
1 Introduction to Information Security
Office of the Vice President for Information Technology
Mr. Corbett Consolvo, IT Security Analyst
Ms. Lori McElroy, IT Security Officer

2 Agenda
Introduction
The State of Texas State's Information Security Program
Appropriate Use Policy
Confidential Information
Current Threats and Protections
Best Practices
Q&A

3 Information Security Introduction
What's Information Security? The protection of data against unauthorized access. This includes:
–How we access, process, transmit, and store information
–How we protect devices used to access information
–How we secure paper records, telephone conversations, and various types of digital media

4 The State of Texas State's Information Security Program
Comprehensive set of security policies, practices, and services that address:
–Network Access Management
–Threat Management
–Incident Management and Response

5 Information Security Program – Network Access Management
Firewall services
Virtual Private Network (VPN) access
Host and endpoint security
–Malware protection and remediation
–Patch management
–Encryption (future)

6 Information Security Program – Threat Management
Policy Development and Compliance
Security Awareness Training and Consulting
Risk Assessment

7 Information Security Program – Threat Management – Policy Development
Texas State University Policies
–Appropriate Use of Information Resources (UPPS 04.01.07) http://www.txstate.edu/effective/upps/upps-04-01-07.html
–Security of Texas State Information Resources (UPPS 04.01.01) http://www.txstate.edu/effective/upps/upps-04-01-01.html
–Appropriate Release of Information (UPPS 01.04.00) http://www.txstate.edu/effective/upps/upps-01-04-00.html

8 Information Security Program – Threat Management – Compliance
Texas Administrative Code, Chapter 202, Information Security Standards
FERPA – Federal Educational Rights & Privacy Act
–Protects the privacy of student educational records and prohibits the University from disclosing information from those records without the written consent of the student
–http://www.ed.gov/policy/gen/guid/fpco/ferpa/index.html
HIPAA – Health Insurance Portability & Accountability Act
–Protects the privacy and security of Protected Health Information (PHI) and Electronic Protected Health Information (ePHI)
–http://www.cms.hhs.gov/HIPAAGenInfo/
Gramm-Leach-Bliley Act (GLBA)
–Universities/agencies must not disclose any non-public financial information to anyone except as permitted by law
–http://www.ftc.gov/privacy/privacyinitiatives/glbact.html
TPIA – Texas Public Information Act
–Formerly known as the Open Records Act; specifies that all recorded information owned or accessed by a governmental body is presumed to be public information, with certain exceptions
–http://www.oag.state.tx.us/AG_Publications/txts/2004publicinfohb_toc.shtml

9 Information Security Program – Threat Management – Security Awareness Training and Outreach
IT Security contact points:
–itsecurity@txstate.edu
–512 245 HACK (4225)
New Employee Orientation II (NEO II)
IT Security Website
–http://www.vpit.txstate.edu/security.html
Annual Cyber Security Awareness Month – October
Introductory and technical security classes
TXState security discussion lists:
–Information-Security@groups.txstate.edu
–TXState-ServerAdmins@groups.txstate.edu

10 Information Security Program – Threat Management – Assessments & Testing
Information Technology Risk Assessment
–Device Registration application
–Information Security Awareness, Assessment, and Compliance (ISAAC)
Vulnerability Assessment
–Regular scans of information resources and networks looking for potential weaknesses in defenses
–Employs specialized tools and technologies
Security Testing
–Penetration testing – attempts to exploit vulnerabilities
–Policy and compliance review
–Security controls review

11 Information Security Program – Incident Management and Response
Incident investigation
E-discovery
Evidence preservation
Digital forensics
Law enforcement coordination
Reporting an Incident
–Call 245-HACK (4225) or 245-ITAC (4822)
–Email itsecurity@txstate.edu
–Contact any IT Security team member

12 Appropriate Use Policy
UPPS 04.01.07
IT Security is responsible for enforcement
Applies to all faculty, staff, and students
Acceptance when you change your password

13 Appropriate Use Policy Highlights
Illegal, threatening or deliberately destructive use
Authorized use
Email use
Circumventing security procedures
Protect your identity
Copyright infringement

14 Confidential Information – Release Precautions
FACT 1: Texas State is a public institution
FACT 2: Texas State is subject to the Texas Public Information Act
FACT 3: TPIA does not make all Texas State information freely available to the public
IMPORTANT NOTE: If you receive a request for information from any external party and you aren't certain that the information can be released, consult the Office of the University Attorney before releasing the information.

15 Confidential Information – Classes of Information
Public information – may be freely disseminated to the public without potential harm to the University, individuals, or affiliates, e.g., job postings, service offerings, published research, directory information, degree programs.
Sensitive information – limited to those with a need to know; uncontrolled disclosure might prove harmful to the University, individuals, or affiliates, e.g., performance appraisals, dates of birth and email addresses, donor information.
Restricted information – release of this information is regulated by legal statutes such as TPIA, HIPAA, FERPA. Disclosure would seriously harm the University, individuals, or affiliates, e.g., SSN, credit card info, personal health info.

16 Confidential Information – Protections
Share confidential information only with those who are authorized to see it
When in doubt, don't give it out!
Prevent eavesdropping – keep confidential phone conversations from being overheard
Quickly retrieve and secure any document containing confidential information that you have printed, scanned, copied, faxed, etc.

17 Confidential Information – Protections
Store media containing confidential information in locking file cabinets or drawers
Delete and write over (i.e., "wipe") data on any electronic media before transferring or disposing of it
Position computer screens so they're not visible to anyone but the authorized user(s)

18 Confidential Information – Protections
Shred media containing confidential information and secure such items until shredding
Be alert to fraudulent attempts to obtain confidential information and report these immediately
Lock your workstation
Use strong passwords; don't share them

19 Information Security – Current Threats and Protections – Video
EDUCAUSE Computer Security Awareness Video Contest 2006 gold winner, Superhighway Safety, by Nathan Blair, Savannah College of Art and Design
http://www.educause.edu/SecurityVideoContest2006/7103


21 Information Security – Current Trends
Symantec – last six months of 2007
Professional hackers are commercializing
–$ is the motivator
–They are selling our information (medical, credit card, identities)
The Web as the focal point
–Where we spend our time and divulge our information
End-users are the primary target
–Phishing, web browsers (plug-ins), malware, spam, botnets
–Mobile device security (clever ploys)
Increasing privacy data breaches
–http://www.privacyrights.org/identity.htm
–https://www.ssnbreach.org/

22 Information Security – Current Threats and Protections
SPAM – what is it and how do I protect myself from it?
–Spamming is the abuse of email to indiscriminately send unsolicited bulk messages. It can be illegal.
–Protections:
Do not open emails or attachments from an unknown source
Use available filtering/blocking tools (see www.tr.txstate.edu/help/spam-filter-faq.html)
Don't click on any links in spam
Don't forward spam on to your friends
Validate hoax email: www.snopes.com, www.hoax-slayer.com

23 Information Security – Current Threats and Protections
Phishing – what is it and how do I protect myself from it?
–Phishing is an attempt to fraudulently acquire sensitive information by masquerading as a trustworthy entity in an email or instant message. Spear phishing is a highly targeted attempt. Phishing is illegal.
–Valid companies don't ask you to submit confidential information via email! If in doubt, contact the company directly by telephone or an independently obtained email address.
–Phishing IQ Test: http://www.sonicwall.com/phishing/
–Protections:
Do not submit personal information in response to an email
Verify the authenticity and security of web sites before entering your personal information (https, certificates)


25 Information Security – Current Threats and Protections
Spyware – what is it and how do I protect myself from it?
–Spyware is computer software that is installed without your knowledge and used to intercept or take partial control over interactions with your computer. Unauthorized access to a computer is illegal.
–Spyware is often unwittingly downloaded and installed along with other programs like toolbars and screensavers
–Protections:
Do not download or install untrusted or unknown programs
Use anti-spyware software, such as
–Ad-Aware (www.lavasoftusa.com)
–Spybot - Search & Destroy (www.spybot.info)


27 Information Security – Download Security Video
EDUCAUSE Computer Security Awareness Video Contest 2006 honorable mention, Act Now - Know Your Sources, by Stephen Hockman, Christina Manikus, John Sease, & Erin Shulsinger, James Madison University
http://www.educause.edu/SecurityVideoContest2006/7103


29 Information Security Best Practices – Data Backup
–Regular or automatic backups
–Protect backup media
–Protect sensitive information stored on backup media
–Critical data should be backed up frequently to minimize the amount of data that might be lost if recovery from a backup becomes necessary
–Recovery procedures should be tested on a regular basis.

30 Information Security Best Practices – System, Software, & Anti-Malware Updates
–Operating system patches
–Anti-virus and anti-spyware
–Host-based firewalls
–Application software
Regularly scheduled or automatic updates are best

31 Information Security Best Practices – User Accounts and Passwords
–Use separate user accounts
Administrator accounts for installing software, etc.
User accounts for normal usage
–Use strong passwords
Mix upper case, lower case, and numeric characters
The longer the better, but a minimum of 8 characters
Use passphrases
Avoid valid dictionary words and proper names
Avoid re-using passwords

32 Information Security – Passwords
Creating strong passwords that are easy to remember
Strong password checker websites
–http://www.microsoft.com/protect/yourself/password/checker.mspx
–http://strongpasswordgenerator.com/
Use different passwords for different functions
–Banking
–Purchasing
–Email
Password management tools
–Password Safe
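Added example, not part of the presentation: a Python checker that applies the password rules from slide 31 (minimum 8 characters, mixed case plus digits, no dictionary words or proper names, no re-use) in the way the checker sites on slide 32 do. The word list and the previous-password history are constructed samples; a real deployment would load a full dictionary and names list.

```python
import hashlib
import os
import re

# Constructed sample word list standing in for a dictionary plus proper-name list
# (assumption: a real deployment would load the system dictionary and a names list).
WORDLIST = {"password", "welcome", "texas", "bobcat", "austin", "summer"}

# Common character substitutions undone before the dictionary check, so that
# "P@ssw0rd1" is still recognised as the word "password".
_LEET = str.maketrans("@0134$5", "aoleass")


def _hash(candidate, salt):
    """Salted PBKDF2 so the re-use history never holds plaintext passwords."""
    return hashlib.pbkdf2_hmac("sha256", candidate.encode(), salt, 100_000)


def remember(candidate, history):
    """Record an accepted password in `history` (a list of (salt, hash) pairs)."""
    salt = os.urandom(16)
    history.append((salt, _hash(candidate, salt)))


def check_password(candidate, history=()):
    """Return the slide's policy violations for `candidate`; an empty list passes."""
    problems = []
    if len(candidate) < 8:
        problems.append("shorter than 8 characters")
    if not re.search(r"[A-Z]", candidate):
        problems.append("no upper-case letter")
    if not re.search(r"[a-z]", candidate):
        problems.append("no lower-case letter")
    if not re.search(r"[0-9]", candidate):
        problems.append("no digit")
    # Undo substitutions, drop non-letters, then look for any listed word inside.
    letters = re.sub(r"[^a-z]", "", candidate.lower().translate(_LEET))
    if any(word in letters for word in WORDLIST):
        problems.append("built on a dictionary word or proper name")
    if any(_hash(candidate, salt) == digest for salt, digest in history):
        problems.append("re-uses a previous password")
    return problems


if __name__ == "__main__":
    history = []
    remember("Bobcats-Win-2007", history)  # constructed previous password
    for pw in ("P@ssw0rd1", "Bobcats-Win-2007", "Correct-Horse-Battery-7"):
        print(pw, "->", check_password(pw, history) or "OK")
```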

33 Information Security Best Practices – Mobile Computing and Portable Media
–If you store confidential or Personally Identifiable Information (PII) on your portable device, it is your responsibility to protect it
Use passwords, preferably power-on passwords
Use an additional authentication factor, such as a fingerprint reader on a laptop
–Remove or shred all data before turning the device over to another user or before it is sold at auction
–Always keep the device with you when you are away from the office
E.g., do not leave it unattended in a hotel room, at a conference, or in your vehicle
–Laptop theft tracker: http://adeona.cs.washington.edu/

34 Information Security Best Practices – Wireless Network Security
–Texas State University's wireless networks
Open network
Encrypted network
http://www.tr.txstate.edu/get-connected/wireless.html
–Wireless network security at home
Change the router's default password
Use the strongest available encryption
If possible, restrict access to authorized devices via MAC addresses
–Use public wireless networks only for risk-free activities

35 Information Security – Wireless Security Video
EDUCAUSE Computer Security Awareness Video Contest 2007 bronze award, When You Least Expect It, by Nolan Portillo, California State University – Bakersfield
http://www.educause.edu/SecurityVideoContest2007/713549


37 Information Security Best Practices – Identity Theft and Credit Card Fraud
–Do not give out your personal information unnecessarily
–Be aware of possible phishing attempts
–Don't use public computers or networks to check your bank account, pay credit cards, or submit personal information
–Check your receipts for credit card numbers
–Monitor your bank accounts and credit card balances
–Apply for your free annual credit report from all 3 agencies
–Use anti-spyware software
–http://onguardonline.gov/idtheft.html
–Identity Theft IQ Test

38 Information Security – Identity Theft Video
EDUCAUSE Computer Security Awareness Video Contest 2007, Out in the Open, Mark Lancaster, Texas A&M University
http://www.researchchannel.org/securityvideo2007/


40 Information Security Best Practices – Social Networking
MySpace and Facebook – most popular
–Use caution when posting personal information
–Photos can be used by a stalker to gather information about you or your family
–Talk about social networking protections with your family and friends
–Limit access to your personal site
–Remember that pages are cached

41 Information Security Best Practices – Useful Links
Top 20 Vulnerabilities
–http://www.sans.org/top20/
PII detector
–Identity Finder, SERF, Spider (Google these)
Identity Theft
–http://onguardonline.gov/idtheft.html
–http://www.vpit.txstate.edu/security/items_interest/identity.html
Annual Credit Report
–https://www.annualcreditreport.com/cra/index.jsp
Best Practices
–http://www.educause.edu/section_params/security/cd/higher_education/checklist/Indiana%20Best%20Practices%20for%20Securing%20Technology%20Resources.html

42 Information Security – How Do I Find Out More?
Texas State Sites
–IT Security - http://www.vpit.txstate.edu/security
–Privacy Rights Notice - http://www.tr.txstate.edu/privacy-notice.html
–Identity theft - http://webapps.tr.txstate.edu/security/identity.html
–FERPA at Texas State - http://www.registrar.txstate.edu/persistent-links/ferpa.html
Contacts
–Information Technology Security 512-245-HACK (4225), itsecurity@txstate.edu
–Information Technology Assistance Center (Help Desk) 512-245-ITAC (4822) or 512-245-HELP, itac@txstate.edu

43 Q & A

