Information Security for Your Office

1
Information Security for Your Office

• Information Security Office
• Bob Henry
• Information Security Officer
• CISSP
• GCIH
• GCFA
• http//boisestate.edu/oit/iso

2
Information Security for Your Office

• Role of Information Security Office
• Mission and Role
• Alphabet Soup
• Laws, Rules, Regulations, Policies, Standards
• Best Practices
• Data Classification
• And How to Classify Data
• Protecting Information

3
Universities in the News!

• University of Idaho
• 70,000 Donor Records
• University of Texas at Austin
• 225,000 Student Records
• UCLA
• 500,000 Student Records

4
University NOT in the News!

• Boise State University
• Zero Lost Records
• So Far!
• Go Broncos!

5
Information Security Office

• MISSION
• Build Security Awareness
• Maintain and Develop Information Security Policy
• Investigate Information Security Incidents
• Protecting Our Constituent Information is a Team
  Effort

6
Information We Keep

• Students, Faculty, Staff, Donors, Contractors
• Financial Records
• Grades
• Credit Card Information
• Health Care Information
• Addresses
• Phone Numbers
• Insurance Records
• Social Security Numbers
• All Protected By Law!

7
Alphabet Soup

• So Many Laws . . .
• FERPA
• HIPAA
• PCI-DSS
• GLB
• SOX
• Red Flag Alerts
• Idaho Code
• 28-51-105
• 28-51-

8
Alphabet Soup

• . . . And Boise State Policy!
• Information Technology Resource Use (8000)
• http//www.boisestate.edu/policy/policy_docs/8000_
  informationtechnologyresourceuse.pdf
• Information Privacy and Security (8060)
• http//www.boisestate.edu/policy/policy_docs/8060_
  InformationPrivacySecurity.pdf
• Cash Handling (6010)
• http//www.boisestate.edu/policy/policy_docs/6010_
  CashHandling.pdf

9
Alphabet Soup

• P. I. I.
• Personally Identifiable Information
• The One Acronym That Says it All!

10
Best Practices

• Know the Data Your Office Handles
• Data Classification
• Know How to Safeguard the Data
• Protecting Information

11
Best Practices

• Data Classification
• Method to identify the level of protection
  various kinds of information need or require
• A rubric of three levels of sensitivity
• Policy is currently in the approval process
• http//boisestate.edu/oit/iso/dataclassification.s
  html

12
Best Practices

• Data ClassificationLevel One
• Private information that must be protected as
  required by law, industry regulation, or by
  contract
• Examples?
• Consequences of loss
• Loss of funding
• Fines
• Bad Publicity
• Expose students, staff, contractors, donors to
  identity theft

13
Best Practices

• Data ClassificationLevel Two
• Protected information that may be available
  through Freedom of Information Act Requests to
  Examine or Copy Records
• Examples?
• Consequences of loss
• Loss of funding
• Fines
• Bad Publicity
• Expose students, staff, contractors, donors to
  identity theft

14
Best Practices

• Data ClassificationLevel Three
• Public Information
• Examples?
• Consequences of loss
• Loss of personal use of a computer
• Loss of personal data with no impact to the
  university
• Bad Publicity

15
Best Practices

• Data ClassificationHow To
• The Big Three of Information Security
• Confidentiality
• the need to strictly limit access to data to
  protect the university and individuals from loss
• Integrity
• data must be accurate and users must be able to
  trust its accuracy
• Availability
• data must be accessible to authorized persons,
  entities, or devices
• http//boisestate.edu/oit/iso/how2classdata.shtml

16
Best Practices

• Data ClassificationHow Can Data be Lost?
• Laptop or other data storage system stolen from
  car, lab, or office.  
• Research Assistant accesses system after leaving
  research project because passwords aren't
  changed.  
• Unauthorized visitor walks into unlocked lab or
  office and steals equipment or accesses unsecured
  computer.  
• Unsecured application on a networked computer is
  hacked and data stolen.

17
Best Practices

• Data ClassificationHow To Protect Systems
• Minimum Security Standard for Systems
• http//boisestate.edu/oit/iso/minsecstdsystems.sht
  ml

18
Best Practices

• Protecting Information
• Dont let personnel issues become security issues
• Control access to buildings and work areas
• If you print itgo get it right away
• Lock up sensitive informationincluding laptops
• Store sensitive information on file servers
• Shred it if you can
• Know Boise State Information Handling Policies

19
Best Practices

• Protecting Information
• Use strong passwords
• Change passwords often
• Use different passwords on different systems
• Never share your password
• Password protect your screensaver
• Manually lock your screen whenever you leave your
  desk

20
Best Practices

• Protecting Information
• Be sure your office computers operating systems
  and anti-virus software are up-to-date
• Remind staff to never open unsolicited email from
  an unknown source or click on unfamiliar web
  addresses
• Follow computer salvage proceduresfor disks,
  too!

21
Best Practices

• Know who to call!
• I think an office computer is infected, what do I
  do?
• Call the Help Desk
• 6-4357
• I think I lost the USB drive I used to take some
  sensitive files home to work on, what do I do?
• Call the Information Security Office
• 6-5501

22
(No Transcript)
23
Information Security for Your Office

• Incident Response Procedure
• http//boisestate.edu/oit/iso/incresponseprocedure
  .shtml
• Presentation available
• http//boisestate.edu/oit/iso/awareness.shtml
• Questions? Suggestions?