Creating a Security Risk-Aware Culture at NCCU
Information Technology Services, North Carolina Central University
September 2008
Information Security
“Security is a negative deliverable. You don’t know when you have it. You only know when you’ve lost it.”
Cybersecurity - Why Do We Care?
- Chancellor – good legislative audits
- Provost – academic integrity
- Vice Chancellor Research – compliance
  - HIPAA
  - FERPA
  - GLBA
  - Sarbanes-Oxley Act
  - Grant requirements
  - Local, state and federal regulations
Today’s Agenda
Information Security in Higher Education
NCCU Information Security Policies & Best Practices
Banner Security
Top 10 Reminders
Information Security
Between February 2005 and July 2006, there were 237 reported security breaches involving the compromise of more than 89 million records containing personal information.
Of these, 83 incidents involved institutions of higher education, including academic medical centers.
EDUCAUSE Review, vol. 41, no. 5 (September/October 2006): 46–61
Security Implementation Relies On People, Process and Technology
- People must understand their responsibilities regarding policy.
- Policies must be developed, communicated, maintained and enforced.
- Processes must be developed that show how policies will be implemented.
- Systems must be built to technically adhere to policy.
Today’s Agenda
Information Security in Higher Education
NCCU Information Security Policies & Best Practices
Banner Security
Top 10 Reminders
NCCU IT Security Training
Course Outline
- Introductions
- NCCU Security Policies
- Copyright Laws of the United States
- Security Incidents – whom to call or a site for security incidents to be reported
Introductions
Steve Ornat, IT Audit Compliance and Business Continuity
NCCU – Information Technology Services
530-7171
NCCU Security Policies
- Data and Information Policy
- File Sharing Policy
- Electronic Mail Policy
- Responsible Use Policy
- Wireless and Network Policy
- Server Policy
- Software License Policy
- NCCU Telephone and Cell Policy
Documentation of all NCCU Policies – Version: 1.01-090908 CD
Data and Information Policy
General guidance on the protection of University data and information being processed by manual as well as automated systems and the protection of the records and reports generated by these information processing systems.
Handling of Institutional Data
Guidelines
The Chancellor, Provost, Vice Chancellors, General Counsel, and the Director of Athletics are responsible for ensuring the appropriate handling of Institutional data produced and managed by their division/unit.
ITS is responsible for ensuring that the appropriate technologies and system policies and permissions are in place to ensure appropriate access to electronic data.
Data Owners
Owners of data are responsible for making decisions about the use and protection of information in their custody. Areas of concern shall include:
1. Accuracy and completeness of data and information;
2. Classification of data as confidential (subject to privacy laws), sensitive (non public salary information) or public;
3. The authorization process to permit access to the information and to terminate access when necessary;
4. The identification and minimization of risks and exposures;
5. The utilization of established procedures designed to protect information from unauthorized access or disclosure, whether accidental or intentional;
6. Communication of information protection procedures to authorized users;
7. Physical access to hard copy records, computers and other technologies;
8. Providing procedural safeguards including backing up information for business;
9. Evaluating security control procedures related to information in their custody.
File Sharing Policy
File sharing applications allow users to download and share electronic files of all types and to use any computer as a server for file sharing requests.
H.R. 4137
www.ruckus.com
Electronic Mail Policy
This policy provides guidelines for the responsible and appropriate use of the North Carolina Central University's electronic mail (e-mail) and communication resources and services.
Responsible Use Policy (proper name: “Responsible Use of University Computing and Electronic Communication Resources Policy”)
Responsible use includes, but is not limited to, respecting the rights of other users, sustaining the integrity of systems and related physical resources, and complying with all relevant policies, laws, regulations, and contractual obligations.
Wireless and Network Policy
This policy has been developed to ensure that North Carolina Central University (NCCU) community has a secure and reliable network with access and the performance needed to carry out the goals of the university as well as meet the needs of its constituents.
Server Policy
Purpose of this policy is to define standards to be met by all servers owned and/or operated by North Carolina Central University (NCCU) on the University’s network.
Software License Policy
(Awaiting approval by the NCCU Board of Trustees)
All University constituents must respect the rights of software developers and abide by copyright and other intellectual property laws.
NCCU Telephone and Cell Policy
All University employees are prohibited from misusing University telephones and cellphones for personal calls. Misuse includes the use of office telephones and cell phones for personal long distance calls charged to departmental budgets and excess use of office telephones for local telephone calls.
Copyright Laws of The United States of America – Title 17
Circular 92
Copyright Law of the United States and Related Laws Contained in Title 17 of the United States Code
October 2007
Contains:
- Table of Contents
- Chapter 11 – “Sound Recordings and Music Videos”
- Appendix A – “The Copyright Act of 1976”
- Appendix B – “The Digital Millennium Copyright Act of 1998”
Copyright Laws of The United States of America
Chapter 11 – “Sound Recordings and Music Videos”
§ 1101 · Unauthorized fixation and trafficking in sound recordings and music videos
Definition.—As used in this section, the term “traffic in” means transport, transfer, or otherwise dispose of, to another, as consideration for anything of value, or make or obtain control of with intent to transport, transfer, or dispose of.
Copyright Laws of The United States of America
Appendix A The Copyright Act of 1976
Title I – General Revision of Copyright Law
Sec. 103. This Act does not provide copyright protection for any work that goes into the public domain before January 1, 1978. The exclusive rights, as provided by section 106 of title 17 as amended by the first section of this Act, to reproduce a work in phonorecords and to distribute phonorecords of the work, do not extend to any non-dramatic musical work copyrighted before July 1, 1909.
Copyright Laws of The United States of America
Appendix A The Copyright Act of 1976
Title I – General Revision of Copyright Law
Sec. 113. (a) The Librarian of Congress (hereinafter referred to as the “Librarian”) shall establish and maintain in the Library of Congress a library to be known as the American Television and Radio Archives (hereinafter referred to as the “Archives”). The purpose of the Archives shall be to preserve a permanent record of the television and radio programs which are the heritage of the people of the United States and to provide access to such programs to historians and scholars without encouraging or causing copyright infringement.
Copyright Laws of The United States of America
Appendix B The Digital Millennium Copyright Act of 1998
Section 1 · Short Title. This Act may be cited as the “Digital Millennium Copyright Act (DMCA)”.
Title I — WIPO Treaties Implementation (World Intellectual Property Organization), Sec. 101 · Short Title. This title may be cited as the “WIPO Copyright and Performances and Phonograms Treaties Implementation Act of 1998”.
Title II — Online Copyright Infringement Liability Limitation, Sec. 201 · Short Title. This title may be cited as the “Online Copyright Infringement Liability Limitation Act”.
Security Incidents – whom to call or how to report a security violation
Reporting an incident via telephone:
- Eagle Technical Assistance Center (ETAC), Extension X 7676
- Steve Ornat, IT Audit Compliance and Business Continuity, Extension X 7171
Reporting an incident via email:
- Eagle Technical Assistance Center (ETAC): [email protected]
- Steve Ornat, IT Audit Compliance and Business Continuity
Reporting an incident via the web: To be announced – coming soon to the NCCU web page.
Course Outline (continued)
- Documentation of NCCU ITS Employee Information CD, Version: 1.01-090908
Table of Contents for: ITS Employee Information CD, Version: 1.01-090808
File 1 - ITS Employee Handbook: The July 2008 version of the ITS Employee Handbook
Today’s Agenda
Information Security in Higher Education
NCCU Information Security Policies & Best Practices
Banner Security
Top 10 Reminders
Steps To Ensure User Account Security
- Every User should have his/her own assigned “USERID”.
- Each User is accountable for transactions made with the assigned “USERID”.
- Do not share your password.
- If you feel your password has been compromised, request that your password be reset.
Changing Banner Passwords
- Attempting to log into Banner more than twice unsuccessfully will cause your account to lock.
- Password must be at least eight (8) characters long.
- Password must include at least one (1) number.
Avoid Special Characters
- Pound sign (#)
- Slash (/)
- Plus (+)
- Hyphen (-)
- Ampersand (&)
- At-sign (@)
- Dollar sign ($)
- Exclamation point (!)
- Comma (,)
- Asterisk (*)
- Percent sign (%)
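As an added illustration (not NCCU's or Banner's own code), the following Python turns the Banner password rules on these slides, together with the password reminders from the Top 10 slides later in the deck (minimum 8 characters, not first initial plus last name, changed at least every 60 days), into a checker that a help desk or account-provisioning script could run, plus a small lockout counter for the "more than twice unsuccessfully" rule. The function and class names, the threshold constants and the sample values are assumptions made for this example.

```python
"""Password-policy and login-lockout checks modelled on the Banner rules in the slides.

Added example, not NCCU's or Banner's own code. The rule set is taken from the
slides: at least 8 characters, at least one number, none of the listed special
characters, lockout after more than two failed logins; the Top 10 reminders add
"not first initial + last name" and "changed at least every 60 days".
Function and class names, the threshold constants and the sample values below
are assumptions made for this example.
"""
from datetime import date

DISALLOWED = set("#/+-&@$!,*%")  # the special characters the slide says to avoid
MIN_LENGTH = 8                   # "at least 8 characters long"
MAX_AGE_DAYS = 60                # "changed minimum every 60 days" (Top 10 reminders)
LOCK_AFTER_FAILURES = 2          # "more than twice unsuccessfully": locked on the 3rd failure


def check_password(password, first_name, last_name, last_changed=None, today=None):
    """Return a list of rule violations; an empty list means the password complies."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(ch.isdigit() for ch in password):
        problems.append("contains no number")
    bad = "".join(sorted(set(password) & DISALLOWED))
    if bad:
        problems.append(f"contains disallowed characters: {bad}")
    # "first initial, last name": reject e.g. "pexample" for Pat Example anywhere in the password
    pattern = (first_name[:1] + last_name).lower()
    if pattern and pattern in password.lower():
        problems.append("built from first initial + last name")
    if last_changed is not None:
        age = ((today or date.today()) - last_changed).days
        if age > MAX_AGE_DAYS:
            problems.append(f"is {age} days old (limit {MAX_AGE_DAYS})")
    return problems


class LoginTracker:
    """Counts consecutive failed logins per USERID and locks the account past the limit."""

    def __init__(self, lock_after=LOCK_AFTER_FAILURES):
        self.lock_after = lock_after
        self.failures = {}   # userid -> consecutive failed attempts
        self.locked = set()  # userids that need a reset before any further login

    def record_attempt(self, userid, success):
        """Record one login attempt; return 'locked', 'ok' or 'failed'."""
        if userid in self.locked:
            return "locked"
        if success:
            self.failures.pop(userid, None)  # a good login clears the failure count
            return "ok"
        self.failures[userid] = self.failures.get(userid, 0) + 1
        if self.failures[userid] > self.lock_after:
            self.locked.add(userid)
            return "locked"
        return "failed"

    def reset(self, userid):
        """Unlock a USERID after the user has requested a password reset."""
        self.locked.discard(userid)
        self.failures.pop(userid, None)


def demo():
    """Run the rules over constructed sample input (not real accounts) and return the results."""
    results = {
        "good": check_password("Eagle2008", "Pat", "Example"),
        "name_based": check_password("pexample", "Pat", "Example"),
        "special_char": check_password("Pass#2008", "Pat", "Example"),
        "stale": check_password("Eagle2008", "Pat", "Example",
                                last_changed=date(2008, 6, 1), today=date(2008, 9, 1)),
    }
    tracker = LoginTracker()
    # three failures in a row lock the account; the later correct password is still refused
    results["logins"] = [tracker.record_attempt("pexample01", ok)
                         for ok in (False, False, False, True)]
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value or 'complies'}")
```

The checker reports every violated rule rather than stopping at the first one, which is what a user needs in order to pick a compliant password in one attempt; the lockout counter resets on a successful login and only clears a locked account through an explicit reset, mirroring the "request your password be reset" step on the slide.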
Banner Access Signatures Required
Student Module:
- Undergraduate Admissions – Jocelyn Foy
- Registrar – Jerome Goodwin
- Financial Aid – Sharon Oliver
- Student Billing – Yolanda Banks Deaver
- Residential Life – Jennifer Wilder
- Auxiliary Services – Tim Moore
- University College – Dr. Bernice Johnson
Finance:
- Administration & Finance – Dr. Alan Robertson
- Purchasing – Danielle Hearst
- Comptroller – Yolanda Banks Deaver
Human Resources:
- Administration & Finance – Dr. Alan Robertson
- EPA Services – Daphine Richardson
- SPA Services – Laurie Charest
Institutional Advancement:
- Chief of Staff – Susan Hester
- Director of Stewardship – LaMissa McCoy
Today’s Agenda
Information Security in Higher Education
NCCU Information Security Policies & Best Practices
Banner Security
Top 10 Reminders
Top 10 Concerns / Reminders
Top 10 Information Security Reminders
10. Know University IS Policies & Procedures.
9. NCCU e-Mail is the “official” university-provided e-Mail system.
8. Don’t open SPAM e-Mail – just delete it.
7. When you put your name on listservs and other distribution lists outside the university, you are setting yourself up for SPAM e-Mail – vendors sell their distribution lists.
6. Passwords should not be written on “sticky notes” placed on your computer or other locations within your office.
   - Passwords should not be your first initial, last name.
   - Passwords should be a minimum of 8 characters.
   - Passwords should be changed at minimum every 60 days.
   - Do not share passwords with Admin Assistants or Workaid Students.
5. Phishing e-Mails – ITS will NEVER ask for any personal information (userID, passwords, etc.) via e-Mail (watch out for e-Mails that appear to come from someone on campus asking for personal info).
4. All units should have a SHREDDER – no personal or student information should ever be dropped in the garbage (same practice at home).
3. Access to University data is provided to University employees for the conduct of University business only. Faculty and staff must follow data privacy laws (FERPA).
2. Do not share Banner Passwords or Account Information. Follow Banner Data Standards when putting data into Banner.
1. Be conscious of Information Security concerns and report any incidents immediately:
   - Banner employee access should be terminated if an employee’s job changes.
   - Laptops – passwords & security tracking software installed.
   - Memory sticks / thumb drives (sensitive data).
   - Blackberries / Cellphones.
In closing: Keep the intellectual and private information of North Carolina Central University the private and intellectual property of North Carolina Central University.
Here to Serve
And remember! There may be a Pop Quiz soon!
Steve Ornat
Extension X 7171
Thank you!
QUESTIONS