Securing Information in the Higher Education Office

Information Security Office
MISSION:
• Build Security Awareness
• Maintain and Develop Information Security Policy
• Investigate Information Security Incidents
Protecting Our Constituent Information is a Team Effort.
Information Security for Your Office
• Alphabet Soup
• Laws, Rules, Regulations, Policies, Standards
• Best Practices
• Data Classification
• And How to Classify Data
• Protecting Information
Information We Keep
• Students, Faculty, Staff, Donors, Contractors
• Financial Records
• Grades
• Credit Card Information
• Health Care Information
• Addresses
• Phone Numbers
• Insurance Records
• Social Security Numbers
All Protected By Law!
Alphabet Soup
• So Many Laws . . .
• FERPA
• HIPAA
• PCI-DSS
• GLB
• SOX
• “Red Flag” Alerts
• California SB 1386
• §28-51-
Alphabet Soup . . . And Institutional Policy!
Alphabet Soup
• P. I. I.
• Personally Identifiable Information
The One Acronym That Says it All!
Best Practices
• Know the Data Your Office Handles
  • Data Classification
• Know How to Safeguard the Data
  • Protecting Information
Best Practices
• Know what to protect
• Data Classification
  • Method to identify the level of protection various kinds of information need or require
Data Classification Example
• Data Classification—Level One
  • Private information that must be protected as required by law, industry regulation, or by contract
• Examples?
• Consequences of loss
  • Loss of funding
  • Fines
  • Bad Publicity
  • Expose students, staff, contractors, donors to identity theft
Data Classification Example
• Data Classification—Level Two
  • Protected information that may be available through Freedom of Information Act requests to examine or copy records, or through state sunshine laws
• Examples?
• Consequences of loss
  • Loss of funding
  • Fines
  • Bad Publicity
  • Expose students, staff, contractors, donors to identity theft
Data Classification Example
• Data Classification—Level Three
  • Public Information
• Examples?
• Consequences of loss
  • Loss of personal use of a computer
  • Loss of personal data with no impact to the university
  • Bad Publicity
Best Practices
• How Can Data be Lost?
  • Laptop or other data storage system stolen from car, lab, or office.
  • Research Assistant accesses system after leaving research project because passwords aren't changed.
  • Unauthorized visitor walks into unlocked lab or office and steals equipment or accesses unsecured computer.
  • Unsecured application on a networked computer is hacked and data stolen.
Best Practices
• Protecting Information
  • Don’t let personnel issues become security issues
  • Control access to buildings and work areas
  • If you print it—go get it right away
  • Lock up sensitive information—including laptops
  • Store sensitive information on file servers
  • Shred it if you can
Know Your School’s Information Handling Policies
Best Practices
• Protecting Information
  • Use strong passwords
  • Change passwords often
  • Use different passwords on different systems
  • Never share your password
  • Password protect your screensaver
  • Manually lock your screen whenever you leave your desk
Best Practices
• Protecting Information
  • Be sure your office computers’ operating systems and anti-virus software are up-to-date
  • Remind staff to never open unsolicited email from an unknown source or click on unfamiliar web addresses
  • Follow computer salvage procedures—for disks, too!
Best Practices
• Know who to call!
  • I think an office computer is infected, what do I do?
  • I think I lost the USB drive I used to take some sensitive files home to work on, what do I do?