Security Awareness Section - Western Carolina University


Western Carolina University
March 2011
• What types of confidential data should you watch for?
• What areas of compliance do you need to know about?
• How can data be compromised?
• What can you do to protect confidential data?
• Awareness of University Policies #97 and #95
Universities hold massive quantities of
confidential data and are traditionally
seen as easy targets for data theft
We must understand the types of data
that we hold and related business
processes
Credit/Debit Card #s
Social Security Numbers (SSN)
PINs
Passport Numbers
Bank Account #s
Drivers License Numbers
Personal Health Information
Student Education Records
Proprietary Research Data
Confidential/Privileged Legal Data
Personnel Records
To protect the security and integrity of the
University’s data
Applies to all data (paper and electronic
records)
Addresses access to and disclosure of data
RESPONSIBILITIES
Members of the Executive Council (Chancellor,
Vice Chancellors, Athletic Director, and Legal
Counsel) are the designated Data Stewards
who are ultimately responsible for ensuring the
appropriate handling of University data
RESPONSIBILITIES
Department Managers are responsible for ensuring
that employees comply with all University policies on
data security, as well as Information Technology and
the Office of Institutional Research and Planning
requirements
All University employees are responsible for
complying with University policies on data
security
DATA CLASSIFICATIONS
Confidential – limited access to and limited
disclosure of data
Third Party Confidential – limited access to and
limited disclosure of data (usually by contract
with non-disclosure agreement)
Internal – limited access
Public – unlimited access and disclosure
The Information Technology (IT) Division’s
Networking & Communications
department has the responsibility for the
design, maintenance and security of the
university’s data network.
To ensure the integrity of the network, the
following requirements must be complied with.
1. No device may be added to the network which does not conform
to the approved list of devices, maintained and published by the
IT Division, without prior approval of Networking &
Communications. Rogue network devices will be automatically
and immediately disabled upon detection.
2. No individual or office may connect a device to the campus data
network that provides unauthorized users access to the network
or provides unauthorized IP addresses for users.
3. Networking & Communications has the right to quickly limit
network capacity to, or disable, network connections that are
overwhelming available network bandwidth to the detriment of
the university.
4. Access to networking equipment in wiring closets, etc. is limited
to the Networking & Communications staff or their designees.
5. No consideration of changing the architecture of any part of the
data network may be undertaken without the early and regular
involvement of Networking & Communication Services.
The “Access Control Procedures Checklist” is
accessible at the following link or you may
copy and paste the web address.
Policy 95 – Data Network Security and Access Control
http://www.wcu.edu/25378.asp
All persons with access to the university network must sign a
Confidentiality Agreement that is maintained in their
personnel records for employees or by the requesting
department for non-employees. Employee supervisors are
responsible for having employees sign the agreement, and
requesting departments are responsible for non-employee
compliance with the requirement.
Universities are required to comply with federal & state
laws and regulations regarding the way they use, transmit &
store sensitive information, and to meet payment card
industry contractual obligations
HIPAA – Health Insurance Portability and Accountability Act (health
data)
GBLA – Gramm Leach Bliley Act (financial data)
FERPA – Family Educational Rights & Privacy Act (education records)
NC Identity Theft Protection Act (personal data, especially SSN)
PCI Data Security Standards (MasterCard and Visa)
The state’s Identity Theft Protection Act (ITPA) is
designed to protect individuals from identity theft
by mandating that businesses and government
agencies take steps to safeguard Social Security
numbers and other personal information
• State agencies must secure personal identifiers
• Encrypt or secure the transmission of SSNs
• Do not collect SSNs unless “imperative”
• State agencies must report annually to the
General Assembly on security efforts
• State agencies must notify affected persons when
there is a security breach, and sometimes law
enforcement agencies and the Attorney General
More than 10 million ID theft victims nationally per
year – the equivalent of 19 people per minute
Has surpassed drug trafficking as the #1 crime in the
nation.
In NC alone, the number of reported identity theft
crimes has more than tripled over a 4 year period.
Phishing
Lost/stolen computing devices
Malware
Social engineering
Hacking
Lost/stolen paper records
Unauthorized physical access to computing devices
The practice of acquiring personal information on the
Internet by masquerading as a trustworthy business
Usually installed onto a computer by downloading
other programs such as screensavers, games, and
“free” software
Trojans – malicious programs disguised or embedded
within legitimate software
Malware can:
 Capture and send sensitive information from your workstation
to the hacker
 Download other malware
 Crash your workstation
 Be used to perform attacks from inside WCU’s network
Unauthorized and/or illegal computer trespass executed
remotely via some form of communication network
(e.g., the Internet, LAN or dial-up network)
Unsecured work stations, offices, desks, files
Unattended computing devices
Laptops
PCs
PDAs
Smart phones
BlackBerry
Removable Memory Devices
Thumb Drives
Flash Cards
Cab drivers in one major city reported that
4,973 laptops, 5,939 PDAs, and 63,135 mobile
phones were left in cabs over a 6 month period.
A hacker’s favorite tool—the ability to extract
information from computer users without
having to touch a computer.
Tricking people to give out information is
known as “social engineering” and is one of
the greatest threats to data security.
Social engineers prey on some basic human
tendencies….
The desire to be HELPFUL
The tendency to TRUST people
The FEAR of getting into trouble
Despite security controls, a university is vulnerable to an
attack if an employee unwittingly gives away
confidential data via email,
by answering questions over the phone with
someone they don't know,
or by failing to ask the right questions
WHAT – data type
WHO – has access to the data
WHERE – data originates, resides, goes
HOW – data gets where it’s going
If you don’t need it for business
purposes, don’t collect it
If you do need to collect it, maintain it
securely
If you need to share it, transmit it
securely
Confidential data should never be located on a web server
Use a secure WCU server (H: drive) to store confidential
data - do not maintain data on local disk (C: drive)
Do not create, maintain “shadow data” (duplicate data) – if
you must maintain it, keep it on the H: drive
Encrypt confidential data whenever possible
Redact confidential data whenever possible (e.g., the last
four digits of SSNs, partial credit card numbers)
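The redaction advice above (keep only the last four digits of an SSN or card number), together with the earlier question of what confidential data to watch for, as an added Python example that is not part of the WCU material: it scans text for Social Security number and payment card patterns, uses the Luhn check to avoid flagging ordinary long numbers such as order references, and masks everything but the last four digits. The sample text, the regular expressions and the function names are constructed here for illustration.

```python
import re

# Constructed sample text (not from the training material): a note that
# accidentally carries a Social Security number and a credit card number.
SAMPLE_TEXT = (
    "Refund for student 123-45-6789 processed; "
    "card 4111 1111 1111 1111 charged $25. "
    "Order ref 12-3456 is unrelated."
)

# SSN in the common NNN-NN-NNNN layout; the groups let us keep the last four.
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
# 13 to 19 digits, optionally separated by spaces or hyphens (card layout).
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check that payment card numbers satisfy; it filters out
    long numeric strings such as order or tracking numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def _is_card(raw: str) -> bool:
    digits = re.sub(r"\D", "", raw)
    return 13 <= len(digits) <= 19 and luhn_valid(digits)


def find_confidential(text: str) -> list:
    """Return (kind, matched_text) for every SSN and Luhn-valid card number:
    SSNs first, then card numbers, each in order of appearance."""
    hits = [("ssn", m.group(0)) for m in SSN_RE.finditer(text)]
    hits += [("card", m.group(0)) for m in CARD_RE.finditer(text)
             if _is_card(m.group(0))]
    return hits


def redact(text: str) -> str:
    """Mask all but the last four digits of each SSN and card number,
    keeping the original separators so the text stays readable."""
    def mask_ssn(m):
        return "XXX-XX-" + m.group(3)

    def mask_card(m):
        raw = m.group(0)
        if not _is_card(raw):
            return raw                      # not a card number: leave as is
        n_digits = sum(ch.isdigit() for ch in raw)
        out, seen = [], 0
        for ch in raw:
            if ch.isdigit():
                out.append("X" if seen < n_digits - 4 else ch)
                seen += 1
            else:
                out.append(ch)
        return "".join(out)

    return CARD_RE.sub(mask_card, SSN_RE.sub(mask_ssn, text))


if __name__ == "__main__":
    for kind, value in find_confidential(SAMPLE_TEXT):
        print(f"found {kind}: {value}")
    print(redact(SAMPLE_TEXT))
```

Run over a file or a mailbox export, `find_confidential` is a cheap way to locate “shadow data” on a local disk before it leaks, and `redact` produces the partial form the slide recommends; the Luhn check matters because a bare digit-count pattern would flag phone numbers and order references and train people to ignore the alerts.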
Be careful to whom you give sensitive
information.
Ask yourself some questions:
Do you know who they are?
Do they have a need to know?
Do they have the proper authorization?
Never give your password to anyone
Don’t use the same password on multiple systems
Use a strong password (i.e., 12 alpha, changed case,
numeric characters) on all your computer systems
and change them regularly
Avoid using the “auto complete” option to remember
your password
Avoid storing passwords (e.g., "check box to remember
this password”)
Log off or lock your workstation when you leave
(CTRL-ALT-DEL)
Use a screensaver with a password enabled
Turn your computer off when you go home
Avoid using Instant Messaging and Chat software
Avoid using Peer to Peer file sharing software
Don’t download or install unauthorized programs
Keep your computer up to date with the latest
antivirus definitions and security patches
Don’t open unknown or unexpected email
attachments
If you receive an email with a hyperlink, don’t
open it in the email – open a web browser
and type the link in manually
Email is sent in clear text and should never be
used to send confidential data
Don’t leave confidential data unattended on
your desk, FAX, printers or copiers
Keep confidential data stored in a locked desk
drawer or file cabinet
Shred confidential data for disposal (in
compliance with the NC Records Retention
and Disposition Schedule)
If you don’t need it, don’t collect it
Don’t give out information without knowing the recipient/positive confirmation
If you need it only once, don’t save it
If you have to transmit it, transmit securely
If you don’t need to save it, dispose of it properly
If you have to save it, store it securely
IMMEDIATELY notify your supervisor
Security Awareness Mindset:
“I understand that there is the potential for some
people to deliberately or accidentally steal,
damage or misuse the data that is stored within
my computer systems and throughout our
university. Therefore, it would be prudent for me
to stop that from happening.”
Be sure to print and complete
the General Security Awareness
Training Form
Return completed forms to
Human Resources
220 HFR