Security Awareness - PowerPoint Presentation

Uploaded by marina-yarberry (@marina-yarberry) on 2016-09-02, 549 views


Description: Protecting Sensitive Information. Objectives. What's so important? Universities hold massive quantities of confidential data and are traditionally seen as easy targets for data theft. We must understand the types of data that we hold and related business processes. ID: 459505




Presentation Transcript

Slide 1
Security Awareness
Protecting Sensitive Information

Slide 2
Objectives

Slide 3
What's so important?
Universities hold massive quantities of confidential data and are traditionally seen as easy targets for data theft
We must understand the types of data that we hold and related business processes

Slide 4
Confidential Data
Social Security Numbers (SSN)
Credit/Debit Card #s
Drivers License Numbers
Passport Numbers
Bank Account #s
PINs
Personal Health Information
Student Education Records
Proprietary Research Data
Confidential/Privileged Legal Data
Personnel Records

Slide 5
University Policy #97: Data Security and Stewardship
To protect the security and integrity of the University's data
Applies to all data (paper and electronic records)
Addresses access to and disclosure of data

Slide 6
University Policy #97: Data Security and Stewardship (cont.)
RESPONSIBILITIES
Members of the Executive Council (Chancellor, Vice Chancellors, Athletic Director, and Legal Counsel) are the designated Data Stewards who are ultimately responsible for ensuring the appropriate handling of University data

Slide 7
University Policy #97: Data Security and Stewardship (cont.)
RESPONSIBILITIES
Department Managers are responsible for ensuring that employees comply with all University policies on data security, as well as Information Technology and the Office of Institutional Research and Planning requirements
All University employees are responsible for complying with University policies on data security

Slide 8
University Policy #97: Data Security and Stewardship (cont.)
DATA CLASSIFICATIONS
Confidential – limited access to and limited disclosure of data
Third Party Confidential – limited access to and limited disclosure of data (usually by contract with non-disclosure agreement)
Internal – limited access
Public – unlimited access and disclosure

Slide 9
University Policy #95: Data Network Security and Access Control
The Information Technology (IT) Division's Networking & Communications department has the responsibility for the design, maintenance and security of the university's data network. To ensure the integrity of the network, the following items must be complied with.

Slide 10
University Policy #95: Data Network Security and Access Control
1. No device may be added to the network which does not conform to the approved list of devices, maintained and published by the IT Division, without prior approval of Networking & Communications. Rogue network devices will be automatically and immediately disabled upon detection.
2. No individual or office may connect a device to the campus data network that provides unauthorized users access to the network or provides unauthorized IP addresses for users.
3. Networking & Communications has the right to quickly limit network capacity to, or disable, network connections that are overwhelming available network bandwidth to the detriment of the university.
4. Access to networking equipment in wiring closets, etc. is limited to the Networking & Communications staff or their designees.
5. No consideration of changing the architecture of any part of the data network may be undertaken without the early and regular involvement of Networking & Communication Services.

Slide 11
University Policy #95: Data Network Security and Access Control
The "Access Control Procedures Checklist" is accessible at the following link, or you may copy and paste the web address.
Policy 95 – Data Network Security and Access Control
http://www.wcu.edu/about-wcu/leadership/office-of-the-chancellor/university-policies/numerical-index/university-policy-95.asp
All persons with access to the university network must sign a Confidentiality Agreement that is maintained in their personnel records for employees or by the requesting department for non-employees. Employee supervisors are responsible for having employees sign the agreement, and requesting departments are responsible for non-employee compliance with the requirement.

Slide 12
Compliance
Universities are required to comply with federal & state laws and regulations regarding the way they use, transmit & store sensitive information, and to meet payment card industry contractual obligations
HIPAA – Health Insurance Portability and Accountability Act (health data)
GLBA – Gramm-Leach-Bliley Act (financial data)
FERPA – Family Educational Rights & Privacy Act (education records)
NC Identity Theft Protection Act (personal data, especially SSN)
PCI Data Security Standards (MasterCard and Visa)

Slide 13
NC Identity Theft Protection Act
The state's Identity Theft Protection Act (ITPA) is designed to protect individuals from identity theft by mandating that businesses and government agencies take steps to safeguard Social Security numbers and other personal information

Slide 14
NC Identity Theft Protection Act (cont.)
State agencies must secure personal identifiers
Encrypt or secure the transmission of SSNs
Do not collect SSNs unless "imperative"
State agencies must report annually to the General Assembly on security efforts
State agencies must notify affected persons when there is a security breach, and sometimes law enforcement agencies and the Attorney General

Slide 15
Identity Theft
More than 10 million ID theft victims nationally per year – the equivalent of 19 people per minute
Has surpassed drug trafficking as the #1 crime in the nation
In NC alone, the number of reported identity theft crimes has more than tripled over a 4 year period

Slide 16
How is Information Stolen?
Phishing
Malware
Hacking
Unauthorized physical access to computing devices
Lost/stolen computing devices
Social engineering
Lost/stolen paper records

Slide 17
Phishing
The practice of acquiring personal information on the Internet by masquerading as a trustworthy business

Slide 18
www.antiphishing.org

Slide 19
Malware
Usually installed onto a computer by downloading other programs such as screensavers, games, and "free" software
Trojans – malicious programs disguised as or embedded within legitimate software

Slide 20
Malware can:
Capture and send sensitive information from your workstation to the hacker
Download other malware
Crash your workstation
Be used to perform attacks from inside WCU's network

Slide 21
Hacking
Unauthorized and/or illegal computer trespass executed remotely via some form of communication network (e.g., the Internet, LAN or dial-up network)

Slide 22
Unauthorized Physical Access to Computing Devices
Unsecured workstations, offices, desks, files
Unattended computing devices

Slide 23
Lost/Stolen Computing Devices
Removable Memory Devices
PDAs
Laptops
BlackBerry
PCs
Smart phones
Thumb Drives
Flash Cards

Slide 24
Which Way Did It Go?
Cab drivers in one major city reported that 4,973 laptops, 5,939 PDAs, and 63,135 mobile phones were left in cabs over a 6 month period.

Slide 25
Social Engineering
A hacker's favorite tool—the ability to extract information from computer users without having to touch a computer.
Tricking people into giving out information is known as "social engineering" and is one of the greatest threats to data security.

Slide 26
Social Engineering (cont.)
Social engineers prey on some basic human tendencies:
The desire to be HELPFUL
The tendency to TRUST people
The FEAR of getting into trouble

Slide 27
Social Engineering (cont.)
Despite security controls, a university is vulnerable to an attack if an employee unwittingly gives away confidential data via email, by answering questions over the phone from someone they don't know, or by failing to ask the right questions

Slide 28
Examine Your Business Processes
WHAT – data type
WHO – has access to the data
WHERE – data originates, resides, goes
HOW – data gets where it's going

Slide 29
What to do with Confidential Data
If you don't need it for business purposes, don't collect it
If you do need to collect it, maintain it securely
If you need to share it, transmit it securely

Slide 30
Data Security Tips
Confidential data should never be located on a web server
Use a secure WCU server (H: drive) to store confidential data – do not maintain data on local disk (C: drive)
Do not create or maintain "shadow data" (duplicate data) – if you must maintain it, keep it on the H: drive
Encrypt confidential data whenever possible
Redact confidential data whenever possible (e.g., the last four digits of SSNs, partial credit card numbers)
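The redaction tip above is easy to state and easy to get wrong in practice: a file or report that is "redacted" by hand still leaks whatever a search missed. The following Python script is an added example, not part of the presentation or of any WCU tool. It masks Social Security numbers and payment card numbers in free text, keeping only the last four digits as the slide suggests, and uses the Luhn checksum that payment card numbers carry so that other long digit strings (order numbers, timestamps) are not mangled. The sample record and all numbers in it are constructed test values.

```python
import re

# Constructed sample record (hypothetical values, not from the presentation).
SAMPLE = (
    "Student record: SSN 123-45-6789, card 4111 1111 1111 1111, phone 555-0100.\n"
    "Refund to card 5500-0000-0000-0004; alt SSN 987654321; "
    "invalid card 1234 5678 9012 3456."
)

# SSN shape: three-two-four digits, with '-' or ' ' or no separator.
SSN_RE = re.compile(r"\b(\d{3})[- ]?(\d{2})[- ]?(\d{4})\b")
# Card candidates: 13 to 19 digits, optionally separated by spaces or hyphens.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """True if the digit string passes the Luhn checksum used by payment cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def redact_cards(text: str) -> str:
    """Mask all but the last four digits of every Luhn-valid card number."""
    def mask(m):
        raw = m.group(0)
        digits = re.sub(r"\D", "", raw)
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            return "*" * (len(digits) - 4) + digits[-4:]
        return raw              # fails the checksum: not a card, leave it alone
    return CARD_RE.sub(mask, text)


def redact_ssns(text: str) -> str:
    """Keep only the last four digits of anything shaped like an SSN."""
    return SSN_RE.sub(lambda m: "XXX-XX-" + m.group(3), text)


def redact(text: str) -> str:
    # Cards first, so a card fragment is never mistaken for an SSN afterwards.
    return redact_ssns(redact_cards(text))


if __name__ == "__main__":
    print(redact(SAMPLE))
```

Run on the sample, the two valid card numbers and both SSNs are masked while the phone number and the 16-digit string that fails the Luhn check are left intact; that last case is the reason for the checksum, since a redactor that blanks every long number makes the document useless without making it safer. A pattern-based pass like this is a floor, not a ceiling: it will not catch SSNs written in words or split across lines, so the slide's first rule (do not collect the data at all) remains the stronger control.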

Slide 31
Data Security (cont.)
Be careful to whom you give sensitive information.
Ask yourself some questions:
Do you know who they are?
Do they have a need to know?
Do they have the proper authorization?

Slide 32
Password Security
Never give your password to anyone
Don't use the same password on multiple systems
Use a strong password (i.e., 12 characters with mixed-case letters and numbers) on all your computer systems and change them regularly
Avoid using the "auto complete" option to remember your password
Avoid storing passwords (e.g., "check box to remember this password")

Slide 33
Securing Your Workstation
Log off or lock your workstation when you leave (CTRL-ALT-DEL)
Use a screensaver with a password enabled
Turn your computer off when you go home

Slide 34
Steer Clear of Malware
Avoid using Instant Messaging and Chat software
Avoid using Peer-to-Peer file sharing software
Don't download or install unauthorized programs
Keep your computer up to date with the latest antivirus definitions and security patches

Slide 35
Safe Email Practices
Don't open unknown or unexpected email attachments
If you receive an email with a hyperlink, don't open it from the email – open a web browser and type the link in manually
Email is sent in clear text and should never be used to send confidential data
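The advice on slide 35 to retype links rather than click them exists because the text a mail client displays for a link and the address it actually opens are two separate things, which is exactly what the phishing described on slide 17 relies on. The Python script below is an added example, not part of the presentation or of any WCU system; it shows the kind of check an awareness tool or mail filter can apply to an HTML message body. It collects every link, then flags links that are not HTTPS, that point at a bare IP address, that lead outside the organisation's own domain, or whose visible text names a different host than the href. The organisation domain (example.edu) and the three-link sample message are constructed assumptions.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: the organisation's own domain (hypothetical, RFC 2606 reserved name).
ORG_DOMAINS = {"example.edu"}

# Constructed HTML email body with three links (not from the presentation).
SAMPLE_EMAIL = """<p>Your account needs verification.</p>
<a href="http://203.0.113.5/login">https://www.example.edu/login</a>
<a href="https://example-edu.example.net/reset">Reset password</a>
<a href="https://www.example.edu/help">www.example.edu/help</a>"""

# A host name (optionally with a scheme) appearing in the visible link text.
DOMAIN_IN_TEXT = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)
IPV4_HOST = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def in_org(host: str) -> bool:
    """True if host is the organisation domain or one of its subdomains."""
    return any(host == d or host.endswith("." + d) for d in ORG_DOMAINS)


def check_link(href: str, text: str) -> list:
    """Return the reasons this link deserves a second look (empty list = none found)."""
    parsed = urlparse(href)
    host = (parsed.hostname or "").lower()
    findings = []
    if parsed.scheme != "https":
        findings.append("not-https")
    if IPV4_HOST.match(host):
        findings.append("ip-literal-host")
    if not in_org(host):
        findings.append("host-outside-org")
    shown = DOMAIN_IN_TEXT.search(text)
    if shown and shown.group(1).lower() != host:
        # The classic phish: the text says one place, the href goes somewhere else.
        findings.append(f"text-shows {shown.group(1).lower()} but href-goes-to {host}")
    return findings


def scan_email(html: str) -> list:
    """Return (href, text, findings) for every link in an HTML message body."""
    parser = LinkCollector()
    parser.feed(html)
    return [(href, text, check_link(href, text)) for href, text in parser.links]


if __name__ == "__main__":
    for href, text, findings in scan_email(SAMPLE_EMAIL):
        print(f"{text!r} -> {href}: {findings or 'ok'}")
```

On the sample, the first link trips every check at once, the second ("Reset password" on a look-alike domain) is caught only by the organisation-domain rule, and the third is clean. The second case is the instructive one: with no host name in the visible text there is nothing to compare, so a user reading the message has no way to notice the look-alike domain without inspecting the address, which is the situation the slide's "type the link in manually" rule is written for.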

Slide 36
Practice a "Clean Desk" Policy
Don't leave confidential data unattended on your desk, fax, printers or copiers
Keep confidential data stored in a locked desk drawer or file cabinet
Shred confidential data for disposal (in compliance with the NC Records Retention and Disposition Schedule)

Slide 37
Good Business Practices

Slide 38
Data Security Breach – Consequences

Slide 39
Data Security Breach – Consequences (cont.)

Slide 40
Data Security Breach – Consequences (cont.)

Slide 41
If You Suspect a Problem

Slide 42
Security Awareness Mindset: "I understand that there is the potential for some people to deliberately or accidentally steal, damage or misuse the data that is stored within my computer systems and throughout our university. Therefore, it would be prudent for me to stop that from happening."
SEC U R IT Y

Slide 43
Training Acknowledgement Form