SECURITY AWARENESS

PROTECTING SENSITIVE INFORMATION

Western Carolina University March 2011

OBJECTIVES

•What types of confidential data should you watch for?

•What areas of compliance do you need to know about?

•How can data be compromised?

•What can you do to protect confidential data?

•Awareness of University Policies #97 and #95

2

WHAT’S SO IMPORTANT?

Universities hold massive quantities of confidential data and are

traditionally seen as easy targets for data theft

We must understand the types of data that we hold and related

business processes

3

CONFIDENTIAL DATA

4

Social Security Numbers (SSN)Credit/Debit Card #s

Drivers License Numbers

Passport Numbers

Bank Account #s

PINs

Personally Health Information

Student Education Records

Proprietary Research Data

Confidential/Privileged Legal Data Personnel Records

UNIVERSITY POLICY #97DATA SECURITY AND STEWARDSHIP

To protect the security and integrity of the University’s data

Applies to all data (paper and electronic records)

Addresses access to and disclosure of data

RESPONSIBILITIES

Members of the Executive Council (Chancellor, Vice Chancellors, Athletic Director, and Legal Counsel) are the designated Data Stewards who are

ultimately responsible for ensuring the appropriate handling of University data

UNIVERSITY POLICY #97DATA SECURITY AND STEWARDSHIP (CONT.)

RESPONSIBILITIESDepartment Managers are responsible for ensuring that employees comply with all

University policies on data security, as well as Information Technology and the Office of

Institutional Research and Planning requirements

All University employees are responsible for complying with University policies on

data security

UNIVERSITY POLICY #97DATA SECURITY AND STEWARDSHIP (CONT.)

DATA CLASSIFICATIONS

Confidential – limited access to and limited disclosure of data

Third Party Confidential – limited access to and limited disclosure of data (usually by contract with non-disclosure agreement)

Internal – limited access

Public – unlimited access and disclosure

UNIVERSITY POLICY #97DATA SECURITY AND STEWARDSHIP (CONT.)

The Information Technology (IT) Division’s Networking &

Communications department has the responsibility for the design,

maintenance and security of the university’s data network.

To insure the integrity of the network the following items must complied

with.9

UNIVERSITY POLICY #95DATA NETWORK SECURITY AND ACCESS CONTROL

1. No device may be added to the network which does not conform to the approved list of devices, maintained and published by the IT Division, without prior approval of Networking & Communications. Rogue network devices will be automatically and immediately disabled upon detection.

2. No individual or office may connect a device to the campus data network that provides unauthorized users access to the network or provides unauthorized IP addresses for users.

3. Networking & Communications has the right to quickly limit network capacity to, or disable, network connections that are overwhelming available network bandwidth to the detriment of the university.

4. Access to networking equipment in wiring closets, etc. is limited to the Networking & Communications staff or their designees.

5. No consideration of changing the architecture of any part of the data network may be undertaken without the early and regular involvement of Networking & Communication Services.

10

UNIVERSITY POLICY #95DATA NETWORK SECURITY AND ACCESS CONTROL

The “Access Control Procedures Checklist” is accessible at the

following link or you may copy and paste the web address.

Policy 95 – Data Network Security and Access Control

http://www.wcu.edu/25378.asp

All persons with access to the university network must sign a Confidentiality Agreement that is

maintained in their personnel records for employees or by the requesting department for

non-employees. Employee supervisors are responsible for having employees sign the

agreement, and requesting departments are responsible for non-employee compliance with the

requirement.

11

UNIVERSITY POLICY #95DATA NETWORK SECURITY AND ACCESS CONTROL

COMPLIANCEUniversities are required to comply with federal & state laws and regulations regarding the way they use, transmit & store sensitive information, and to meet payment card industry contractual obligations

HIPAA – Health Insurance Portability and Accountability Act (health data)

GBLA – Gramm Leach Bliley Act (financial data)

FERPA – Family Educational Rights & Privacy Act (education records)

NC Identity Theft Protection Act (personal data, especially SSN)

PCI Data Security Standards (MasterCard and Visa)

12

NC IDENTITY THEFT PROTECTION ACT

The state’s Identity Theft Protection Act (ITPA) is designed to protect individuals from identity

theft by mandating that businesses and government agencies take steps to safeguard Social Security numbers and other personal

information

13

NC IDENTITY THEFT PROTECTION ACT (CONT.)

State agencies must secure personal identifiers

Encrypt or secure the transmission of SSN

Do not collect SSN unless “imperative”

State agencies must report annually to the General Assembly on security efforts

State agencies must notify affected persons when there is a security breach, and sometimes law enforcement agencies and the Attorney General

14

IDENTITY THEFT

More then 10 million ID theft victims nationally per year – the equivalent of 19 people per

minute

Has surpassed drug trafficking as #1 crime in the nation.

In NC alone, the number of reported identity theft crimes have more then tripled over a 4

year period.

15

Phishing

Malware

Hacking

Unauthorized physical access to computing devices

HOW IS INFORMATION STOLEN?

Lost/stolen computing devices

Social engineering

Lost/stolen paper records

16

PHISHINGThe practice of acquiring personal information

on the Internet by masquerading as a trustworthy business

17

18

www.antiphishing.org

MALWARE

Usually installed onto a computer by downloading other programs such as

screensavers, games, and “free” software

Trojans – malicious programs disguised or embedded within legitimate software

19

Malware can: Capture and send sensitive information from your

workstation to the hacker Download other malware Crash your workstation Be used to perform attacks from inside WCU’s network

20

HACKING

Unauthorized and/or illegal computer trespass executed remotely via some form of

communication network (e.g., the Internet, LAN or dial-up network)

21

UNAUTHORIZED PHYSICAL ACCESS TO COMPUTING DEVICES

Unsecured work stations, offices, desks, files

Unattended computing devices22

LOST/STOLEN COMPUTING DEVICES

23

Removable Memory Devices

PDAs

Laptops

BlackBerry

PCs

Smart phones

Thumb Drives Flash Cards

WHICH WAY DID IT GO?

Cab drivers in one major city reported that; 4,973 laptops, 5,939 PDAs, and 63,135

mobile phones were left in cabs over a 6 month period.

24

SOCIAL ENGINEERING

A hacker’s favorite tool—the ability to extract information from computer

users without having to touch a computer.

Tricking people to give out information is known as “social engineering” and is one of the greatest threats to data

security.

25

SOCIAL ENGINEERING (CONT.)

Social engineers prey on some basic human tendencies….

The desire to be HELPFULThe tendency to TRUST people

The FEAR of getting into trouble

26

SOCIAL ENGINEERING (CONT.)

Despite security controls, a university is vulnerable to an attack if an employee unwittingly gives

away confidential data via email, by answering questions over the phone with someone they don't know,

or by failing to ask the right questions

27

EXAMINE YOUR BUSINESS PROCESSES

WHAT – data type

WHO – has access to the data

WHERE – data originates, resides, goes

HOW – data gets where it’s going

28

WHAT TO DO WITH CONFIDENTIAL DATA

If you don’t need it for business purposes, don’t collect it

If you do need to collect it, maintain it securely

If you need to share it, transmit it securely

29

DATA SECURITY TIPS

Confidential data should never be located on a web server

Use a secure WCU server (H: drive) to store confidential data - do not maintain data on local

disk (C: drive)

Do not create, maintain “shadow data” (duplicate data) – if you must maintain it, keep it on the H:

drive

Encrypt confidential data whenever possible

Redact confidential data whenever possible (e.g., the last four digits of SSNs, partial credit card

numbers) 30

DATA SECURITY (CONT.)Be careful to whom you give sensitive

information.

Ask yourself some questions:

Do you know who they are?

Do they have a need to know?

Do they have the proper authorization?31

PASSWORD SECURITY

Never give your password to anyone

Don’t use the same password on multiple systems

Use a strong password (i.e., 12 alpha, changed case, numeric characters) on all your computer

systems and change them regularly

Avoid using the “auto complete” option to remember your password

Avoid storing passwords (e.g., "check box to remember this password”)

32

SECURING YOUR WORKSTATION

Log off or lock your workstation when you leave (CTRL-ALT-DEL)

Use a screensaver with a password enabled

Turn your computer off when you go home

33

STEER CLEAR OF MALWARE

Avoid using Instant Messaging and Chat software

Avoid using Peer to Peer file sharing software

Don’t download or install unauthorized programs

Keep your computer up to date with the latest antivirus definitions and security patches

34

SAFE EMAIL PRACTICES

Don’t open unknown or unexpected email attachments

If you receive an email with a hyperlink, don’t open it in the email – open a web browser and type the link in manually

Email is sent in clear text and should never be used to send confidential data

35

PRACTICE A “CLEAN DESK” POLICY

Don’t leave confidential data unattended on your desk, FAX, printers or copiers

Keep confidential data stored in a locked desk drawer or file cabinet

Shred confidential data for disposal (in compliance with the NC Records

Retention and Disposition Schedule)

36

If you don’t need it, don’t collect it

If you need it only once, don’t

save it

If you don’t need to save it, dispose of it properly

If you have to save it, store it

securely

If you have to transmit it,

transmit securely

Don’t give out information without

knowing the recipient/positive

confirmation

GOOD BUSINESS PRACTICES

37

IF YOU SUSPECT A PROBLEM

IMMEDIATELY notify your supervisor

41

Security Awareness Mindset:

“I understand that there is the potential for some people to deliberately or accidentally steal, damage or misuse the data that is stored within my computer systems and throughout our university. Therefore, it would be prudent for me to stop that from happening.”

SEC Y

TRAINING ACKNOWLEDGEMENT FORM

Be sure to print and complete the General

Security Awareness Training Form

Return completed forms to Human Resources

220 HFR