© 2012 Boise State University 1
Information Security for Your Office
Created By OIT Information Security Services
http://oit.boisestate.edu/security/
Universities in the News!
• University of Idaho
  – 70,000 Donor Records
• University of Texas at Austin
  – 225,000 Student Records
• UCLA
  – 500,000 Student Records
University NOT in the News!
Boise State University
• Zero Lost Records
• So Far!
Go Broncos!
Information We Keep
Students, Faculty, Staff, Donors, Contractors
• Financial Records
• Grades
• Credit Card Information
• Health Care Information
• Addresses
• Phone Numbers
• Insurance Records
• Social Security Numbers
All Protected By Law!
Alphabet Soup
So Many Laws . . .
• FERPA
• HIPAA
• PCI-DSS
• GLBA
• SOX
• “Red Flag” Alerts
• Idaho Code
  – §28-51-105
  – §28-51-
Alphabet Soup
Information Technology Resource Use (8000)
• http://policy.boisestate.edu/wp-content/uploads/2011/05/8000_informationtechnologyresourceuse.pdf
Information Privacy and Security (8060)
• http://policy.boisestate.edu/wp-content/uploads/2011/05/8060_InformationPrivacySecurity.pdf
Cash Handling (6010)
• http://policy.boisestate.edu/wp-content/uploads/2011/05/6010_CashHandling.pdf
Alphabet Soup
What is PII?
• Personally
• Identifiable
• Information
The One Acronym That Says it All!
Best Practices
Know the Data Your Office Handles
• Data Classification
Know How to Safeguard the Data
• Protecting Information
Best Practices
Data Classification
• Method to identify the level of protection various kinds of information need or require
• A rubric of three levels of sensitivity
  – Level One - Private
  – Level Two - Protected
  – Level Three - Public
http://oit.boisestate.edu/security/it-security-policy-and-procedures/dataclassification/
Best Practices
• Data Classification—Level One
  – Private information that must be protected as required by law, industry regulation, or by contract
  – Examples - Student or employee records; social security numbers; A numbers; grades; employee performance reviews; personnel files; personally identifiable information
  – Consequences of loss
    • Loss of funding
    • Fines
    • Bad Publicity
    • Expose students, staff, contractors, donors to identity theft
Best Practices
Data Classification—Level Two
• Protected information that may be available through Freedom of Information Act Requests to Examine or Copy Records, or through Idaho’s Open Records Law
• Examples - Internal e-mails; meeting minutes; unit working & draft documents.
• Consequences of loss
  – Loss of funding
  – Fines
  – Bad Publicity
  – Expose students, staff, contractors, donors to identity theft
Best Practices
Data Classification—Level Three
• Public Information
• Examples - Standard practice guides and policies; college plan; personal directory; maps; course catalog; public web page; press releases; advertisements; schedules of classes.
• Consequences of loss
  – Loss of personal data with no impact to the university
  – Bad Publicity
Best Practices
Data Classification—How To
CIA: The “Big Three” of Information Security
• Confidentiality
  – the need to strictly limit access to data to protect the university and individuals from loss
• Integrity
  – data must be accurate and users must be able to trust its accuracy
• Availability
  – data must be accessible to authorized persons, entities, or devices
http://oit.boisestate.edu/security/it-security-policy-and-procedures/dataclassification/how2classdata/
Best Practices
Data Classification—How Can Data be Lost?
• Laptop or other data storage system stolen from car, lab, or office.
• Research Assistant accesses system after leaving research project because passwords aren't changed.
• Unauthorized visitor walks into unlocked lab or office and steals equipment or accesses unsecured computer.
• Unsecured application on a networked computer is hacked and data stolen.
Best Practices
Data Classification—How To Protect Systems
• Minimum Security Standard for Systems
Best Practices
Protecting Information
• Don’t let personnel issues become security issues
• Control access to buildings and work areas
• If you print it—go get it right away
• Lock up sensitive information—including laptops
• Store sensitive information on file servers
• Shred it if you can
Know Boise State Information Handling Policies
Best Practices
Protecting Information
• Use strong passwords
• Change passwords often
• Use different passwords on different systems
• Never share your password
• Password protect your screensaver
• Manually lock your screen whenever you leave your desk
Best Practices
Protecting Information
• Be sure your office computers’ operating systems and anti-virus software are up-to-date
• Remind staff to never open unsolicited email from an unknown source or click on unfamiliar web addresses
• Follow computer salvage procedures—for disks, too!
Example of Poor Practices
• The next two slides show articles from a local newspaper regarding an insurance agency just “Dropping Off” boxes full of personal records at a local recycling center.
• These boxes were left after hours when the recycling center was closed.
• The article states that it could have been an Identity Thief's “gold mine”.
What to Do! Know who to call!
• I think an office computer is infected, what do I do?
  – Call the Help Desk @ 6-4357
• I think I lost the USB drive I used to take some sensitive files home to work on, what do I do?
  – Call Information Security Services @ 6-5501
Information Security for Your Office
• Incident Response Procedure