COMPUTER SECURITY GUIDE FOR FACULTY West Chester University Summer 2009

advertisement

COMPUTER SECURITY

GUIDE FOR FACULTY

West Chester University

Summer 2009

TOPICS

• User Account Request

• Policies on Campus

• Confidentiality

• Protecting Identity

• Passwords

• Secure Documents

• Finding Help

To return to this screen (#2) at any time, type 2 and press Enter!

How to apply for an account

• Go to WCUPA Homepage (

Information

Resources > Information Services > Account

Applications

) or use the following url: http://www.wcupa.edu/infoservices/noc/ap plications/

• Forms should be completed, approved and returned to: Information Security,

Allegheny Hall, Room

– University Systems Personal Account Application

– WCU Confidentiality Statement

OF COURSE, YOU WILL

• Be aware of the computer security policies and practices already in place on your campus

– ( http://www.wcupa.edu/infoservices/is_policies_and_procedures.asp

)

• Remember – access to computers and university data is a privilege

• Follow the general guidelines common to

– Faculty

– Staff

– Students

K

eep

I

t

C

onfidential

Data Confidentiality

• What data is considered confidential?

– Data Classification

• Sensitive

– Contractual obligation to protect

– Right to Know

• Public

– Campus maps

– Restricted

• Required by law

– HIPAA

– FERPA

05/15/2009 6

Data Confidentiality

• Remember the 3R’s

– Roles

– Rules

– Responsibility

05/15/2009 7

Roles

• System Administrator/Technical

• Management

• Faculty

• Student

• Staff

05/15/2009 8

Rules

• PASSHE Policy

• Employment Contract

• Confidentiality Policy

• Risk Assessment

05/15/2009 9

• Everyone

Responsibility

05/15/2009 10

Responsibility

• Individual accountability

• Faculty

– Responsible for confidential data to which they have access

• Bio/Demo data (including DOB and SSN)

• Student Grades and historical data

• Students

– Responsible for managing their own confidential data

• Log out of session

• Do not share passwords

• Staff

– Responsible for confidential data to which they have access

• Bio/Demo data (including DOB and SSN)

• Student Grades and historical data

• Salary Information

05/15/2009 11

User Security Awareness

• Know the policies regarding:

– Password use and management

– Virus protection

– Phishing/Spam

– Laptop/Handheld Device

– Access privileges

– Data backup and storage

– Incident response

• Security Breaches

– Follow designated policies and procedures

05/15/2009 12

Misuse Penalties

• Civil and Criminal

• Conflict of Interest

• Disciplinary Action

05/15/2009 13

Checklist

 Data submissions are fully protected

 Data encryption

 Data transfer agreement

 Employees sign and understand confidentiality agreement

 Notation on all records containing identifiable data (e.g. confidentiality reminder)

 Secure transport from one location to another

05/15/2009 14

Checklist

 Open-access area security

 Written data not left out in the open

 Log out of sessions

 Fax/Copy machines

 Secure area

 Cover sheets

 De-program to recover confidential information

 Protection of hard copy information

 Written consent to release to outside agencies

 Double check before providing information

05/15/2009 15

PROTECT IDENTITY and ID

NUMBERS!

READ ON…

CLASS GRADES

NEVER …

Email or post grades on a website for the entire class to be viewed by the entire class!

ID

0123456

0789789

0232323

0345345

HOMEWORK

90

85

95

75

MIDTERM

88

86

92

84

ALWAYS …

Use a Course

Management System to post grades – so that each student can only view his/her grades and

ID numbers

FINAL

93

91

93

78

TOTAL

90

87

93

79

GRADE

A-

B+

A

C+

If Name is Hidden, Who Cares?

• Lists are normally in alphabetic order by name

• When attendance is called in class, students get used to this order

• Students will NOT remember the entire class list by name, but they can remember the numerical position of a particular student

• Several students at the top of the list are particularly vulnerable

INCLUDE ID IN EMAIL?

OK If Secure University Webmail

NOTE: http s in the URL (Web Address)

OK If Secure On-Campus Outlook

Requires Authentication Login On Campus

NOT OK If Insecure “Home” Email

NOTE: no s after http in the URL (Web Address)

Avoid Email If Possible

• Use university email addresses for students when email is needed

• Avoid email altogether whenever possible

– Use Classroom management systems, such as

• Blackboard

• my it lab

– Use Digital Dropbox/gradebook links for assignments

PASSWORDS

• Don’t use the same passwords for http accounts as for http s accounts

• Use different passwords for home and university accounts

• Since some university accounts require periodic password changes, cycle through a list that you can remember

• Go to http://www.wcupa.edu/infoservices/is-g-1-3.asp

for

WCUPA minimum standards for User IDs and

Passwords

Secure Documents

• Secure pdf files electronically distributed

– To assure fair use of copyrighted materials

• Secure file to prohibit altering, copying, printing

• Secure web pages received from students

– Use secure web browser, such as Firefox

– Use No-Script option, which warns of scripts

• Script could be malicious, but can unblock

Where to Go for Help?

• Campus Help Desk

• Websites

– www.wcupa.edu/sact

– http://www.getsafeonline.org/

– http://www.computerworld.com/securitytopics/security

• National Centers of Academic Excellence in Information

Assurance Education (an NSA designation) with the

PASSHE system

– East Stroudsburg University

– Indiana University of Pennsylvania

– West Chester University

• Books

– Is It Safe?, Michael Miller

– Blown to Bits , Abelson, Ledeen, & Lewis

Download