Information Security Training for Budget Officers
2015 | Computer Services – Information Security
Goals of This Training
• Update staff on current security threats to information and funds.
• Promote awareness of the Information Security issues that affect staff.
• Make staff aware of the Information Security Policy and how it affects our work.
What Are the Consequences of Security Breaches?
• Risk to the security and integrity of personal or confidential information.
• Loss of employee and public trust, resulting in embarrassment and bad publicity.
• Costly reporting requirements if sensitive information is compromised.
• Security breaches hurt our students and colleagues.
Phishing
“Phishing” is an attack that uses email or malicious websites to solicit personal information, often financial. It typically takes the form of an email that appears to come from a reputable credit card company or financial institution, requests account information, and often suggests that there is a problem with the account.
• Be suspicious! Never automatically assume an email is legitimate, even if it appears to come from MSU.
• Do not reveal personal or financial information over email. Reputable companies will never ask you for this information via email.
• Pay attention to the URL of a web site. Look for a variation of the real name or a different domain (.com vs .net).
• Type URLs in manually.
Example of a phishing email:

Glen,
I have assigned you to manage file T521. This is a strictly confidential financial operation, to which takes priority over other tasks. Have you already been contacted by Steven Shapiro (attorney from KPMG)? This is very sensitive, so please only communicate with me through this email, in order for us not to infringe SEC regulations. Please do no speak with anyone by email or phone regarding this.
Regards,
Gean Stalcup.
Protect Your Passwords
• Do not share your password.
• Avoid common words: hackers use programs that can try every word in the dictionary.
• Change passwords regularly (at least every 120 days).
• Do not reuse the same password for more than one account.
Passwords
Weak:
• Ilovemypiano
• Ihateliverandonions
Strong:
• ILov3MyPi@no
• 1Hat3liver@Onions!
Try a passphrase: take a memorable sentence and keep the first two letters of each word, writing number words as digits and keeping the punctuation:
• Four score and seven years ago, our forefathers…
• 4scan7yeag,oufo
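As an added illustration (not part of the original slides), the following Python reconstructs the derivation rule behind the passphrase example above and reports which character classes a password mixes, which is what separates the slide's weak examples from its strong ones. The `letters_per_word` parameter, which generalises the slide's two-letter rule, and the `NUMBER_WORDS` table are assumptions of this example.

```python
import re
import string

# Number words the rule turns into digits (constructed mapping for this example).
NUMBER_WORDS = {
    "zero": "0", "one": "1", "two": "2", "three": "3", "four": "4",
    "five": "5", "six": "6", "seven": "7", "eight": "8", "nine": "9",
}


def passphrase_to_password(phrase: str, letters_per_word: int = 2) -> str:
    """Compress a memorable phrase the way the slide's example does:
    number words become digits, every other word contributes its first
    `letters_per_word` letters in lowercase, and ASCII punctuation attached
    to a word is kept in place as an extra character class. Other symbols
    (e.g. a trailing ellipsis marking that the phrase continues) are dropped.
    """
    # Split into alphabetic words and runs of non-letter, non-space characters.
    tokens = re.findall(r"[A-Za-z]+|[^\sA-Za-z]+", phrase)
    parts = []
    for tok in tokens:
        if tok.isalpha():
            digits = NUMBER_WORDS.get(tok.lower())
            parts.append(digits if digits else tok[:letters_per_word].lower())
        elif all(c in string.punctuation for c in tok):
            parts.append(tok)
    return "".join(parts)


def character_classes(password: str) -> set:
    """Report which character classes a password mixes. The slide's strong
    examples use all four; its weak examples are plain dictionary words."""
    classes = set()
    for c in password:
        if c.islower():
            classes.add("lower")
        elif c.isupper():
            classes.add("upper")
        elif c.isdigit():
            classes.add("digit")
        elif c in string.punctuation:
            classes.add("punctuation")
    return classes


if __name__ == "__main__":
    phrase = "Four score and seven years ago, our forefathers…"  # slide's example
    pw = passphrase_to_password(phrase)
    print(pw, sorted(character_classes(pw)))  # 4scan7yeag,oufo
```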
Keep a Clean Machine!
The best defense against malware is to keep your computer current with the latest software updates, especially anti-virus software.
To verify that the Windows updates on your computer are current, click the Start button, click All Programs, and then click Windows Update.
Using USB Drives Safely
• Use an encrypted USB drive when storing private or restricted data.
• Remember to remove the drive from your computer before walking away; tethering the USB drive to a lanyard or keychain helps keep it visible at all times.
Other Mobile Devices
• Apply all the security practices on your laptop that you would on your desktop.
• Encrypt your laptop.
• If it is essential to link your university email to your phone or tablet, always use a passcode.
• Always be aware of the apps on your mobile devices; they can provide a point of vulnerability if not monitored.
Physical Safeguards
• Store paper records in a locked room, cabinet, or other container.
• Use password-activated screensavers.
• Ensure that storage areas are protected against destruction or damage from physical hazards, such as fire and floods.
• Dispose of customer information appropriately.
• Dispose of hard drives in a safe manner; we can do this for you!
Technical Safeguards
• Avoid transmitting sensitive data by email.
• If you must transmit sensitive data, use Voltage, the email encryption service provided by the university.
• Erase all data when disposing of computers, hard drives, or any other electronic media that contains customer information.
• Promptly dispose of outdated customer information.
• Store electronic customer information on a secure server provided by Computer Services.
Op12.07-14 Information Security Data Classification
• Data classification, in the context of information security, is the classification of data based on its level of sensitivity and the impact to the University should that data be disclosed, altered, or destroyed without authorization.
• Classification helps determine what baseline security controls are appropriate for safeguarding that data.
• There are three data classifications: Restricted data, Private data, and Public data.
Op12.07-14 Restricted Data
Definition
• Data should be classified as Restricted when the unauthorized disclosure, alteration, or destruction of that data could cause a significant level of risk to the University or its affiliates.
• The highest level of security controls should be applied to Restricted data.
Examples
• Social Security Numbers
• Personnel records
• Credit card numbers
• Medical records
• BearPass Login with password
• Academic records (grades, transcripts, etc.)
Op12.07-14 Private Data
Definition
• Data should be classified as Private when the unauthorized disclosure, alteration, or destruction of that data could result in a moderate level of risk.
• This is the “default” category.
• Acquisition or distribution of Private data by or between University agents or employees for legitimate purposes is allowed.
Examples
• Budget Information
• BearPass Number
• Documentation
• Research not yet completed or published
• Vendor documentation
• Contracts
Op12.07-14 Public Data
Definition
• Data should be classified as Public when the unauthorized disclosure, alteration, or destruction of that data would result in little or no risk.
• Some level of control is required to prevent unauthorized modification or destruction.
Examples
• Directory information
• Email addresses (directory)
• Course catalog information
• Data often found on the university website
Op12.07-3 Information Management
Information that is Private or Restricted:
• Should not be transmitted to recipients external to the MSU network unless approved by the Records Custodian.
• Should not be posted to cloud services such as Dropbox or Google Drive.
• Should not be carried on mobile electronic devices unless the data is encrypted.
In Summary…
• Remember: information security starts with you!
• Keep a clean machine.
• Never assume; prove to yourself that sensitive links and phone calls are legitimate.
• Don’t save sensitive university information to portable devices.
• Learn more on the Information Security website and blog at http://cio.missouristate.edu/ISO/