hr wcu general security awareness training ed01
Post on 05-Jul-2015
Video: educ_con_least or Educ_con_avinfec
WCU Security Awareness
Protecting Sensitive Information
(Data Security)
Western Carolina University
Objectives
Why is security awareness and protecting sensitive information (data) so important?
What types of sensitive information should you watch for?
What areas of compliance do you need to know about?
How can sensitive information be compromised?
What can you do to protect sensitive information?
What are the consequences for data breach at WCU?
What are University Policy #97 and NC ITPA?
What’s So Important? Why should you care?
Universities hold massive quantities of personal, confidential data.
Universities are traditionally seen as easy targets for data theft.
Universities AND Individuals can be held liable for non-compliance.
Compliance
Universities are required to comply with federal & state laws and regulations regarding the way they use, transmit & store sensitive information, and to meet payment card industry contractual obligations
HIPAA (federal law) – Health Insurance Portability and Accountability Act (health data)
GLBA (federal law) – Gramm-Leach-Bliley Act (financial data)
FERPA (federal law) – Family Educational Rights & Privacy Act (education records)
NC ITPA (state statute) – NC Identity Theft Protection Act (personal data, especially SSNs)
PCI Data Security Standards (payment card industry contractual obligation, not a law) – MasterCard, VISA, American Express, etc.
Sensitive Information
Social Security number (SSN)
Credit/debit card numbers, bank account numbers, PINs
Driver's license and passport numbers
Personally identifiable health information
Personally identifiable student education records
Proprietary research data
Confidential/privileged legal data
Third-party confidential data that should not be shared with the public
Other confidential data (e.g., personnel records)
Good Data Practice
If you don’t need it, don’t collect it
If you need it only once, don’t save it
If you don’t need to save it, dispose of it properly
If you have to save it, store it securely
If you have to transmit it, transmit it securely
Don’t give out information without knowing the recipient (positive confirmation)
What to do with Sensitive Information
If you don’t need it for business purposes, don’t collect it
If you do need to collect it, maintain it securely
If you need to share it, transmit it securely
Sensitive Information Security Tips
Confidential data should NEVER be located on a web server
Use a secure WCU server (H: drive) to store confidential data. DO NOT maintain data on a local disk (C: drive)
Do not create or maintain “shadow data” (duplicate data) – if you must maintain it, keep it on the H: drive
Encrypt confidential data whenever possible
Redact confidential data whenever possible (last four digits of an SSN, partial credit card numbers, etc.)
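The redaction tip above (keep only the last four digits of an SSN or card number) is simple to state but easy to get wrong in bulk: a naive digit-run search masks phone numbers and ticket IDs while missing card numbers written with spaces or dashes. The following Python is an added example, not WCU code or part of the training deck; the sample text and every number in it are constructed for the demo. It matches SSNs by the SSA format rules (area not 000/666/9xx, group not 00, serial not 0000), matches 13-19 digit runs as card candidates and keeps only those that pass the Luhn check, then masks both kinds to their last four digits.

```python
import re

# Constructed sample text; none of these values are real records.
SAMPLE = (
    "Student SSN 123-45-6789 and card 4111 1111 1111 1111 were faxed; "
    "order ref 1234 5678 9012 3456 and phone 828-227-7000 are not sensitive."
)

# SSN: ddd-dd-dddd with the SSA's never-issued ranges excluded.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")

# Card candidate: 13 to 19 digits, optionally separated by spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum used by payment cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _mask_ssn(m: re.Match) -> str:
    # Keep the last four digits only, e.g. XXX-XX-6789.
    return "XXX-XX-" + m.group(0)[-4:]


def _mask_card(m: re.Match) -> str:
    raw = m.group(0)
    digits = re.sub(r"\D", "", raw)
    if not luhn_ok(digits):
        return raw              # digit run that fails Luhn: not a card, leave it
    return "*" * (len(digits) - 4) + digits[-4:]


def redact(text: str) -> str:
    """Mask SSNs and Luhn-valid card numbers down to their last four digits."""
    text = SSN_RE.sub(_mask_ssn, text)
    text = CARD_RE.sub(_mask_card, text)
    return text


def count_findings(text: str) -> dict:
    """Count sensitive values without returning them (safe to log)."""
    ssn = len(SSN_RE.findall(text))
    cards = sum(
        1 for m in CARD_RE.finditer(text)
        if luhn_ok(re.sub(r"\D", "", m.group(0)))
    )
    return {"ssn": ssn, "card": cards}


if __name__ == "__main__":
    print(count_findings(SAMPLE))
    print(redact(SAMPLE))
```

The Luhn filter is what keeps the 16-digit order reference and the phone number untouched; the count function exists so a script can report how much sensitive data a file contains without copying the values into a log, which would just create more "shadow data".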
Identity Theft
Video: educ_con_least
Identity Theft
Approximately 10 million ID theft victims nationally per year – 19 people per minute
Identity theft is now passing drug trafficking as the number one crime in the nation according to the Department of Justice
In NC, the number of identity theft crimes reported to the FTC jumped from 1,656 cases in 2001, to 5,830 in 2005
How is Information Stolen?
Phishing
Malware
Hacking
Unauthorized physical access to computing devices
Lost/stolen computing devices
Social engineering
Lost/stolen paper records
Phishing
Video: sec0601d.wmv
Phishing
The practice of acquiring personal information on the Internet by masquerading as a trustworthy business
Hacking
Video: educ_con_hacker_ipodv.m4v
Hacking
Unauthorized and/or illegal computer trespass executed remotely via some form of communication network (the Internet, LAN or dial-up network)
Malware
Video: sec0601h.wmv or educ_con_webris
Malware
Usually installed onto a computer by downloading other programs such as screensavers, games, and “free” software
Trojans – malicious programs disguised or embedded within legitimate software
What Can Malware Do?
Capture and send sensitive information from your workstation to the hacker (key loggers)
Download other malware
Crash your workstation
Be used to perform attacks from inside WCU’s network
Steer Clear of Malware
Avoid using Instant Messaging and Chat software
Avoid using Peer to Peer file sharing software
Don’t download or install unauthorized programs
Keep your computer up to date with the latest antivirus definitions and security patches
Unauthorized Physical Access to Computing Devices
Video: sec0601p.wmv
Unauthorized Physical Access to Computing Devices
Unsecured work stations, offices, desks, files
Unattended computing devices
Securing Your Workstation
Log off or lock your workstation when you leave (CTRL-ALT-DEL)
Use a screensaver with a password enabled
Turn your computer off when you go home
Practice a “Clean Desk” Policy
Don’t leave confidential data unattended on your desk, FAX, printers or copiers
Keep confidential data stored in a locked desk drawer or file cabinet
Shred confidential data for disposal (in compliance with the NC Records Retention and Disposition Schedule)
Which Way Did It Go?
Licensed cab drivers in London reported that 4,973 laptops, 5,939 Pocket PCs, and 63,135 mobile phones were left in cabs over a 6 month period.
Lost/Stolen Computing Devices
Video: educ_con_inconv
Lost/Stolen Computing Devices
Laptops
PCs
BlackBerry/smart phones
PDAs
Removable memory devices (thumb drives, flash cards, etc.)
Social Engineering
Video: psa_gold.mp4
Social Engineering
A hacker’s favorite tool—the ability to extract information from computer users without having to touch a computer
Tricking people to give out information is known as “social engineering” and is one of the greatest threats to data security
Social Engineering (cont.)
Despite security controls, a university is vulnerable to an attack if an employee unwittingly gives away confidential data:
1. In an email,
2. By answering questions over the phone with someone they don't know,
3. By failing to ask the right questions
Password Security
Video: sec0601g.wmv
Password Security
NEVER GIVE YOUR PASSWORD TO ANYONE
Don’t use the same password on multiple systems
Use a strong password (e.g., a combination of alpha, upper/lower case, numeric characters, special characters) on all your computer systems and change them regularly
Avoid using the “auto complete” option to remember your password
Avoid storing passwords (e.g., “Check box to remember this password”)
Safe Email Practices
Don’t open unscanned, unknown or unexpected email attachments
If you receive an email with a hyperlink, don’t open it in the email – open a web browser and type the link in manually
Email is sent in plain text and should never be used to send confidential data
Sensitive Information (Data) Breach Consequences
HIPAA (federal law) – significant financial penalties per violation; imprisonment for intentional disclosure of protected health information
ITPA (North Carolina statute) – a data security breach requires notification of affected persons; the cost, up to $250,000, is borne by the department
Data Security Breach Consequences (cont.)
PCI – $500,000 per incident if there is a compromise on the network resulting in loss or theft of cardholder data, and the network was subsequently found to be non-compliant
PCI – $100,000 per incident if a merchant fails to immediately notify payment card companies of suspected or confirmed loss or theft of transaction information
Data Security Breach Consequences (cont.)
GLBA – Imposition of civil money penalties of up to $250,000 for individuals, and $500,000 for organizations and/or imprisonment up to 5 years for intentional fraudulent access to financial information
State & University Policies for Data Security
University Policy #97: Data Security and Stewardship (http://www.wcu.edu/25380.asp)
NC Identity Theft Protection Act (ITPA): Protects individuals from identity theft by mandating that businesses and government agencies safeguard Social Security numbers and other personal information (student data)
If You Suspect a Problem
IMMEDIATELY notify your supervisor