General Awareness Training

Presentation transcript:

General Awareness Training (07/16/96)
Security Awareness Module 2: What is a Security Incident? How Vulnerable am I?

What is a Security Incident?
Computer or network based activity which results (or may result) in:
- IDENTITY THEFT
- PERSONAL LITIGATION TOWARD YOU
- LOSS OF SENSITIVE DATA OR APPLICATIONS
- USE OF YOUR COMPUTER TO COMMIT A CRIME
- USE OF YOUR COMPUTER TO COMMIT MISCHIEF
- LOSS OF DATA CONFIDENCE
- UNABLE TO USE YOUR COMPUTER
- LOST WORK TIME

How vulnerable am I? Extremely likely unless your computer is properly protected and secured.

How vulnerable am I? IDENTITY THEFT
- Use of personal information to commit fraud
- Use of your computer to commit mischief, misdemeanor crimes, or felony crimes
- Can be physical access or network access to your computer
- Lack of “due diligence” makes you responsible
- Use of your computer accounts to commit mischief, misdemeanor crimes, or felony crimes
- Theft of your information (data) and its use by others, or merging of copyright material with your information
What can you do to minimize the threat of identity theft?

Personal Actions to Mitigate Identity Theft
- Perform a vulnerability assessment
- Minimize the computer services available
- Install and maintain anti-virus, spyware and firewall software
- Implement system and security logs and review them daily
- Use patch management software to maintain the operating system
- Establish STRONG passwords and change them frequently
- Encrypt all sensitive data stored on the system
- Encrypt all sensitive data transfers

How Vulnerable am I? PERSONAL LITIGATION TOWARD YOU
- If your identity (computer or accounts) is used in the commission of a crime, you are directly responsible
- If your computer or accounts are “owned” by the University and therefore the State of Texas, the crime also involves the use of state property
- If your computer accesses another computer without permission, it is a felony
- If you change information on someone else’s computer without permission, it is a felony
- The University network is state property. Illegal access to the UH network is a felony
- The legal defense and costs for a security breach are your responsibility
What can you do to mitigate potential litigation towards you?

Personal Actions to Mitigate Litigation Towards YOU
- Understand the principle of “Due Diligence”
- Assume separation of function across business functions
- Establish and frequently review access controls to applications and data
- Document machine processes and procedures
- Assume viable backup and recovery
- Comply with Federal, State and Institutional requirements

How Vulnerable am I? LOSS OF SENSITIVE DATA OR APPLICATIONS
- It is the data application owner’s responsibility legally to protect sensitive data or applications
- If sensitive data or applications are inadvertently or intentionally altered or stolen, it is the owner’s responsibility to notify affected parties and remediate the damage
- Classification of data is the owner’s responsibility
- Backup/recovery and availability of data and applications are the owner’s responsibility
What can you do to prevent loss of sensitive data or applications?

Protect against loss of Sensitive Data or Applications
- Document data and application classification in accordance with University of Houston policies
- Establish and frequently review:
  - Compliance with Federal, State and Institutional policies
  - Access logs for sensitive data or applications
  - Business Continuity Plan for system recovery
  - Encryption of sensitive data

How Vulnerable am I? USE OF YOUR COMPUTER TO COMMIT A CRIME
- The user of the computer is directly responsible for the consequences of using the computer
- Criminal defense and liability are the user’s responsibility
- Data and application owners of a computer used in a security incident are responsible for adhering to the applicable university policies and state and federal laws
What can you do to prevent use of your computer to commit a crime?

Personal Actions to reduce exposure of your computer to commit a crime
- Assure completion of actions resulting from the system vulnerability assessment
- Assure completion of actions resulting from the system compliance assessment
- Analyze system logs daily and report suspicious activity to the system administrator
- Review changes to system configuration

How Vulnerable am I? USE OF YOUR COMPUTER TO COMMIT MISCHIEF
- Use of a computer or account for the purpose of mischief is usually not classified as a crime but can result in many wasted hours of staff time
- SPAM is a good example of mischief: it is often offensive and is definitely expensive to try to defend against
What can you do to prevent use of your computer to commit mischief?

Personal Actions to prevent use of your computer to commit mischief
- Review changes to system configuration
- Review activity of spyware
- Be cognizant of your surroundings and make personal and departmental hygiene changes
- Share your information security responsibility and reduce liability
- Do not write down your password and leave it easily accessible by others (like under your computer keyboard)

How Vulnerable am I? LOSS OF DATA CONFIDENCE
- Validation of data integrity is required by data owners
- Verification of data transactions is the responsibility of the data owners
What can you do to prevent loss of data?

How Vulnerable am I? UNABLE TO USE YOUR COMPUTER
- Loss of computer, application, or data availability is a security incident
- Recovery from the loss of “availability” must be reported
What can you do to prevent being unable to use your computer?

Personal Actions to prevent loss of data confidence and being unable to use your computer
- Credit card information should not be stored on individual computers
- Storage of social security numbers should be minimized
- Do not use simple, easy-to-guess passwords
- Use passwords that include numbers and letters
- Immediately contact IT if you believe there has been a breach of computer security

How Vulnerable am I? LOST WORK TIME
- Security incidents require significant numbers of people and time to remediate “damaged” computers and notify those affected
- Legal response to security incidents can absorb significant amounts of time
- Forensic studies to investigate security incidents require significant amounts of time
- Time lost must be reported for each security incident
Personal actions to prevent loss of work time due to a data security incident.

Personal Actions to prevent lost work time
- Do not use simple, easy-to-guess passwords
- Use passwords that include numbers and letters
- Use passwords on all secure systems and files and change them frequently
- Use passwords for sensitive files or documents
- Immediately contact IT if you believe there has been a breach of computer security
- Seek more information as it is appropriate for your position