IT Security Information Security & Appropriate Use of Information Resources
Information Security Understanding…
– Who’s responsible?
– What’s information security?
– Why do we need information security?
– What do I need to protect?
– How do I protect information?
– What’s appropriate use?
– What are the important policies and laws?
– Where do I find out more?
Information Security Who’s Responsible?
– Students?
– Faculty?
– Staff?
– Security administrators?
The Answer = All of the above: security is everyone’s responsibility!
Information Security What’s Information Security?
The protection of data against unauthorized access. This includes:
– How we access, process, transmit, and store information
– How we protect devices used to access information
– How we secure paper records, telephone conversations, and other types of digital media
Information Security Why Do We Need Information Security?
– Confidential information is entrusted to us
– Laws and regulations govern the use of some of this confidential information
– We have an ethical obligation to protect this information from unauthorized access
– Failure to do so could leave others vulnerable to fraud and other exploits
Information Security What’s Confidential and What’s Not?
– FACT 1: Texas State is a public institution
– FACT 2: Texas State is subject to the Texas Public Information Act
– FACT 3: Even though Texas State is subject to TPIA, this does not mean that all information at Texas State is freely provided to the public
IMPORTANT NOTE: If you receive a request for information from any external party, and you aren’t certain that the information can be released, refer them to the Office of the University Attorney for further action.
Information and Records What Do I Need to Protect?
– Public information: You may freely disclose information already available to the general public, such as information on the University’s public web pages
– Sensitive University information: Be careful with information that may be disclosed under certain conditions, such as telephone lists, technical and proprietary documentation, salaries, performance appraisals
– Confidential information: Do not disclose information that is protected by laws, including Social Security Numbers, credit card information, grades, transcripts, medical records
Information Security How Do I Protect Information?
– Share confidential information only with other employees who have a need for the information
– When in doubt, don't give it out! If you are unsure whether or not to disclose certain information, err on the side of caution and don't release it
– Keep confidential phone conversations and dictation from being overheard
– Quickly retrieve or secure any document containing protected information that you have printed, scanned, copied, faxed, etc.
Information Security How Do I Protect Information?
– Delete and write over (i.e., "wipe") data from any electronic media before transferring or disposing of it. Ask your IT support person for assistance
– Position computer screens so they're not visible to anyone but the authorized user(s)
Information Security How Do I Protect Information?
– Shred paper documents and/or CDs containing confidential information before disposal, and secure such items until shredding
– Store documents or physical media containing confidential information in locking file cabinets or drawers
– Be alert to fraudulent attempts to obtain confidential information and report these to management for referral to appropriate authorities
Information Security How Do I Protect Information?
– Log out or lock your workstation when you walk away from your work area
– Use strong passwords; don’t share them
  – At least 8 characters long
  – Mix alpha, numeric, & special characters; upper & lower case
  – Don’t include dictionary words or proper names
  – Don’t re-use all or a major portion of a prior password
Information Security How Do I Protect Information?
– Use anti-virus software and leave auto-update enabled or update your virus definitions regularly
Appropriate Use of Information Resources What is an information resource?
– Any University device, tool, function, or process capable of receiving, storing, managing, or transmitting electronic data as well as the data itself
– Examples include: personal and laptop computers, servers, personal digital assistants (PDAs), networks, laboratory equipment, telephones, copiers, faxes, software, and all University data
– Question: Is the thumb drive I received from my co-worker a University resource?
– Answer: Yes, if it was purchased with University funds.
– NOTE: If University data is on the drive, that data is a resource, regardless of the source of funds used to purchase the drive
Appropriate Use of Information Resources – Policy
– Never do anything illegal, threatening or deliberately destructive: Examples: unauthorized access, intentional corruption or misuse of resources, theft, child pornography, and sending harassing or threatening email to others. All illegal activities will be reported to the authorities
– Authorized use only: Protect against unauthorized use or access to any information resource. Example: Keep confidential files secure
– Personal financial gain: Never use resources for personal financial gain or commercial purposes. Examples: creating a website to accept payments, gambling, advertising or marketing personal property
Appropriate Use of Information Resources – Policy
– Use resources appropriately: This applies to all University resources, whether on or off campus. Do not use resources in a way that will violate any other University policy, such as policies on racial, ethnic, religious, or sexual harassment
– Protect your identity: Don’t falsify your identity or send an email using someone else’s NetID. Never share your password with anyone else, including your coworker or members of your family
– Be aware of copyright infringement: Don’t duplicate or distribute copyrighted materials without explicit owner permission. Examples: sharing copyrighted music or video files on the Internet, copying software or other digital media protected by copyright
Appropriate Use of Information Resources – Policy
– Political purposes: You may not use resources to affect the result of any election or for other political purposes
– Email: Transmitting spam mail, chain letters or personal advertisements or solicitations is against policy
– Never try to circumvent security procedures: Don’t attempt to break into computers, websites, or any information resources, regardless of where they are located (e.g. on or off campus, the Internet)
Appropriate Use of Information Resources - Privacy
– Don’t think of your e-mail as private
– Email can be viewed by authorized staff such as System Administrators
– Files may be subject to open records requests
– Employee privacy may be limited by:
  – Evidence of fraud
  – Harassment
  – Other illegal conduct or rule violations
Appropriate Use of Information Resources – FAQs
– Question: Can I use University email to advertise my new home business?
  Answer: No, you may not use email to transmit spam, forward chain letters, personal advertisements, solicitations or promotions
– Question: Can I take my laptop home for University use?
  Answer: Yes, you may take resources home if approved by your department head, but don’t store confidential information on the laptop unless it is encrypted
– Question: I am working on the 2008 presidential election, can I use my printer to create flyers for my candidate?
  Answer: No, you may not use resources to affect the results of any local, state, or national election or for any political purpose
– Question: Is it OK to download my favorite song to give to my friends?
  Answer: Probably not. You may download from reputable sources like iTunes or Ruckus, but not from p2p file sharing networks like Ares. You may never distribute copies to friends without permission from the copyright owner
– Question: I feel as though I am being harassed through email, what should I do?
  Answer: Check the University policy on harassment and if you believe that you are being harassed, contact the Office of Equity and Access
Information Security What Are the Rules and Laws?
FERPA – Federal Educational Rights & Privacy Act
– is a federal law that protects the privacy of student educational records, and prohibits the University from disclosing information from those records without the written consent of the student
– http://www.ed.gov/policy/gen/guid/fpco/ferpa/index.html
HIPAA – Health Insurance Portability & Accountability Act
– is a federal law that:
  – Protects the privacy and security of Protected Health Information (PHI) and Electronic Protected Health Information (ePHI)
  – Gives patients more control over their health records
  – Sets limits on the accessibility and disclosure of patient health information
– http://www.cms.hhs.gov/HIPAAGenInfo/
Information Security What Are the Rules and Laws?
Gramm-Leach-Bliley Act (GLBA)
– includes provisions to protect the security and confidentiality of consumers' personal financial information held by financial institutions, in any form or medium
– Universities/agencies must not disclose any non-public financial information to anyone except as permitted by law
– http://www.ftc.gov/privacy/privacyinitiatives/glbact.html
TPIA – Texas Public Information Act
– formerly known as the Open Records Act, specifies that all recorded information owned or accessed by a governmental body is presumed to be public information, with certain exceptions
– http://www.oag.state.tx.us/AG_Publications/txts/2004publicinfohb_toc.shtml
Information Security What Are the University Policies?
Texas State University Policies
– Appropriate Use of Information Resources (UPPS 04.01.07) http://www.txstate.edu/effective/upps/upps-04-01-07.html
– Security of Texas State Information Resources (UPPS 04.01.01) http://www.txstate.edu/effective/upps/upps-04-01-01.html
– Appropriate Release of Information (UPPS 01.04.00) http://www.txstate.edu/effective/upps/upps-01-04-00.html
– Texas State policy requires that information resources be used only in support of University missions
Information Security How Do I Find Out More?
Texas State Sites
– IT Security - http://www.vpit.txstate.edu/security
– Privacy Rights Notice - http://www.tr.txstate.edu/privacy-notice.html
– Identity theft - http://webapps.tr.txstate.edu/security/identity.html
– FERPA at Texas State - http://www.registrar.txstate.edu/persistent-links/ferpa.html
Contacts
– Information Technology Security 512-245-HACK(4225), firstname.lastname@example.org
– Information Technology Assistance Center 512-245-ITAC(4822), email@example.com