Transcript NCCU Police Department Emergency Communications
Creating a Security Risk-Aware Culture at NCCU
Information Technology Services
North Carolina Central University
September 2008
Information Security
“Security is a negative deliverable. You don’t know when you have it. You only know when you’ve lost it.”
Cybersecurity - Why Do We Care?
Chancellor – good legislative audits
Provost – academic integrity
Vice Chancellor Research – compliance
HIPAA
FERPA
GLBA
Sarbanes Oxley Act
Grant requirements
Local, state and federal regulations
Today’s Agenda
Information Security in Higher Education
NCCU Information Security Policies & Best Practices
Banner Security
Top 10 Reminders
Information Security
Between February 2005 and July 2006, there were 237 reported security breaches involving the compromise of more than 89 million records containing personal information.
Of these, 83 incidents involved institutions of higher education, including academic medical centers.
EDUCAUSE Review, vol. 41, no. 5 (September/October 2006): 46–61
Security Implementation Relies On
Policies must be developed, communicated, maintained and enforced
Process
Processes must be developed that show how policies will be implemented
Technology
Systems must be built to technically adhere to policy
People
People must understand their responsibilities regarding policy
Today’s Agenda
Information Security in Higher Education
NCCU Information Security Policies & Best Practices
Banner Security
Top 10 Reminders
NCCU IT Security Training
Outline
NCCU Security Policies
Copyright Laws of the United States
Security Incidents – whom to call or a site for security incidents to be reported
NCCU IT Security Training
Outline
Introductions
NCCU Security Policies
Copyright Laws of the United States
Security Incidents – whom to call or a site for security incidents to be reported
NCCU IT Security Training
Course Outline
Introductions
Steve Ornat
IT Audit Compliance and Business Continuity
NCCU – Information Technology Services
[email protected]
530-7171
NCCU IT Security Training
Course Outline
Introductions
NCCU Security Policies
Copyright Laws of the United States
Security Incidents – whom to call or a site for security incidents to be reported
NCCU IT Security Training
Course Outline, Continued
NCCU Security Policies
Data and Information Policy
File Sharing Policy
Electronic Mail Policy
Responsible Use Policy
Wireless and Network Policy
Server Policy
Software License Policy
NCCU Telephone and Cell Policy
Documentation of all of NCCU Policies – Version: 1.01-090908 CD
NCCU IT Security Training
Data and Information Policy
General guidance on the protection of University data and information being processed by manual as well as automated systems and the protection of the records and reports generated by these information processing systems.
Handling of Institutional Data
Guidelines
The Chancellor, Provost, Vice Chancellors, General Counsel, and the Director of Athletics are responsible for ensuring the appropriate handling of Institutional data produced and managed by their division/unit
ITS is responsible for ensuring that the appropriate technologies and system policies and permissions are in place to ensure appropriate access to electronic data.
Data Owners
Owners of data are responsible for making decisions about the use and protection of information in their custody. Areas of concern shall include:
1. Accuracy and completeness of data and information;
2. Classification of data as confidential (subject to privacy laws), sensitive (non public salary information) or public;
3. The authorization process to permit access to the information and to terminate access when necessary;
4. The identification and minimization of risks and exposures;
5. The utilization of established procedures designed to protect information from unauthorized access or disclosure, whether accidental or intentional;
6. Communication of information protection procedures to authorized users;
7. Physical access to hard copy records, computers and other technologies
8. Providing procedural safeguards including backing up information for business
9. Evaluating security control procedures related to information in their custody.
NCCU IT Security Training
File Sharing Policy
File sharing applications allow users to download and share electronic files of all types and to use any computer as a server for file sharing requests.
H.R. 4137
www.ruckus.com
NCCU IT Security Training
Electronic Mail Policy
This policy provides guidelines for the responsible and appropriate use of the North Carolina Central University's electronic mail (e-mail) and communication resources and services.
NCCU IT Security Training
Responsible Use Policy
Also called by its proper name: “Responsible Use of University Computing and Electronic Communication Resources Policy”
Responsible use includes, but is not limited to, respecting the rights of other users, sustaining the integrity of systems and related physical resources, and complying with all relevant policies, laws, regulations, and contractual obligations.
NCCU IT Security Training
Wireless and Network Policy
This policy has been developed to ensure that the North Carolina Central University (NCCU) community has a secure and reliable network with the access and performance needed to carry out the goals of the university as well as meet the needs of its constituents.
NCCU IT Security Training
Server Policy
The purpose of this policy is to define standards to be met by all servers owned and/or operated by North Carolina Central University (NCCU) on the University’s network.
NCCU IT Security Training
Software License Policy (Awaiting approval by NCCU Board of Trustees)
All University constituents must respect the rights of software developers and abide by copyright and other intellectual property laws.
NCCU IT Security Training
NCCU Telephone and Cell Policy
All University employees are prohibited from misusing University telephones and cellphones for personal calls. Misuse includes the use of office telephones and cell phones for personal long distance calls charged to departmental budgets and excess use of office telephones for local telephone calls.
NCCU IT Security Training
Course Outline
Introductions
NCCU Security Policies
Copyright Laws of the United States
Security Incidents – whom to call or a site for security incidents to be reported
Copyright Laws of The United States of America Title 17
Circular 92
Copyright Law of the United States and Related Laws Contained in Title 17 of the United States Code
October 2007
Contains:
‐ Table of Contents
‐ Chapter 11 – “Sound Recordings and Music Videos”
‐ Appendix A – “The Copyright Act of 1976”
‐ Appendix B – “The Digital Millennium Copyright Act of 1998”
Copyright Laws of The United States of America
Copyright Laws of The United States of America
Chapter 11 – “Sound Recordings and Music Videos”
§ 1101 · Unauthorized fixation and trafficking in sound recordings and music videos
Definition.—As used in this section, the term “traffic in” means transport, transfer, or otherwise dispose of, to another, as consideration for anything of value, or make or obtain control of with intent to transport, transfer, or dispose of.
Copyright Laws of The United States of America
Appendix A The Copyright Act of 1976
Title I – General Revision of Copyright Law
Sec. 103. This Act does not provide copyright protection for any work that goes into the public domain before January 1, 1978. The exclusive rights, as provided by section 106 of title 17 as amended by the first section of this Act, to reproduce a work in phonorecords and to distribute phonorecords of the work, do not extend to any non-dramatic musical work copyrighted before July 1, 1909.
Copyright Laws of The United States of America
Appendix A The Copyright Act of 1976
Title I – General Revision of Copyright Law
Sec. 113. (a) The Librarian of Congress (hereinafter referred to as the “Librarian”) shall establish and maintain in the Library of Congress a library to be known as the American Television and Radio Archives (hereinafter referred to as the “Archives”). The purpose of the Archives shall be to preserve a permanent record of the television and radio programs which are the heritage of the people of the United States and to provide access to such programs to historians and scholars without encouraging or causing copyright infringement.
Copyright Laws of The United States of America
Appendix B The Digital Millennium Copyright Act of 1998
Section 1 · Short Title.
This Act may be cited as the “Digital Millennium Copyright Act (DMCA)”.
Title I — WIPO (World Intellectual Property Organization) Treaties Implementation
Sec. 101 · Short Title. This title may be cited as the “WIPO Copyright and Performances and Phonograms Treaties Implementation Act of 1998”.
Copyright Laws of The United States of America
Appendix B The Digital Millennium Copyright Act of 1998
Section 1 · Short Title.
This Act may be cited as the “Digital Millennium Copyright Act (DMCA)”.
Title II — Online Copyright Infringement Liability Limitation
Sec. 201 · Short Title. This title may be cited as the “Online Copyright Infringement Liability Limitation Act”.
NCCU IT Security Training
Course Outline
Introductions
NCCU Security Policies
Copyright Laws of the United States
Security Incidents – whom to call or a site for security incidents to be reported
NCCU IT Security Training
Security Incidents – whom to call or how to report a security violation
Reporting an incident via telephone:
Call the Eagle Technical Assistance Center (ETAC)
Extension X 7676
Call Steve Ornat IT Audit Compliance and Business Continuity
Extension X 7171
NCCU IT Security Training
Security Incidents – whom to call or how to report a security violation
Reporting an incident via email:
Eagle Technical Assistance Center (ETAC)
Steve Ornat IT Audit Compliance and Business Continuity
NCCU IT Security Training
Security Incidents – whom to call or how to report a security violation
Reporting an incident via the WEB: To be announced – Coming soon to the NCCU WEB page.
NCCU IT Security Training
Course Outline
Introductions
NCCU Security Policies
Copyright Laws of the United States
Security Incidents – whom to call or a site for security incidents to be reported
Documentation of NCCU ITS Employee Information CD Version: 1.01-090908
NCCU IT Security Training
Table of Contents for: ITS Employee Information CD Version: 1.01-090808
File: 1 - ITS Employee Handbook
Description: The July 2008 version of the ITS Employee Handbook
Today’s Agenda
Information Security in Higher Education
NCCU Information Security Policies & Best Practices
Banner Security
Top 10 Reminders
Steps To Ensure User Account Security
Every User should have his/her own assigned “USERID”
Each User is accountable for transactions made with the assigned “USERID”
Do not share your password
If you feel your password has been compromised, request that your password be reset.
Changing Banner Passwords
Attempting to log into Banner more than twice unsuccessfully will cause your account to lock.
Password must be at least eight (8) characters long
Password must include at least one (1) number.
Avoid Special Characters
Pound sign (#)
Slash (/)
Plus (+)
Hyphen (-)
Ampersand (&)
At-sign (@)
Dollar sign ($)
Exclamation point (!)
Comma (,)
Asterisk (*)
Percent sign (%)
Banner Signatures Required for Access
Banner Access – Signatures Required
Student Module
Undergraduate Admissions – Jocelyn Foy
Registrar – Jerome Goodwin
Financial Aid – Sharon Oliver
Student Billing – Yolanda Banks Deaver
Residential Life – Jennifer Wilder
Auxiliary Services – Tim Moore
University College – Dr. Bernice Johnson
Finance
Administration & Finance – Dr. Alan Robertson
Purchasing – Danielle Hearst
Comptroller – Yolanda Banks Deaver
Human Resources
Administration & Finance – Dr. Alan Robertson
EPA Services – Daphine Richardson
SPA Services – Laurie Charest
Institutional Advancement
Chief of Staff – Susan Hester
Director of Stewardship – LaMissa McCoy
Today’s Agenda
Information Security in Higher Education
NCCU Information Security Policies & Best Practices
Banner Security
Top 10 Reminders
Top 10 Concerns / Reminders
Top 10 Information Security Reminders
10. Know University IS Policies & Procedures
9. NCCU e-Mail is the “official” university provided e-Mail system
8. Don’t open SPAM e-Mail – just delete
7. When you put your name on listservs and other distribution lists outside the university, you are setting yourself up for SPAM e-Mail – vendors sell their distribution lists
Top 10 Information Security Reminders
6. Passwords should not be written on “sticky notes” placed on your computer or other locations within your office
Passwords should not be your first initial, last name
Passwords should be a minimum of 8 characters
Passwords should be changed at minimum every 60 days
Do not share passwords with Admin Assistants or Workaid Students
5. Phishing e-Mails – ITS will NEVER ask for any personal information (userID, passwords, etc.) via e-Mail (watch out for e-Mails that appear to come from someone on campus asking for personal info)
Top 10 Information Security Reminders
4. All units should have a SHREDDER – no personal or student information should ever be dropped in the garbage (same practice at home).
3. Access to University data is provided to University employees for the conduct of University business only. Faculty and staff must follow data privacy laws (FERPA).
2. Do not share Banner Passwords or Account Information. Follow Banner Data Standards when putting data into Banner.
Top 10 Information Security Reminders
1. Be conscious of Information Security concerns and report any incidents immediately:
Banner employee access should be terminated if an employee’s job changes
Laptops – passwords & security tracking software installed
Memory sticks / thumb drives (sensitive data)
Blackberries / Cellphones
NCCU IT Security Training
In closing
Keep the intellectual and private information of North Carolina Central University the private and intellectual property of North Carolina Central University
Here to Serve
NCCU IT Security Training
And remember!
There may be a Pop Quiz soon!
Steve Ornat
Extension X 7171
[email protected]
QUESTIONS
Thank you!