Springfield Technical Community College Security Awareness Training.

Why?
- Payment Card Industry (PCI) requirement to provide security training to staff on an annual basis
- Massachusetts General Law (MGL) 93H, Security Breaches; must provide breach notice
- Executive Order (EO) 504 requirement to train all employees in safeguarding personal information
- Federal Trade Commission Red Flag Rules under the Fair and Accurate Credit Transactions Act of 2003
- Gramm-Leach-Bliley Act: protection of financial information
- Family Educational Rights and Privacy Act (FERPA)
- Health Insurance Portability and Accountability Act (HIPAA)

What is personal information?
Personal information is defined (MGL 93H) as a resident’s first name and last name, or first initial and last name, in combination with any one or more of the following:
- Social Security number
- Driver’s license number
- State-issued ID number
- Financial account number

PCI Requirements
- Credit card numbers should not be stored on campus
- The transmission of credit card number information should be treated with the utmost sensitivity

Red Flag Rules
- Red Flag = a pattern, practice, or specific activity that indicates the possible existence of identity theft
- Identity Theft = a fraud committed or attempted using the identifying information of another person without authority

Red Flags at STCC:
1. Documentation appears to have been altered or forged
2. The photograph or description is inconsistent with the student holding the ID
3. Documentation inconsistent with existing student information
4. A request made from a non-College-issued account
5. A request to mail something to an address not listed on file
6. Notice received regarding possible identity theft
7. Information inconsistent with current information
8. Information inconsistent with another information source
9. Same information as shown on known fraudulent documents
10. Same Social Security number as is used by another student
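
Several of the listed red flags can be checked automatically when a request (for example, a transcript or a change of mailing address) arrives. The code below is an added example, not the College's procedure or software: it evaluates flags 3, 4, 5, 7 and 10 against a constructed set of student records, and the College mail domain is an assumed placeholder. The flags it cannot decide from data alone (altered documents, photo mismatch) remain a human check.

```python
from collections import Counter

# Constructed student records (not real data); the mail domain is an assumed placeholder.
COLLEGE_DOMAIN = "example.edu"
STUDENTS = [
    {"id": "S1001", "name": "Jane Student", "ssn": "123-45-6789",
     "email": "jstudent@example.edu", "address": "1 Main St, Springfield"},
    {"id": "S1002", "name": "John Doe", "ssn": "987-65-4321",
     "email": "jdoe@example.edu", "address": "2 Elm St, Springfield"},
    {"id": "S1003", "name": "J. Doe", "ssn": "987-65-4321",   # shares S1002's SSN
     "email": "j.doe@example.edu", "address": "3 Oak St, Springfield"},
]


def check_request(request, students=STUDENTS, domain=COLLEGE_DOMAIN):
    """Return the numbers of the STCC red flags a request triggers, in ascending order."""
    student = next((s for s in students if s["id"] == request["student_id"]), None)
    if student is None:
        # 3. documentation inconsistent with existing student information
        return [3]
    flags = []
    # 4. request made from a non-College-issued account
    if not request["from_email"].lower().endswith("@" + domain):
        flags.append(4)
    # 5. request to mail something to an address not listed on file
    if request.get("mail_to") and request["mail_to"] != student["address"]:
        flags.append(5)
    # 7. information supplied in the request inconsistent with current information
    if request.get("claimed_ssn") and request["claimed_ssn"] != student["ssn"]:
        flags.append(7)
    # 10. same Social Security number as is used by another student
    if Counter(s["ssn"] for s in students)[student["ssn"]] > 1:
        flags.append(10)
    return flags


# Two constructed requests: one that is clean, one that should be escalated.
CLEAN_REQUEST = {"student_id": "S1001", "from_email": "jstudent@example.edu",
                 "mail_to": "1 Main St, Springfield", "claimed_ssn": "123-45-6789"}
SUSPECT_REQUEST = {"student_id": "S1003", "from_email": "jdoe@webmail.example",
                   "mail_to": "99 Other Rd, Elsewhere", "claimed_ssn": "987-65-4320"}

if __name__ == "__main__":
    print("clean request flags:", check_request(CLEAN_REQUEST))
    print("suspect request flags:", check_request(SUSPECT_REQUEST))
```

Any non-empty result feeds the response list on the next slide: the account is held and the student is contacted through a channel already on file, not the one the request came from.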

Red Flags Responses at STCC:
1. Deny access to the covered account
2. Gather information to attempt to authenticate, or to determine whether the attempted transaction was fraudulent or authentic
3. Contact the student
4. Change any passwords, security codes or other security devices that permit access
5. Notify and cooperate with law enforcement
6. Notify any credit reporting agency or third party, if applicable
7. Determine that no response is warranted under the particular circumstances

Maintain, Safeguard Personal Information
- Collect the minimum quantity of information
- Only access information necessary for the proper performance of your job
- Disclose only on a “need to know” basis
- If you receive a request for personal information outside the normal course of program management, escalate the request before responding

Maintain, Safeguard Personal Information (cont.)
Beware of non-authorized people seeking information through:
- Phishing
- Impersonation
- Shoulder surfing
- Desk/dumpster retrieval

Maintain, Safeguard Personal Information (cont.)
- Destroy personal information when no longer needed
- Each network device is an entry point into the College’s network
- Ensure publicly accessible terminals are used in an authorized manner
- Each STCC computer is related to an identity on the network

Additional Security Measures
- Create strong passwords (strong password: 3BM3BMShtr!; weak password: password)
- Periodically change passwords
- Requests for additional access must be approved by supervisors and/or by the IT Department

Physical Access
- Avoid displaying confidential information on your desk or computer monitor
- Lock confidential information in a secure location
- Store confidential information only on network drives

Other Security Reminders
- Treat all payment information confidentially
- Do not customer payment information
- Do not download any sensitive information onto laptops, removable disks, flash drives, etc.
- Properly secure sensitive information before leaving your desk (lock your computer!)
- Log out when you leave for the day
- Secure laptops that have Virtual Private Network (VPN) access to the College environment
- Use common sense!

Data Breach
- Definition: the release of secure, personally identifiable information (PII) to an unintended audience
- Information security laws
- Data breach notification laws

Data Breach – How does it happen?
~98% of data breaches involve electronic information
- Hackers
- Malicious insiders (e.g., disgruntled employees)
- Theft of a device (laptop, PC, thumb/flash drive, or other storage media)
- Through the fault of a third-party vendor working with the institution
- By the untrained employee

Reporting Security Incidents
- Change your password immediately and report the incident to the IT Help Desk for assistance with additional access blocking and review
- Report loss or theft of a door key or swipe card immediately to Campus Security

Shared Responsibility It is our combined responsibility to prevent data breaches from occurring. It is a costly mistake; the information compromised could be your own. Please take precautions to protect sensitive data in your work environment.

Additional Information Security Resources:
- (College’s IT web site)
- (web site for Educause, whose mission is to promote the intelligent use of information technology)
- (information on cyber security for Commonwealth Higher Education institutions)
- “Stop. Think. Stay Connected. Stay Safe Online”