Post on 21-Dec-2015
SECURITY AWARENESS
PROTECTING SENSITIVE INFORMATION
Western Carolina University March 2011
OBJECTIVES
• What types of confidential data should you watch for?
• What areas of compliance do you need to know about?
• How can data be compromised?
• What can you do to protect confidential data?
• Awareness of University Policies #97 and #95
WHAT’S SO IMPORTANT?
Universities hold massive quantities of confidential data and are traditionally seen as easy targets for data theft.
We must understand the types of data that we hold and the related business processes.
CONFIDENTIAL DATA
Social Security Numbers (SSN)
Credit/Debit Card #s
Drivers License Numbers
Passport Numbers
Bank Account #s
PINs
Personal Health Information
Student Education Records
Proprietary Research Data
Confidential/Privileged Legal Data
Personnel Records
UNIVERSITY POLICY #97: DATA SECURITY AND STEWARDSHIP
To protect the security and integrity of the University’s data
Applies to all data (paper and electronic records)
Addresses access to and disclosure of data
UNIVERSITY POLICY #97: DATA SECURITY AND STEWARDSHIP (CONT.)
RESPONSIBILITIES
Members of the Executive Council (Chancellor, Vice Chancellors, Athletic Director, and Legal Counsel) are the designated Data Stewards who are ultimately responsible for ensuring the appropriate handling of University data.
UNIVERSITY POLICY #97: DATA SECURITY AND STEWARDSHIP (CONT.)
RESPONSIBILITIES
Department Managers are responsible for ensuring that employees comply with all University policies on data security, as well as Information Technology and Office of Institutional Research and Planning requirements.
All University employees are responsible for complying with University policies on data security.
UNIVERSITY POLICY #97: DATA SECURITY AND STEWARDSHIP (CONT.)
DATA CLASSIFICATIONS
Confidential – limited access to and limited disclosure of data
Third Party Confidential – limited access to and limited disclosure of data (usually by contract with non-disclosure agreement)
Internal – limited access
Public – unlimited access and disclosure
UNIVERSITY POLICY #95: DATA NETWORK SECURITY AND ACCESS CONTROL
The Information Technology (IT) Division’s Networking & Communications department has the responsibility for the design, maintenance and security of the university’s data network.
To ensure the integrity of the network, the following items must be complied with.
UNIVERSITY POLICY #95: DATA NETWORK SECURITY AND ACCESS CONTROL
1. No device may be added to the network which does not conform to the approved list of devices, maintained and published by the IT Division, without prior approval of Networking & Communications. Rogue network devices will be automatically and immediately disabled upon detection.
2. No individual or office may connect a device to the campus data network that provides unauthorized users access to the network or provides unauthorized IP addresses for users.
3. Networking & Communications has the right to quickly limit network capacity to, or disable, network connections that are overwhelming available network bandwidth to the detriment of the university.
4. Access to networking equipment in wiring closets, etc. is limited to the Networking & Communications staff or their designees.
5. No consideration of changing the architecture of any part of the data network may be undertaken without the early and regular involvement of Networking & Communication Services.
UNIVERSITY POLICY #95: DATA NETWORK SECURITY AND ACCESS CONTROL
The “Access Control Procedures Checklist” is accessible at the following link, or you may copy and paste the web address:
Policy 95 – Data Network Security and Access Control
http://www.wcu.edu/25378.asp
All persons with access to the university network must sign a Confidentiality Agreement that is maintained in their personnel records for employees or by the requesting department for non-employees. Employee supervisors are responsible for having employees sign the agreement, and requesting departments are responsible for non-employee compliance with the requirement.
COMPLIANCE
Universities are required to comply with federal & state laws and regulations regarding the way they use, transmit & store sensitive information, and to meet payment card industry contractual obligations.
HIPAA – Health Insurance Portability and Accountability Act (health data)
GLBA – Gramm-Leach-Bliley Act (financial data)
FERPA – Family Educational Rights & Privacy Act (education records)
NC Identity Theft Protection Act (personal data, especially SSN)
PCI Data Security Standards (MasterCard and Visa)
NC IDENTITY THEFT PROTECTION ACT
The state’s Identity Theft Protection Act (ITPA) is designed to protect individuals from identity theft by mandating that businesses and government agencies take steps to safeguard Social Security numbers and other personal information.
NC IDENTITY THEFT PROTECTION ACT (CONT.)
State agencies must secure personal identifiers
Encrypt or secure the transmission of SSN
Do not collect SSN unless “imperative”
State agencies must report annually to the General Assembly on security efforts
State agencies must notify affected persons when there is a security breach, and sometimes law enforcement agencies and the Attorney General
IDENTITY THEFT
More than 10 million ID theft victims nationally per year – the equivalent of 19 people per minute
Has surpassed drug trafficking as the #1 crime in the nation.
In NC alone, the number of reported identity theft crimes has more than tripled over a 4 year period.
HOW IS INFORMATION STOLEN?
Phishing
Malware
Hacking
Unauthorized physical access to computing devices
Lost/stolen computing devices
Social engineering
Lost/stolen paper records
PHISHING
The practice of acquiring personal information on the Internet by masquerading as a trustworthy business
MALWARE
Usually installed onto a computer by downloading other programs such as screensavers, games, and “free” software
Trojans – malicious programs disguised or embedded within legitimate software
Malware can:
Capture and send sensitive information from your workstation to the hacker
Download other malware
Crash your workstation
Be used to perform attacks from inside WCU’s network
HACKING
Unauthorized and/or illegal computer trespass executed remotely via some form of communication network (e.g., the Internet, LAN or dial-up network)
UNAUTHORIZED PHYSICAL ACCESS TO COMPUTING DEVICES
Unsecured workstations, offices, desks, files
Unattended computing devices
LOST/STOLEN COMPUTING DEVICES
Removable Memory Devices
PDAs
Laptops
BlackBerry
PCs
Smart phones
Thumb Drives
Flash Cards
WHICH WAY DID IT GO?
Cab drivers in one major city reported that 4,973 laptops, 5,939 PDAs, and 63,135 mobile phones were left in cabs over a 6 month period.
SOCIAL ENGINEERING
A hacker’s favorite tool—the ability to extract information from computer users without having to touch a computer.
Tricking people to give out information is known as “social engineering” and is one of the greatest threats to data security.
SOCIAL ENGINEERING (CONT.)
Social engineers prey on some basic human tendencies….
The desire to be HELPFUL
The tendency to TRUST people
The FEAR of getting into trouble
SOCIAL ENGINEERING (CONT.)
Despite security controls, a university is vulnerable to an attack if an employee unwittingly gives away confidential data via email, by answering questions over the phone with someone they don't know, or by failing to ask the right questions.
EXAMINE YOUR BUSINESS PROCESSES
WHAT – data type
WHO – has access to the data
WHERE – data originates, resides, goes
HOW – data gets where it’s going
WHAT TO DO WITH CONFIDENTIAL DATA
If you don’t need it for business purposes, don’t collect it
If you do need to collect it, maintain it securely
If you need to share it, transmit it securely
DATA SECURITY TIPS
Confidential data should never be located on a web server
Use a secure WCU server (H: drive) to store confidential data - do not maintain data on local disk (C: drive)
Do not create or maintain “shadow data” (duplicate data) – if you must maintain it, keep it on the H: drive
Encrypt confidential data whenever possible
Redact confidential data whenever possible (e.g., the last four digits of SSNs, partial credit card numbers)
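The redaction tip above (keep only the last four digits of an SSN or card number) is easy to state and easy to get wrong when applied to free text: a naive digit-masking pass also destroys order numbers, phone numbers and dates. The following is an added example, not code from the WCU deck, showing one way to redact the two identifier types the slide names while leaving other digit strings alone. It assumes hyphenated SSNs (`123-45-6789`) and uses the Luhn checksum to decide whether a 13 to 19 digit run is plausibly a payment card number; the sample text is constructed for the example.

```python
import re

# Assumption: SSNs appear in the hyphenated NNN-NN-NNNN form used on US paperwork.
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
# 13 to 19 digits, optionally separated by single spaces or hyphens (card receipts, forms).
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum (mod 10). True for well-formed payment card numbers."""
    if not digits.isdigit() or len(digits) < 13:
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def redact_ssn(text: str) -> str:
    """Mask an SSN down to its last four digits: 123-45-6789 -> ***-**-6789."""
    return SSN_RE.sub(r"***-**-\3", text)


def redact_cards(text: str) -> str:
    """Mask Luhn-valid card numbers to the last four digits; leave other digit runs untouched."""
    def _mask(m: re.Match) -> str:
        raw = m.group(0)
        digits = re.sub(r"[ -]", "", raw)
        if not luhn_valid(digits):
            return raw      # e.g. a ticket or order id: not a card number, keep as is
        return "**** **** **** " + digits[-4:]
    return CARD_RE.sub(_mask, text)


def redact(text: str) -> str:
    """Apply both redactions. SSNs first, so their digits cannot feed the card matcher."""
    return redact_cards(redact_ssn(text))


# Constructed sample line: one SSN, one Luhn-valid test card number, one 16-digit ticket id.
SAMPLE = ("Student 123-45-6789 paid with card 4111 1111 1111 1111; "
          "ticket 1234 5678 9012 3456 open.")

if __name__ == "__main__":
    print(redact(SAMPLE))
```

The ticket id survives because it fails the Luhn check, which is the property that makes this safe to run over mixed text such as help-desk notes or export files before they are stored on the H: drive or shared.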
DATA SECURITY (CONT.)
Be careful to whom you give sensitive information.
Ask yourself some questions:
Do you know who they are?
Do they have a need to know?
Do they have the proper authorization?
PASSWORD SECURITY
Never give your password to anyone
Don’t use the same password on multiple systems
Use a strong password (i.e., 12 alpha, changed case, numeric characters) on all your computer systems and change them regularly
Avoid using the “auto complete” option to remember your password
Avoid storing passwords (e.g., "check box to remember this password”)
SECURING YOUR WORKSTATION
Log off or lock your workstation when you leave (CTRL-ALT-DEL)
Use a screensaver with a password enabled
Turn your computer off when you go home
STEER CLEAR OF MALWARE
Avoid using Instant Messaging and Chat software
Avoid using Peer to Peer file sharing software
Don’t download or install unauthorized programs
Keep your computer up to date with the latest antivirus definitions and security patches
SAFE EMAIL PRACTICES
Don’t open unknown or unexpected email attachments
If you receive an email with a hyperlink, don’t open it in the email – open a web browser and type the link in manually
Email is sent in clear text and should never be used to send confidential data
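The hyperlink advice above exists because the text a mail client displays for a link and the address it actually opens are independent. As an added example, not part of the original deck, here is a small check a mail gateway or help desk could run over an HTML message to flag anchors whose visible text names one domain while the `href` points at another. It uses only the standard library; the sample message and the `wcu-edu.example.net` address in it are constructed for this example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in an HTML body."""

    def __init__(self) -> None:
        super().__init__()
        self.links: list[tuple[str, str]] = []
        self._href: str | None = None
        self._text: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(value: str) -> str:
    """Host part of a URL or bare domain, lower-cased; '' when there is none."""
    if "://" not in value:
        value = "http://" + value
    return urlparse(value).hostname or ""


def _base_domain(host: str) -> str:
    """Last two labels (wcu.edu for www.wcu.edu). Simplification: ignores multi-part TLDs."""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def find_mismatched_links(html: str) -> list[tuple[str, str]]:
    """Return (href, text) pairs whose visible text names a different domain than the href."""
    parser = _LinkCollector()
    parser.feed(html)
    flagged = []
    for href, text in parser.links:
        shown = _host(text)
        if "." not in shown:
            continue        # visible text is not a URL or domain ("click here"): nothing to compare
        if _base_domain(shown) != _base_domain(_host(href)):
            flagged.append((href, text))
    return flagged


# Constructed sample: the first link shows a wcu.edu address but opens somewhere else.
SAMPLE_EMAIL = """<p>Your account will be locked. Verify at
<a href="http://wcu-edu.example.net/login">http://www.wcu.edu/login</a> or read
<a href="http://www.wcu.edu/25378.asp">Policy 95</a>.</p>"""

if __name__ == "__main__":
    for href, text in find_mismatched_links(SAMPLE_EMAIL):
        print(f"mismatch: shows {text!r} but opens {href!r}")
```

A link whose text is plain words ("Policy 95") is not flagged, since there is nothing to compare; the recommendation to retype the address in a browser still applies to those, which is why the check is a triage aid rather than a substitute for the habit.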
PRACTICE A “CLEAN DESK” POLICY
Don’t leave confidential data unattended on your desk, FAX, printers or copiers
Keep confidential data stored in a locked desk drawer or file cabinet
Shred confidential data for disposal (in compliance with the NC Records
Retention and Disposition Schedule)
GOOD BUSINESS PRACTICES
If you don’t need it, don’t collect it
If you need it only once, don’t save it
If you don’t need to save it, dispose of it properly
If you have to save it, store it securely
If you have to transmit it, transmit securely
Don’t give out information without knowing the recipient/positive confirmation
IF YOU SUSPECT A PROBLEM
IMMEDIATELY notify your supervisor
Security Awareness Mindset:
“I understand that there is the potential for some people to deliberately or accidentally steal, damage or misuse the data that is stored within my computer systems and throughout our university. Therefore, it would be prudent for me to stop that from happening.”
TRAINING ACKNOWLEDGEMENT FORM
Be sure to print and complete the General
Security Awareness Training Form
Return completed forms to Human Resources
220 HFR