1 / 34

Maintaining Security While Using Computers

Maintaining Security While Using Computers. What all of Our Computer Users Need to Know. What You Need to Know. ALL staff - even those that don’t use computers - need to know some things about security What “Data Stewardship” means

Donna
Télécharger la présentation

Maintaining Security While Using Computers

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Maintaining Security While Using Computers What all of Our Computer Users Need to Know

  2. What You Need to Know • ALL staff - even those that don’t use computers - need to know some things about security • What “Data Stewardship” means • New Information Security Policies and Procedures mean new rules for computer users • How to fulfill your responsibility to help keep our computers safe from computer viruses and worms

  3. What Staff Who Don’t Use the Computer Need to Know • There is a federal law (HIPAA) which requires that all our staff learn to protect our information • You must not use our computers unless you have been authorized to do so • If you find any computer printout, floppy disk, or computer CD, turn it in to your supervisor • If you suspect a security violation, report it to your supervisor

  4. Data StewardshipFirst – Some Definitions • Facility Data – data which is acquired, developed, or maintained by our staff in performance of their duties • Application – a purchased, shared, or developed set of files which maintain Facility Data • Application Owner – a single, designated person, responsible for this application and the data it maintains

  5. Some More Definitions • Data File – a computer file (often in Word, Excel, or Access format) which contains Facility Data • Computer User – staff who use a Facility computer in performance of their assigned duties • Data Owner – the person who created and saved a file which contains facility data, or in the case of an application, the application owner

  6. Network Files are Classified According to Security Level • Public Files – Usually on our internet site, not protected • Private Files – Usually store on S:, shared among all network users, protected by Network login requirement • Secure Files – Except for Application Software and Secure Systems, all files NOT stored on the S: Shared folder. Secure files are protected by network rights • Application Software – Things like Word and Excel • Secure Systems – Those systems (like HEARTS) which have been classified as needing MORE than standard file access rights to protect the data

  7. Data Stewardship • All data on the LAN is “owned” by a single member of our staff • The Data Owner must protect the data • If the data belongs to one of our “applications”, then the data is owned by the application owner • If the data is not part of an application, the data is owned by the person who created the file

  8. Files Must be Stored in Secure Network Folders • All files on the Local Area Network are kept in folders • If the folder is the S: (S for Shared), then the files are private, but not confidential, and can be seen by all computer users. No PHI should be stored here • All other folders are for Secure Files, and cannot be seen by anybody unless they have been granted network rights. PHI can be stored

  9. New Responsibilities for all Supervisors • Ensuring that employees are aware of and observe all computer security requirements • Monitoring employee activities to ensure compliance with all software legal requirements • Ensuring that only authorized software runs on State computers

  10. Rules for Computer Users • Data Ownership and LAN Structure • Requesting Network Rights • Making Changes in Network Rights • Password Rules • Mobile Devices • Personal Use • User “Don'ts” • Maintaining Security

  11. Data Owner Responsibilities • Understanding the LAN Rights Structure • Storing their files only in appropriately secure areas • Preventing non-Public files from being copied to moveable media • Keeping Protected Health Information (PHI) secure

  12. Rights on the LAN - #1 • All users have a private file storage area. This is their “H Drive”, or “Home”. • Many users also have rights to a shared folder (typically, the “G Drive”, along with others in their department • The “S Drive”, or Shared area, can be used for exchanging files between staff, but cannot be used if the file contains PHI

  13. Rights on the LAN - #2 • Rights to “Applications” that run on the network are granted by the Application Owner • If rights to use an application are granted by any person other than the Application Owner, the person granting those rights must send email to the Application Owner notifying them what rights were granted

  14. New Computer Users Must . . • Complete General Security Training • Read and sign our Computer User’s Agreement • Fill out a Network Rights Request form • Get any necessary Data Owner signatures • Get their Supervisor’s signature on the Network Rights Request form • Turn the form in to Computer Services

  15. Users must read and sign the Computer User’s Agreement before they can be given rights to the Local Area Network.

  16. Users must complete the Network Security Rights Request form You sign here If you need rights to a home’s PPS, you must get the Home Coordinator’s signature here Your Supervisor’s signature goes here

  17. Making Changes in Network Rights • The same Network Security Rights Request form is used to change network rights for an existing user • When the form is used to remove rights, the applicant’s signature and the Data Owner’s signature are not required, but the Supervisor’s signature is required • The Data Owner does NOT need to use this form to request the total removal of rights; they may use Email to the Help Desk instead

  18. Password Rules • Your network password must be changed every 90 days • Network users must select and change their own passwords • Users will be allowed three “grace” logins when their password expires • All passwords must be at least eight characters, and must not be “guessable” • You must not tell your password to anybody, even your supervisor

  19. Password “Dos” • Mix upper and lower case letters • Mix letters and numbers • Pick a password you can remember • Choose a completely new password each time you change • Include non-alphanumeric characters, such as &, $, and > • Pick a password with at least 8 characters

  20. Password “Don’ts” • Do not use recognizable words that might appear in a dictionary • Do not use proper names • Do not use words in other languages, such as “bonjour” • Do not use your personal information, such as the names of your pets or your children

  21. Mobile Computing Devices • PDAs will be issued only where there is a critical need, and their use must be approved by the Security Official • The use of removable storage devices such as USB flash drives or CD R/W drives are not permitted without the express permission of the Security Official • Mobile computing devices must never be left in unsecured areas

  22. Personal Use of Computers • Personal projects may be permitted on the employee’s own time, but written supervisor permission is required • An employee may make personal use of internet searches only with the approval of their supervisor • An employee may not use instant messaging or download music files without permission from both their supervisor and the LAN Manager

  23. User “Don’ts” - #1 • Users must not change their hardware configuration or physical location without the permission of the Workstation Manager • Downloading software from the internet and bringing software from home are forbidden • An employee may not use our information, applications, or equipment for personal commercial gain

  24. User “Don’ts” - #2 • Users must identify themselves clearly and correctly when using email • Any type of mass mailing by one of our workforce members that does not pertain to governmental business is forbidden • Circumventing user authentication or security is forbidden. A user must be logged in to the LAN as themselves before operating any computer software

  25. User “Don’ts” - #3 • Staff must not provide information about, or lists of, employees or consumers to parties outside this organization • Staff must not post to non-work related public discussion groups or forums on the internet • Users must not access, or attempt to gain access to, any computer account to which they are not authorized

  26. Maintaining Security - #1 • In order to maintain confidentiality of protected health information (PHI), workstations should be set up so that the screen is not visible by people standing at the door or entering the room • If you are viewing PHI, and a person unauthorized to see the PHI enters the room, you should minimize the application or turn off the computer monitor

  27. Maintaining Security - #2 • Sensitive paper and computer media should be stored in locked cabinets when not in use • Protected or sensitive information, when printed to a shared printer, should be retrieved immediately • Sensitive information should not be stored at the home of an employee without appropriate supervisor authorization

  28. Maintaining Security - #3 • Any activity conducted using the State’s computers, including email and the use of the internet, may be logged, monitored, archived or filtered, either randomly or systematically • Both this Facility and the Division reserve the right to perform these actions without specific notice to the user

  29. Maintaining Security - #4 • All users are responsible for helping to prevent the introduction and spread of computer viruses and other “malware” • All files received from any source external to this Division must be scanned for computer viruses before opening • Users must immediately contact their supervisor or the Help Desk when a virus is suspected or detected

  30. Maintaining Security - #5 • Employees must report all information security violations to either the Computer Help Desk or the Security Official • Users must notify the Help Desk immediately if they know or suspect that their network account or workstation has been compromised by a virus or unauthorized access • Users should not attempt to remove viruses themselves without permission from the Help Desk

  31. Maintaining Security - #6 • Users should not stay logged in to the LAN if they are going to leave the room for more than 15 minutes, even if it is locked • During the day, workstations should be left at the Netware Login screen. At night, computers should be powered down • All network accounts and workstation hard drives are subject to periodic audit for the purpose of maintaining security and license requirements

  32. Engaging in “Safe” Computing • All users must protect against viruses • Do not bring software from home • Do not download software from the internet • Do not open email attachments that you were not expecting to receive • Only operate computers which are running virus protection software • When in doubt, call and ask

  33. Complete the Test Now! • All computer users must complete this test • Here is the test. Take it now!http://www.JIRDC.org/SecTest.pdf

  34. Protect Our Data!

More Related