COMPUTER SECURITY GUIDE FOR FACULTY West Chester University Summer 2009
COMPUTER SECURITY
GUIDE FOR FACULTY
West Chester University
Summer 2009
TOPICS
• Confidentiality
To return to this screen (#2) at any time, type 2 and press Enter!
How to apply for an account
• Go to WCUPA Homepage (
Information
Resources > Information Services > Account
Applications
) or use the following url: http://www.wcupa.edu/infoservices/noc/ap plications/
• Forms should be completed, approved and returned to: Information Security,
Allegheny Hall, Room
– University Systems Personal Account Application
– WCU Confidentiality Statement
OF COURSE, YOU WILL
• Be aware of the computer security policies and practices already in place on your campus
– ( http://www.wcupa.edu/infoservices/is_policies_and_procedures.asp
)
• Remember – access to computers and university data is a privilege
• Follow the general guidelines common to
– Faculty
– Staff
– Students
K
eep
I
t
C
onfidential
Data Confidentiality
• What data is considered confidential?
– Data Classification
• Sensitive
– Contractual obligation to protect
– Right to Know
• Public
– Campus maps
– Restricted
• Required by law
– HIPAA
– FERPA
05/15/2009 6
Data Confidentiality
• Remember the 3R’s
– Roles
– Rules
– Responsibility
05/15/2009 7
Roles
• System Administrator/Technical
• Management
• Faculty
• Student
• Staff
05/15/2009 8
Rules
• PASSHE Policy
• Employment Contract
• Confidentiality Policy
• Risk Assessment
05/15/2009 9
• Everyone
Responsibility
05/15/2009 10
Responsibility
• Individual accountability
• Faculty
– Responsible for confidential data to which they have access
• Bio/Demo data (including DOB and SSN)
• Student Grades and historical data
• Students
– Responsible for managing their own confidential data
• Log out of session
• Do not share passwords
• Staff
– Responsible for confidential data to which they have access
• Bio/Demo data (including DOB and SSN)
• Student Grades and historical data
• Salary Information
05/15/2009 11
User Security Awareness
• Know the policies regarding:
– Password use and management
– Virus protection
– Phishing/Spam
– Laptop/Handheld Device
– Access privileges
– Data backup and storage
– Incident response
• Security Breaches
– Follow designated policies and procedures
05/15/2009 12
Misuse Penalties
• Civil and Criminal
• Conflict of Interest
• Disciplinary Action
05/15/2009 13
Checklist
Data submissions are fully protected
Data encryption
Data transfer agreement
Employees sign and understand confidentiality agreement
Notation on all records containing identifiable data (e.g. confidentiality reminder)
Secure transport from one location to another
05/15/2009 14
Checklist
Open-access area security
Written data not left out in the open
Log out of sessions
Fax/Copy machines
Secure area
Cover sheets
De-program to recover confidential information
Protection of hard copy information
Written consent to release to outside agencies
Double check before providing information
05/15/2009 15
PROTECT IDENTITY and ID
NUMBERS!
READ ON…
CLASS GRADES
NEVER …
Email or post grades on a website for the entire class to be viewed by the entire class!
ID
0123456
0789789
0232323
0345345
HOMEWORK
90
85
95
75
MIDTERM
88
86
92
84
ALWAYS …
Use a Course
Management System to post grades – so that each student can only view his/her grades and
ID numbers
FINAL
93
91
93
78
TOTAL
90
87
93
79
GRADE
A-
B+
A
C+
If Name is Hidden, Who Cares?
• Lists are normally in alphabetic order by name
• When attendance is called in class, students get used to this order
• Students will NOT remember the entire class list by name, but they can remember the numerical position of a particular student
• Several students at the top of the list are particularly vulnerable
INCLUDE ID IN EMAIL?
OK If Secure University Webmail
NOTE: http s in the URL (Web Address)
OK If Secure On-Campus Outlook
Requires Authentication Login On Campus
NOT OK If Insecure “Home” Email
NOTE: no s after http in the URL (Web Address)
Avoid Email If Possible
• Use university email addresses for students when email is needed
• Avoid email altogether whenever possible
– Use Classroom management systems, such as
• Blackboard
• my it lab
– Use Digital Dropbox/gradebook links for assignments
PASSWORDS
• Don’t use the same passwords for http accounts as for http s accounts
• Use different passwords for home and university accounts
• Since some university accounts require periodic password changes, cycle through a list that you can remember
• Go to http://www.wcupa.edu/infoservices/is-g-1-3.asp
for
WCUPA minimum standards for User IDs and
Passwords
Secure Documents
• Secure pdf files electronically distributed
– To assure fair use of copyrighted materials
• Secure file to prohibit altering, copying, printing
• Secure web pages received from students
– Use secure web browser, such as Firefox
– Use No-Script option, which warns of scripts
• Script could be malicious, but can unblock
Where to Go for Help?
• Campus Help Desk
• Websites
– www.wcupa.edu/sact
– http://www.getsafeonline.org/
– http://www.computerworld.com/securitytopics/security
• National Centers of Academic Excellence in Information
Assurance Education (an NSA designation) with the
PASSHE system
– East Stroudsburg University
– Indiana University of Pennsylvania
– West Chester University
• Books
– Is It Safe?, Michael Miller
– Blown to Bits , Abelson, Ledeen, & Lewis
