
Creating a Security Risk-Aware Culture at NCCU

Information Technology Services

North Carolina Central University

September 2008


Information Security

“Security is a negative deliverable. You don’t know when you have it. You only know when you’ve lost it.”


Cybersecurity - Why Do We Care?

Chancellor – good legislative audits

Provost – academic integrity

Vice Chancellor Research – compliance

HIPAA

FERPA

GLBA

Sarbanes Oxley Act

Grant requirements

Local state and federal regulations


Today’s Agenda

Information Security in Higher Education

NCCU Information Security Policies & Best Practices

Banner Security

Top 10 Reminders


Information Security

Between February 2005 and July 2006, there were 237 reported security breaches involving the compromise of more than 89 million records containing personal information.

Of these, 83 incidents involved institutions of higher education, including academic medical centers.

EDUCAUSE Review, vol. 41, no. 5 (September/October 2006): 46–61

Security Implementation Relies On

People: People must understand their responsibilities regarding policy

Process: Processes must be developed that show how policies will be implemented

Technology: Systems must be built to technically adhere to policy

Policies must be developed, communicated, maintained and enforced


NCCU IT Security Training

Outline

Introductions

NCCU Security Policies

Copyright Laws of the United States

Security Incidents – whom to call or a site for security incidents to be reported

NCCU IT Security Training

Course Outline: Introductions

Steve Ornat

IT Audit Compliance and Business Continuity

NCCU – Information Technology Services

[email protected]

530-7171


NCCU IT Security Training

Course Outline, Continued

NCCU Security Policies

Data and Information Policy

File Sharing Policy

Electronic Mail Policy

Responsible Use Policy

Wireless and Network Policy

Server Policy

Software License Policy

NCCU Telephone and Cell Policy

Documentation of all of NCCU Policies – Version: 1.01-090908 CD


Data and Information Policy

General guidance on the protection of University data and information being processed by manual as well as automated systems and the protection of the records and reports generated by these information processing systems.


Handling of Institutional Data

Guidelines

The Chancellor, Provost, Vice Chancellors, General Counsel, and the Director of Athletics are responsible for ensuring the appropriate handling of Institutional data produced and managed by their division/unit

ITS is responsible for ensuring that the appropriate technologies and system policies and permissions are in place to ensure appropriate access to electronic data.


Data Owners

Owners of data are responsible for making decisions about the use and protection of information in their custody. Areas of concern shall include:

1. Accuracy and completeness of data and information;

2. Classification of data as confidential (subject to privacy laws), sensitive (non public salary information) or public;

3. The authorization process to permit access to the information and to terminate access when necessary;

4. The identification and minimization of risks and exposures;

5. The utilization of established procedures designed to protect information from unauthorized access or disclosure, whether accidental or intentional;

6. Communication of information protection procedures to authorized users;

7. Physical access to hard copy records, computers and other technologies

8. Providing procedural safeguards including backing up information for business

9. Evaluating security control procedures related to information in their custody.


File Sharing Policy

File sharing applications allow users to download and share electronic files of all types and to use any computer as a server for file sharing requests.


H.R. 4137


www.ruckus.com


Electronic Mail Policy

This policy provides guidelines for the responsible and appropriate use of the North Carolina Central University's electronic mail (e-mail) and communication resources and services.


Responsible Use Policy

Or called by the proper name: “Responsible Use of University Computing and Electronic Communication Resources Policy”

Responsible use includes, but is not limited to, respecting the rights of other users, sustaining the integrity of systems and related physical resources, and complying with all relevant policies, laws, regulations, and contractual obligations.


Wireless and Network Policy

This policy has been developed to ensure that the North Carolina Central University (NCCU) community has a secure and reliable network with the access and performance needed to carry out the goals of the university as well as meet the needs of its constituents.


Server Policy

The purpose of this policy is to define standards to be met by all servers owned and/or operated by North Carolina Central University (NCCU) on the University’s network.


Software License Policy

(Awaiting approval by NCCU Board of Trustees)

All University constituents must respect the rights of software developers and abide by copyright and other intellectual property laws.


NCCU Telephone and Cell Policy

All University employees are prohibited from misusing University telephones and cellphones for personal calls. Misuse includes the use of office telephones and cell phones for personal long distance calls charged to departmental budgets and excess use of office telephones for local telephone calls.


Copyright Laws of The United States of America

Title 17

Circular 92

Copyright Law of the United States and Related Laws Contained in Title 17 of the United States Code

October 2007

Contains:

Table of Contents

Chapter 11 – “Sound Recordings and Music Videos”

Appendix A – “The Copyright Act of 1976”

Appendix B – “The Digital Millennium Copyright Act of 1998”


Copyright Laws of The United States of America

Chapter 11 – “Sound Recordings and Music Videos”

§ 1101 · Unauthorized fixation and trafficking in sound recordings and music videos

Definition.—As used in this section, the term “traffic in” means transport, transfer, or otherwise dispose of, to another, as consideration for anything of value, or make or obtain control of with intent to transport, transfer, or dispose of.


Copyright Laws of The United States of America

Appendix A The Copyright Act of 1976

Title I – General Revision of Copyright Law

Sec. 103. This Act does not provide copyright protection for any work that goes into the public domain before January 1, 1978. The exclusive rights, as provided by section 106 of title 17 as amended by the first section of this Act, to reproduce a work in phonorecords and to distribute phonorecords of the work, do not extend to any non-dramatic musical work copyrighted before July 1, 1909.


Copyright Laws of The United States of America

Appendix A The Copyright Act of 1976

Title I – General Revision of Copyright Law

Sec. 113. (a) The Librarian of Congress (hereinafter referred to as the “Librarian”) shall establish and maintain in the Library of Congress a library to be known as the American Television and Radio Archives (hereinafter referred to as the “Archives”). The purpose of the Archives shall be to preserve a permanent record of the television and radio programs which are the heritage of the people of the United States and to provide access to such programs to historians and scholars without encouraging or causing copyright infringement.


Copyright Laws of The United States of America

Appendix B The Digital Millennium Copyright Act of 1998

Section 1 · Short Title. This Act may be cited as the “Digital Millennium Copyright Act (DMCA)”.

Title I — WIPO Treaties Implementation Sec. 101 (World Intellectual Property Organization)

Short Title. This title may be cited as the ‘‘WIPO Copyright and Performances and Phonograms Treaties Implementation Act of 1998’’.


Copyright Laws of The United States of America

Appendix B The Digital Millennium Copyright Act of 1998

Section 1 · Short Title. This Act may be cited as the “Digital Millennium Copyright Act (DMCA)”.

Title II — Online Copyright Infringement Liability Limitation

Sec. 201 · Short Title. This title may be cited as the ‘‘Online Copyright Infringement Liability Limitation Act’’.


NCCU IT Security Training

Security Incidents – whom to call or how to report a security violation

Reporting an incident via telephone:

Call the Eagle Technical Assistance Center (ETAC): Extension X 7676

Call Steve Ornat, IT Audit Compliance and Business Continuity: Extension X 7171


NCCU IT Security Training

Security Incidents – whom to call or how to report a security violation

Reporting an incident via email:

Eagle Technical Assistance Center (ETAC): [email protected]

Steve Ornat, IT Audit Compliance and Business Continuity: [email protected]


NCCU IT Security Training

Security Incidents – whom to call or how to report a security violation

Reporting an incident via the WEB: To be announced – Coming soon to the NCCU WEB page.


NCCU IT Security Training

Course Outline

Introductions

NCCU Security Policies

Copyright Laws of the United States

Security Incidents – whom to call or a site for security incidents to be reported

Documentation of NCCU ITS Employee Information CD

Version: 1.01-090908


NCCU IT Security Training

Table of Contents for:

ITS Employee Information CD

Version: 1.01-090808

File: 1 - ITS Employee Handbook

Description: The July 2008 version of the ITS employee Handbook


Steps To Ensure User Account Security

Every User should have his/her own assigned “USERID”

Each User is accountable for transactions made with the assigned “USERID”

Do not share your password

If you feel your password has been compromised, request your password be reset.


Changing Banner Passwords

Attempting to log into Banner more than twice unsuccessfully will cause your account to lock.

Password must be at least eight (8) characters long.

Password must include at least one (1) number.


Avoid Special Characters

Pound sign (#)
Slash (/)
Plus (+)
Hyphen (-)
Ampersand (&)
At-sign (@)
Dollar sign ($)
Exclamation point (!)
Comma (,)
Asterisk (*)
Percent sign (%)


Banner Signatures Required for Access

Banner Access Signatures Required

Student Module
Undergraduate Admissions: Jocelyn Foy
Registrar: Jerome Goodwin
Financial Aid: Sharon Oliver
Student Billing: Yolanda Banks Deaver
Residential Life: Jennifer Wilder
Auxiliary Services: Tim Moore
University College: Dr. Bernice Johnson

Finance
Administration & Finance: Dr. Alan Robertson
Purchasing: Danielle Hearst
Comptroller: Yolanda Banks Deaver

Human Resources
Administration & Finance: Dr. Alan Robertson
EPA Services: Daphine Richardson
SPA Services: Laurie Charest

Institutional Advancement
Chief of Staff: Susan Hester
Director of Stewardship: LaMissa McCoy


Top 10 Concerns / Reminders


Top 10 Information Security Reminders

10. Know University IS Policies & Procedures

9. NCCU e-Mail is the “official” university provided e-Mail system

8. Don’t open SPAM e-Mail – just delete

7. When you put your name on listservs and other distribution lists outside the university, you are setting yourself up for SPAM e-Mail – vendors sell their distribution lists

6. Passwords should not be written on “sticky notes” placed on your computer or other locations within your office

Passwords should not be your first initial, last name

Passwords should be a minimum of 8 characters

Passwords should be changed at minimum every 60 days

Do not share passwords with Admin Assistants or Workaid Students

5. Phishing e-Mails – ITS will NEVER ask for any personal information (userID, passwords, etc.) via e-Mail (watch out for e-Mails that appear to come from someone on campus asking for personal info)

4. All units should have a SHREDDER – no personal or student information should ever be dropped in the garbage (same practice at home).

3. Access to University data is provided to University employees for the conduct of University business only. Faculty and staff must follow data privacy laws (FERPA).

2. Do not share Banner Passwords or Account Information. Follow Banner Data Standards when putting data into Banner.

1. Be conscious of Information Security concerns and report any incidents immediately:

Banner employee access should be terminated if an employee's job changes

Laptops – passwords & security tracking software installed

Memory sticks / thumb drives (sensitive data)

Blackberries / Cellphones


NCCU IT Security Training

In closing

Keep the intellectual and private information of North Carolina Central University the private and intellectual property of North Carolina Central University

Here to Serve


NCCU IT Security Training

And remember!

There may be a Pop Quiz soon!

Steve Ornat

Extension X 7171

[email protected]


Thank you!

QUESTIONS