Data Security Practices & Safeguards for Users 01/2009.


Purpose

The security of your computer and data is crucial for you and the success of your agency. Lost or stolen information can expose confidential or personal information. The more you do to keep your computer secure, the safer your information will be.

Keeping client information secure is a top priority for all of us at Children’s Services Council. We protect personal information by maintaining physical, electronic, and procedural safeguards. We’ve designed this presentation to inform you of the security features that are incorporated into our data systems (FOCiS, Welligent 7.0, SAMIS, Aquarius).

Do I really need to learn about Security – “Shouldn’t the I.T. department take care of that?”

Security Standards follow the “90/10” Rule:
■ 10% of security safeguards are technically related
■ 90% of security safeguards rely on YOU (the user) to use good information security practices

Example: Putting a lock on your file cabinet is 10%. Remembering to lock the cabinet, checking to see if it is locked, and keeping control of the keys is the 90%. As you can see – the 10% is useless without the 90% which is “YOU.”

Understanding Data Security

The information entered into the CSC’s web applications is transmitted over the communication line using two forms of encryption. The first is login and password and the second is firewall security between your agency’s network and the internet.

[Figure: sample network diagram.] Data is transmitted by the agency to the web application through a secured network. CSC can access the data and download it to its secured network.

How can I have good security computing practices?

☞ If you become suspicious, you should pay attention; it just may be a problem!
☞ Learn and incorporate the following 8 security safeguards into your everyday work habits and encourage your coworkers to do the same.
☞ Report unusual behavior – Notify your supervisor if you become aware of a suspected security incident.

Objective of good security practices – Safeguards for users

Safeguard # 1 - Login/Password
Safeguard # 2 - User Access Request/Termination
Safeguard # 3 - Workstation Security
Safeguard # 4 - Portable Device Security
Safeguard # 5 - Remote Access
Safeguard # 6 - Data Disposal
Safeguard # 7 - Safe Internet Use (WIFI)
Safeguard # 8 - Security Breach

Safeguard #1 – Login/Password

Using a secured logon is like locking your file cabinet with a physical key. Users are assigned a unique ID and temporary password for login purposes. Guidelines for choosing your password are:
■ Don’t use a word that can easily be found in a dictionary
■ Don’t use your children’s, spouse’s, or pet’s names
■ Use a combination of letters and numbers (we recommend using eight characters with one number or special symbol)
■ Don’t share your password! Protect it the same as you would the key to your home; after all, it is a key to your identity.
■ Don’t let your web browser remember your passwords. This causes problems with future access (i.e., password changes, sharing a computer)
■ You can try a “pass-phrase” to help you remember your password, such as: MdHF&NAW (My dog Has Fleas and Needs A Wash)

Sharing of user IDs and passwords is not permitted!
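One way the password guidelines above could be checked when a password is chosen, as an added example that is not part of the original presentation or of CSC's systems. The function name `check_password`, the small word list and the sample names are constructed for illustration.

```python
import re

# Constructed sample word list (assumption); a real check would load a full dictionary.
DICTIONARY = {"password", "welcome", "sunshine", "children", "security"}


def check_password(candidate, personal_names=()):
    """Return the guidelines the candidate violates; an empty list means it passes."""
    problems = []
    lowered = candidate.lower()
    # Drop digits/symbols at either end so "Sunshine1" is still seen as a dictionary word.
    core = re.sub(r"^[^a-z]+|[^a-z]+$", "", lowered)

    # Guideline: eight characters with one number or special symbol.
    if len(candidate) < 8:
        problems.append("shorter than eight characters")
    if not re.search(r"[^A-Za-z\s]", candidate):
        problems.append("no number or special symbol")
    if not re.search(r"[A-Za-z]", candidate):
        problems.append("no letters")

    # Guideline: not a word that can easily be found in a dictionary.
    if core in DICTIONARY:
        problems.append("dictionary word")

    # Guideline: not a child's, spouse's or pet's name (names supplied by the caller).
    if any(name and name.lower() in lowered for name in personal_names):
        problems.append("contains a family or pet name")

    return problems


if __name__ == "__main__":
    names = ("Rex", "Anna")  # constructed sample names
    for pw in ("MdHF&NAW", "Sunshine1", "rex2009", "password"):
        print(pw, "->", check_password(pw, names) or "OK")
```

The pass-phrase from the slide, MdHF&NAW, passes every check, while a dictionary word with a digit appended does not.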

Safeguard #2 – User Access Request/Termination

■ The security model of the data systems is designed to allow access based on job tasks. The authorizing agency representative approves the user’s level of access by submitting an Access Request form. This form may also be used to terminate access or request modification to a user’s profile.
■ There is no limit to the number of users an agency or program may be assigned and passwords can be changed at any time. However, an Access Request Form must be received from the agency and signed by an authorized representative from the agency before access can be granted to any individual user.
■ Since the application can be reached from any location with Internet access, it is important that agencies notify the CSC Business Information Systems (BIS) department immediately when someone leaves the agency or no longer requires access to the application.

Safeguard #3 – Workstation Security

Workstations include laptop and desktop computers. Unauthorized physical access to these devices can result in harmful or fraudulent modification or use of data. To protect your workstation you should always:
■ Lock the computer by pressing Ctrl+Alt+Del
■ Log off before leaving a workstation unattended
■ Lock up! – laptops, offices, windows, sensitive paper and mobile devices
■ Do not leave sensitive information on remote printers or copiers
■ Where possible, set devices to “auto lock” or “auto log-off” by using Screen Savers. The screen savers should be set to 10 minutes with password protection.

To set a screen saver password:
1. Right-click a blank space on the desktop and select Properties
2. Select the Screen Saver tab
3. Under the Screen Saver box, set the minutes and check the password-protect box

Safeguard #4 – Portable Device Security

Portable Storage Devices are flash-drives (USB memory stick), external hard-drives, CD/DVD-ROM, etc. To the extent possible, please avoid storing client data on these devices. In the event that data is stored to these devices, please take these precautions:
❑ Encrypt and password-protect the device
❑ Delete the data from flash-drives or external hard drives when no longer needed; data stored on CD/DVD should be physically destroyed
❑ Protect the device from loss and damage

Safeguard #5 – Remote Access

It is possible to access the web-based applications from another site location, such as your home. If you are using a computer other than the one supplied by your agency, make sure of the following:
■ Virus definitions are updated and firewall protection is on
■ Latest security patches are installed
■ Do not store client information on your local computer
■ Close the application appropriately before walking away
■ Do not use external systems (i.e., hotmail, yahoo) to send sensitive information. By doing so you are compromising client data.

Safeguard #6 – Data Disposal

Have an IT professional overwrite your digital media before discarding. Please follow your agency guidelines for disposal of material containing client level data.
❑ Clean laptop/desktop hard-drives and other media devices before recycling or donating
❑ Shred documents with sensitive data (note: some shredding machines are able to shred CD/DVDs)

Do you recycle your credit card bills? Do NOT recycle client information; instead, make sure you SHRED the data.

Safeguard #7 – Safe Internet Use (WIFI)

Why you should only take coffee from Starbucks…
❑ Free WIFI is a haven for hackers!

Wireless devices open up more avenues for data to be improperly accessed. To minimize the risk, use the following precautions:
■ DO NOT use public free wireless internet access to transmit client information (i.e., Starbucks, Panera Bread, Airport)
■ If you have a wireless aircard (via Sprint, AT&T, Verizon, T-Mobile) it is more secure to use this type of internet access because:
  ■ The embedded security features provide digital encryption and outside traffic is prevented
  ■ The aircard disconnects whenever a user closes the connection manually or shuts down

Safeguard #8 – Security Breach

Intentional or unintentional release of information includes:
■ A report containing sensitive information that could have been left in a conference room has disappeared, or a file was mistakenly sent to the wrong address.
■ You believe that someone else may have gotten your account ID and password.

What if the data is compromised?
■ Embarrassment, bad publicity, and media coverage
■ Loss of clients’ trust
■ Internal disciplinary actions, termination of employment
■ Penalties or lawsuits

If things go wrong?
☞ Contact your supervisor immediately
☞ Contact CSC’s Business Information Systems division

Thank you! We hope you found this tutorial helpful and will make it a part of your daily work practices. ✍ Disclaimer: This presentation is intended to provide educational information and is not legal advice. If you have questions regarding the privacy / security laws and implementation procedures at your agency, please contact your supervisor or the information technology department at your agency for more information.

THIS CERTIFICATE IS AWARDED FOR COMPLETION OF THE WORKSHOP
Data Security Safeguards

When you have completed the training please print this page and fill in the following information, sign, and give to your supervisor. By signing you are certifying that you have completed and understand the entire Data Security Safeguards and Practices for Users Training.

Signature:
Name (please print):
Job Title/Department:
Date training completed: