Information Security Training – Budget Officers
2015 | Computer Services – Information Security

Goals of This Training
• Update staff on security threats to information and funds.
• Promote awareness of Information Security issues that affect staff.
• Make staff aware of the Information Security Policy and how it affects our work.

What Are the Consequences of Security Breaches?
• Risk to the security and integrity of personal or confidential information.
• Loss of employee and public trust, resulting in embarrassment and bad publicity.
• Costly reporting requirements in case of compromise of sensitive information.
• Security breaches hurt our students and colleagues.

Phishing
“Phishing” is an attack on your computer that uses email or malicious websites to solicit personal information – often financial. It typically takes the form of an email seemingly from a reputable credit card company or financial institution that requests account information and often suggests that there is a problem with the account.
• Be suspicious! Never automatically assume an email is legitimate – even if it appears to come from MSU!
• Do not reveal personal or financial information over email. Reputable companies will never ask you for this information via email.
• Pay attention to the URL of a web site. Look for a variation of the real name or a different domain (.com vs .net).
• Type URLs in manually.

Sample phishing email (as shown on the slide):
Glen, I have assigned you to manage file T521. This is a strictly confidential financial operation, to which takes priority over other tasks. Have you already been contacted by Steven Shapiro (attorney from KPMG)? This is very sensitive, so please only communicate with me through this email, in order for us not to infringe SEC regulations. Please do no speak with anyone by email or phone regarding this. Regards, Gean Stalcup.
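The phishing slide's advice to "pay attention to the URL" and look for a variation of the real name or a different domain can be turned into a simple check that users or a help desk can run on a suspicious link. The following is an added example, not part of the original training deck; it assumes a short list of trusted domains (only missouristate.edu, taken from the page's own link) and uses constructed sample URLs. The registrable-domain logic is deliberately naive (last two labels) and stands in for a public-suffix-list lookup in real tooling.

```python
from urllib.parse import urlparse

# Domains the reader treats as legitimate. "missouristate.edu" comes from the
# page's own link; an organisation would substitute its real list here.
TRUSTED_DOMAINS = ["missouristate.edu"]


def _levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (standard dynamic-programming form)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, start=1):
        cur = [i]
        for j, cb in enumerate(b, start=1):
            cur.append(min(prev[j] + 1,                 # deletion
                           cur[j - 1] + 1,              # insertion
                           prev[j - 1] + (ca != cb)))   # substitution
        prev = cur
    return prev[-1]


def host_of(url: str) -> str:
    """Return the lower-cased host name of a URL, or '' if there is none.

    urlparse only recognises the host when a scheme is present, so a bare
    'missouristate.com/login' is prefixed with http:// first.
    """
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower().rstrip(".")


def classify_url(url: str, trusted=TRUSTED_DOMAINS) -> str:
    """Classify a URL as 'trusted', 'lookalike' or 'unknown'.

    'lookalike' is the case the slide warns about: the trusted name reused
    with a different top-level domain (.com vs .edu), buried inside a longer
    host name, or misspelled by a character or two.
    """
    host = host_of(url)
    if not host:
        return "unknown"
    for dom in trusted:
        if host == dom or host.endswith("." + dom):
            return "trusted"
    # Naive registrable domain: the last two labels of the host name.
    labels = host.split(".")
    reg_name, _, reg_tld = ".".join(labels[-2:]).rpartition(".")
    for dom in trusted:
        name, _, tld = dom.rpartition(".")
        if reg_name == name and reg_tld != tld:
            return "lookalike"          # same name, different domain
        if name in host:
            return "lookalike"          # trusted name inside another host
        if _levenshtein(reg_name, name) <= 2:
            return "lookalike"          # typo variant of the trusted name
    return "unknown"


if __name__ == "__main__":
    # Constructed sample links, not taken from any real phishing message.
    for sample in ["https://cio.missouristate.edu/ISO/",
                   "http://missouristate.com/login",
                   "http://secure-missouristate.edu.example.net/verify",
                   "http://missouristat.edu",
                   "https://www.python.org/"]:
        print(f"{classify_url(sample):10s} {sample}")
```

A "lookalike" verdict is a reason to stop and type the real address in manually, as the slide recommends; an "unknown" verdict only means the host is not on the trusted list, not that it is safe.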
Protect Your Passwords
• Do not share your password.
• Avoid common words: hackers use programs that can try every word in the dictionary.
• Change passwords regularly (at minimum every 120 days).
• Do not use the same password more than once.

Passwords
Weak:
• Ilovemypiano
• Ihateliverandonions
Strong:
• ILov3MyPi@no
• 1Hat3liver@Onions!
Try a passphrase:
• Four score and seven years ago, our forefathers…
• 4scan7yeag,oufo

Keep a Clean Machine!
The absolute best defense against malware is to make sure your computer stays current on the latest software and updates, especially anti-virus software. To verify that the Windows updates on your computer are current, click the Start button, click All Programs, and then click Windows Updates.

Using USB Drives Safely
• Use an encrypted USB drive when storing private or restricted data.
• Remember to remove the drive from your computer before walking away – tethering the USB drive to a lanyard or keychain helps keep it visible at all times.

Other Mobile Devices
• Employ all the security practices on your laptop that you would on your desktop.
• Encrypt your laptop.
• If it is essential that you link your university email to your phone or tablet, always use a passcode.
• Always be aware of the apps on your mobile devices – they can provide a point of vulnerability if not monitored.

Physical Safeguards
• Store paper records in a locked room, cabinet, or other container.
• Use password-activated screensavers.
• Ensure that storage areas are protected against destruction or potential damage from physical hazards, such as fire and floods.
• Dispose of customer information appropriately.
• Dispose of hard drives in a safe manner – we can do this for you!
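The Protect Your Passwords and Passwords slides above contrast dictionary-word passwords with mixed-character ones and passphrase-derived strings. The following added example (not part of the original deck) shows the kind of check a password policy can apply: it segments the candidate against a word list to detect the "every word in the dictionary" case and counts character classes. The length threshold of 12, the three-of-four class rule and the tiny word list are assumptions for illustration; the page states no numeric requirements beyond the 120-day change interval.

```python
# Tiny constructed word list standing in for the dictionary a cracking tool
# would use; the real thing holds hundreds of thousands of entries.
COMMON_WORDS = {"i", "love", "my", "piano", "hate", "liver", "and", "onions",
                "password", "four", "score", "seven", "years", "ago", "our"}

MIN_LENGTH = 12     # assumed threshold; the slides name no minimum length
MIN_CLASSES = 3     # assumed: at least 3 of upper, lower, digit, symbol


def is_word_concatenation(text: str, words=COMMON_WORDS) -> bool:
    """True if text (case-insensitive) splits entirely into dictionary words.

    Dynamic programming over prefix positions: reachable[i] means text[:i]
    segments cleanly. 'Ilovemypiano' -> i/love/my/piano -> True, while
    'ILov3MyPi@no' cannot be segmented because '3' and '@' belong to no word.
    """
    text = text.lower()
    reachable = [True] + [False] * len(text)
    for end in range(1, len(text) + 1):
        for start in range(end):
            if reachable[start] and text[start:end] in words:
                reachable[end] = True
                break
    return reachable[len(text)]


def character_classes(pw: str) -> int:
    """Count how many of the four character classes the password uses."""
    checks = (any(c.isupper() for c in pw),
              any(c.islower() for c in pw),
              any(c.isdigit() for c in pw),
              any(not c.isalnum() for c in pw))
    return sum(checks)


def assess_password(pw: str) -> dict:
    """Return {'rating': 'weak' | 'strong', 'reasons': [...]} for a candidate."""
    reasons = []
    if len(pw) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if character_classes(pw) < MIN_CLASSES:
        reasons.append(f"uses fewer than {MIN_CLASSES} character classes")
    if is_word_concatenation(pw):
        reasons.append("made only of dictionary words")
    return {"rating": "weak" if reasons else "strong", "reasons": reasons}


if __name__ == "__main__":
    # The five candidates are the ones the slides list as weak, strong and passphrase.
    for candidate in ["Ilovemypiano", "Ihateliverandonions",
                      "ILov3MyPi@no", "1Hat3liver@Onions!", "4scan7yeag,oufo"]:
        verdict = assess_password(candidate)
        print(f"{candidate:22s} {verdict['rating']:6s} {', '.join(verdict['reasons'])}")
```

The two "weak" slide examples fail on both counts (two character classes and a clean dictionary segmentation), while the "strong" examples and the passphrase-derived string pass. The segmentation does not normalise substitutions such as 3 for e or @ for a, which cracking tools do try, so treat a pass here as a floor rather than proof of strength.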
Technical Safeguards
• Avoid transmitting sensitive data by email.
• If you need to transmit sensitive data, use Voltage, the email encryption service provided by the university.
• Erase all data when disposing of computers, hard drives, or any other electronic media that contains customer information.
• Promptly dispose of outdated customer information.
• Store electronic customer information on a secure server provided by Computer Services.

Op.12.07-14 Information Security Data Classification
• Data classification, in the context of information security, is the classification of data based on its level of sensitivity and the impact to the University should that data be disclosed, altered, or destroyed without authorization.
• Classification helps determine what baseline security controls are appropriate for safeguarding that data.
• There are three data classifications: Restricted data, Private data, and Public data.

Op12.07-14 Restricted Data
Definition:
• Data should be classified as Restricted when the unauthorized disclosure, alteration, or destruction of that data could cause a significant level of risk to the University or its affiliates.
• The highest level of security controls should be applied to Restricted data.
Examples:
• Social Security Numbers
• Personnel records
• Credit card numbers
• Medical records
• BearPass Login with password
• Academic records (grades, transcripts, etc.)

Op12.07-14 Private Data
Definition:
• Data should be classified as Private when the unauthorized disclosure, alteration, or destruction of that data could result in a moderate level of risk.
• This is the “default” category.
• Acquisition or distribution of Private data by or between University agents or employees for legitimate purposes is allowed.
Examples:
• Budget Information
• BearPass Number
• Documentation
• Research not yet completed or published
• Vendor documentation
• Contracts

Op12.07-14 Public Data
Definition:
• Data should be classified as Public when the unauthorized disclosure, alteration, or destruction of that data would result in little or no risk.
• Some level of control is still required to prevent unauthorized modification or destruction.
Examples:
• Directory information
• Email addresses (directory)
• Course catalog information
• Data often found on the university website

Op.12.07-3 Information Management
Information that is Private or Restricted:
• Should not be transmitted to recipients external to the MSU network unless approved by the Records Custodian.
• Should not be posted to cloud services like Dropbox or Google Drive.
• Should not be carried on mobile electronic devices unless the data is encrypted.

In Summary…
• Remember – information security starts with you!
• Keep a clean machine.
• Never assume – prove to yourself that sensitive links and phone calls are legitimate.
• Don’t save sensitive university information to portable devices.
• Learn more on the Information Security website and blog at http://cio.missouristate.edu/ISO/