IT Security Essentials
Ian Lazerwitz, Information Security Officer
Fundamentals of Security
• Confidentiality
• Integrity
• Availability
Why all the concern about security?
• Computer hacking has become a big business
• We store large amounts of personal data in our systems on students and employees
• We need that data to be accurate and available in order to do our jobs
• We must comply with state and federal regulations
What are we doing about it?
• Constantly monitoring our systems and threats to keep our servers and our network secure
• Implementing policies, procedures and practices to assure only authorized users have access to data
• Educating users
What can you do?
• Security is everyone’s responsibility
• Contact the IT Security Office with any questions or if you suspect there has been a security breach
• Follow some basic guidelines:
Be aware
• Make information security a regular practice
• Recognize poor security practices in your own habits and in your office
• Remain vigilant where information security is concerned
Passwords
• Never share a password
– If more than one person needs access, work with DoIT to create a network share so each can use their own password
– Even the DoIT Helpdesk should never ask for your password
Passwords
• Choose a strong password
– We recommend that you change your password regularly
– Use a phrase that’s easy to remember but hard to guess
– Your password must contain 3 of 4:
• Uppercase letters
• Lowercase letters
• Numbers
• Special Characters
Password Examples
• Weak Passwords
– Fluffy
– Password3
– Lazerwitz
• Strong Passwords
– str0ngPa55
– 3plus3=Six
– myc@tisf!uffy
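The "3 of 4" rule and the weak/strong examples above, turned into a checker. This is an added example written for this page, not the University's own policy tooling; the blocklist and the substitution table are constructed. Counting character classes alone is not enough: Password3 contains three classes yet is listed as weak, so the checker also rejects passwords that reduce to a blocklisted word or personal name. Note that the third strong example, myc@tisf!uffy, contains only lowercase letters and special characters, so a strict reading of the 3 of 4 rule rejects it.

```python
import re
import string

# The four character classes named in the deck's "3 of 4" rule.
CLASSES = {
    "uppercase": set(string.ascii_uppercase),
    "lowercase": set(string.ascii_lowercase),
    "numbers": set(string.digits),
    "special": set(string.punctuation),
}

# Common digit/symbol-for-letter substitutions, undone before the blocklist
# comparison so "Passw0rd" and "Password3" reduce to the same base word.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})

# Constructed blocklist for this example: a few dictionary words plus values
# someone could guess about the user (pet name, surname, employer).
BLOCKLIST = {"password", "fluffy", "lazerwitz", "pace", "welcome"}


def classes_present(pw):
    """Names of the character classes that appear at least once in pw."""
    return {name for name, chars in CLASSES.items() if any(c in chars for c in pw)}


def base_word(pw):
    """Strip trailing digits, undo leet substitutions and lowercase the result."""
    return re.sub(r"\d+$", "", pw).translate(LEET).lower()


def check_password(pw):
    """Return the list of policy findings; an empty list means pw passes."""
    findings = []
    present = classes_present(pw)
    if len(present) < 3:
        missing = ", ".join(sorted(set(CLASSES) - present))
        findings.append(f"only {len(present)} of 4 character classes (missing: {missing})")
    if base_word(pw) in BLOCKLIST:
        findings.append("based on a dictionary word or personal name")
    return findings


if __name__ == "__main__":
    # The deck's own weak and strong examples, one verdict per line.
    for pw in ["Fluffy", "Password3", "Lazerwitz", "str0ngPa55", "3plus3=Six", "myc@tisf!uffy"]:
        findings = check_password(pw)
        print(f"{pw:15} {'OK' if not findings else '; '.join(findings)}")
```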
Passwords
• Never post your password
– On your computer monitor
– Under your keyboard
– In a desk drawer
– Anyplace that someone might look
Passwords
• Never save passwords in applications
– E-mail, Web Authoring, Dialup, VPN
– Anyone who sits at your computer has access to those applications
– Equally important at home
Personally Identifiable Information
Personally Identifiable Information (PII) is information that can be used to steal identities, disrupt University operations and damage Pace’s reputation. It includes:
– Social Security Numbers (SSNs)
– Health Information – including immunization information, FMLA information and
– Credit Card information
– Non public directory information – including student grades
PII Data Handling Best Practices
• Assign a complex password and change it regularly;
• Don’t use Internet file sharing software such as Kazaa or BitTorrent;
• It is important to treat other people’s information as if it was your own!
PII Data Handling Best Practices
• Delete files from ALL locations (hard drive and network drive) when no longer valid.
• Do not hold on to old queries or reports that contain personal information. Empty your computer’s recycle bin and clear temporary file folders.
PII Data Handling Best Practices
• Never share passwords;
• Avoid emailing sensitive files. If email is absolutely necessary, use password protection;
• Use a password protected screen saver;
• Shut down or turn off the computer when not in use;
PII Printing Best Practices
• Printed reports with PII data must contain the creator’s name, date and time, data source and a confidential notice.
• Limit display of personal information. Do not leave paper containing personal information on desks or in open view; avoid printing SSN unless required by law.
PII Printing Best Practices
• Always store paper reports containing PII in a secure location such as a locked filing cabinet and know who has access to the location. Avoid taking PII reports with you to unsecured locations such as your home or car.
PII Printing Best Practices
• Limit distribution of documents with PII and know who is receiving the documents and how they will be used.
Physical Security
• Always lock your computer when you leave it unattended (ctrl-alt-del)
• Never leave hard copies with sensitive data in plain view
• Always log out of web applications (Banner, e-mail, calendar) and close the browser
Laptops and Mobile Devices
• Theft
• Access on unsecure networks
• Strong passwords
• Encryption
Did you know? (Antivirus)
• Pace University has a site license to install Symantec Antivirus on all Pace computers
• We also provide Antivirus software for staff, faculty, and student home use
Did you know?
• It is a violation of University policy to share your password
• You should keep your computer operating system and applications patched to protect against unwanted intrusions
Did you know?
• You should make backups of critical files
• At home use a personal firewall
• Do not open unexpected emails
Information Security Office
• Ian Lazerwitz
– Information Security Officer
• [email protected][email protected]
• Http://www.pace.edu/safecomputing