Information Security: Everyone is Responsible Presented by: Information Technology - Information Security Services University of Oklahoma Health Sciences Center Information Security: New Employee Orientation

Upload: riley-starman

Post on 29-Mar-2015


Information Security: Everyone is Responsible

Presented by: Information Technology - Information Security Services

University of Oklahoma Health Sciences Center

Information Security: New Employee Orientation

Information Security: Outcome Statement

At the conclusion of this presentation you should be able to:

1. Define Information Security
2. Identify threats
3. State safe practices
4. Know where to report an incident

Information Security: What is it? Why?

Information Security is:

• Protection of information from threats

Goals of Information Security:

• Ensure Business Continuity
• Minimize Risk
• Maximize Return on Investment

Information Security: Three Tenets

• Confidentiality
  – Information is disclosed only to those authorized
• Availability
  – Information is accessible when required
• Integrity
  – Information is accurate, authentic, complete and reliable.

The right data to the right people at the right time

Information Security: What does it Protect…

• Patient Information
• Personally Identifiable Information
• Our Identity
• Our reputation

Information Security: Threats

• Malware
  – Viruses
  – Worms
  – Spyware
  – Trojans
• Social Engineering
  – Phishing
  – Spear Phishing
  – Spam

Information Security: E-mail Threat

• 89% of e-mail traffic contains viruses, phishing schemes, or is SPAM

• 27,735,000 malicious e-mails blocked from delivery to OUHSC in a month

Information Security: Safe Practices for E-mail

• Do not open unsolicited email or attachments

• Do not reply to SPAM

• Do not use your OUHSC email address in online forms and questionnaires unless it becomes necessary for University related business

• Place a confidentiality notice in your signature block

Information Security: Malicious Software Threat

• Malicious software downloads from the web
  – Spyware
  – Trojan Horse
  – Key Loggers

• 1 in 10 web sites attempt to download software without permission

Information Security: Safe Practices for the Internet

• Set higher security settings in your browser

• Do not install add-ons to your browser (Google tool bar, Comet Cursor, Gator, HotBar, etc.)

• Avoid Game Sites and sites that require you to fill out online forms

• Install a spyware removal tool

• Always remember that your computer is a business tool

Information Security: Employee Responsibilities

• Use resources appropriately

• Protect your user-id and system

• Only access information that pertains to your job function

• Policies, Procedures, local, state and federal laws

• Be responsible

Information Security: Password Management

• Protect It! Memorize It!
• Use Strong Passwords
  – At least 8 characters
  – No personal information
  – No dictionary words
  – Use 3 of 4 character types
    – Upper case letters
    – Lower case letters
    – Numbers
    – Special Characters (!@#$%^&*)

Information Security: Password Management

Create “Passphrases”

Make it memorable

Use a secret code

Examples:

“il2pBB@6:30”: I like to play basketball at 6:30

“LMissMs04t”: Little Miss Muffet sat on a tuffet

“RedPensTalk2WhiteG@tors”: made up phrase

Information Security: Regulatory Compliance

• HIPAA – Healthcare Insurance Portability and Accountability Act
  – Protected Health Information “PHI”
• PCI DSS – Payment Card Industry Data Security Standards
  – Protects cardholder data
• GLBA – Gramm-Leach-Bliley Act
  – Protects consumers’ personal financial information

Information Security: Safe Practice - Follow Policies

• Follow policies to help protect your data

• It’s the LAW

• See http://it.ouhsc.edu/policies/

Information Security: Incident Response

• Types of Incidents
  – Suspicious email (spam or phishing attacks)
  – Viruses (usually via email)
  – Sharing of authentication (passwords or privileges)
  – Attempts to gain unauthorized access
  – Unauthorized modifications of files and records
  – Attaching unapproved devices to the network
  – Abuse of authority or privilege
  – Theft

Information Security: Incident Response

• How to report an Incident
  – Information Security Services should be notified immediately of an information security incident.
  – Information Security Incidents can be reported by the following methods:
    – Contact the Service Desk at 405.271.2203
    – Email: [email protected]
    – Contact the Information Security Services office at 405.271.2476
    – Email: [email protected]
    – Website: http://it.ouhsc.edu/services/infosecurity/

Information Security: Safe Practices Summary

– Antivirus updates (daily)
– Security patches (monthly)
– Data backups (daily)
– Browser security settings
– Avoid unknown software from the Internet
– Personal Firewall protection installed
– Email caution
– Report suspicious activity

Information Security: Stay Safe Online

• Information Security
  – http://www.sans.org
  – http://www.sans.org/tip_of_the_day.php
  – http://www.microsoft.com/protect/yourself/password/checker.mspx
• Free Anti-Virus and Anti-Spyware Tools
  – http://free.grisoft.com
  – http://www.comodo.com
  – http://www.safer-networking.org/en/index.html
• Online Safety
  – http://www.staysafeonline.org
• Identity Theft
  – http://www.privacyrights.org
  – http://www.usdoj.gov/criminal/fraud/websites/idtheft.html

Information Security: Quiz

Quiz Time…

1. What is Information Security?

The protection of information from threats

Information Security: Quiz

Quiz Time…

2. I have a responsibility to protect what two aspects of information security at OUHSC?

a. Confidentiality and Integrity
b. Confidentiality and Availability
c. Integrity and Availability
d. I am not responsible for information security at OUHSC

Information Security: Quiz

Quiz Time…

3. When I receive an email with an attachment from someone I do not know, I should…

a. Open it immediately to find out what it says
b. Forward it to my friends and family
c. Just delete it
d. Unsubscribe

Information Security: Quiz

Quiz Time…

4. How do I report an incident?

a. Contact the Service Desk
b. Contact Information Security
c. Go to Website: http://it.ouhsc.edu/services/infosecurity/
d. All of the above

Information Security: Quiz

Quiz Time…

5. What is the best way to remember your password?

a. Write it down and hide it under the keyboard
b. Share it with a coworker so he/she can help when you forget it
c. Memorize it
d. Create a simple password, like abc123

Information Security: Quiz

Quiz Time…

Bonus

What are the characteristics of a complex password?

Information Security: Thank You