information security guide 2006
TRANSCRIPT
8/8/2019 Information Security Guide 2006
http://slidepdf.com/reader/full/information-security-guide-2006 1/23
8/8/2019 Information Security Guide 2006
http://slidepdf.com/reader/full/information-security-guide-2006 2/23
9/28/2010 CASE WESTERN RESERVEUNIVERSITY 2
INFORMATION SECURITY IS A
COLLECTIVE RESPOSIBILITY Case western reserve university is an higher education institute which
encourages active transfer of knowledge for learning, teaching, and
research.
In today¶s technology intensive world, the exchange of information
increasingly takes place through electronic means and extends to
administrative information such as student data, employee records,
grants funding, and other proprietary areas.
With the use of internet, it is critical to protect the integrity and
confidentiality of information resources.
So Case university published information guide to assist activities and
provide safeguards to information systems of Case faculty, students and
staff.
8/8/2019 Information Security Guide 2006
http://slidepdf.com/reader/full/information-security-guide-2006 3/23
9/28/2010 CASE WESTERN RESERVEUNIVERSITY 3
HANDLING SENSITIVE
INFORMATION For handling sensitive information Case university has provided
certain guidelines to treat the information for faculty, students andstaff in its information guide.
Maintain the confidentiality of the information stored on your
computer by using only Case-approved hardware and software for processing sensitive information.
Lock or log off computers when away from your desk
Use a password-protected screensaver.
Keep sensitive files from inadvertent disclosure by ensuring they
are not on freely accessible servers Report any breach of security in any system that stores sensitive
information (including lost or stolen laptops, access cards, PDAs,etc.) immediately to Campus Security at 368-3333 or InformationSecurity at [email protected].
8/8/2019 Information Security Guide 2006
http://slidepdf.com/reader/full/information-security-guide-2006 4/23
9/28/2010 CASE WESTERN RESERVEUNIVERSITY 4
HUMAN CAPITAL MANAGEMENT
HCM facilitates human resources functions at Case.
Peoplesoft HCM enables Case employees to easily access payroll
and benefits data and securely manage personal and banking tasks.
This system meets the highest standards for information security. To access HCM safely it is recommended to follow following
guidelines at Case university
Do not share your network password with anyone.
Do not enable automatic login on the HCM website.
Be sure to log out each time you visit the HCM website, no matter
how quickly you plan to log back in.
Avoid using your Case ID and password combination for other
personal accounts
8/8/2019 Information Security Guide 2006
http://slidepdf.com/reader/full/information-security-guide-2006 5/23
9/28/2010 CASE WESTERN RESERVEUNIVERSITY 5
FERPA
The Family Educational Rights & Privacy Act (³FERPA´) protects the privacy of student
education records.
Persons with access to student data should become familiar with FERPA basics:
Student education records are considered sensitive and may not be released without the
written consent of the student. Case community members have a responsibility and obligation to protect student
education records in their possession. FERPA information is to be stored and transmitted
using practices for sensitive information.
Before releasing any student information, including directory information, one should
consult the University Registrar¶s Office to ascertain whether the information can be
disclosed. Students may request FERPA suppression of their directory information by contacting
the University Registrar¶s office.
Access to student data is restricted to individuals who need this information for
legitimate educational purposes.
8/8/2019 Information Security Guide 2006
http://slidepdf.com/reader/full/information-security-guide-2006 6/23
9/28/2010 CASE WESTERN RESERVEUNIVERSITY 6
HIPPA Security Rule
HIPAA mandates the protection and privacy of patient health
information at Case University.
HIPAA¶s (Health Insurance Portability and Accountability Act)
security rule requires that everyone with access to electronic personal health information (ePHI) implement safeguards to protect
against inappropriate and unauthorized access to patient health data.
As stipulated in HIPAA rules and regulations:
Protect all ePHI created, received, maintained, or transmited.
Ensure that patient data is safeguarded against potential hacking andunauthorized access.
Partner with HIPAA experts at Case to ensure that they are in
compliance with the requirements of the HIPAA Security Rule.
8/8/2019 Information Security Guide 2006
http://slidepdf.com/reader/full/information-security-guide-2006 7/23
9/28/2010 CASE WESTERN RESERVEUNIVERSITY 7
PASSWORDS
To access many Case information systems and network services, a
network-ID and password are required.
The Case login process ensures that only authorized individuals can
access the university¶s systems and data. Robust password practicesare important in safeguarding against unauthorized access.
Be creative and careful when selecting a password. Don¶t use
anything that can be easily guessed, including personal information
such as names, hobbies, or commonly used words.
Strong passwords should be at least 12 alphanumeric characters inlength. They should contain a combination of lower and upper case
letters, numbers, and symbols.
Passwords should be changed often
Passwords should not be shared, posted, written down, or recycled.
8/8/2019 Information Security Guide 2006
http://slidepdf.com/reader/full/information-security-guide-2006 8/23
9/28/2010 CASE WESTERN RESERVEUNIVERSITY 8
EMAIL AND INSTANT MESSAGING
E-mail systems are porous, and typically messages go through multiplemachines before they finally arrive at their intended destination. Caseinformation guide provides following guides for e-mailing.
Be cautious about what you send. Unless the message is encrypted,you should assume that someone other than the intended recipient
could read your mail. Be wary about the actual source of received e-mails. E-mail can be
forged. Treat each e-mail message cautiously and double check withthe sender if you are in doubt.
Do not open an attachment that seems odd or out of context. It mightcontain a virus.
Always check the ³To:´ distribution line before sending a message. Beparticularly careful when using the ³Reply All feature. This can resultin the proliferation of numerous messages or sending messages tounintended recipients.
Case¶s e-mail system is provided for university related purposes;personal usage should be kept to a minimum.
8/8/2019 Information Security Guide 2006
http://slidepdf.com/reader/full/information-security-guide-2006 9/23
9/28/2010 CASE WESTERN RESERVEUNIVERSITY 9
Computer VirusesViruses have the capability to spontaneously spread throughout thenetwork, often without any intentional action on the part of the victim.
You can mitigate virus infections by following these procedures:
Never open an unexpected e-mail attachment.
Make sure that you understand the source and purpose of any attachment beforeopening it.
When in doubt, you should verify the authenticity of any attachment with the actualsender before opening it.
Do not allow files to execute macro commands without understanding what they do andwhere they originated. Macro commands can propagate viruses and may be embeddedin files.
Make sure that your computers are always running current anti-virus software withroutine virus prevention updates.
Update your virus patches weekly.
Sign-up for automatic online live updates to ensure up-to-date protection. Instructionsare available at http://help.case.edu.
8/8/2019 Information Security Guide 2006
http://slidepdf.com/reader/full/information-security-guide-2006 10/23
9/28/2010 CASE WESTERN RESERVEUNIVERSITY 10
Spam ProtectionAlso known as UCE(unsolicited commercial mail), spam is not only anuisance, but can transmit viruses, malware, and spyware.
The following tips can assist in reducing spam:
Be careful about giving your email address when completing forms online.
Consider using a separate e-mail address for some public activities such as chat rooms,in order to protect your main e-mail address from spammers. Case users can set up e-mail aliases at http://its-services.case.edu/mailalias.
Never respond to unsolicited e-mail. Spammers will use your reply, even yourunsubscribe messages, as evidence that the e-mail address is valid.
Never buy anything advertised in spam. Most of it is dubious at best.
Never post your e-mail address publicly on the Web. Spammers have ways to collectand use these e-mail addresses.
Always opt-out of company solicitations you do not wish to receive.
Do not use an unsubscribe link from an e-mail as it legitimizes your e-mail address; candownload malware that turns your computer into a proxy for sending spam, or canenable remote access to your computer.
8/8/2019 Information Security Guide 2006
http://slidepdf.com/reader/full/information-security-guide-2006 11/23
9/28/2010 CASE WESTERN RESERVEUNIVERSITY
11
InternetTo minimize unnecessary and risky exposure while on theInternet, be attentive to the following:
When viewing or requesting web content, programs may beautomatically initiated. Do not choose to execute such programs
without being sure of their source, their function, and their effect onyour machine¶s operation.
Your Internet activities may occasionally cause security warnings toappear. Pay attention to these messages and act cautiously. If youare unsure about how to proceed, go to http://help.case.edu.
Don¶t assume that information found on the Internet is necessarilyaccurate or up to date.
Make sure that all materials you download comply with all
applicable laws, copyright restrictions, and Case policies.
8/8/2019 Information Security Guide 2006
http://slidepdf.com/reader/full/information-security-guide-2006 12/23
9/28/2010 CASE WESTERN RESERVEUNIVERSITY
12
Public Wireless HotspotsWhile convenient, public access points are ± obviously - public. To protect yourself andyour personal information, take the following precautions with public wireless access.
Use a VPN(virtual private network) encrypted connection when you access proprietaryinformation wirelessly. Also make sure your VPNis configured correctly. For informationon accessing Case information through a VPNconnection, go tohttp://www.help.case.edu/connect/vpn/
Don¶t sign up for wireless service at the hotspot itself especially if the provider requiresthat you create a login and supply personal information. Instead bookmark the sign-uppage and then sign up from a secured location such as your home or office computer.
Pop-ups are a common trick for installing spyware, viruses, and other infections. If youget a pop-up message on your screen while using a public hotspot, read the pop-upcarefully before you click OK. Unless you are confident about the authenticity of thepop-up, close it promptly.
Do not enter sensitive information on the web wirelessly (or otherwise) unless you aresure the information is encrypted. Sometimes this is indicated by the image of a lockusually in the lower right hand corner of your browser or by the letter ³s´ as in https://in the URLof the website.
In public hotspots, it is prudent to be off-line until you actually need to be connected tothe internet. Enable your wireless adapter only when you are ready to be on-line.
8/8/2019 Information Security Guide 2006
http://slidepdf.com/reader/full/information-security-guide-2006 13/23
9/28/2010 CASE WESTERN RESERVEUNIVERSITY
13
PhishingPhishing is a form of Internet fraud that scams people into unwittinglyproviding sensitive information under false pretenses.
Keep in mind that: Legitimate organizations NEVERrequest personal information in such
a way.
Aphishing e-mail is seldom addressed to you directly but uses ageneral salutation such as ³Dear Valued Customer.´
Aphishing webpage will look authentic. Anyone with a little HTMLcodeexperience can create fradulent sites that look real.
If you are unsure, call the organization to verify that it did indeedsend the e-mail. Do not use the phone number provided in thephishing e-mail. Look up an alternative number in your records or inthe phone book.
Phishing is rooted in information and identity theft, which permitsonline theft of millions of dollars.
8/8/2019 Information Security Guide 2006
http://slidepdf.com/reader/full/information-security-guide-2006 14/23
9/28/2010 CASE WESTERN RESERVEUNIVERSITY
14
SpywareCombating spyware requires software and vigilence.
Use an anti-spyware product from a trusted vendor. Since no product provides 100%protection, the most prudent strategy is to combine two anti-spyware scanners. Makesure you download from legitimate sites; otherwise you may find yourself installingspyware.
Use a personal firewall product and keep it updated.
Examine your web browser setting for active content controls.
Do not accept downloads from pop-up windows or unknown websites.
Read licensing agreements before installing software, especially freeware, sharewareor peer-to-peer applications.
Be very careful when installing free, ad-supported software and be wary of programsthat flash ads in the user interface.
Be sure to set up file-sharing software correctly. Peer-to-peer file sharing is a source of many spyware programs.
Be aware of your computer¶s performance. Changes in settings, sluggish performance,and instability are signs of spyware. The cumulative effect of spyware can bring a PC toa near standstill.
8/8/2019 Information Security Guide 2006
http://slidepdf.com/reader/full/information-security-guide-2006 15/23
9/28/2010 CASE WESTERN RESERVEUNIVERSITY
15
Identity Theft
A few safety precautions can help mitigate against identity theft.
1) Never print social security numbers on checks.
2) The next time you order checks, print only your first initial along withyour last name and do not print your home address.
3) When paying your credit card by check, DO NOT put the complete accountnumber on the ³memo´ line.
4) The last four digits will suffice to process your payment.
5) If your wallet is stolen, cancel all credit cards immediately (seeorganizational tip below).
6) File a police report as quickly as possible in the jurisdiction where thetheft occurred.
7) Contact all three national credit reporting organizations and the socialsecurity administration to place a fraud alert on your name and socialsecurity number.
8) Audit your credit report on a regular basis.
9) Photocopy (on one sheet of paper) the front and back of all the credit
cards you regularly carry in your wallet.
8/8/2019 Information Security Guide 2006
http://slidepdf.com/reader/full/information-security-guide-2006 16/23
9/28/2010 CASE WESTERN RESERVEUNIVERSITY
16
Anti-Hacker Checklist Hackers obtain confidential information by contacting employees
who unintentionally respond, thinking that they are being helpful.
To minimize the potential for unauthorized access to confidentialinformation:
1) Verify the identity of callers requesting information.
2) Don¶t give out information about yourself or other employees.
3) Don¶t discuss about anything unless you verify the person.
4) Don¶t let yourself be pressured or manipulated into giving outinformation. Report the incident immediately to your supervisor.
5) Be wary of phishing techniques.
6) Never respond to online inquiries about any personalinformation.
8/8/2019 Information Security Guide 2006
http://slidepdf.com/reader/full/information-security-guide-2006 17/23
9/28/2010 CASE WESTERN RESERVEUNIVERSITY
17
Software Piracy and
Copyright The University provides many software programs and packages
generally at no cost to Case faculty, staff, and students.
In general, when downloading software from
http://softwarecenter.case.edu.:
1) Do not install any unauthorized software on your PC.
2) In case of any help, please contact your business manager or
the Help Desk.
3) Avoid using unauthorized copies of software.
8/8/2019 Information Security Guide 2006
http://slidepdf.com/reader/full/information-security-guide-2006 18/23
9/28/2010 CASE WESTERN RESERVEUNIVERSITY
18
Removable Media Removable media often contain important information and
should be secured.
1) Lock up removable media containing confidential information
when not in use.2) Do not place removable media near magnets or other
magnetic devices.
3) Properly label removable media.
4) Be careful not to damage media.
5) Do not dispose of a disk that contains important data withoutensuring the destruction of that information.
6) Be sure to inventory the contents of your media on a regularbasis.
8/8/2019 Information Security Guide 2006
http://slidepdf.com/reader/full/information-security-guide-2006 19/23
8/8/2019 Information Security Guide 2006
http://slidepdf.com/reader/full/information-security-guide-2006 20/23
9/28/2010 CASE WESTERN RESERVEUNIVERSITY
20
Mobile Devices
Mobile devices are a convenient way to take information and databases anywhere yougo. Unfortunately, their portability makes them a popular target for thieves. Sensitiveinformation is often maintained within mobile devices.
For safeguarding mobile devices :
A) Do...
1) Backup your data regularly and keep an updated copy in a separate location.
2) Keep mobile devices out of sight and secure whenever possible.
3) Know what you have stored on your devices.
4) Require passwords to access your mobile devices.
B) Do Not
1) Do not store sensitive information in the device.
2) Do not leave the mobile device unattended.
3) Do not discuss confidential information where others may be able to hear theInformation.
4) Do not cache your Case ID in auto-logins from mobile devices.
8/8/2019 Information Security Guide 2006
http://slidepdf.com/reader/full/information-security-guide-2006 21/23
9/28/2010 CASE WESTERN RESERVEUNIVERSITY
21
Theft Deterrents Computers are valuable assets with expensive hardware,
valuable software, and, most importantly, proprietary data andinformation. A few common-sense physical security practicescan easily help deter equipment theft.
1) Restrict physical access of machines to trusted and authorizedindividuals. Make sure you are aware of who uses or servicesyour computer.
2) Never leave a laptop unattended and, if you must, make sure itis secured with a cable lock, locked into docking station, or outof sight in a cabinet or drawer.
3) Notify Campus Security at 368-3333 of any suspiciousperson(s) or activity.
8/8/2019 Information Security Guide 2006
http://slidepdf.com/reader/full/information-security-guide-2006 22/23
9/28/2010 CASE WESTERN RESERVEUNIVERSITY
22
Protect your home PC. Step 1: Set Security Configurations
Ensure that security configurations are enabled.
Step 2: Use an Internet Firewall
An Internet firewall can help prevent outsiders from getting access to information
on your computer through the Internet.
Step 3: Update Your Computer
Update your computer regularly by downloading the latest patches.
Step 4: Use Up-to-Date Antivirus Software
Anti-virus software programs will help protect your computer against most viruses,
worms, Trojan horses, and other malicious code.
Step 5: Secure your Home Wireless Network
Make sure you secure your home wireless network is secured against access fromunauthorized users.