Managing IT Security
DESCRIPTION
NDSU 2009 Fall Conference general session PowerPoint.
Managing IT Security for Extension and Outreach Offices
Theresa Semmens NDSU Chief IT Security Officer
October, 2009
Presentation Outline
• Security Guidelines
  – Email
  – Workstation
  – Wireless
  – External Mobile Device Security
• Protection of Confidential and Private Data
• Online Financial Transactions
• Those *!@&$ NDSU network services
• Dual Support with the ND Association of Counties
NDSU E-mail
• What is secure
  – Encrypted user name and password
• Email messages and attachments
  – Subject to privacy laws
    • HIPAA
    • GLBA
    • FERPA
    • ND Public Open Records Century Code
• Using personal e-mail address and equipment for NDSU business
  – Can be subject to ND Public Open Records Century Code
Workstation
• Users must have unique login and password
• Operating system and office software current with latest patches
• Anti-virus software and firewall installed, enabled and active
• Confidential/private data is not accessible or viewable by public
• Log off computer when done or away from desk
• Set a password protected screensaver
Workstation Area
• Confidential/sensitive information not available for public view
• Protected hard copy documentation stored in locked file cabinet
  – Manipulated hard copy documentation
• Tidy desk area
Wireless Access
• Wireless access in the office
  – Open vs. Secured
  – Access available only to those who need it
• Wireless access outside of the office
  – Public access
• Not recommended
  – Working with confidential private data
  – Use for personal banking
  – Purchasing merchandise online
• Use NDSU Webmail client to send and receive email – do not send attachments; message body should not contain sensitive information
Laptop Security
• Maintain copies of important data somewhere other than the laptop. Consider using an external portable storage device.
• Back up all data, and make use of encryption features when you do so.
• Hard drive and external storage are encrypted.
• Laptop must be labeled and identified
External Media
Definition – external hard drives, flash drives, CDROM, DVDR
• When not in use, keep in safe place.
• Dispose of properly.
• Encrypt sensitive data.
• Share only with those who have a “need to know”.
Phlushing the Phish!
What is NDSU doing?
What can you do?
Recent Spear Phishing Attacks
Confidential/Private Data
• Defined and classified in NDUS 1901.2
• Examples:
  – Pesticide Program
  – Master Gardeners
  – 4-H
  – Research
• What is allowable for use and storage
Employees & Volunteers
• Must sign confidentiality agreements
• Background checks required*
• Receive formal, documented training
*Above point required if handling electronic financial transactions
Social Security Numbers
• Do not use as an identifier on
  – Files
  – Spreadsheets
  – Databases
  – Correspondence
• Any files/documents containing SSN data must be secured and available only to those who have a need to know
Credit Card Information
• Do not store
  – Full credit card number (only last four digits)
  – CVV2 number
  – Exp. date
• Receipts
  – Only allow last four digits on receipt
  – No CVV2 number
  – No exp. date
• Do not accept credit card transactions over email
• If received over voice mail, delete immediately
• Must have separation of duties for acceptance of credit cards
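The Social Security Number and Credit Card Information rules above can be checked mechanically before a file or spreadsheet export is kept. The Python below is an added example and is not part of the presentation or of any NDSU tool: it scans constructed sample records for SSN-shaped values and Luhn-valid card numbers, flags CVV2 and expiry fields that must not be stored at all, and builds a receipt line that keeps only the last four digits. The record layout, the field names (`member_id`, `card`, `cvv2`, `exp_date`) and the sample values are assumptions made for this example.

```python
"""Added example (not from the NDSU presentation): a small data-discovery
check for SSNs and card data that the slides say must not be stored.
Field names and sample records are assumptions made for this example."""
import re

# SSN shape: 3-2-4 digits, optional dashes or spaces, not embedded in a
# longer digit run. The SSA never assigns area 000, 666 or 900-999,
# group 00, or serial 0000, so those are excluded as false positives.
SSN_RE = re.compile(r"(?<![\d-])(\d{3})[- ]?(\d{2})[- ]?(\d{4})(?![- ]?\d)")
# Candidate card numbers: 13-19 digits, optionally separated by spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """True if the digit string passes the Luhn check-digit test."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def looks_like_ssn(area: str, group: str, serial: str) -> bool:
    """Reject digit groups the SSA never assigns."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return group != "00" and serial != "0000"


def find_ssns(text: str) -> list:
    """Return SSN-shaped values in text, normalised to 3-2-4 with dashes."""
    return [f"{a}-{g}-{s}" for a, g, s in SSN_RE.findall(text)
            if looks_like_ssn(a, g, s)]


def find_cards(text: str) -> list:
    """Return Luhn-valid card numbers in text, separators removed."""
    found = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            found.append(digits)
    return found


def mask_pan(digits: str) -> str:
    """Keep only the last four digits, as the receipt rule requires."""
    return "*" * (len(digits) - 4) + digits[-4:]


def scan_record(record: dict) -> dict:
    """Map field name -> list of problems for data the slides say not to store."""
    findings = {}
    for field, value in record.items():
        text = str(value)
        hits = []
        if find_ssns(text):
            hits.append("ssn")
        if find_cards(text):
            hits.append("pan")
        if hits:
            findings[field] = hits
    # CVV2 and expiry date must never be stored, whatever they contain.
    for field in ("cvv2", "exp_date"):
        if record.get(field):
            findings[field] = ["must-not-store"]
    return findings


def make_receipt_line(record: dict) -> str:
    """Receipt text with a masked card number and no CVV2 or expiry date."""
    cards = find_cards(str(record.get("card", "")))
    pan = mask_pan(cards[0]) if cards else "n/a"
    return f"{record['name']} paid ${record['amount']:.2f} with card {pan}"


# Constructed sample records, as they might appear in a spreadsheet export.
# The card number is the standard Visa test number, not a real account.
SAMPLE_RECORDS = [
    {"name": "A. Volunteer", "member_id": "123-45-6789",
     "card": "4111 1111 1111 1111", "cvv2": "123", "exp_date": "10/09",
     "amount": 25.00},
    {"name": "B. Gardener", "member_id": "MG-2009-0042",
     "card": "", "cvv2": "", "exp_date": "", "amount": 10.00},
]

if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print(rec["name"], scan_record(rec))
        print("  receipt:", make_receipt_line(rec))
```

The first sample record trips every rule on the two slides (an SSN used as a member identifier, a full card number, a stored CVV2 and expiry date); the second, which uses a program-issued identifier and stores no card data, is clean. Running the scan over an exported file before it is filed is a cheap way to catch the "do not store" cases the slides list.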
More Safeguards
• Non-disclosure (suppression)
  – Farmers/Ranchers
  – Parents
  – Children
  – Requests for lists of members
• Health questionnaires (4-H)
• Date of Birth combined with name
• Information posted to Web sites
Use & Disposal of Protected Data
• Encrypt or password protect on electronic devices
• Back up regularly
• Allow only those who have a need to know access to data
• Use only where necessary
• Dispose of properly
Personnel & Volunteer Files
• Stored in locked cabinet not in public area
• If request is made to view personnel file
  – Dean and General Counsel to approve request
  – Log request, date, time
  – Viewer must sign log form
  – Only allow what is considered public information to be viewed
• Purge according to data retention policies
  – Shred with cross cut shredder, burn, or use a document destruction service
Suspected Data Breach
• For computer related security issues contact your supervisor
• Document reasons you suspect breach of data
• Do not move, touch, alter equipment or anything related to the breach
• Do not attempt to do your own investigation
NDSU network services
• E-mail accounts
  – Alias
  – Shared
• E-mail box space
• Changing electronic ID
• Non-employee accounts
• Affiliate vs. Guest accounts
Alias E-mail Account
[Diagram: Sender → Alias → Recipient, Recipient, Recipient]
• E-mail message automatically dropped into multiple users' e-mail boxes
• Does not require password
• Owner responsible for removing and adding users
Shared E-mail Account
[Diagram: Sender → Shared → Recipient, Recipient, Recipient]
• Requires use of Webmail
• Requires shared password
• Owner required to change password when users leave or are added to group
Electronic ID
• Official format = FirstName.LastName
• Full-time employees and students can change EID at http://enroll.nodak.edu
• Non-employees/students must request change
• Change subject to previous ownership of “name space.”
• Name change due to marriage/divorce – must go through HR with proper documentation
• Employees have 500 MB e-mail box. Request to increase must be sent through Helpdesk.
Affiliate vs. Guest Accounts
• Services available: desktop_auth, Blackboard, Library, Wireless
• Must be “sponsored” by department
• Affiliate accounts for periods longer than one week
• Guest accounts for periods less than one week
• E-mail requires completion of Non-employee ID form