Safeguarding sensitive information is crucial for universities and organizations. At Boise State University, we aim for zero lost records by adhering to best practices in information security. We cover the essential data classifications (private, protected, and public) and the implications of data loss. This guide outlines how to efficiently protect personally identifiable information (PII) such as grades, health data, and more, complying with laws like FERPA and HIPAA. Together, we can ensure the integrity and confidentiality of our data.
Information Security for Your Office Created By OIT Information Security Services http://oit.boisestate.edu/security/
Universities in the News! • University of Idaho • 70,000 Donor Records • University of Texas at Austin • 225,000 Student Records • UCLA • 500,000 Student Records
University NOT in the News! Boise State University • Zero Lost Records • So Far! Go Broncos!
Information We Keep Students, Faculty, Staff, Donors, Contractors • Financial Records • Grades • Credit Card Information • Health Care Information • Addresses • Phone Numbers • Insurance Records • Social Security Numbers All Protected By Law!
Alphabet Soup So Many Laws . . . • FERPA • HIPAA • PCI-DSS • GLBA • SOX • FTC “Red Flags” Rule • Idaho Code • §28-51-105 • §28-51-
Alphabet Soup Information Technology Resource Use (8000) • http://policy.boisestate.edu/wp-content/uploads/2011/05/8000_informationtechnologyresourceuse.pdf Information Privacy and Security (8060) • http://policy.boisestate.edu/wp-content/uploads/2011/05/8060_InformationPrivacySecurity.pdf Cash Handling (6010) • http://policy.boisestate.edu/wp-content/uploads/2011/05/6010_CashHandling.pdf
Alphabet Soup What is PII? • Personally • Identifiable • Information The One Acronym That Says it All!
Best Practices Know the Data Your Office Handles • Data Classification Know How to Safeguard the Data • Protecting Information
Best Practices Data Classification • Method to identify the level of protection various kinds of information need or require • A rubric of three levels of sensitivity • Level One - Private • Level Two - Protected • Level Three - Public http://oit.boisestate.edu/security/it-security-policy-and-procedures/dataclassification/
Best Practices • Data Classification—Level One • Private information that must be protected as required by law, industry regulation, or by contract Examples - Student or employee records; social security numbers; A numbers; grades; employee performance reviews; personnel files; personally identifiable information; • Consequences of loss • Loss of funding • Fines • Bad Publicity • Expose students, staff, contractors, donors to identity theft
Best Practices Data Classification—Level Two • Protected information: not meant for the public, but it may have to be released in response to a request to examine or copy records under the federal Freedom of Information Act or Idaho’s public records law • Examples - Internal e-mails; meeting minutes; unit working and draft documents. • Consequences of loss • Loss of funding • Fines • Bad Publicity • Expose students, staff, contractors, donors to identity theft
Best Practices Data Classification—Level Three • Public Information • Examples - Standard practice guides and policies; college plan; personnel directory; maps; course catalog; public web pages; press releases; advertisements; schedules of classes. • Consequences of loss • Loss of personal data with no impact to the university • Bad Publicity
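Knowing which of the three levels a file falls into starts with finding the Level One markers the slides list (Social Security numbers, card numbers, grades, health and insurance data). The scanner below is an added example written for this guide, not OIT code or any Boise State tool: it looks for SSNs and Luhn-valid payment card numbers plus a constructed keyword list, reports only masked values so the scan log does not become another copy of the data, and treats anything it cannot prove to be Level One as Level Two (Protected) pending human review, since no scanner can prove a document is safe to publish. The sample documents are constructed, not real records.

```python
"""PII discovery scan supporting the three-level data classification rubric.

Added example for this guide, not OIT code. Flags two Level One markers from
the slides (U.S. Social Security numbers and payment card numbers, checked with
the Luhn checksum) plus a constructed keyword list, and reports masked values.
"""
import re
import sys
from pathlib import Path

# A scanner never assigns Level Three (Public); that is a human decision.
LEVEL_ONE, LEVEL_TWO = "Private", "Protected"

# SSN: AAA-GG-SSSS, excluding never-issued area (000, 666, 9xx), group (00)
# and serial (0000) values.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# Candidate card number: 13-19 digits, optionally separated by spaces/dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# Constructed keyword list for records a FERPA/HIPAA-covered office handles.
KEYWORD_RE = re.compile(
    r"\b(social security|ssn|grades?|gpa|diagnosis|insurance)\b", re.I)


def luhn_ok(digits: str) -> bool:
    """True if the digit string passes the Luhn checksum used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask(value: str, keep: int = 4) -> str:
    """Keep only the last `keep` characters so findings can be reported safely."""
    return "*" * (len(value) - keep) + value[-keep:]


def find_ssns(text: str) -> list:
    return SSN_RE.findall(text)


def find_cards(text: str) -> list:
    """Return candidate card numbers (digits only) that pass the Luhn check."""
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            hits.append(digits)
    return hits


def classify(text: str):
    """Return (level, findings); findings hold masked values only.

    Anything not provably Level One is reported as Level Two until reviewed.
    """
    findings = {
        "ssn": [mask(s) for s in find_ssns(text)],
        "card": [mask(c) for c in find_cards(text)],
        "keyword": sorted({k.lower() for k in KEYWORD_RE.findall(text)}),
    }
    level = LEVEL_ONE if any(findings.values()) else LEVEL_TWO
    return level, findings


def scan_paths(paths):
    """Classify each file on disk; returns {path: (level, findings)}."""
    return {p: classify(Path(p).read_text(errors="replace")) for p in paths}


# Constructed sample documents, not real records.
SAMPLE_PRIVATE = "Student 123-45-6789 paid tuition with card 4111 1111 1111 1111."
SAMPLE_INTERNAL = "Meeting minutes: budget and parking discussed."

if __name__ == "__main__":
    targets = sys.argv[1:]
    results = scan_paths(targets) if targets else {
        "sample_private": classify(SAMPLE_PRIVATE),
        "sample_internal": classify(SAMPLE_INTERNAL),
    }
    for name, (level, findings) in results.items():
        print(f"{name}: {level} {findings}")
```

Run it with file paths as arguments to scan a shared folder, or with no arguments to see the two constructed samples: the first is reported as Private with a masked SSN and card number, the second as Protected with no findings. Phone numbers and A-numbers are shorter than 13 digits and never reach the Luhn check, which keeps false positives from the card pattern low.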
Best Practices Data Classification—How To CIA: The “Big Three” of Information Security • Confidentiality • the need to strictly limit access to data to protect the university and individuals from loss • Integrity • data must be accurate and users must be able to trust its accuracy • Availability • data must be accessible to authorized persons, entities, or devices http://oit.boisestate.edu/security/it-security-policy-and-procedures/dataclassification/how2classdata/
Best Practices Data Classification—How Can Data be Lost? • Laptop or other data storage system stolen from car, lab, or office. • Research Assistant accesses system after leaving research project because passwords aren't changed. • Unauthorized visitor walks into unlocked lab or office and steals equipment or accesses unsecured computer. • Unsecured application on a networked computer is hacked and data stolen.
Best Practices Data Classification—How To Protect Systems • Minimum Security Standard for Systems
Best Practices Protecting Information • Don’t let personnel issues become security issues • Control access to buildings and work areas • If you print it—go get it right away • Lock up sensitive information—including laptops • Store sensitive information on file servers • Shred it if you can Know Boise State Information Handling Policies
Best Practices Protecting Information • Use strong passwords • Change passwords often • Use different passwords on different systems • Never share your password • Password protect your screensaver • Manually lock your screen whenever you leave your desk
Best Practices Protecting Information • Be sure your office computers’ operating systems and anti-virus software are up-to-date • Remind staff to never open unsolicited email from an unknown source or click on unfamiliar web addresses • Follow computer salvage procedures—for disks, too!
Example of Poor Practices • The next two slides show articles from a local newspaper regarding an insurance agency that simply “dropped off” boxes full of personal records at a local recycling center. • The boxes were left after hours, when the recycling center was closed. • The article states that it could have been an identity thief’s “gold mine.”
What to Do! Know who to call! • I think an office computer is infected, what do I do? • Call the Help Desk @ 6-4357 • I think I lost the USB drive I used to take some sensitive files home to work on, what do I do? • Call Information Security Services -@ 6-5501
Information Security for Your Office • Incident Response Procedure