Securing Information in the Higher Education Office

1
(No Transcript)
2
(No Transcript)
3
Securing Information in the Higher Education
Office
4
(No Transcript)
5
Information Security Office

• MISSION
• Build Security Awareness
• Maintain and Develop Information Security Policy
• Investigate Information Security Incidents
• Protecting Our Constituent Information is a Team
  Effort

6
Information Security for Your Office

• Alphabet Soup
• Laws, Rules, Regulations, Policies, Standards
• Best Practices
• Data Classification
• And How to Classify Data
• Protecting Information

7
Information We Keep

• Students, Faculty, Staff, Donors, Contractors
• Financial Records
• Grades
• Credit Card Information
• Health Care Information
• Addresses
• Phone Numbers
• Insurance Records
• Social Security Numbers
• All Protected By Law!

8
Alphabet Soup

• So Many Laws . . .
• FERPA
• HIPAA
• PCI-DSS
• GLB
• SOX
• Red Flag Alerts
• California SB 138628-51-

9
Alphabet Soup

• . . . And Institutional Policy!

10
Alphabet Soup

• P. I. I.
• Personally Identifiable Information
• The One Acronym That Says it All!

11
Best Practices

• Know the Data Your Office Handles
• Data Classification
• Know How to Safeguard the Data
• Protecting Information

12
Best Practices

• Know what to protect
• Data Classification
• Method to identify the level of protection
  various kinds of information need or require

13
Data Classification Example

• Data ClassificationLevel One
• Private information that must be protected as
  required by law, industry regulation, or by
  contract
• Examples?
• Consequences of loss
• Loss of funding
• Fines
• Bad Publicity
• Expose students, staff, contractors, donors to
  identity theft

14
Data Classification Example

• Data ClassificationLevel Two
• Protected information that may be available
  through Freedom of Information Act Requests to
  Examine or Copy Records. Or, state sunshine laws
• Examples?
• Consequences of loss
• Loss of funding
• Fines
• Bad Publicity
• Expose students, staff, contractors, donors to
  identity theft

15
Data Classification Example

• Data ClassificationLevel Three
• Public Information
• Examples?
• Consequences of loss
• Loss of personal use of a computer
• Loss of personal data with no impact to the
  university
• Bad Publicity

16
Best Practices

• How Can Data be Lost?
• Laptop or other data storage system stolen from
  car, lab, or office.  
• Research Assistant accesses system after leaving
  research project because passwords aren't
  changed.  
• Unauthorized visitor walks into unlocked lab or
  office and steals equipment or accesses unsecured
  computer.  
• Unsecured application on a networked computer is
  hacked and data stolen.

17
Best Practices

• Protecting Information
• Dont let personnel issues become security issues
• Control access to buildings and work areas
• If you print itgo get it right away
• Lock up sensitive informationincluding laptops
• Store sensitive information on file servers
• Shred it if you can
• Know Your Schools Information Handling Policies

18
Best Practices

• Protecting Information
• Use strong passwords
• Change passwords often
• Use different passwords on different systems
• Never share your password
• Password protect your screensaver
• Manually lock your screen whenever you leave your
  desk

19
Best Practices

• Protecting Information
• Be sure your office computers operating systems
  and anti-virus software are up-to-date
• Remind staff to never open unsolicited email from
  an unknown source or click on unfamiliar web
  addresses
• Follow computer salvage proceduresfor disks,
  too!

20
Best Practices

• Know who to call!
• I think an office computer is infected, what do I
  do?
• I think I lost the USB drive I used to take some
  sensitive files home to work on, what do I do?

21
(No Transcript)