Ethics and Compliance Program


Introduction to
Information Security
Office of the Vice President for Information Technology
Mr. Corbett Consolvo, IT Security Analyst
Ms. Lori McElroy, IT Security Officer
Agenda
• Introduction
• The State of Texas State’s Information
Security program
• Appropriate Use Policy
• Confidential Information
• Current Threats and Protections
• Best Practices
• Q&A
Information Security
Introduction
What’s Information Security?
• The protection of data against unauthorized
access. This includes:
– How we access, process, transmit, and store
information
– How we protect devices used to access information
– How we secure paper records, telephone conversations,
and various types of digital media
The State of Texas State’s
Information Security Program
• Comprehensive Set of Security
Policies, Practices, and Services
that address:
– Network Access Management
– Threat Management
– Incident Management and Response
Information Security Program
Network Access Management
• Firewall services
• Virtual Private Network (VPN) access
• Host and endpoint security
– Malware protection and remediation
– Patch management
– Encryption (future)
Information Security Program
Threat Management
• Policy Development and Compliance
• Security Awareness Training and Consulting
• Risk Assessment
Information Security Program
Threat Management – Policy Development
• Texas State University Policies
– Appropriate Use of Information Resources (UPPS 04.01.07)
• http://www.txstate.edu/effective/upps/upps-04-01-07.html
– Security of Texas State Information Resources (UPPS 04.01.01)
• http://www.txstate.edu/effective/upps/upps-04-01-01.html
– Appropriate Release of Information (UPPS 01.04.00)
• http://www.txstate.edu/effective/upps/upps-01-04-00.html
Information Security Program
Threat Management – Compliance
• Texas Administrative Code, Chapter 202, Information Security Standards
• FERPA – Family Educational Rights & Privacy Act
– Protects the privacy of student educational records and prohibits the University from disclosing information from those records without the written consent of the student
– http://www.ed.gov/policy/gen/guid/fpco/ferpa/index.html
• HIPAA – Health Insurance Portability & Accountability Act
– Protects the privacy and security of Protected Health Information (PHI) and Electronic Protected Health Information (ePHI)
– http://www.cms.hhs.gov/HIPAAGenInfo/
• Gramm-Leach-Bliley Act (GLBA)
– Universities/agencies must not disclose any non-public financial information to anyone except as permitted by law
– http://www.ftc.gov/privacy/privacyinitiatives/glbact.html
• TPIA – Texas Public Information Act
– Formerly known as the Open Records Act; specifies that all recorded information owned or accessed by a governmental body is presumed to be public information, with certain exceptions
– http://www.oag.state.tx.us/AG_Publications/txts/2004publicinfohb_toc.shtml
Information Security Program
Threat Management
Security Awareness Training and Outreach
• IT Security contact points:
– [email protected]
– 512 245 HACK (4225)
• New Employee Orientation II (NEO II)
• IT Security Website
– http://www.vpit.txstate.edu/security.html
• Annual Cyber Security Awareness Month-October
• Introductory and technical security classes
• TXState security discussion lists:
[email protected]
[email protected]
Information Security Program
Threat Management – Assessments & Testing
• Information Technology Risk Assessment
– Device Registration application
– Information Security Awareness, Assessment, and
Compliance (ISAAC)
• Vulnerability Assessment
– regular scans of information resources and networks
looking for potential weaknesses in defenses
– employs specialized tools and technologies
• Security Testing
– penetration testing – attempts to exploit vulnerabilities
– policy and compliance review
– security controls review
Information Security Program
Incident Management and Response
• Incident investigation
• E-discovery
• Evidence preservation
• Digital forensics
• Law enforcement coordination
• Reporting an Incident
– Call 245-HACK (4225) or 245-ITAC (4822)
– Email [email protected]
– Contact any IT Security team member
Appropriate Use Policy
• UPPS 04.01.07
• IT Security is responsible for enforcement
• Applies to all faculty, staff, and students
• Acceptance when you change your password
Appropriate Use Policy
Highlights
• Illegal, threatening or deliberately
destructive use
• Authorized use
• Email use
• Circumventing security procedures
• Protect your identity
• Copyright infringement
Confidential Information
Release Precautions
FACT 1: Texas State is a public institution.
FACT 2: Texas State is subject to the Texas Public Information Act.
FACT 3: TPIA does not make all Texas State information freely available to the public.
IMPORTANT NOTE: If you receive a request for information from any external party, and you aren't certain that the information can be released, consult the Office of the University Attorney before releasing the information.
Confidential Information
Classes of Information
Public
information
• may be freely disseminated to the public
without potential harm to the University,
individuals, or affiliates, e.g., job postings,
service offerings, published research,
directory information, degree programs.
Sensitive
information
• is limited to those with a need to know;
uncontrolled disclosure might prove harmful
to the University, individuals, or affiliates,
e.g., performance appraisals, dates of birth,
email addresses, donor information.
Restricted
information
• release of this information is regulated by
legal statutes such as TPIA, HIPAA, FERPA.
Disclosure would seriously harm the
University, individuals, or affiliates. E.g.,
SSN, credit card info, personal health info.
Confidential Information
Protections
• Share confidential information only with those who
are authorized to see it
• When in doubt, don't give it out!
• Prevent eavesdropping - keep confidential phone
conversations from being overheard
• Quickly retrieve and secure any document containing
confidential information that you have printed,
scanned, copied, faxed, etc.
Confidential Information
Protections
• Store media containing confidential information in
locking file-cabinets or drawers
• Delete and write over (i.e., "wipe") data from any
electronic media before transferring or disposing of
• Position computer screens so they're not visible to
anyone but the authorized user(s)
Confidential Information
Protections
• Shred media containing confidential information
and secure such items until shredding
• Be alert to fraudulent attempts to obtain confidential
information and report these immediately
• Lock your workstation
• Use strong passwords; don’t share them
Information Security
Current Threats and Protections - Video
EDUCAUSE Computer Security Awareness Video
Contest 2006 gold winner, Superhighway Safety, by
Nathan Blair, Savannah College of Art and Design
http://www.educause.edu/SecurityVideoContest2006/7103
Information Security
Current Trends
Symantec – Last six months of 2007
• “Professional” hackers are commercializing
– $ is the motivator
– They are selling our information (medical, credit card, identities)
• The Web as the focal point
– Where we spend our time and divulge our information
• End-users are the primary target
– Phishing, web browsers (plug-ins), malware, spam, botnets
– Mobile device security (clever ploys)
• Increasing privacy data breaches
– http://www.privacyrights.org/identity.htm
– https://www.ssnbreach.org/
Information Security
Current Threats and Protections
• SPAM – what is it and how do I protect myself
from it?
– Spamming is the abuse of email to indiscriminately send
unsolicited bulk messages. It can be illegal.
– Protections:
• Do not open emails or attachments from an unknown source
• Use available filtering/blocking tools (see www.tr.txstate.edu/help/spam-filter-faq.html)
• Don’t click on any links in spam
• Don’t forward spam on to your friends
• Validate hoax email: www.snopes.com, www.hoax-slayer.com
Information Security
Current Threats and Protections
• Phishing – what is it and how do I protect
myself from it?
– Phishing is an attempt to fraudulently acquire sensitive
information by masquerading as a trustworthy entity in an
email or instant message. Spear Phishing-a highly targeted
attempt. Phishing is illegal.
– Valid companies don't ask you to submit confidential information via email! If in doubt, contact the company directly by telephone or at an email address you obtained independently, not one taken from the suspicious message
– http://www.sonicwall.com/phishing/ -- Phishing IQ Test
– Protections:
• Do not submit personal information in response to an email
• Verify the authenticity and security of web sites before
entering your personal information (https, certificates)
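"Verify the authenticity of web sites before entering your personal information" is easier once you look at where a link actually goes rather than what it says. The following is an added example for this page, not a tool from Texas State or from the Phishing IQ Test site above. The email body is constructed for the demonstration, and the four signs it checks (link text naming one host while the href goes to another, a raw IP address as the host, the user@host trick that hides the real host behind a plausible name, and a plain-http login link) are this example's own choice of heuristics, not a list from the slides.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit
import ipaddress

# Constructed sample message (assumption: made up for this example, not a real phish).
SAMPLE_EMAIL = """
<p>Dear customer, your account will be suspended unless you verify it today.</p>
<a href="http://192.0.2.10/login">https://www.example-bank.com/login</a>
<a href="http://www.example-bank.com.evil.example/verify">www.example-bank.com</a>
<a href="https://www.example-bank.com/">www.example-bank.com</a>
<a href="https://accounts.example.com@203.0.113.5/">accounts.example.com</a>
"""


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in the message."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host_of(text):
    """Lower-cased hostname of a URL or of a bare 'www.host/path' string; None if absent."""
    if "://" not in text:
        text = "http://" + text
    try:
        host = urlsplit(text).hostname
    except ValueError:
        return None
    return host.lower() if host else None


def _same_site(shown, actual):
    # The real host may be a subdomain of the one the text names; anything else is a mismatch.
    return shown == actual or actual.endswith("." + shown)


def link_findings(href, shown_text):
    """Return the reasons a link looks deceptive; an empty list means nothing obvious."""
    reasons = []
    parts = urlsplit(href)
    actual = _host_of(href)
    if parts.scheme != "https":
        reasons.append("not https")
    if actual is None:
        return reasons + ["no hostname in href"]
    try:
        ipaddress.ip_address(actual)
        reasons.append("href points at a raw IP address")
    except ValueError:
        pass
    if parts.username is not None:
        reasons.append("href hides the real host behind user@ syntax")
    # Only compare hosts when the visible text itself looks like a URL or hostname.
    shown = _host_of(shown_text) if ("." in shown_text and " " not in shown_text) else None
    if shown and not _same_site(shown, actual):
        reasons.append(f"text shows {shown} but link goes to {actual}")
    return reasons


def scan_email(html):
    """Map each href in the message to its list of findings."""
    parser = _LinkCollector()
    parser.feed(html)
    return {href: link_findings(href, text) for href, text in parser.links}


if __name__ == "__main__":
    for href, reasons in scan_email(SAMPLE_EMAIL).items():
        print(href, "->", "; ".join(reasons) or "no obvious sign of deception")
```

Only the third link, whose visible text and real destination agree and which uses https, comes back clean; the first link shows a bank URL but goes to an IP address, the second goes to a lookalike domain, and the fourth puts the trustworthy name in the userinfo part so the real host is the IP after the @. This is the same check a careful reader makes by hovering over a link, and it says nothing about whether the site at the other end is genuine, which is what the certificate check in the slide covers.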
Information Security
Current Threats and Protections
• Spyware – what is it and how do I protect
myself from it?
– Spyware is computer software that is installed without your
knowledge and used to intercept or take partial control over
interactions with your computer. Unauthorized access to a
computer is illegal.
– Spyware is often unwittingly downloaded and installed along
with other programs like toolbars and screensavers
– Protections:
• Do not download or install untrusted or unknown programs
• Use anti-spyware software, such as
– Ad-Aware (www.lavasoftusa.com)
– Spybot - Search & Destroy (www.spybot.info)
Information Security
Download Security Video
EDUCAUSE Computer Security Awareness Video
Contest 2006 honorable mention, Act Now - Know
Your Sources by Stephen Hockman, Christina
Manikus, John Sease, & Erin Shulsinger, James
Madison University
http://www.educause.edu/SecurityVideoContest2006/7103
Information Security
Best Practices
• Data Backup
– Regular or automatic backups
– Protect backup media
– Protect sensitive information stored on backup media
– Critical data should be backed up frequently to minimize the amount of data that might be lost if recovery from a backup becomes necessary
– Recovery procedures should be tested on a regular basis.
Information Security
Best Practices
• System, Software, & Anti-Malware Updates
– Operating system patches
– Anti-virus and anti-spyware
– Host-based firewalls
– Application software
• Regularly scheduled or automatic updates
are best
Information Security
Best Practices
• User Accounts and Passwords
– Use separate user accounts
• Administrator accounts for installing software, etc.
• User accounts for normal usage
– Use strong passwords
• Mix upper case, lower case, and numeric characters
• The longer the better, but a minimum of 8 characters
• Use passphrases
• Avoid valid dictionary words and proper names
• Avoid re-using passwords
Information Security
Passwords
• Creating strong passwords that are easy to
remember
• Strong password checker websites
– http://www.microsoft.com/protect/yourself/password/checker.mspx
– http://strongpasswordgenerator.com/
• Use different passwords for different
functions
– Banking
– Purchasing
– Email
• Password management tools
– Password safe
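The password rules on the previous two slides can be applied locally instead of pasting a candidate into a web checker. The following is an added example written for this page, not a Texas State tool and not the code behind the checker sites listed above. Its seven-entry word list is a constructed stand-in for a real dictionary or breached-password list, and the rule that a phrase of 16 or more characters need not mix character classes is this example's own reading of "use passphrases"; the slides do not state that exception.

```python
import math
import string

# Constructed stand-in for a real dictionary or breached-password list (assumption:
# a production check would consult a large wordlist, not seven entries).
COMMON_WORDS = {"password", "welcome", "texas", "bobcat", "letmein", "qwerty", "summer"}

MIN_LENGTH = 8          # slide: "a minimum of 8 characters"
PASSPHRASE_LENGTH = 16  # this example's choice: a phrase this long need not mix classes


def _classes(pw):
    return {
        "lower": any(c.islower() for c in pw),
        "upper": any(c.isupper() for c in pw),
        "digit": any(c.isdigit() for c in pw),
        "other": any(c in string.punctuation or c.isspace() for c in pw),
    }


def estimated_bits(pw):
    """Rough strength estimate in bits.

    A phrase of three or more words is scored per word against a 7776-word
    (Diceware-sized) list; anything else is scored per character from the size of
    the character classes it uses. Both are upper bounds: they ignore any
    dictionary structure inside the string, which is why check_password exists."""
    words = pw.split()
    if len(words) >= 3:
        return len(words) * math.log2(7776)
    used = _classes(pw)
    alphabet = ((26 if used["lower"] else 0) + (26 if used["upper"] else 0)
                + (10 if used["digit"] else 0) + (33 if used["other"] else 0))
    return len(pw) * math.log2(alphabet) if alphabet else 0.0


def check_password(pw, previous=frozenset()):
    """Return the slide rules that pw violates; an empty list means it passes."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    used = _classes(pw)
    if sum([used["lower"], used["upper"], used["digit"]]) < 3 and len(pw) < PASSPHRASE_LENGTH:
        problems.append("does not mix upper case, lower case and digits")
    # Catch "Texas2008" and "password!": a listed word with digits/symbols appended.
    base = pw.lower().rstrip(string.digits + string.punctuation)
    if pw.lower() in COMMON_WORDS or base in COMMON_WORDS:
        problems.append("is a dictionary word or proper name, possibly with digits or symbols appended")
    if pw in previous:
        problems.append("re-uses a previous password")
    return problems


if __name__ == "__main__":
    history = {"Texas2008"}
    for candidate in ["Abc123", "password1", "Texas2008", "Bobcat!Secure42",
                      "correct horse battery staple"]:
        verdict = check_password(candidate, previous=history) or ["ok"]
        print(f"{candidate!r:32} {estimated_bits(candidate):5.1f} bits  {'; '.join(verdict)}")
```

Running it shows why the dictionary rule matters as much as the length rule: "Texas2008" scores about as many bits as the four-word passphrase on the naive per-character estimate, yet it is a proper name with a year appended and would fall to a wordlist attack long before the estimate suggests.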
Information Security
Best Practices
• Mobile computing and portable media
– If you store confidential or Personally Identifiable Information
(PII) on your portable device, it is your responsibility to protect it
• Use passwords, preferably "power on" passwords
• Use an additional authentication factor, such as a fingerprint reader on a laptop
• Remove or "shred" all data before turning the device over to another user or sending it to be sold at auction
• Always keep the device with you when you are away from the office, e.g., do not leave it unattended in a hotel room, at a conference, or in your vehicle
• Laptop theft tracker: http://adeona.cs.washington.edu/
Information Security
Best Practices
• Wireless network security
– Texas State University's wireless networks
• Open network
• Encrypted network
• http://www.tr.txstate.edu/get-connected/wireless.html
– Wireless network security at home
• Change the router’s default password
• Use strongest available encryption
• If possible, restrict access to authorized devices via MAC addresses (a MAC address is easily spoofed, so treat this as a minor hurdle on top of encryption, not a substitute for it)
– Use public wireless networks only for risk-free activities
Information Security
Wireless Security Video
EDUCAUSE Computer Security Awareness Video
Contest 2007 bronze award, When You Least Expect
It, by Nolan Portillo, California State University –
Bakersfield
http://www.educause.edu/SecurityVideoContest2007/713549
Information Security
Best Practices
• Identity Theft and Credit Card Fraud
– Do not give out your personal information unnecessarily
– Be aware of possible phishing attempts
– Don’t use public computers or networks to check your bank
account, pay credit cards, or submit personal information
– Check your receipts for credit card numbers
– Monitor your bank accounts and credit card balances
– Apply for your free annual credit report from all 3 agencies
– Use anti-spyware software
– http://onguardonline.gov/idtheft.html
– Identity Theft IQ Test
Information Security
Identity Theft Video
EDUCAUSE Computer Security Awareness Video
Contest 2007, Out in the Open, Mark Lancaster,
Texas A&M University
http://www.researchchannel.org/securityvideo2007/
Information Security
Best Practices – Social Networking
• MySpace and Facebook – most popular
– Use caution when posting personal information
– Photos can be used by a stalker to gather information about
you or your family
– Talk about social networking protections with your family and
friends
– Limit access to your personal site
– Remember that pages are cached
Information Security
Best Practices – Useful Links
• Top 20 Vulnerabilities – http://www.sans.org/top20/
• PII detector
– Identity Finder, SERF, Spider (Google these)
• Identity Theft
– http://onguardonline.gov/idtheft.html
– http://www.vpit.txstate.edu/security/items_interest/identity.html
• Annual Credit Report
– https://www.annualcreditreport.com/cra/index.jsp
• Best Practices
– http://www.educause.edu/section_params/security/cd/higher_education/checklist/Indiana%20Best%20Practices%20for%20Securing%20Technology%20Resources.html
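The PII detectors named above (Identity Finder, SERF, Spider) all do the same core thing: scan files for tokens shaped like SSNs and card numbers, then filter the card hits with the Luhn checksum so that phone numbers, order numbers and random digit strings do not drown the real finds. The following is an added example of that core, written for this page and not taken from any of those tools. The sample text is constructed; the SSN in it is a historically published specimen number and the card number is the standard test value, neither belongs to anyone.

```python
import re

# Constructed sample file contents (assumption: test values only, no real identifiers).
SAMPLE = """\
Student roster 2008 - contact the registrar
SSN on file: 078-05-1120 (specimen number, not a real person)
Order #2008-1234-5678, invoice total 1,234.56
Card: 4111 1111 1111 1111 exp 09/10
Phone 512-245-4225, fax 512-245-8000
Not a card: 1234 5678 9012 3456
"""

# SSN: three groups, excluding area 000/666/9xx, group 00 and serial 0000.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# Card-shaped: 13 to 19 digits, optionally separated by single spaces or hyphens.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits):
    """Luhn checksum used by card numbers: double every second digit from the right,
    subtract 9 from any doubled value above 9, and require the sum to be a multiple of 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pii(text):
    """Return (line_number, kind, token) for each SSN-shaped token and each
    card-shaped token that also passes the Luhn check."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for m in SSN_RE.finditer(line):
            hits.append((line_no, "ssn", m.group()))
        for m in CARD_RE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group())
            if luhn_ok(digits):
                hits.append((line_no, "card", m.group()))
    return hits


if __name__ == "__main__":
    for line_no, kind, token in find_pii(SAMPLE):
        print(f"line {line_no}: {kind} {token}")
```

On the sample the scanner reports exactly two hits, the SSN on line 2 and the card on line 4; the 16-digit string on line 6 has the right shape but fails Luhn, and the order and phone numbers are too short to match at all. Real scanners add the other formats the slides' restricted class covers (unformatted nine-digit SSNs, health record identifiers) and read inside documents and archives, but the shape-then-checksum structure is the same.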
Information Security
How Do I Find Out More?
• Texas State Sites
– IT Security - http://www.vpit.txstate.edu/security
– Privacy Rights Notice - http://www.tr.txstate.edu/privacynotice.html
– Identity theft - http://webapps.tr.txstate.edu/security/identity.html
– FERPA at Texas State - http://www.registrar.txstate.edu/persistentlinks/ferpa.html
• Contacts
– Information Technology Security
512-245-HACK(4225), [email protected]
– Information Technology Assistance Center (Help Desk)
512-245-ITAC(4822) or 512-245-HELP, [email protected]
Q & A