
Personal Information Security Workshop Williams College Office for Information Technology (OIT) Winter 2010.


1 Personal Information Security Workshop Williams College Office for Information Technology (OIT) Winter 2010

2 What is Personal Information?

3 If Nothing Else, Remember This: Legitimate online service providers, including OIT staff, will never, ever ask you for your password over the phone or by email.

4 It's the Law: Protect Student Educational Records
–Family Educational Rights and Privacy Act (FERPA), enacted in 1974

5 It's the Law: Protect Student Information
–FERPA covers living students, current and former (in other words, alumni)
–Each educational institution defines its own student directory information
–Everything else is non-directory information
–Williams may release directory information
–Williams may not release non-directory information without the prior consent of the student, except in specific circumstances (such as a subpoena)
–A student may request that their directory information not be published

6 It's the Law: Protect Student Information
College Directory information:
–Name
–Permanent and College addresses
–Campus electronic mail address
–Permanent and Campus telephone numbers
–Date and place of birth
–Country of citizenship
–Major field
–Extra-curricular activities
–Height and weight of members of athletic teams
–Dates of attendance
–Degrees, honors and awards
–Other schools attended

7 It's the Law: Protect Student Information
In general, faculty and staff have access to personally identifiable, non-directory information about students as long as they have a legitimate educational interest in it, in other words a "need to know." Releasing personally identifiable non-directory information to others without prior permission from the student or alumnus/a is illegal. You cannot, for instance, provide information about grades to others, even parents, unless the student or alumnus/a has given you prior permission to share the data. You cannot even share course registration information with other students.

8 It's the Law: Protect Personal Health Information
–Regulated by the Health Insurance Portability and Accountability Act (HIPAA) and other laws
–Protected Health Information (PHI) must be protected, including: health status; provision of health care; payment for health care; in general, any information about a patient's medical record or payment history
–HIPAA defines administrative, physical, and technical safeguards for protecting PHI
–Some states require notification in case of a breach

9 It's the Law: Protect Health Information
–HIPAA applies to faculty and staff health information
–HIPAA does not apply to student health information at Williams, but FERPA does cover it as non-directory information, and so do some state laws

10 Credit Card Transactions
–Any entity which collects payments with credit cards is contractually bound to follow the Payment Card Industry Data Security Standard (PCI DSS) to protect information related to credit-card transactions.
–The PCI standard provides very specific requirements for protecting such information in both paper and electronic formats.
–Failure to comply can result in fines and penalties, which may be recovered by withholding credit card revenue.
–See https://www.pcisecuritystandards.org

11 Credit Card Transactions
Credit Cards at Williams:
–Dining Services facilities (on-site)
–WTF Box Office (on-site)
–WCMA Museum Shop (on-site)
–Alumni Donations (off-site)
–PaperCut Printing (off-site)
–Student Bus Travel (future)
–Others?

12 It's the Law: Protect Personal Financial Information
–Gramm-Leach-Bliley Act (GLBA)
–FTC Red Flags Rule
–Massachusetts General Law
–38 other state identity theft laws

13 It's the Law: Protect Personal Financial Information
What is Personal Financial Information?
–Massachusetts definition: a person's name in combination with their Social Security Number (SSN), Driver's License or State-issued ID Number, Financial Account Number, or Credit Card Number

14 It's the Law: Protect Personal Financial Information
–Protect means preserve Confidentiality, Integrity, and Availability
–Information in any format: paper or digital
–Protection applies to all Massachusetts residents: students, employees, alumni, guest speakers, contractors…and everybody else

15 It's the Law: Protect Personal Financial Information – MA WISP
Per MA 201 CMR 17.00, Massachusetts businesses must develop, implement and maintain a comprehensive Written Information Security Program (WISP) to…
–Put in place administrative, technical, and physical safeguards to ensure the security and confidentiality of such records
–Designate one or more employees to design, implement and coordinate the program
–Verify that third-party service providers with access to personal information have the capacity to protect such personal information

16 It's the Law: Protect Personal Financial Information – MA WISP…
–Put in place processes for inventorying paper, electronic and other records, computing systems, and storage media, including laptops and portable devices used to store personal information, to identify those records containing personal information
–Provide education and training of employees on the proper use of the computer security system and the importance of personal information security

17 It's the Law: Protect Personal Financial Information – MA WISP…
Information on the Internet
–Email & files sent over the Internet containing personal financial information must be encrypted
Information on portable devices
–By March 1st, 2010, all laptops and other portable information devices (smart phones, PDAs, USB drives) that store personal financial information, or store information that may give access to it, must be encrypted.

18 What is an Information Security Breach?
The unauthorized use or acquisition of personal information that creates a substantial risk of identity theft or fraud.
In Massachusetts, a breach means the (potential) release of either:
–Unencrypted personal financial information
–Unencrypted data capable of compromising personal financial information (in other words, usernames & passwords)

19 Information Security Breach
If a breach or possible breach occurs (at least in Massachusetts), the business must notify:
–The MA Office of Consumer Affairs and Business Regulation
–The Massachusetts Attorney General
–The individual(s) whose information is at risk
The notification must include:
–The date or approximate date of the breach
–Steps that have been taken to deal with the breach
–The consumer's right to obtain a police report
–Instructions for requesting a credit report security freeze
The notification may not include:
–The number of MA residents affected

20 Credit Report Security Freeze
Any consumer in Massachusetts, New York, or Vermont may place a security freeze on his or her credit report by sending a request in writing, by mail, to all 3 consumer reporting agencies (Equifax, Experian, TransUnion). There's no fee for victims or their spouses for placing or removing a security freeze on a credit report; you can prove you're a victim by sending a copy of a police report. All other consumers must pay a $5-$10 fee. See the Consumers Union web site for more information.

21 Williams Breach: October, 2009
–Cause was a stolen laptop computer (3 college laptops have been stolen in the past 8 months)
–Interviewed the laptop owner about information on the laptop
–Scanned laptop backup files for protected financial information and health data
–Protected data found (SSNs), so laws in 39 states and many foreign countries might apply, depending on residency
–Obtained legal assistance and contracted for breach counseling services

22 Williams Breach: October, 2009
–Compiled a list of residential and email addresses for approximately 750 potential victims
–Notified potential victims by mail and by email
–Sent an all-campus notice
–Responded to phone calls and emails
–Financial costs to handle a breach included staff time, legal assistance and breach counseling services. The final cost has exceeded $50,000.

23 Where did the SSNs come from?
–Excel files of pre-2006 class rosters from the old Student System (SIS)
–Email messages related to paying individuals such as guest speakers, performers, referees
–Unsolicited email messages

24 College Confidentiality Policy
–Published January, 2010
–Find it on the Confidentiality page of the Williams web site (you can also search for "confidentiality policy" on the Williams web site)

25 College Confidentiality Policy
Responsibility of Administrative Departments: Each department head is responsible for ensuring the appropriate protection of information within his or her office.
Responsibility of Faculty: Each faculty member is responsible for ensuring the confidentiality of any information s/he collects or uses, both electronic and on paper.

26 What about your office?
–Does your office handle legally-protected or confidential information? What kind? If you're not sure what's confidential, ask!
–Does your office or department have policies and procedures for protecting confidential information?

27 What about your office?
An information usage policy explains:
–What information is confidential
–How to protect confidential information
–How to handle requests for information, both internal and external
–When and how to dispose of confidential information
–What the consequences are if the policy isn't followed

28 What about your office?
Goal: Minimize the potential risks from information leaks
–If you don't need it, get rid of it (use a shredder if it's paper)
–Be skeptical of requests for information
–Again: If you don't need it, get rid of it!

29 What about your office?
–Does your office send or receive confidential information via email?
–Does your office use a shredder?
–Do you lock up your files when the office is closed and turn off your computers at the end of the day?
–What if your paper files were damaged due to fire or flood?

30 Methods by which data is lost or stolen
Physical:
–Theft of computer, external drives, USB flash drives, CDs, smartphones
–Carelessness with passwords (written in obvious places) or passwords that are too simple
Electronic:
–Email (phishing scams – replying with passwords)
–Web (phishing scams, website hijack)
–Viruses / spyware (from email, web sites or downloads)
–Rogue software (fake antivirus)
–Wireless data sniffing

31 Simple computer security at work
–Don't use post-its to manage your passwords (if you need to have a file that stores your various passwords, keep it up on the network or use an Excel file that is locked with a password). Note that Excel's "protect sheet/workbook" passwords are trivially bypassed and the file-open password on old-format .xls files uses weak 40-bit encryption; only "Encrypt with Password" on a modern .xlsx file provides real encryption, and a dedicated password manager is better still.
–If you have your own office: keep your door locked when away
–If you work in a public area: consider a privacy screen
–Require a password when your computer wakes from sleep
–Laptop security cable? Cheap, prevents opportunistic theft. OIT will give you one for free.

32 Traveling with a computer
–Before you leave, think about what it would mean if your laptop were stolen or lost – are you sure you need it on your trip? Consider checking out a Library loaner – there should be no personal data on those. If you just need to check email you can use a smart phone.
–Do NOT EVER leave a laptop in a parked car in a city – this is by far the most common way that laptops are stolen.
–Don't check your laptop when flying – in general, don't let your computer out of your sight.
–If using a foreign wireless network, run the VPN client to prevent data sniffing.
–If your laptop is stolen, contact OIT immediately and change your password (consider it compromised).

33 OIT initiatives
To protect against data loss due to computer or device theft, OIT is starting initiatives for:
–Full disk encryption (TrueCrypt) on laptops. (TrueCrypt's developers ended the project in 2014; OS-native full-disk encryption such as BitLocker or FileVault, or VeraCrypt, now fills this role.)
–Full data backup (Atempo LiveBackup or USB external drive)
–Remediation and removal of PII from college computers*
* SSNs, credit card numbers, bank account numbers and passwords in clear text are some of the many things we commonly find. We have software called Identity Finder which will search documents (Word, Excel, PowerPoint, PDFs) and email for this type of information.
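As an added illustration of what a PII scan like the one described above actually does (this is not Identity Finder and not code from the OIT slides), the script below looks for the two patterns the slide says OIT commonly finds, SSNs and credit-card numbers, in a constructed sample text. A Luhn mod-10 check filters out digit runs that merely look like card numbers; a real scanner would first extract text from Word, Excel and PDF files and mailboxes before applying these patterns.

```python
from __future__ import annotations
import re

# Added example, not the Identity Finder product the slide names: a minimal
# scanner for SSNs and credit-card numbers over constructed sample text.

# SSN: area not 000/666/9xx, group not 00, serial not 0000 (SSA assignment rules)
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# 13-19 digits, optionally separated by single spaces or dashes
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check: every real card number passes, most random digit runs fail."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pii(text: str) -> dict[str, list[str]]:
    """Return candidate SSNs and Luhn-valid card numbers found in text."""
    cards = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):                 # drop look-alike digit runs
            cards.append(digits)
    return {"ssn": SSN_RE.findall(text), "card": cards}


# Constructed sample, not real data: one valid SSN, one Luhn-valid test card
# number, plus decoys (a phone number, an invalid SSN area, a non-Luhn digit run).
SAMPLE_TEXT = """\
Guest speaker payment form (constructed sample, not real data)
Name: Jane Doe    SSN: 123-45-6789    Phone: 413-555-0142
Visa on file: 4111 1111 1111 1111    expires 11/12
Legacy roster id 000-12-3456 (invalid area number) ref 1234 5678 9012 3456 (fails Luhn)
Reimbursement check #0034567
"""

if __name__ == "__main__":
    for kind, values in find_pii(SAMPLE_TEXT).items():
        print(f"{kind}: {values}")
```

The scan reports the SSN and the Luhn-valid card number only; the phone number, the 000-prefixed decoy and the non-Luhn digit run are ignored. Every hit is still a candidate for a human to confirm, which is why the slide talks about remediation rather than automatic deletion.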

34 Email Security + Phishing
Phishing is the fraudulent process of attempting to acquire sensitive information such as usernames, passwords and credit card details by masquerading as a trustworthy entity in an electronic communication.
–NEVER FORGET: It is easy to spoof the From: address in an email.
–Does the From: address match the Reply-To: address? If not, beware. (A matching pair proves nothing, since both headers are under the sender's control; a mismatch is simply a cheap warning sign.)
–Phishing emails often start out "your account has been used to send spam" or "we are doing maintenance on our webmail system" – then they ask that you reply with your username and password.
–There will never be a reason to give anyone your password by email – honestly.
–Note: email notifications to the community from Williams OIT will always have a subject line beginning with: OIT Eph Notice {mm/dd/yy}

35 Find the phishing clues
From: "Williams College"
Date: February 13, :25:45 AM EST
Subject: Webmail Subscriber
Reply-To:
Attn. Webmail User,
We regret to announce to you that we will be making some vital maintainance on our webmail. During this process you might have login problems in signing into your Online account, but to prevent this you have to confirm your account immediately after you receive this notification.
Your williams.edu Account Confirmation
Name:
ID:
Password:
Date of birth:
Your account shall remain active after you have successfully confirmed your account details.
Thanks
Williams College Webmail Support Team
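The slide-34 clues can be checked mechanically. The added example below (not part of the OIT slides) parses the slide-35 message with Python's standard `email` package and reports the From/Reply-To domain mismatch, the missing "OIT Eph Notice" subject prefix, the request for credentials and the urgency pretext. The transcript strips the sender and Reply-To addresses, so the ones used here, like the second, legitimate-looking notice used as a control, are constructed.

```python
from __future__ import annotations
import email
import re
from email import policy
from email.utils import parseaddr

# Added example, not from the OIT slides. Addresses, the Date header and the
# control message are constructed; the phishing body text is from slide 35.
SAMPLE_PHISH = """\
From: "Williams College" <webmail-support@williams.edu>
Reply-To: williams.webmail.support@mail.example
Subject: Webmail Subscriber
Date: Sat, 13 Feb 2010 09:25:45 -0500

Attn. Webmail User,
We regret to announce to you that we will be making some vital maintainance
on our webmail. During this process you might have login problems in signing
into your Online account, but to prevent this you have to confirm your
account immediately after you receive this notification.
Your williams.edu Account Confirmation
Name:
ID:
Password:
Date of birth:
Thanks
Williams College Webmail Support Team
"""

SAMPLE_LEGIT = """\
From: "Williams OIT" <oit@williams.edu>
Subject: OIT Eph Notice 02/13/10 Network outage Saturday
Date: Sat, 13 Feb 2010 08:00:00 -0500

The campus network will be unavailable Saturday from 6 to 8 am.
"""

CREDENTIAL_WORDS = re.compile(r"\b(password|passwd|user ?name|login|date of birth)\b", re.I)
URGENCY_WORDS = re.compile(r"\b(immediately|maintenance|maintainance|suspend\w*|within \d+ hours)\b", re.I)


def domain_of(addr: str) -> str:
    """Domain part of an RFC 5322 address, ignoring the display name."""
    return parseaddr(str(addr))[1].rpartition("@")[2].lower()


def phishing_clues(raw: str) -> list[str]:
    """Return the slide-34 warning signs present in a raw message (empty list if none)."""
    msg = email.message_from_string(raw, policy=policy.default)
    clues = []
    from_dom = domain_of(msg.get("From", ""))
    reply_to = msg.get("Reply-To")
    reply_dom = domain_of(reply_to) if reply_to else from_dom
    if reply_dom != from_dom:
        clues.append(f"Reply-To domain {reply_dom!r} differs from From domain {from_dom!r}")
    subject = str(msg.get("Subject", ""))
    if from_dom == "williams.edu" and not subject.startswith("OIT Eph Notice"):
        clues.append("claims to be from Williams but subject lacks the 'OIT Eph Notice' prefix")
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""
    if CREDENTIAL_WORDS.search(text):
        clues.append("asks for credentials or identity data in the body")
    if URGENCY_WORDS.search(text):
        clues.append("uses an urgency or maintenance pretext")
    return clues


if __name__ == "__main__":
    for name, raw in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(name, phishing_clues(raw) or ["no clues"])
```

An empty result does not make a message safe: the From header in the phishing sample is forged to williams.edu and passes the domain comparison on its own, which is exactly why the slide says a spoofed From address is easy and the subject-line convention exists.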

36 Web Security
We are often required to log into web sites. How can you tell if the site is legitimate? Check the domain – which of these could be a real Williams site?

37 Web Security
We are often required to log into web sites. How can you tell if the site is legitimate? Check the domain – which of these could be a real Williams site?
–The domain is the last two words between the // and the first /
–Same format as the domain part of email addresses (what follows the @)
–Any Williams site will be http(s)://xyz.williams.edu/
–Any American Express site will be http(s)://xyz.americanexpress.com/
–The example address on the slide is legitimate because the domain is correct

38 Website copy
On Monday Sept. 29, a bogus email was sent with the subject line "Read Security Message" to many hundreds of college employees and students. The email had an attachment with a link to a bogus Williams webmail site. The email itself was not particularly believable, but the fake webmail site was a perfect copy of our real site. The only way to tell it was fake was to look at the domain information.

39 Preventing Viruses
Common ways to get viruses:
–An e-card (Hallmark greeting, etc.) – Don't follow the link unless you are sure. If you are asked to download or install something, quit your browser or ask OIT to check it out.
–Email attachment – Don't open it unless you are sure. Check with the sender. This includes Word documents and PDFs.
–Web link in an email – Don't follow it unless you know for sure where it goes.
–General browsing and downloading of things not work-related is the cause of nearly all infections.
AT HOME: Keep your anti-virus up to date – it's worthwhile to know what you use. Keep your computer up to date with Windows patches.

40 Preventing Spyware
–What is Spyware? The simplest explanation is that it is like a virus specifically designed to steal information.
–Follow the same rules you follow when avoiding viruses.
–Don't download "cool" applications: Bonzi Buddy, WeatherBug, Kazaa, Limewire, CoolWebSearch (this one is bad), Comet Cursor
–For your home computer, install Windows Defender (newer versions of Windows have it built in)
Malware, short for malicious software, is software designed to infiltrate or damage a computer system without the owner's informed consent. The expression is a general term used by computer professionals to mean a variety of forms of hostile, intrusive, or annoying software or program code covering viruses, spyware, trojan horses, worms, rogues, etc.

41 Rogue Security Software
–Rogue security software is software that misleads users into paying for the fake removal of malware.
–Typically you get a pop-up window while on the web alerting you that you have viruses or spyware on the computer and offering to clean it up. If you accept the offer the program installs itself, then will continuously try to get you to pay for a "professional" version – which does nothing, except maybe remove itself.
–Generally these rogue programs will not be picked up by real anti-virus software because you agreed to install the software.
–One program that does very well at removing this type of software is called Malwarebytes.
A partial list of known rogue software (just the A's!): Advanced Cleaner, AlfaCleaner, Alpha AntiVirus, AntiSpyCheck 2.1, AntiSpyStorm, AntiSpyware 2009, AntiSpyware Bot, AntiSpywareExpert, AntiSpywareMaster, AntiSpywareSuite, AntiSpyware Shield, Antivermins, Antivirus 2008, Antivirus 2009, Antivirus 2010, Antivirus 360, Antivirus Pro 2009, AntiVirus Gold, Antivirus Master, Antivirus XP 2008, Antivirus Pro 2010, Antivirus System PRO, Avatod Antispyware 8.0, Awola

42 Security recap
1. Physical security can usually be attained by applying common sense and a little care – treat your computer like a passport or your wallet or purse.
2. Avoiding viruses and spyware can usually be achieved by following a simple rule: your office computer is a business tool – don't use it like a home entertainment system.
3. Wireless is everywhere and incredibly convenient, but on an open wireless network anyone nearby can sniff traffic (traffic generally meaning whatever you are typing). If you are doing anything off-campus that requires a username and password, or requires entry of confidential information, run the VPN software.
4. Your username and password protect a lot more than just YOUR personal info – you probably have access to many people's personal info.

43 Quick Quizzes
You're travelling without a computer and want to see if you were paid on time. You find an internet café, pay for access, and log in to your online banking web site. You note that the username/password page in the web browser on the computer you're using is encrypted (using https://). Should you log in?

44 Quick Quizzes
Which of these web addresses (URLs) are legitimate Williams College addresses?
–https://webmail.williams.edu/
–https://webmail.williams.collegebound.net/
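The slide-37 rule ("the domain is the last two words between the // and the first /") applied to the slide-44 quiz URLs, as an added example that is not part of the OIT slides. It uses only Python's standard `urllib.parse`; the allow-list of trusted domains and the extra look-alike URLs beyond the two from the quiz are constructed for the demonstration.

```python
from __future__ import annotations
from urllib.parse import urlsplit

# Added example, not from the OIT slides: the slide-37 domain rule applied to
# the slide-44 quiz URLs plus a few constructed look-alikes.

# Assumption: a small allow-list of the domains the slides treat as legitimate.
TRUSTED_DOMAINS = frozenset({"williams.edu", "americanexpress.com"})


def registrable_domain(url: str) -> str:
    """Return the last two labels of the host in url, lower-cased.

    urlsplit().hostname strips the scheme, any user:password@ prefix, the
    port and everything from the first '/' on, so a trick such as
    http://www.williams.edu@203.0.113.5/ yields the real host 203.0.113.5.
    """
    if "//" not in url:                 # bare host copied from link text
        url = "//" + url
    host = urlsplit(url).hostname or ""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def is_trusted(url: str, trusted: frozenset[str] = TRUSTED_DOMAINS) -> bool:
    """True only if the registrable domain is exactly on the allow-list."""
    return registrable_domain(url) in trusted


SAMPLE_URLS = [
    "https://webmail.williams.edu/",                     # slide 44: legitimate
    "https://webmail.williams.collegebound.net/",        # slide 44: look-alike
    "webmail.williams.edu/login",                        # constructed: no scheme
    "http://williams.edu.login-verify.example/webmail",  # constructed: prefix trick
    "http://www.williams.edu@203.0.113.5/",              # constructed: user-info trick
    "HTTPS://WEBMAIL.WILLIAMS.EDU:443/login",            # constructed: case and port
]

if __name__ == "__main__":
    for url in SAMPLE_URLS:
        verdict = "TRUSTED" if is_trusted(url) else "SUSPECT"
        print(f"{verdict:8}{registrable_domain(url):22}{url}")
```

Only the first, third and last URLs pass. The two-label rule is the slide's simplification and is right for .edu and .com; for country-code domains such as example.co.uk the registrable part is three labels, and a production check should consult the Public Suffix List instead.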

45 Quick Quizzes
You get an email from the HR Benefits Coordinator telling you about a new Williams employee benefits program called WilliamsRewards. The email directs you to a web site that has the look of a typical Williams web page and instructs you to sign up for the program by logging in with your Williams username & password. What do you do?

46 How to check on links in email (Outlook)

47 How to check on links in email (WebMail)

48 If Nothing Else, What should you remember?

49 Questions? Thanks to Dennis Devlin and Brandeis University for their assistance. WWII posters from American Merchant Marine at War.

