Security Awareness
Protecting Sensitive Information
Objectives
• What types of confidential data should you watch for?
• What areas of compliance do you need to know about?
• How can data be compromised?
• What can you do to protect confidential data?
• Awareness of University Policies #97 and #95
2
What’s so important?
Universities hold massive quantities of
confidential data and are traditionally seen
as easy targets for data theft
We must understand the types of data that
we hold and related business processes
3
Confidential Data
Credit/Debit Card #s
Social Security Numbers (SSN)
PINs
Passport Numbers
Bank Account #s
Drivers License Numbers
Personally Health Information
Student Education Records
Proprietary Research Data
Confidential/Privileged Legal Data
Personnel Records
4
University Policy #97
Data Security and Stewardship
To protect the security and integrity of the
University’s data
Applies to all data (paper and electronic
records)
Addresses access to and disclosure of data
University Policy #97
Data Security and Stewardship (cont.)
RESPONSIBILITIES
Members of the Executive Council
(Chancellor, Vice Chancellors, Athletic
Director, and Legal Counsel) are the
designated Data Stewards who are
ultimately responsible for ensuring the
appropriate handling of University data
University Policy #97
Data Security and Stewardship (cont.)
RESPONSIBILITIES
Department Managers are responsible for ensuring that
employees comply with all University policies on data
security, as well as Information Technology and the Office of
Institutional Research and Planning requirements
All University employees are responsible for complying
with University policies on data security
University Policy #97
Data Security and Stewardship (cont.)
DATA CLASSIFICATIONS
Confidential – limited access to and limited disclosure
of data
Third Party Confidential – limited access to and
limited disclosure of data (usually by contract with
non-disclosure agreement)
Internal – limited access
Public – unlimited access and disclosure
University Policy #95
Data Network Security and Access Control
The Information Technology (IT) Division’s Networking
& Communications department has the
responsibility for the design, maintenance and
security of the university’s data network.
To insure the integrity of the network the following
items must complied with.
9
University Policy #95
Data Network Security and Access Control
1. No device may be added to the network which does not conform to the approved
list of devices, maintained and published by the IT Division, without prior approval
of Networking & Communications. Rogue network devices will be automatically
and immediately disabled upon detection.
2. No individual or office may connect a device to the campus data network that
provides unauthorized users access to the network or provides unauthorized IP
addresses for users.
3. Networking & Communications has the right to quickly limit network capacity to, or
disable, network connections that are overwhelming available network bandwidth
to the detriment of the university.
4. Access to networking equipment in wiring closets, etc. is limited to the Networking
& Communications staff or their designees.
5. No consideration of changing the architecture of any part of the data network may
be undertaken without the early and regular involvement of Networking &
Communication Services.
10
University Policy #95
Data Network Security and Access Control
The “Access Control Procedures Checklist” is accessible at the
following link or you may copy and paste the web address.
Policy 95 – Data Network Security and Access Control
http://www.wcu.edu/about-wcu/leadership/office-of-the-chancellor/university-policies/numericalindex/university-policy-95.asp
All persons with access to the university network must sign a Confidentiality
Agreement that is maintained in their personnel records for employees or by the
requesting department for non-employees. Employee supervisors are responsible
for having employees sign the agreement, and requesting departments are
responsible for non-employee compliance with the requirement.
11
Compliance
Universities are required to comply with federal & state laws and
regulations regarding the way they use, transmit & store sensitive
information, and to meet payment card industry contractual
obligations
HIPAA – Health Insurance Portability and Accountability Act (health data)
GBLA – Gramm Leach Bliley Act (financial data)
FERPA – Family Educational Rights & Privacy Act (education records)
NC Identity Theft Protection Act (personal data, especially SSN)
PCI Data Security Standards (MasterCard and Visa)
12
NC Identity Theft Protection Act
The state’s Identity Theft Protection Act (ITPA) is designed to
protect individuals from identity theft by mandating that
businesses and government agencies take steps to
safeguard Social Security numbers and other personal
information
13
NC Identity Theft Protection Act (cont.)
• State agencies must secure personal identifiers
• Encrypt or secure the transmission of SSN
• Do not collect SSN unless “imperative”
• State agencies must report annually to the General
Assembly on security efforts
• State agencies must notify affected persons when there
is a security breach, and sometimes law enforcement
agencies and the Attorney General
14
Identity Theft
More then 10 million ID theft victims nationally per year –
the equivalent of 19 people per minute
Has surpassed drug trafficking as #1 crime in the nation.
In NC alone, the number of reported identity theft crimes
have more then tripled over a 4 year period.
15
How is Information Stolen?
Phishing
Lost/stolen computing devices
Malware
Social engineering
Hacking
Lost/stolen paper records
Unauthorized physical access to computing devices
16
Phishing
The practice of acquiring personal information
on the Internet by masquerading as a
trustworthy business
17
18
Malware
Usually installed onto a computer by downloading other
programs such as screensavers, games, and “free”
software
Trojans – malicious programs disguised or embedded within
legitimate software
19
Malware can:
• Capture and send sensitive information from your workstation to the
hacker
• Download other malware
• Crash your workstation
• Be used to perform attacks from inside WCU’s network
20
Hacking
Unauthorized and/or illegal computer trespass executed
remotely via some form of communication network
(e.g., the Internet, LAN or dial-up network)
21
Unauthorized Physical Access to
Computing Devices
Unsecured work stations, offices, desks, files
Unattended computing devices
22
Lost/Stolen Computing Devices
Laptops
PCs
PDAs
Smart phones
BlackBerry
Removable Memory Devices
Thumb Drives
Flash Cards
23
Which Way Did It Go?
Cab drivers in one major city reported that;
4,973 laptops, 5,939 PDAs, and 63,135
mobile phones were left in cabs over a 6
month period.
24
Social Engineering
A hacker’s favorite tool—the ability to extract
information from computer users without having
to touch a computer.
Tricking people to give out information is known as
“social engineering” and is one of the greatest
threats to data security.
25
Social Engineering (cont.)
Social engineers prey on some basic human
tendencies….
The desire to be HELPFUL
The tendency to TRUST people
The FEAR of getting into trouble
26
Social Engineering (cont.)
Despite security controls, a university is vulnerable to
an attack if an employee unwittingly gives away
confidential data via email,
by answering questions over the phone with
someone they don't know,
or by failing to ask the right questions
27
Examine Your Business Processes
WHAT – data type
WHO – has access to the data
WHERE – data originates, resides, goes
HOW – data gets where it’s going
28
What to do with Confidential Data
If you don’t need it for business purposes,
don’t collect it
If you do need to collect it, maintain it
securely
If you need to share it, transmit it securely
29
Data Security Tips
Confidential data should never be located on a web server
Use a secure WCU server (H: drive) to store confidential data - do
not maintain data on local disk (C: drive)
Do not create, maintain “shadow data” (duplicate data) – if you
must maintain it, keep it on the H: drive
Encrypt confidential data whenever possible
Redact confidential data whenever possible (e.g., the last four
digits of SSNs, partial credit card numbers)
30
Data Security (cont.)
Be careful to whom you give sensitive information.
Ask yourself some questions:
Do you know who they are?
Do they have a need to know?
Do they have the proper authorization?
31
Password Security
Never give your password to anyone
Don’t use the same password on multiple systems
Use a strong password (i.e., 12 alpha, changed case,
numeric characters) on all your computer systems
and change them regularly
Avoid using the “auto complete” option to remember
your password
Avoid storing passwords (e.g., "check box to
remember this password”)
32
Securing Your Workstation
Log off or lock your workstation when you
leave (CTRL-ALT-DEL)
Use a screensaver with a password enabled
Turn your computer off when you go home
33
Steer Clear of Malware
Avoid using Instant Messaging and Chat software
Avoid using Peer to Peer file sharing software
Don’t download or install unauthorized programs
Keep your computer up to date with the latest antivirus
definitions and security patches
34
Safe Email Practices
Don’t open unknown or unexpected email
attachments
If you receive an email with a hyperlink, don’t open
it in the email – open a web browser and type
the link in manually
Email is sent in clear text and should never be used
to send confidential data
35
Practice a “Clean Desk” policy
Don’t leave confidential data unattended on your
desk, FAX, printers or copiers
Keep confidential data stored in a locked desk
drawer or file cabinet
Shred confidential data for disposal (in compliance
with the NC Records Retention and Disposition
Schedule)
36
If you don’t need it,
don’t collect it
Don’t give out
information without
knowing the
recipient/positive
confirmation
If you need it only
once, don’t save it
Good Business Practices
If you have to
transmit it,
transmit securely
If you don’t need
to save it, dispose
of it properly
If you have to
save it, store it
securely
37
If You Suspect a Problem
IMMEDIATELY
notify your supervisor
41
Security Awareness Mindset:
“I understand that there is the potential for some people
to deliberately or accidentally steal, damage or misuse
the data that is stored within my computer systems
and throughout our university. Therefore, it would be
prudent for me to stop that from happening.”
SEC
Y
Training Acknowledgement Form
Be sure to print and complete
the General Security
Awareness Training Form
Return completed forms to
Human Resources
220 HFR