevent
2. Check Routinely
3. Response Plan
ID ways event is discovered & develop ways to monitor for if weaknesses are discovered. Enact these measures

Item Example
Uncertainty Item
Matrix Cell
Direct Payments to household. Direct payments remove a check point from normal EAP controls by removing vendor registration and vendor cross checks. Could include an application processor fabricating households. If combined with falsifying households for application, multiple direct payments could be generated
Considerations
Programmatic controls place limits, but risk still exists.
Risk management looks at the items beyond the limits.
EAP accepts limited risks, but this assures due diligence is done for the omissions.
Program Controls
EAP pays energy vendor. DOF, DOC & eHEAT registration. Vendors and households get notification.
Policy: Households may receive direct payments when payment to vendors is difficult.
1. Self cut wood receive amount remaining after benefit is distributed
2. Households with electric and heat included in the rent.
3. Households with heat included in rent, and only exceeds their electric costs
4. Households whose vendors refused to sign the vendor agreement.
5. Households unable to secure a vendor.

Item Example
Result of Occurrence
Matrix Cell
• Household receives one or more cash benefits
• Benefit is used for non-intended purposes or misused by household
• Very bad publicity for program affects services to others in need, when 5 Eye Witness News reports people cashing it at local bar
• Multiple direct payments by one person would result in services not available for other households in need
Considerations
Thinking of results is also constrained by the program rules

Item Example
Probability of Occurrence
Matrix Cell
Low to Medium
For a single household: Medium
For conspiracy with an Application processor: Low
Considerations
Conspiracy reduces the probability, but this must be considered with the ease, the payback and the penalty:
- A higher payback makes it more worth the risk
- Conspiracy makes it complicated to keep secret
In this example
For the household:
- The penalty is low
- The payback is medium considering penalty
For the Application processor:
- Penalties are high (Job)
- Payback is higher

Item Example
Severity of Impact
Matrix Cell
• Low to Medium
• For a single household: Low
• For conspiracy with an Application processor: high
Considerations
Low because of limits on benefit amounts unless multiple

Item Example
Response
Matrix Cell
• Require accounts whenever possible
• Recover funds when it occurs
• File Incident Report
• Investigate incident and escalate appropriately (Error and Fraud)
• Terminate staff if involved
Considerations
Plan for the response and educate people

Item Example
Indicators
Matrix Cell
• Report from concerned citizen
• Pattern of direct payments to similar addresses, names etc. (Data analysis)
• An inordinate amount of direct payments for an SP without socioeconomic reason (eHEAT data)
• Inordinate number of direct payments from a particular Application Processor (Files and eHEAT)
Considerations
The first bullet is a common way to hear about this, but developing ways to monitor is the maturation of risk management

Risk Management Example
Uncertainty Item
Direct Payments to household. Direct payments remove a check point from normal EAP controls by taking vendor registration and vendor cross checks. Could include an application processor fabricating households. If combined with falsifying households for application, multiple direct payments could be generated.
Result of Occurrence
• Household receives one or more cash benefits
• Benefit is used for non-intended purposes or misused by household
• Very bad publicity for program affects services to others in need, when 5 Eye Witness News reports people cashing it at local bar
• Multiple direct payments by one person would result in services not available for other households in need
Probability of Occurrence
Low to Medium
For a single household: Medium
For conspiracy with an Application processor: high, but conspiracy requires more risk of secrecy and penalty
Severity of Impact
Low to medium
For a single household: Low
For conspiracy with an Application processor: high, especially if multiple households
Response
Limit occurrences of direct payments by having system distribute to next available vendor.
For risk areas:
• Require accounts whenever possible
• Recover funds when it occurs
• File Incident Report
• Investigate incident and escalate appropriately (Error and Fraud)
• Terminate staff if involved
Indicators
• Report from concerned citizen
• Pattern of direct payments to similar addresses, names etc. (Data analysis)
• An inordinate amount of direct payments for an SP without socioeconomic reason (eHEAT data)
• Inordinate number of direct payments from a particular Application Processor (Files and eHEAT)

Risk Management and EAP
The Local Plan requires risk assessment. The State has started to conduct formal risk assessment
State & Service Providers identify risk and use program specific knowledge to do diligent planning, monitoring and actions for these risks.
The State will continue to develop risk management requirements and practices. Examples include: Duplication Checks and other queries
The FFY2010 Local Plan is a first step of formalizing the SP process
SP should design practices to improve it
DOC will support the development of competency in this area
DOC will conduct risk management activities

Dup Check
Dup Check is not a Russian hockey player
Dup Check is not a quality control effort
Dup Check is a risk mitigation activity
EAP must do due diligence on risk areas to assure responsible management of public funds

Why Dup Check on Vendor Accounts?
Payments to vendor accounts are the main way money flows
Using it as a key, there are cross checks with other data:
HH_NBR FIRST_NM LAST_NM SSN DOB CUST_ACCT_NM VNDR_NM HOUSE_NBR STREET APT_NBR CUST_ACCT_NBR
111111 CAROL NUMBERSWITCH 717449103 16-Feb-51 CAROL NUMBERSWITCH CPE 3828 LIAR AVE S <null> 1111111
888888 CAROL NUMBERSWITCH 414779103 16-Feb-51 CAROL NUMBERSWITCH S CPE 3828 LIAR AVE <null> 1111111
222222 SPACEY EL ROY 472111111 03-Jul-58 SPACEY ELROY CPE 1410 GERRYRIG AVE 2 2222222
999999 TOUHY SHAM ELROY 475222222 06-Dec-82 SPACEY EL ROY CPE 1410 GERRYRIG AVE 1 2222222
333333 WANDA TRICKYBERGER 472111111 24-Oct-68 ERNEST TRICKYBURGER CPE 4208 12TH AV S <null> 3333333
666666 WANDA TRICKYBERGER 475222222 24-Oct-68 WANDA TRICKYBERGER CPE 4208 12TH AVE S <null> 3333333
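The cross check described on this slide, as an added example (not DOC's or eHEAT's own query): group applications by vendor and customer account number, then compare the households in each group on name, date of birth, SSN and unit, and separately list SSNs that appear under more than one household. The function names and flag labels are hypothetical, and the first/last name split of the sample rows is an assumption where the slide text runs names together.

```python
from collections import defaultdict
from itertools import combinations

COLUMNS = ("HH_NBR", "FIRST_NM", "LAST_NM", "SSN", "DOB",
           "VNDR_NM", "APT_NBR", "CUST_ACCT_NBR")

# Fictional sample rows taken from the slide's table; None stands for <null>.
# The first/last name split is an assumption where the slide is ambiguous.
ROWS = [dict(zip(COLUMNS, r)) for r in (
    ("111111", "CAROL", "NUMBERSWITCH", "717449103", "16-Feb-51", "CPE", None, "1111111"),
    ("888888", "CAROL", "NUMBERSWITCH", "414779103", "16-Feb-51", "CPE", None, "1111111"),
    ("222222", "SPACEY", "EL ROY", "472111111", "03-Jul-58", "CPE", "2", "2222222"),
    ("999999", "TOUHY", "SHAM ELROY", "475222222", "06-Dec-82", "CPE", "1", "2222222"),
    ("333333", "WANDA", "TRICKYBERGER", "472111111", "24-Oct-68", "CPE", None, "3333333"),
    ("666666", "WANDA", "TRICKYBERGER", "475222222", "24-Oct-68", "CPE", None, "3333333"),
)]


def pair_flags(a, b):
    """Compare two applications that share a vendor account (hypothetical flags)."""
    flags = set()
    same_person = (a["FIRST_NM"], a["LAST_NM"], a["DOB"]) == \
                  (b["FIRST_NM"], b["LAST_NM"], b["DOB"])
    if same_person:
        # SSN is optional on the application, so only compare when both exist.
        if a["SSN"] and b["SSN"] and a["SSN"] != b["SSN"]:
            flags.add("SAME_NAME_DOB_DIFFERENT_SSN")
            # Same digits in a different order suggests a transposed SSN.
            if sorted(a["SSN"]) == sorted(b["SSN"]):
                flags.add("SSN_DIGITS_REARRANGED")
        else:
            flags.add("SAME_PERSON_TWO_APPLICATIONS")
    else:
        flags.add("DIFFERENT_PEOPLE_SAME_ACCOUNT")
        # Different unit numbers may be the valid "one landlord account" case.
        if a["APT_NBR"] and b["APT_NBR"] and a["APT_NBR"] != b["APT_NBR"]:
            flags.add("DIFFERENT_UNITS")
    return flags


def dup_check(rows):
    """Return {(vendor, account): {"households": [...], "flags": [...]}}
    for every vendor account used by more than one household."""
    by_account = defaultdict(list)
    for row in rows:
        by_account[(row["VNDR_NM"], row["CUST_ACCT_NBR"])].append(row)

    findings = {}
    for key, group in by_account.items():
        households = sorted({r["HH_NBR"] for r in group})
        if len(households) < 2:
            continue  # account used by a single household: nothing to review
        flags = set()
        for a, b in combinations(group, 2):
            if a["HH_NBR"] != b["HH_NBR"]:
                flags |= pair_flags(a, b)
        findings[key] = {"households": households, "flags": sorted(flags)}
    return findings


def ssn_reuse(rows):
    """Return {ssn: [household numbers]} for SSNs given by more than one household."""
    by_ssn = defaultdict(set)
    for row in rows:
        if row["SSN"]:  # skip applications that left the optional SSN blank
            by_ssn[row["SSN"]].add(row["HH_NBR"])
    return {ssn: sorted(hh) for ssn, hh in by_ssn.items() if len(hh) > 1}


if __name__ == "__main__":
    for (vendor, account), finding in dup_check(ROWS).items():
        print(vendor, account, finding["households"], finding["flags"])
    for ssn, households in ssn_reuse(ROWS).items():
        print("SSN ending", ssn[-4:], "used by households", households)
```

A match is only a prompt for review: the flags separate the cases the procedure treats differently (a likely valid multi-unit account versus the same person applying under two SSNs), and the reason still has to be validated against the application file.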

Dup Check Procedure for FFY2010
Overview
DOC will periodically produce a matching account numbers list (Early & often to keep effort sizable).
SP will receive a secure email with their list.
SP investigates by performing the following processes:
1. Analyze & validate reason match is correct
2. Escalate as needed (Detail in the following slides)
3. Take appropriate corrective action
4. Document results and report

Dup Check Procedure for FFY2010
Step 1: Validate the Reason for Match Is Correct
If you know a valid reason for duplication, enter the reason for the duplicate vendor account number on the spreadsheet
Look at paper application and file. Determine probable reason and escalate appropriately.
Ask household(s) to explain if appropriate occurrences and record finding in list
Examples: One household moved out and now rents the house to a relative who applied for EAP. Building has multiple units with one landlord account.

Dup Check Procedure for FFY2010
Step 2: Duplicate Application Error
Take corrective action including recalling funds
Close duplicate applications
Record an explanation of your determination on the spreadsheet

Dup Check Procedure for FFY2010
Step 3: Duplicate Application – Fraud Suspected
Review previous years and review all the information provided
Take corrective action including recalling funds
Submit an incident report
Close duplicate applications
Record an explanation on the spreadsheet
Investigate fraud, report to officials and follow EAP Policy Manual Chapter 17

Dup Check Procedure for FFY2010
Step 4: Return list with validation or actions to DOC
The completed list (Excel spreadsheet) with explanations is due at [email protected]
A deadline will be prescribed. DOC tracks compliance.
Delete the household’s private data (name, SSN, address, vendor account name) before returning the spreadsheet.
Contact your EAP field representative if you have any questions.

Dup Check Procedure for FFY2010
Best & Other Practice
Applications with the same vendor for Heat & Electric should list the vendor once, choose heat and electric as vendor type. Less likely to get false positives for risk and best for application processing.
Need to report issues and non issues. As a program we need to assure we have done due diligence to protect the integrity of the program
Late report will result if you don’t respond to request

Data Practices in the EAP Manual
Chapter 19. DATA PRACTICES AND RECORDS p. 120

Chapter 19. DATA PRACTICES AND RECORDS
Data Practices Policies and Procedures, Private Data
• Who has access
• Who does not
• Must be released to the individual or to a 3rd party with consent
Social Security Number for EAP Applications
• Optional

Chapter 19. DATA PRACTICES AND RECORDS
Application Documentation, p. 122
• Where and how to save application documentation
Security Of Records, p. 123
• List of requirements to secure records
Records Accessibility, p. 124
• What it means to have access to records
• Reasons for maintaining access to records
Record Retention Requirements, p. 124
• Records to retain

Informed Consent For Release Of Information
Informed consent is needed when the information will be given or sent to a third party.
• Example: Garnishment information requests often go to an attorney
“Informed consent” are key words that need to be taken at face value
• The statute is very specific about what must be included in an informed request

Data Practices Focus
Develop a good working relationship with the data practices contact in your agency, if there is one
Plan – Have a written policy
• Who will have authority to see private data
• Who will have authority to release private data
• How your agency will maintain data security in all situations
• How you will request private data and document the request
• How you will maintain documentation of requests for private data
• How you will train staff on data privacy requirements
Use centralized authority in the agency, if any
Centralize authority in EAP, if possible

Plan - Local Procedures Needed
To request information allowed by the application consent so the request is done in a consistent manner and so each request is documented
Best practice is for the local procedures to use a form for requesting information by letter or e-mail and a format for documenting a request by telephone

Minnesota Department of Administration Information Policy Analysis Division – IPAD
The State authority on Data Practices
If you have questions about information policy laws, including Minnesota’s Data Practices Act and the Open Meeting Law, you’re at the right place. Look over the resources on this website or give us a call. (Copied from IPAD website)
http://www.ipad.state.mn.us

New Technology – New Data Practices
Laptop Security
Imaging Equipment
• Data access
• Data storage
• Data retrieval and back-up
• Best Practice – Before destroying paper documents
  – Make sure it all works
  – Every imaged document is accessible and as readable
  – No problems exist regarding record retention

Electronic Records Management Guidelines
Recommended by IPAD
• Minnesota Historical Society
  http://www.mnhs.org/index.htm - home page
  http://www.mnhs.org/preserve/records/electronicrecords/erintro.html
Imaging/scanning and storage of household files
• Which Minnesota laws apply to electronic records?
• How do we use electronic records to help ensure public accountability while ensuring that not-public records are protected?
• Who is responsible for developing our electronic records management strategy?
• How do we dispose of electronic records?
• Should we manage our electronic records differently from our paper records?
• How do we know what information is an electronic record?
• Is an electronic copy of a record an acceptable substitute for the original?
• Does an electronic record have the same legal significance as a paper record?

eHEAT Security and Agreements
Levels of authority
• State Data Base Administrator
• Local (or vendor) eHEAT Administrators
  – Administrative Change Process, Chapter 3, p. 16
• Local (or vendor) users
Agreements—Annual
• See EAP Tools on website www.energy.mn.gov

Summary of Data Practices
Staff should know:
• What private data is and how it relates to EAP
• What data they can reveal and what they need to do to assure they aren’t violating data privacy
• How to document information they have revealed
Staff with authority to release private data should know:
• All of the above
• The SP-approved processes for following up on data requests
Agency management should:
• Support the data practices activities with knowledge and practical resources

Debtors Exemption Claims (Issue)
Collection Firms are asking for information beyond what the manual states that we have to tell them
They are saying that unless we tell them when payments were made, they will not honor the garnishment exemption (sometimes people lie)
We need a universal form that gives only the information that they need

Debtor’s Exemptions Claims (Solution)
You don’t need to be experts in the law but you do need to know and understand it
There were changes made to the law for 2009
Garnishment firms need to be told EAP rules and timelines by you; You are the EAP expert!

Debtors Exemption Claims
Many of you may have already seen these requests
A household is being pursued to pay a debt by a third party collection agent that may or may not be an attorney
The collection agents use tools like garnishment of wages and levies aka “Freezing” of the bank accounts
The law provides certain protections of some or all of their money in certain situations, for certain people
The form used to claim these protections is called an “Exemption Notice”

Debtors Exemption Claims
Some or all of their money is protected if:
• The source of the money is Government benefits such as Social Security benefits; Unemployment benefits; Workers' compensation; or Veterans benefits
• They currently receive other assistance based on need
• They have received government benefits in the last six months
• They were in jail or prison in the last six months
Some or all of their earnings (wages) are protected if:
• They get government benefits (see list of government benefits)
• They currently receive other assistance based on need
• They have received government benefits in the last six months
• They were in jail or prison in the last six months

Debtor’s Exemptions Claims Law
The legislation, which will become effective on Aug. 1, 2009, updates the exemption process and makes technical changes to the current law
The legislation modifies legal requirements regarding levies and garnishments and expedites the process for both the creditor and debtor and makes the following revisions to the current garnishment law:
• Modifies the process;
• Updates forms;
• Creates a new notice of intent to garnish;
• Alters the exemption form and creditor’s exemption form; and
• Adjusts timing requirements.
It does not change the intent of existing law or impact current or future case law (quote from the new law)

Debtors Exemption Claim Laws
Website: MN Office of the Revisor of Statutes
• Index of the laws relating to Fuel Assistance in MN
  https://www.revisor.leg.state.mn.us/statutes/?topic=202092
• Address of the website with the new law
  https://www.revisor.leg.state.mn.us/laws/?id=31&doctype=chapter&year=2009&type=0

Debtor’s Exemption Claim Form
Section 1. Minnesota Statutes 2008, section 550.143, is amended to read:
550.143 LEVY ON FUNDS AT A FINANCIAL INSTITUTION.
Form of notice. The notice required by subdivision 3 must be provided as a separate form and must be substantially in the following form:
EXEMPTION FORM
• HOW MUCH MONEY IS PROTECTED
• ..... I claim ALL of the money being frozen by the bank is protected.
• ..... I claim SOME of the money is protected. The amount I claim is protected is $.......

Debtor’s Exemption Claim Form
WHY THE MONEY IS PROTECTED
My money is protected because I get it from one or more of the following places: (Check all that apply)
..... Government benefits include, but are not limited to, the following:
MFIP - Minnesota family investment program, MFIP Diversionary Work Program, Work participation cash benefit, GA - general assistance, EA - emergency assistance, MA - medical assistance, GAMC - general assistance medical care, EGA - emergency general assistance, MSA - Minnesota supplemental aid, MSA-EA - MSA emergency assistance, Food Support, SSI - Supplemental Security Income, Minnesota Care, Medicare part B premium payments, Medicare part D extra help, Energy or fuel assistance.

Debtor’s Exemption Claim Form
Government benefits also include:
..... Social Security benefits
..... Unemployment benefits
..... Workers' compensation
..... Veterans benefits
If you receive any of these government benefits, include copies of any documents you have that show you receive Social Security, unemployment, workers' compensation, or veterans benefits.
..... Other assistance based on need
You may have assistance based on need from another source that is not on the list. If you do, check this box, and fill in the source of your money on the line below:
Case Number:..... County: ... Source: .....
Include copies of any documents you have that show the source of this money.
Some of your earnings (wages) are protected

Debtor’s Exemption Claim Form
OTHER EXEMPT FUNDS
The money from the following are also completely protected.
..... An accident, disability, or retirement pension or annuity
..... Payments to you from a life insurance policy
..... Earnings of your child who is under 18 years of age
..... Child support
..... Money paid to you from a claim for damage or destruction of property
• Property includes household goods, farm tools or machinery, tools for your job, business equipment, a mobile home, a car, a musical instrument, a pew or burial lot, clothes, furniture, or appliances.
..... Death benefits paid to you

Debtor’s Exemption Claim Form
I give permission to any agency that has given me cash benefits to give information about my benefits to the above-named creditor, or its attorney.
The information will ONLY concern whether I get benefits or not, or whether I have gotten them in the past six months
If I was an inmate in the last six months, I give my permission to the correctional institution to tell the above-named creditor that I was an inmate there.
There are additional instructions and timelines in the new law that I did not include here, but would encourage you all to take a look at so you’re familiar

Debtor’s Exemption Claims and EAP
A person's wages are exempt if they currently receive need based aid, or have been a recipient within the last 6 months
Households are now required to provide bank statements with the exemption notices
The creditor is looking for some proof that the debtor currently receives EAP or was a recipient in the last 6 months
• Will need additional help from us unless they received a direct payment
A benefit statement from us will suffice
So, here’s what you need to do
• The new export will contain information on payments and dates
• Redact what is unnecessary (payment amounts)
• If they demand more you can refer them to the state

Debtor’s Exemption Claims and EAP
You are the EAP experts
You have the support of DOC and our timelines for eligibility are clearly documented in our EAP policy manual
Once determined eligible, a household is eligible until the end of the program year (September 30)
They are still protected for 6 months after they last received assistance

Debtor’s Exemption Claim Notice
The “Debtor’s Exemption Claim Notice” is a type of Informed Consent form (Appendix 19B) and will be updated to reflect the new statutes
New template letter for providing the information that will meet the legal requirements and reflect EAP policy guidelines

Data Security and You!
Richard Gooley
Chief Information Security Officer
Minnesota Department of Commerce

Executive Summary
Be cyber smart – Sec rity needs U!
Security is everyone’s responsibility
Security doesn’t need to be intimidating
Security doesn’t have to cost an arm and a leg

Agenda
7 Top Tips for Keeping Your Data Secure
1. Identify and guard sensitive information
2. Create bulletproof passwords
3. Use secure email
4. Protect your computer
5. Keep your computer patched
6. Properly dispose of information no longer needed
7. Be mindful of social engineering
Excellent Resources for Free Stuff!
Questions and Discussion

7 Top Tips for Keeping Your Data Secure *
* aka “How to Keep Out of Current Events”

7 Top Tips for Keeping Your Data Secure
Tip 1: Identify and guard sensitive information
Dumpster diving
What sensitive information do you work with?
• Social Security Number
• Addresses
• Children
• Household income
• Private financial information

7 Top Tips for Keeping Your Data Secure
Tip 2: Create bulletproof passwords
Weak passwords are all too common
• They are easy for users to remember.
• They include personal information about the user.
• They consist of known words found in many hacker password dictionaries.

7 Top Tips for Keeping Your Data Secure
Examples of bulletproof passwords
• eX@mp13s0f
• Bu!1e7Pr0of
• Do you know my address?
  – DUKma?45410akland

7 Top Tips for Keeping Your Data Secure
Tip 3: Use secure email
All email from The State containing private data will be sent using secure email
Method for retrieving secure email
• Use link in email to go to The State’s secure site
• Establish password
• Retrieve email and attachments
• Retain password for future use

Example of Secure email from The State

Secure email
What is TLS encryption?
Transport Layer Security
TLS is a standard protocol that is used to provide secure Web communications on the Internet or intranets. It enables clients to authenticate servers or, optionally, servers to authenticate clients. It also provides a secure channel by encrypting communications. TLS is the latest version of the Secure Sockets Layer (SSL) protocol.

7 Top Tips for Keeping Your Data Secure
Tip 4: Protect your computer (with your life!)
Where’s my laptop?

7 Top Tips for Keeping Your Data Secure
Tip 5: Properly dispose of information no longer needed
Where's that USB drive?

7 Top Tips for Keeping Your Data Secure
Tip 6: Keep your computer patched

7 Top Tips for Keeping Your Data Secure
Tip 7: Be mindful of social engineering
Know thy neighbor

“All I did was smile and they let me in the door”

Excellent Resources for Free Stuff!

Business Continuity & Disaster Recovery

Excellent Resources for Free Stuff!
Tools to wipe drives when disposing computer
www.killdisk.com/
www.diskwipe.org/
Free anti-virus protection for home use
www.free.avg.com/
Some Internet Providers offer free anti-virus

Excellent Resources for Free Stuff!
www.act-online.net
www.killdisk.com
www.diskwipe.org
www.free.avg.com
www.msisac.org
Business continuity and Disaster Recovery
www.disaster-recovery-guide.com
www.flu.gov
www.drj.com
www.ready.gov