HR WCU General Security Awareness Training Ed01

Upload: donna-koger

Post on 05-Jul-2015


TRANSCRIPT

Page 1: Hr Wcu General Security Awareness Training Ed01

Video: educ_con_least or educ_con_avinfec

Page 2: WCU Security Awareness

Protecting Sensitive Information (Data Security)

Western Carolina University

Page 3: Objectives

Why is security awareness and protecting sensitive information (data) so important?

What types of sensitive information should you watch for?

What areas of compliance do you need to know about?

How can sensitive information be compromised?

What can you do to protect sensitive information?

What are the consequences for data breach at WCU?

What are University Policy #97 and NC ITPA?

Page 4: What's So Important? Why Should You Care?

Universities hold massive quantities of personal, confidential data.

Universities are traditionally seen as easy targets for data theft.

Universities AND Individuals can be held liable for non-compliance.

Page 5: Compliance

Universities are required to comply with federal and state laws and regulations governing the way they use, transmit, and store sensitive information, and to meet payment card industry contractual obligations.

HIPAA (federal law) – Health Insurance Portability and Accountability Act (health data)

GLBA (federal law) – Gramm-Leach-Bliley Act (financial data)

FERPA (federal law) – Family Educational Rights & Privacy Act (education records)

NC ITPA (state statute) – NC Identity Theft Protection Act (personal data, especially SSN)

PCI Data Security Standards (federal law) – payment card industry (MasterCard, VISA, American Express, etc.)

Page 6: Sensitive Information

Social Security number (SSN)

Credit/debit card numbers, bank account numbers, PINs

Driver's license and passport numbers

Personally identifiable health information

Personally identifiable student education records

Proprietary research data

Confidential/privileged legal data

Third-party confidential data that should not be shared with the public

Other confidential data (e.g., personnel records)

Page 7: Good Data Practice

If you don't need it, don't collect it

If you need it only once, don't save it

If you don't need to save it, dispose of it properly

If you have to save it, store it securely

If you have to transmit it, transmit it securely

Don't give out information without knowing the recipient and obtaining positive confirmation

Page 8: What to Do with Sensitive Information

If you don’t need it for business purposes, don’t collect it

If you do need to collect it, maintain it securely

If you need to share it, transmit it securely

Page 9: Sensitive Information Security Tips

Confidential data should NEVER be located on a web server

Use a secure WCU server (H: drive) to store confidential data. DO NOT maintain data on a local disk (C: drive)

Do not create or maintain “shadow data” (duplicate data) – if you must maintain it, keep it on the H: drive

Encrypt confidential data whenever possible

Redact confidential data whenever possible (keep only the last four digits of an SSN, partial credit card numbers, etc.)
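As an added example (not part of the WCU deck), the following Python routine finds SSNs and payment card numbers in free text and redacts them to their last four digits, as the tip above recommends; the SSN check is a format check only, card candidates are confirmed with the Luhn checksum, and the sample text is constructed.

```python
import re

# Constructed sample text for this example (not from the training deck).
SAMPLE = (
    "Student SSN: 123-45-6789, alt contact 234-56-7890.\n"
    "Card on file: 4111 1111 1111 1111 (expires 12/26). Bogus: 4111 1111 1111 1112.\n"
    "Phone 828-227-7000 is not an SSN."
)

# SSN: 3-2-4 digits; reject area 000/666/9xx, group 00 and serial 0000.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# Payment card candidate: 13-16 digits, optionally separated by spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers; filters random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_sensitive(text: str) -> list:
    """Return (kind, value) pairs for every SSN and Luhn-valid card number."""
    hits = [("ssn", m.group(0)) for m in SSN_RE.finditer(text)]
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group(0))
        if luhn_ok(digits):
            hits.append(("card", digits))
    return hits


def redact(text: str) -> str:
    """Mask each SSN and card number, keeping only the last four digits."""
    def mask_ssn(m):
        return "XXX-XX-" + m.group(0)[-4:]

    def mask_card(m):
        digits = re.sub(r"\D", "", m.group(0))
        if not luhn_ok(digits):
            return m.group(0)   # failed checksum: probably not a card number
        return "*" * (len(digits) - 4) + digits[-4:]

    return SSN_RE.sub(mask_ssn, CARD_RE.sub(mask_card, text))
```

Running `find_sensitive` over files on a local C: drive or a web root is one way to spot "shadow data" that the next tips say should not be there.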

Page 10: Identity Theft

Video: educ_con_least

Page 11: Identity Theft

Approximately 10 million ID theft victims nationally per year – 19 people per minute

Identity theft is now passing drug trafficking as the number one crime in the nation according to the Department of Justice

In NC, the number of identity theft crimes reported to the FTC jumped from 1,656 cases in 2001, to 5,830 in 2005

Page 12: How Is Information Stolen?

Phishing

Malware

Hacking

Unauthorized physical access to computing devices

Lost/stolen computing devices

Social engineering

Lost/stolen paper records

Page 13: Phishing

Video: sec0601d.wmv

Page 14: Phishing

The practice of acquiring personal information on the Internet by masquerading as a trustworthy business

Page 15: Hacking

Video: educ_con_hacker_ipodv.m4v

Page 16: Hacking

Unauthorized and/or illegal computer trespass carried out remotely over some form of communication network (the Internet, a LAN, or a dial-up network)

Page 17: Malware

Video: sec0601h.wmv or educ_con_webris

Page 18: Malware

Usually installed on a computer along with other downloaded programs such as screensavers, games, and "free" software

Trojans – malicious programs disguised or embedded within legitimate software

Page 19: What Can Malware Do?

Capture and send sensitive information from your workstation to the hacker (key loggers)

Download other malware

Crash your workstation

Be used to perform attacks from inside WCU’s network

Page 20: Steer Clear of Malware

Avoid using Instant Messaging and Chat software

Avoid using peer-to-peer file sharing software

Don’t download or install unauthorized programs

Keep your computer up to date with the latest antivirus definitions and security patches

Page 21: Unauthorized Physical Access to Computing Devices

Video: sec0601p.wmv

Page 22: Unauthorized Physical Access to Computing Devices

Unsecured workstations, offices, desks, files

Unattended computing devices

Page 23: Securing Your Workstation

Log off or lock your workstation when you leave (CTRL-ALT-DEL)

Use a screensaver with a password enabled

Turn your computer off when you go home

Page 24: Practice a "Clean Desk" Policy

Don't leave confidential data unattended on your desk or on fax machines, printers, or copiers

Keep confidential data stored in a locked desk drawer or file cabinet

Shred confidential data for disposal (in compliance with the NC Records Retention and Disposition Schedule)

Page 25: Which Way Did It Go?

Licensed cab drivers in London reported that 4,973 laptops, 5,939 Pocket PCs, and 63,135 mobile phones were left in cabs over a six-month period.

Page 26: Lost/Stolen Computing Devices

Video: educ_con_inconv

Page 27: Lost/Stolen Computing Devices

Laptops

PCs

BlackBerry/smart phones

PDAs

Removable memory devices (thumb drives, flash cards, etc.)

Page 28: Social Engineering

Video: psa_gold.mp4

Page 29: Social Engineering

A hacker’s favorite tool—the ability to extract information from computer users without having to touch a computer

Tricking people into giving out information is known as "social engineering" and is one of the greatest threats to data security

Page 30: Social Engineering (cont.)

Despite security controls, a university is vulnerable to an attack if an employee unwittingly gives away confidential data:

1. In an email,

3. By answering questions over the phone with someone they don't know

5. Failing to ask the right questions

Page 31: Password Security

Video: sec0601g.wmv

Page 32: Password Security

NEVER GIVE YOUR PASSWORD TO ANYONE

Don’t use the same password on multiple systems

Use a strong password (e.g., a combination of upper- and lower-case letters, numbers, and special characters) on all your computer systems and change your passwords regularly

Avoid using the “auto complete” option to remember your password

Avoid storing passwords (e.g., “Check box to remember this password”)

Page 33: Safe Email Practices

Don’t open unscanned, unknown or unexpected email attachments

If you receive an email containing a hyperlink, don't click it in the email; open a web browser and type the address in manually

Email is sent in plain text and should never be used to send confidential data

Page 34: Sensitive Information (Data) Breach Consequences

HIPAA (federal law) – significant financial penalties per violation; imprisonment for intentional disclosure of protected health information

ITPA (North Carolina statute) – a data security breach requires notification of affected persons; the cost, up to $250,000, is borne by the department

Page 35: Data Security Breach Consequences (cont.)

PCI – $500,000 per incident if there is a compromise on the network resulting in loss or theft of cardholder data, and the network was subsequently found to be non-compliant

$100,000 per incident if a merchant fails to immediately notify payment card companies of suspected or confirmed loss or theft of transaction information

Page 36: Data Security Breach Consequences (cont.)

GLBA – civil money penalties of up to $250,000 for individuals and $500,000 for organizations, and/or imprisonment of up to 5 years, for intentional fraudulent access to financial information

Page 37: State & University Policies for Data Security

University Policy #97: Data Security and Stewardship (http://www.wcu.edu/25380.asp)

NC Identity Theft Protection Act (ITPA): Protects individuals from identity theft by mandating that businesses and government agencies safeguard Social Security numbers and other personal information (student data)

Page 38: If You Suspect a Problem

IMMEDIATELY notify your supervisor