Workforce Security Awareness Training
Download
Report
Transcript Workforce Security Awareness Training
1
Information Security Awareness:
Building a Culture of Commitment to Security
2
• Security Awareness is the knowledge and
attitude members of an organization
possess regarding the protection of the
physical and, especially, information assets
of that organization
3
UW Medicine IT Resources
• IT Services
▫ ITS provides information systems support for UW Medicine. Its
core mission is to make a difference through the use of
information technology for teaching, research and patient
care.
▫ A few services ITS provides are Help Desk support, work
station support, account support, and clinical systems
administration.
▫ The ITS Help Desk can be reached at 206-543-7012 or
[email protected]
4
Other IT Resources
• UW Technology – www.washington.edu/uwtech
or 206-221-5000
• Departmental IT
▫ Provide local support for computing devices
distributed by the department
• You
▫ If there is no assigned IT staff for a device then
you are responsible for it’s security
5
Information Security Principles
UW Medicine computers and data need
protection
Protection is based on the needs to preserve
Confidentiality, Integrity and Availability
Security is everyone’s responsibility
6
Data Classification
Public = This is information that is either approved for general
access, or by its nature, is not necessary to protect, and can
be shared with anyone.
Restricted = This is information which is intended strictly for
use by designated parties and requires careful management.
Confidential = This classification of information is very
sensitive in nature, and requires careful controls and
protection. Examples of confidential data include PHI, PII, and
passwords
7
STRONG Passwords
• Why is it important to use strong passwords?
▫ Password guessing tools guess in 7 character sets. Lengths of 8
characters or more make it more difficult to guess
▫ An apparent random set of characters makes it more difficult for
a hacker to guess. !@#$%&*, ABCD, abcd, 1234
Where supported a “pass phrase” should
be used. They are easier to remember
and much harder to break.
8
User ID and Password Management
▫ Your manager is responsible for making sure your access rights
are correctly assigned initially and to update your access upon
role changes, transfer or termination.
▫ Each workforce member is assigned a unique User ID and must
not share it with anyone.
▫ Each system that a user has access to will be logged and tracked.
▫ All passwords must be changed every 120 days. It is the user’s
responsibility to do this.
http://myuw.washington.edu
UW Medicine Account
or
AMC Login
9
Email Security
▫ Always be aware of phishing and social engineering scams,
dangerous attachments, viruses, embedded links to malicious
websites and social engineering
▫ All UW Medicine email is open to public disclosure
▫ Delete confidential emails as soon as they are no longer needed
▫ DO NOT forward confidential emails to a third party email system
e.g., hotmail, yahoo, aol, gmail
▫ Check and double-check all messages containing restricted or
confidential information for proper recipient email addresses
▫ Encrypt email messages when sending confidential information to
email systems outside of UW Medicine
10
Mobile Device Security
▫ Mobile devices include laptops, Blackberries,
smart phones, or any portable device capable
of storing and interpreting data.
▫ Mobile devices are of special concern because
they are easily lost and attractive to thieves.
▫ Personally owned mobile devices must comply with UW
Medicine policies and standards when used for work
purposes. The owner of the device is responsible.
Encryption required when storing PHI, PII or passwords
No automatic login, require password to log on to the device
Passwords on these devices must be changed every 120 days
Patched and up to date operating system
11
Data Transmission Security
▫ There are many other ways to transmit data electronically.
They also require encryption as a protection in certain
cases.
▫ Examples of other forms of transmission include faxes,
instant messaging, text messaging, smart phones and
other file sharing mechanisms.
▫ PII, PHI or passwords transmitted by any mechanism or
device across non-UW Medicine networks or any wireless
networks, must be encrypted.
12
Wireless Security
▫ Throughout UW Medicine, wireless networks are provided by UW Technology.
These wireless networks are labeled “University of Washington”.
▫ UW Technology does not provide encryption for transmission of data on their
wireless networks.
▫ When using wireless networks you must use encryption when transmitting
PHI, PII or passwords.
▫ Always disable your wireless when not in use.
Windows will automatically scan for known (trusted)
wireless networks.
▫ Wireless networks are easily monitored by
unauthorized individuals. Users should be aware that
any transmitted data could be stolen unless
encrypted.
13
Workstation/Work Area Security
▫ Workstations must be locked or logged out of when not in use or
unattended.
▫ Never enter passwords or conduct UW Medicine business from 3rd
party kiosks, such as an Internet café computer.
▫ Workforce members that use their personal computer for work
must comply with the minimum computer security standard.
▫ Restricted or Confidential information in your work area must be
secured when not in use.
▫ Always clear Restricted or Confidential information from printers
immediately.
14
Risks of Web Browsing
▫ Users should be aware that even “trusted” websites can house
malicious software.
▫ Clicking links on WebPages can download and run programs on
your computer.
▫ Plug-ins should only be downloaded if absolutely necessary and
after they are used should be removed.
▫ Where technically feasible an alternate
web browser i.e. – Firefox, Opera, Safari
should be used to conduct sensitive
business.
15
Remote Access
▫ UW Medicine provides SSL VPN (encrypted transmission) for it’s
remote access purposes.
▫ VPN access can be requested through IT Services Help Desk. Have
your supervisor contact the Help Desk for the request form.
▫ Remote Access is only provided to conduct official UW Medicine
business that is part of the requestors job function.
▫ Any transmission of PHI, PII, or passwords from a remote site to a
UW Medicine site must be encrypted. This protection can be
provided by the application, e.g. an SSL protected web
application, or by VPN.
16
Copying of Data and Media Disposal
▫ Media is any portable device that is capable of storing
electronic data. Examples include USB drives, CD/DVD,
external hard drives, tapes, flash memory cards, etc.
▫ Once a workforce member removes data from a
controlled system it becomes their responsibility to
ensure the protection of the data.
▫ PHI, PII and passwords stored on media must
be encrypted.
▫ Media containing restricted or confidential
information must be destroyed in such a way
to make the data unrecoverable when no
longer needed.
17
Security Incident and Complaint Response
▫ Security Incidents are any event involving a breach or potential breach of a
UW Medicine computing device or data.
▫ Security Complaints are a report of a suspected violation of UW Medicine
policy, state or federal law, or other regulation.
▫ All UW Medicine workforce members must report security incidents and
complaints to the ITS Help Desk.
▫ If you suspect a security incident has occurred on a UW Medicine
computing device then you must not alter the state of the device. You
should unplug the network cable and leave it powered on.
▫ A UW Medicine ITS or Compliance member will contact you once you
report an incident or complaint.
Questions
http://security.uwmedicine.org
Brad Peda
[email protected]
206-616-5829