Security Awareness Protecting Sensitive Information.


1 Security Awareness Protecting Sensitive Information

2 Objectives
What types of confidential data should you watch for?
What areas of compliance do you need to know about?
How can data be compromised?
What can you do to protect confidential data?
Awareness of University Policies #97 and #95

3 What's so important?
Universities hold massive quantities of confidential data and are traditionally seen as easy targets for data theft.
We must understand the types of data that we hold and the related business processes.

4 Confidential Data
Social Security Numbers (SSN)
Credit/Debit Card #s
Driver's License Numbers
Passport Numbers
Bank Account #s
PINs
Personal Health Information
Student Education Records
Proprietary Research Data
Confidential/Privileged Legal Data
Personnel Records

5 University Policy #97 Data Security and Stewardship
To protect the security and integrity of the University's data
Applies to all data (paper and electronic records)
Addresses access to and disclosure of data

6 University Policy #97 Data Security and Stewardship (cont.)
RESPONSIBILITIES
Members of the Executive Council (Chancellor, Vice Chancellors, Athletic Director, and Legal Counsel) are the designated Data Stewards who are ultimately responsible for ensuring the appropriate handling of University data.

7 University Policy #97 Data Security and Stewardship (cont.)
RESPONSIBILITIES
Department Managers are responsible for ensuring that employees comply with all University policies on data security, as well as Information Technology and the Office of Institutional Research and Planning requirements.
All University employees are responsible for complying with University policies on data security.

8 University Policy #97 Data Security and Stewardship (cont.)
DATA CLASSIFICATIONS
Confidential – limited access to and limited disclosure of data
Third Party Confidential – limited access to and limited disclosure of data (usually by contract with a non-disclosure agreement)
Internal – limited access
Public – unlimited access and disclosure

9 University Policy #95 Data Network Security and Access Control
The Information Technology (IT) Division's Networking & Communications department has the responsibility for the design, maintenance and security of the university's data network. To ensure the integrity of the network, the following items must be complied with.

10 University Policy #95 Data Network Security and Access Control
1. No device may be added to the network which does not conform to the approved list of devices, maintained and published by the IT Division, without prior approval of Networking & Communications. Rogue network devices will be automatically and immediately disabled upon detection.
2. No individual or office may connect a device to the campus data network that provides unauthorized users access to the network or provides unauthorized IP addresses for users.
3. Networking & Communications has the right to quickly limit network capacity to, or disable, network connections that are overwhelming available network bandwidth to the detriment of the university.
4. Access to networking equipment in wiring closets, etc. is limited to the Networking & Communications staff or their designees.
5. No consideration of changing the architecture of any part of the data network may be undertaken without the early and regular involvement of Networking & Communication Services.

11 University Policy #95 Data Network Security and Access Control
The "Access Control Procedures Checklist" is accessible at the following link, or you may copy and paste the web address.
Policy 95 – Data Network Security and Access Control index/university-policy-95.asp
All persons with access to the university network must sign a Confidentiality Agreement that is maintained in their personnel records for employees or by the requesting department for non-employees. Employee supervisors are responsible for having employees sign the agreement, and requesting departments are responsible for non-employee compliance with the requirement.

12 Compliance
Universities are required to comply with federal and state laws and regulations regarding the way they use, transmit and store sensitive information, and to meet payment card industry contractual obligations.
HIPAA – Health Insurance Portability and Accountability Act (health data)
GLBA – Gramm-Leach-Bliley Act (financial data)
FERPA – Family Educational Rights & Privacy Act (education records)
NC Identity Theft Protection Act (personal data, especially SSN)
PCI Data Security Standards (MasterCard and Visa)

13 NC Identity Theft Protection Act
The state's Identity Theft Protection Act (ITPA) is designed to protect individuals from identity theft by mandating that businesses and government agencies take steps to safeguard Social Security numbers and other personal information.

14 NC Identity Theft Protection Act (cont.)
State agencies must secure personal identifiers
Encrypt or secure the transmission of SSNs
Do not collect SSNs unless "imperative"
State agencies must report annually to the General Assembly on security efforts
State agencies must notify affected persons when there is a security breach, and sometimes law enforcement agencies and the Attorney General

15 Identity Theft
More than 10 million ID theft victims nationally per year – the equivalent of 19 people per minute.
Has surpassed drug trafficking as the #1 crime in the nation.
In NC alone, the number of reported identity theft crimes has more than tripled over a 4-year period.

16 How is Information Stolen?
Phishing
Malware
Hacking
Unauthorized physical access to computing devices
Lost/stolen computing devices
Social engineering
Lost/stolen paper records

17 Phishing
The practice of acquiring personal information on the Internet by masquerading as a trustworthy business.


19 Malware
Usually installed onto a computer by downloading other programs such as screensavers, games, and "free" software.
Trojans – malicious programs disguised as or embedded within legitimate software.

20 Malware can:
Capture and send sensitive information from your workstation to the hacker
Download other malware
Crash your workstation
Be used to perform attacks from inside WCU's network

21 Hacking
Unauthorized and/or illegal computer trespass executed remotely via some form of communication network (e.g., the Internet, LAN or dial-up network).

22 Unauthorized Physical Access to Computing Devices
Unsecured workstations, offices, desks, files
Unattended computing devices

23 Lost/Stolen Computing Devices
Removable Memory Devices
PDAs
Laptops
BlackBerry
PCs
Smart phones
Thumb Drives
Flash Cards

24 Which Way Did It Go?
Cab drivers in one major city reported that 4,973 laptops, 5,939 PDAs, and 63,135 mobile phones were left in cabs over a 6-month period.

25 Social Engineering
A hacker's favorite tool – the ability to extract information from computer users without having to touch a computer.
Tricking people into giving out information is known as "social engineering" and is one of the greatest threats to data security.

26 Social Engineering (cont.)
Social engineers prey on some basic human tendencies:
The desire to be HELPFUL
The tendency to TRUST people
The FEAR of getting into trouble

27 Social Engineering (cont.)
Despite security controls, a university is vulnerable to an attack if an employee unwittingly gives away confidential data via email, by answering questions over the phone from someone they don't know, or by failing to ask the right questions.

28 Examine Your Business Processes
WHAT – data type
WHO – has access to the data
WHERE – data originates, resides, goes
HOW – data gets where it's going

29 What to do with Confidential Data
If you don't need it for business purposes, don't collect it
If you do need to collect it, maintain it securely
If you need to share it, transmit it securely

30 Data Security Tips
Confidential data should never be located on a web server
Use a secure WCU server (H: drive) to store confidential data – do not maintain data on the local disk (C: drive)
Do not create or maintain "shadow data" (duplicate data) – if you must maintain it, keep it on the H: drive
Encrypt confidential data whenever possible
Redact confidential data whenever possible (e.g., keep only the last four digits of SSNs, partial credit card numbers)
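As an added worked example (not part of the original training deck), the following Python script shows what the "examine your business processes: WHAT data type" step and the "redact whenever possible" tip look like in practice. It scans a block of text for Social Security numbers and payment card numbers, discards look-alikes (a phone number, an SSN with an area number the Social Security Administration never issues, a card number that fails the Luhn checksum), and masks everything except the last four digits. The sample text, the names in it and the test card numbers are constructed for this example; only the dashed SSN form is handled.

```python
import re

# Constructed sample (not from the training deck): a note of the kind that
# ends up in a departmental spreadsheet or email.
SAMPLE_TEXT = (
    "Student Jane Doe, SSN 123-45-6789, paid by card 4111 1111 1111 1111 "
    "(exp 09/27). Call 828-227-7000 with questions. Ref 000-12-3456 is a "
    "placeholder SSN and 4111 1111 1111 1112 fails the checksum."
)

# Dashed SSN form only (AAA-GG-SSSS).
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
# 13 to 19 digits, optionally separated by single spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers: every second digit from
    the right is doubled (minus 9 if that exceeds 9); the sum must end in 0."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def ssn_plausible(area: str, group: str, serial: str) -> bool:
    """Reject patterns the Social Security Administration never issues:
    area 000, 666 or 900-999, group 00, serial 0000."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return group != "00" and serial != "0000"


def scan(text: str):
    """Return (kind, last four digits) for each confidential value found,
    SSNs first, then card numbers; look-alikes are skipped."""
    found = []
    for m in SSN_RE.finditer(text):
        if ssn_plausible(*m.groups()):
            found.append(("ssn", m.group(3)))
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            found.append(("card", digits[-4:]))
    return found


def redact(text: str) -> str:
    """Mask all but the last four digits of each SSN and card number;
    strings that fail the plausibility checks are left untouched."""
    def ssn_sub(m):
        if not ssn_plausible(*m.groups()):
            return m.group(0)
        return "XXX-XX-" + m.group(3)

    def card_sub(m):
        digits = re.sub(r"[ -]", "", m.group(0))
        if not luhn_ok(digits):
            return m.group(0)
        return "*" * (len(digits) - 4) + digits[-4:]

    return CARD_RE.sub(card_sub, SSN_RE.sub(ssn_sub, text))


if __name__ == "__main__":
    print(scan(SAMPLE_TEXT))
    print(redact(SAMPLE_TEXT))
```

A hit from a scanner like this is a prompt to apply the earlier tips in order: delete the data if it is not needed, otherwise move it to the H: drive and keep only the redacted form anywhere else. Redaction is not a substitute for not collecting the data in the first place.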

31 Data Security (cont.)
Be careful to whom you give sensitive information. Ask yourself some questions:
Do you know who they are?
Do they have a need to know?
Do they have the proper authorization?

32 Password Security
Never give your password to anyone
Don't use the same password on multiple systems
Use a strong password (at least 12 characters, mixing upper- and lower-case letters and numbers) on all your computer systems and change them regularly
Avoid using the "auto complete" option to remember your password
Avoid storing passwords (e.g., "check box to remember this password")

33 Securing Your Workstation
Log off or lock your workstation when you leave (CTRL-ALT-DEL)
Use a screensaver with a password enabled
Turn your computer off when you go home

34 Steer Clear of Malware
Avoid using Instant Messaging and Chat software
Avoid using Peer-to-Peer file sharing software
Don't download or install unauthorized programs
Keep your computer up to date with the latest antivirus definitions and security patches

35 Safe Practices
Don't open unknown or unexpected attachments
If you receive an email with a hyperlink, don't open it from the email – open a web browser and type the link in manually
Email is sent in clear text and should never be used to send confidential data
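Added example, not from the deck, of why "type the link in manually" matters: the HTML of a phishing email can show one address while the link actually goes somewhere else. This Python snippet parses the anchors in a constructed sample message and compares the host a reader sees with the host the browser would really contact, including the trick of hiding the real host after an "@" (everything before it is treated as a username). The message body, hostnames and the 203.0.113.5 address are made up for this example.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample message (not from the training deck). The first two
# links are deceptive; the last two are honest.
SAMPLE_HTML = """
<p>Your mailbox is almost full. Verify your account to keep receiving mail:</p>
<a href="http://wcu-login.example.net/verify">https://www.wcu.edu/myaccount</a>
<a href="https://www.wcu.edu@203.0.113.5/login">www.wcu.edu</a>
<a href="https://www.wcu.edu/it/help">IT Help Desk</a>
<a href="https://www.wcu.edu/it/help">https://www.wcu.edu/it/help</a>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _with_scheme(url: str) -> str:
    """Visible text such as 'www.wcu.edu' has no scheme; add one so it parses."""
    return url if "://" in url else "http://" + url


def host_of(url: str) -> str:
    """Host the browser would contact; any user@ part before it is dropped."""
    return (urlsplit(_with_scheme(url)).hostname or "").lower()


def looks_like_url(text: str) -> bool:
    t = text.lower()
    return "://" in t or t.startswith("www.")


def verdict(href: str, text: str) -> str:
    """Explain whether the visible link text matches the real target."""
    if "@" in urlsplit(_with_scheme(href)).netloc:
        return "userinfo in URL"
    if looks_like_url(text) and host_of(text) != host_of(href):
        return "displayed host differs"
    return "ok"


def check_links(html: str):
    """(visible text, real host, verdict) for every link in the message."""
    parser = LinkCollector()
    parser.feed(html)
    return [(text, host_of(href), verdict(href, text)) for href, text in parser.links]


if __name__ == "__main__":
    for text, host, why in check_links(SAMPLE_HTML):
        print(f"{why:24s} shown={text!r} really goes to {host}")
```

The third link ("IT Help Desk") gets "ok" only because its text claims nothing about where it goes; the deck's advice still applies to it. Hovering over a link shows the same href this code reads, but a user who types the address into a browser never depends on the email's HTML at all.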

36 Practice a "Clean Desk" policy
Don't leave confidential data unattended on your desk, FAX, printers or copiers
Keep confidential data stored in a locked desk drawer or file cabinet
Shred confidential data for disposal (in compliance with the NC Records Retention and Disposition Schedule)

37 Good Business Practices
If you don't need it, don't collect it
If you need it only once, don't save it
If you don't need to save it, dispose of it properly
If you have to save it, store it securely
If you have to transmit it, transmit it securely
Don't give out information without knowing the recipient / positive confirmation

38 Data Security Breach – Consequences
HIPAA: significant financial penalties per violation; imprisonment for intentional disclosure of protected health information
ITPA: a data security breach requires notification of affected persons, at a cost of up to $250,000 to be borne by the department

39 Data Security Breach – Consequences (cont.)
PCI: $500,000 per incident if there is a compromise on the network resulting in loss or theft of cardholder data, and the network is subsequently found to be non-compliant
PCI: $100,000 per incident if a merchant fails to immediately notify payment card companies of suspected or confirmed loss or theft of transaction information

40 Data Security Breach – Consequences (cont.)
GLBA: civil money penalties of up to $250,000 for individuals and $500,000 for organizations, and/or imprisonment of up to 5 years for intentional fraudulent access to financial information

41 If You Suspect a Problem
IMMEDIATELY notify your supervisor

42 Security Awareness Mindset: "I understand that there is the potential for some people to deliberately or accidentally steal, damage or misuse the data that is stored within my computer systems and throughout our university. Therefore, it would be prudent for me to stop that from happening."

43 Training Acknowledgement Form
Be sure to print and complete the General Security Awareness Training Form
Return completed forms to Human Resources, 220 HFR

