Difference between revisions of "Tips to prevent data leaks"

From CT Wiki
Jump to navigation Jump to search
Line 1: Line 1:
Data leaks occur when personal data about other people come in possession of other people who have no business with them, or when such data are lost and cannot be recovered. A data leak may occur in various circumstances, for example:
+
Data leaks occur when personal data about other people come in possession of other people who have no business with them, or when such data are lost and cannot be recovered. Sensitive data typically are personal data about other people. Within the scope of Nikhef, typical examples are information about applicants, apprentices and (former) employees, including (email) addresses, phone numbers, education or past work experience, performance reviews and even pictures.
  
* a computer account get compromised, which allows unauthorized persons to access data
+
A data leak may occur in various circumstances, for example:
 +
 
 +
* a computer account gets compromised, which allows unauthorized persons to access data
 
* an electronic device is lost or stolen, after which an unauthorized person gets access to the data on the device
 
* an electronic device is lost or stolen, after which an unauthorized person gets access to the data on the device
 
* data are accidentally shared, ''e.g.'' via a public webpage or document that is distributed to people who have no need to access the personal data
 
* data are accidentally shared, ''e.g.'' via a public webpage or document that is distributed to people who have no need to access the personal data
Line 13: Line 15:
  
 
Fortunately, you can take some measures to prevent data leaks or to minimize the risk for one. Some measures are technical, other are behavioral and require awareness and a certain degree of discipline.
 
Fortunately, you can take some measures to prevent data leaks or to minimize the risk for one. Some measures are technical, other are behavioral and require awareness and a certain degree of discipline.
 +
==Preventing data leaks==
 +
The number 1 rule to prevent data leaks: ''what you don't store, you cannot leak!'' It is really as simple as that.
  
=Encrypt your hard drive! How do I do that?=
+
=== Storing sensitive data ===
 +
* Collect and process '''only required''' information. Do not ask for data about people which is not '''strictly''' required.
 +
* '''Remove data''' about persons when the data is not needed anymore. This is required in order to comply with the privacy laws! For example, after the end of an application procedure or when someone has left the institute.
 +
* Periodically clean up old data. Remove files that are no longer needed or will not be used anymore. Again, it is a legal obligation. For example, clean up data about participants of a conference or workshop after the event is finished.
  
With a stolen electronic work facility, there is a (possible) data leak and this has to be taken serious. To limit the damage, we would like to emphasise again the importance of disk encryption.  
+
 
 +
If you are sure you must collect or store personal and/or sensitive data, always report it to the Nikhef privacy team: privacy@nikhef.nl
 +
 
 +
Also take the following into account:
 +
* Only store sensitive data on '''encrypted devices''' (see below). That applies to your laptop and telephone, but also backups on a USB disk or NAS device at home.
 +
* '''Organize''' sensitive data, '''know''' what you store and where you keep it, so that you can easily clean up when the data are no longer needed.
 +
 
 +
==Encrypt your device! How do I do that?==
 +
 
 +
Encrypting your devices is a technical defense measure to prevent a data leak when the device is lost or stolen. This applies to laptops, desktop computers, mobile telephones, external devices like a USB drive or NAS.  
 +
 
 +
Of course, when you encrypt your device, you must ensure that you keep the encryption key safe and that access to your device is '''protected''' with a good password, fingerprint, pin code or pattern. '''Do not share your code with others''', also not your family members!
  
 
<blockquote>
 
<blockquote>
Line 35: Line 53:
 
For the Unix users among us there are various options for encrypting your hard drive, please check the following link: https://www.tecmint.com/file-and-disk-encryption-tools-for-linux/
 
For the Unix users among us there are various options for encrypting your hard drive, please check the following link: https://www.tecmint.com/file-and-disk-encryption-tools-for-linux/
  
= Tips on preventing data leaks =
+
=== Android ===
Below are some tips that can help to prevent that your account will be abused and a data leak occurs. More extensive documenation in Dutch can be found on the [https://www.ncsc.nl/ site of the National Cyber Security Centre (NCSC)].
+
<TBD>
 +
 
 +
=== iOS ===
 +
<TBD>
  
 
== Accounts and passwords ==
 
== Accounts and passwords ==
 
* Do not use your Nikhef email address for private purposes.
 
* Do not use your Nikhef email address for private purposes.
* Choose ''strong'' passwords, certainly for work accounts or (private) banking accounts. Strong passwords are long (at least 10 characters), include various types of characters (lowercase and uppercase, numbers and special characters like !@#$%^&*()_+[];':",./<?>. Password that can be guessed because they are based on names or dates are not strong.
+
* Choose ''strong'' passwords, certainly for work accounts or (private) banking accounts. Strong passwords are long (at least 10 characters), include various types of characters (lowercase and uppercase, numbers and special characters like !@#$%^&*()_+[];':",./<?>. Password that can be guessed because they are based on names or dates are not strong. The longer the password, the more resilient against automated attacks!
 
* Use ''different'' passwords for all accounts and all registrations with web sites.
 
* Use ''different'' passwords for all accounts and all registrations with web sites.
 
* To remember all these different passwords, use a password manager like KeePass (https://keepass.info/), LastPass (https://lastpass.com/?lang=en_UK) or Bitwarden (https://bitwarden.com/).
 
* To remember all these different passwords, use a password manager like KeePass (https://keepass.info/), LastPass (https://lastpass.com/?lang=en_UK) or Bitwarden (https://bitwarden.com/).
 
* Do not store passwords in unencrypted files.
 
* Do not store passwords in unencrypted files.
* Accounts and passwords are personal. Do '''not''' share them with others, also not with your colleagues.
+
* Accounts and passwords are personal. Do '''not''' share them with others, also not with your colleagues or family members.
 
 
== Storing sensitive data ==
 
Sensitive data typically are personal data about other people. Within the scope of Nikhef, typical examples are information about applicants, apprentices and (former) employees, including (email) addresses, phone numbers, education or past work experience.
 
* Collect and process only required information. Do not ask for data about people which is not strictly required.
 
* '''Always''' inform the Computer Technology department if you intend to collect, store or process a new collection of sensitive data.
 
* Remove data about persons when the data is not needed anymore. For example, after the end of an application procedure or when someone has left the institute.
 
* Only store sensitive data on encrypted devices. That applies to your laptop and telephone, but also backups on a USB disk or NAS device at home.
 
* Periodically clean up old data. Remove files that are no longer needed or will not be used anymore.
 
* Organize sensitive data, know what you store and where you keep it, so that you can easily clean up when the data are no longer needed.
 
  
 
== Travel abroad ==
 
== Travel abroad ==
Take into account that when you travel to certain countries the information on laptops or telephones can be inspected or copied by security agencies, or that they can take control of the device. This may happen when travelling to [https://www.volkskrant.nl/buitenland/ministerie-neem-alleen-lege-laptop-en-telefoon-mee-naar-china-rusland-iran-en-turkije~a4591490/ China, Russia, Iran, Turkey (article in Dutch)] and the United States.
+
Take into account that when you travel to certain countries the information on laptops or telephones can be inspected or copied by security agencies, or that they can take control of the device. This may happen when traveling to [https://www.volkskrant.nl/buitenland/ministerie-neem-alleen-lege-laptop-en-telefoon-mee-naar-china-rusland-iran-en-turkije~a4591490/ China, Russia, Iran, Turkey (article in Dutch)] and the United States.
 
* Bring an empty laptop and telephone, which you normally do not use. You can temporarily borrow a laptop via the Helpdesk.
 
* Bring an empty laptop and telephone, which you normally do not use. You can temporarily borrow a laptop via the Helpdesk.
* Make sure there are no sensitive information or passwords on the telephone or laptop when travelling to these countries. The Helpdesk laptops are completely re-installed after each use.
+
* Make sure there is no sensitive information or passwords on the telephone or laptop when traveling to these countries. The Helpdesk laptops are completely re-installed after each use.
 +
 
 +
== Further reading ==
 +
More extensive documentation in Dutch can be found on the [https://www.ncsc.nl/ site of the National Cyber Security Centre (NCSC)].

Revision as of 10:50, 14 June 2021

Data leaks occur when personal data about other people come in possession of other people who have no business with them, or when such data are lost and cannot be recovered. Sensitive data typically are personal data about other people. Within the scope of Nikhef, typical examples are information about applicants, apprentices and (former) employees, including (email) addresses, phone numbers, education or past work experience, performance reviews and even pictures.

A data leak may occur in various circumstances, for example:

  • a computer account gets compromised, which allows unauthorized persons to access data
  • an electronic device is lost or stolen, after which an unauthorized person gets access to the data on the device
  • data are accidentally shared, e.g. via a public webpage or document that is distributed to people who have no need to access the personal data


If you discover a potential data leak, immediately report it to meldpunt-datalek@nikhef.nl


When a data leak occurs, Nikhef should quickly take action to comply with the law and do whatever is possible and needed to control damage. So please immediately report the discovery of a potential data leak.


Fortunately, you can take some measures to prevent data leaks or to minimize the risk for one. Some measures are technical, other are behavioral and require awareness and a certain degree of discipline.

Preventing data leaks

The number 1 rule to prevent data leaks: what you don't store, you cannot leak! It is really as simple as that.

Storing sensitive data

  • Collect and process only required information. Do not ask for data about people which is not strictly required.
  • Remove data about persons when the data is not needed anymore. This is required in order to comply with the privacy laws! For example, after the end of an application procedure or when someone has left the institute.
  • Periodically clean up old data. Remove files that are no longer needed or will not be used anymore. Again, it is a legal obligation. For example, clean up data about participants of a conference or workshop after the event is finished.


If you are sure you must collect or store personal and/or sensitive data, always report it to the Nikhef privacy team: privacy@nikhef.nl

Also take the following into account:

  • Only store sensitive data on encrypted devices (see below). That applies to your laptop and telephone, but also backups on a USB disk or NAS device at home.
  • Organize sensitive data, know what you store and where you keep it, so that you can easily clean up when the data are no longer needed.

Encrypt your device! How do I do that?

Encrypting your devices is a technical defense measure to prevent a data leak when the device is lost or stolen. This applies to laptops, desktop computers, mobile telephones, external devices like a USB drive or NAS.

Of course, when you encrypt your device, you must ensure that you keep the encryption key safe and that access to your device is protected with a good password, fingerprint, pin code or pattern. Do not share your code with others, also not your family members!

PLEASE SETUP YOUR DEVICE WITH DISK ENCRYPTION IF YOU HAVEN'T ALREADY DONE THAT!

Every modern operating system nowadays offers the possibility to do this and setting this up is very simple. See below for how to set this per operating system.

Windows

In Windows this functionality is called 'Bitlocker', here is described how you can easily set this yourself: https://support.microsoft.com/en-us/windows/turn-on-device-encryption-0c453637-bc88-5f74-5105-741561aae838

macOS

In macOS this functionality is called 'FileVault', here is described how you can easily set this yourself: https://support.apple.com/en-us/HT204837

Unix

For the Unix users among us there are various options for encrypting your hard drive, please check the following link: https://www.tecmint.com/file-and-disk-encryption-tools-for-linux/

Android

<TBD>

iOS

<TBD>

Accounts and passwords

  • Do not use your Nikhef email address for private purposes.
  • Choose strong passwords, certainly for work accounts or (private) banking accounts. Strong passwords are long (at least 10 characters), include various types of characters (lowercase and uppercase, numbers and special characters like !@#$%^&*()_+[];':",./<?>. Password that can be guessed because they are based on names or dates are not strong. The longer the password, the more resilient against automated attacks!
  • Use different passwords for all accounts and all registrations with web sites.
  • To remember all these different passwords, use a password manager like KeePass (https://keepass.info/), LastPass (https://lastpass.com/?lang=en_UK) or Bitwarden (https://bitwarden.com/).
  • Do not store passwords in unencrypted files.
  • Accounts and passwords are personal. Do not share them with others, also not with your colleagues or family members.

Travel abroad

Take into account that when you travel to certain countries the information on laptops or telephones can be inspected or copied by security agencies, or that they can take control of the device. This may happen when traveling to China, Russia, Iran, Turkey (article in Dutch) and the United States.

  • Bring an empty laptop and telephone, which you normally do not use. You can temporarily borrow a laptop via the Helpdesk.
  • Make sure there is no sensitive information or passwords on the telephone or laptop when traveling to these countries. The Helpdesk laptops are completely re-installed after each use.

Further reading

More extensive documentation in Dutch can be found on the site of the National Cyber Security Centre (NCSC).