Information Security

Transcription

1 Information Security

2 Table of Contents Statement of Confidentiality and Responsibility... 2 Policy and Regulation... 2 Protect Our Information... 3 Protect Your Account... 4 To Change Your Password... 5 Secure Your Desktop... 6 Stay Safe Online... 6 Exercises... 8 Information Security - Introduction 1

3 Statement of Confidentiality and Responsibility I understand that this administrative office account is assigned to me at the request of the Department Head to be used only in connection with my assigned duties as an employee of the University and may be revoked without notice upon the request of this administrator. I understand and accept the following terms and conditions: I am aware that passwords are the first line of security on BANNER. I agree not to reveal my password nor allow anyone to use the account assigned to me. I am responsible for any changes made to the database under my user name. I agree to abide by the Family Education Rights and Privacy Act of 1974 (FERPA) regulations. Under this act, information about current and former MSU students is legally designated as private. I agree to refer all outside request for student information to the Office of the Registrar, unless I have been authorized by the Registrar to release pre-designated information. I must maintain the confidentiality of any and all data that I retrieve from BANNER in the course of my job duties, including data that I use for reporting purposes or in other software products. Access to administrative data will be determined by the requirements of my job, and therefore I am only authorized to retrieve this data on a need to know basis. I agree to comply with all institutional policies on security, computer access, confidentiality of data, data standards, and data integrity. I am aware that any violation of these policies may lead to the immediate suspension of my computer privileges. I understand that unauthorized release of sensitive or restricted information is a breach of data security and may be cause for disciplinary action, which could include dismissal. Policy and Regulation Policies are the foundation on which all standards and guidelines are based. It is the responsibility of all members of the University community to have an understanding of the security policies that are currently in place. Board of Regents (BOR) Policies The BOR has published several policies governing information technology for the Montana University System. These can be found in Section 1300 of the Board of Regents Policy and Procedures Manual available on the Web at: Information Security - Introduction 2

4 Montana State University Policies MSU continues to develop information technology related policies. The following policies exist to address the address the growing threat to information security: o Campus Network Policy o Network Connected Device Standards o Network Acceptable Use Policy (under development) The policies can be reviewed on the MSU Web site at: Many of the policies governing information technology practices have been developed in direct response to the government regulations that the University must abide by. These regulations help protect the privacy and integrity of personal information about University constituents. It is not only in our best interest to comply with these guidelines, it is also required by law. The University has published policies and guidelines to ensure compliance with the following regulations: Family Education Rights and Privacy Act (FERPA) - Addressing the privacy of student education records. o Protects the privacy of student educational records, requiring written permission in order to release information. - Contact the Registrar s office (x2601) if you ever have any questions about FERPA Gramm-Leach-Bliley (GLB) - Addressing the privacy of personal financial information. o Requires limits and controls on sharing financial information, allowing customers to restrict such activity. Protect Our Information As a user of the Banner system, you have access to sensitive information that is protected under these policies and regulations. This information should be considered a vital asset of the University and as such must be protected. There are several considerations that must be taken into account for each of the above regulations and policies in order to ensure compliance. The following points outline the areas normally addressed as a starting point for a secure, compliant environment: Documented practices and procedures System and network hardening Physical security Access control Data availability and integrity assurance On-going assessment and auditing Incident handling Information Security - Introduction 3

5 As an individual, you play a role in several of these areas including physical security, access control, and assurance of integrity of the data we seek to protect. Please take the time to review the Data Stewardship Guidelines which outline the appropriate ways to recognize and handle sensitive information: In general, recognizing sensitive information such as social security numbers, student grades, credit card information, or other personally identifiable information and handling this data appropriately is an integral part of your job. Be sure to remember that generated IDs (GIDs) are sensitive information. Take care when printing reports containing this information and be sure to use secure methods for any transmissions containing sensitive data. The IT Center manages Knox, a server that utilizes encryption to protect sensitive data such as student and employee records. Unlike other servers, Knox is centrally funded. For MSU employees, it is free for appropriate use. To request a Knox folder send an to knox@montana.edu. Be sure to include a description of what you will be storing, who will be needing access, and what type of access will be needed by each individual (Read/Write or Read-Only.) You may also include a desired folder name. For employees who work remotely, secure connectivity is provided via the MSU virtual private network (VPN). You can find VPN instructions at: Most exposures of sensitive information occur simply because the individual handling them makes a mistake regarding where they put it, how they store it or where they send it. Remember to always think twice about doing anything with sensitive data, and if you ever have a question about what would constitute sensitive data, how to handle it or where to store it please don t hesitate to contact one of the references listed at the end of this section. Requesting Your Banner Account To request a new Banner account, or to request changes to an existing account, visit and click on the New Banner Account Request link. This will bring you to the request form. Fill out the information relevant to your request and then review and submit the form. Once your request has been completed you will receive notification. Protect Your Account Your Banner USERNAME has two primary functions: It determines your personal authority within the various modules (that is, your access to menus, forms and data elements required for query and maintenance activity). Information Security - Introduction 4

6 It is recorded as an electronic signature on each update transaction completed during your logon session. Because access within Banner forms is based on individual job responsibilities, it is important that only you use your personal electronic signature. To keep that USERNAME secure, when you first receive an assigned password for a Banner instance, use the password-change form described below to change the original assignment to a personal code that cannot be easily guessed by others. Use the password-change form whenever you feel your logon might have been compromised. In addition, it is good practice to change your password periodically (at least once every six (6) months). Consider the following when choosing a password to secure your electronic signature: Passwords must be a minimum of eight (8) characters long. Passwords must contain at least one letter of the alphabet, at least one number (but DO NOT use a number as the first character), and at least one special character listed below. Do not use a dictionary word or something that could be easily associated with you personally (for example, James Bond should not use IAM007). Consider using a pass phrase that will help you remember your password. For example: Bobcats are number one = B0bktzR_nmbr1! (note that the letter o is replaced with the number 0 ) Valid password characters are: All upper and lower case letters All numbers The following five special characters:! + - _ Once you have selected your new password, DO NOT SHARE IT WITH ANYONE. To Change Your Password 1. Access form GUAPSWD (or you can click the Change Password link on the right-hand side of the form you see when you open Banner). 2. Key your old password in the Oracle Password field, and click in the New Oracle Password field. 3. Choose a personal password based on the considerations outlined above 4. Key your new password in both the New Oracle Password and the Verify Password fields. 5. Click the Save button or press the F10 key. 6. Use your new password the next time you log on for a Banner session. Important note: If you forget your password, contact the Banner Security Administrator at bannersecurity@montana.edu. Information Security - Introduction 5

7 Secure Your Desktop Remember to never store any sensitive information on your desktop. You can take several simple steps to ensure the security of your desktop. These include: keep your operating system up to date with current patches and releases run current anti-virus (McAfee) and anti-spyware software (such as Windows Defender) keep your applications up to date enable your personal firewall ensure that you have a password protected screen saver and that you manually lock your screen whenever you leave your area For assistance with any of these items, be sure to contact your Help Desk: Stay Safe Online Using common sense when browsing the Internet, handling , and instant messaging will go a long way to keeping your safe from most exploits but some malicious attacks can be difficult to detect if you don t know what to look for. While logged into Banner Self-Service be sure not to click any links that you receive through , instant messenger or a similar manner. Clicking the link could allow a hacker to execute commands through your account to either change information or receive sensitive data from Banner. Beware if you receive s requesting confirmation of financial account data or other personal information. These phishing scams can appear to be legitimate communications from various institutions (Citibank, ebay, PayPal, etc) but in fact are fraudulent attempts at gaining access to your private information. Legitimate entities will not send messages requesting that you enter personal information. When in doubt, delete the message and initiate the communication with the entity either by phone or by opening a new Web browser and entering the correct URL manually. In addition, use caution when downloading items from the Internet and visiting web sites. Spyware and Malware can not only affect the performance of your desktop but software such as keyloggers can reveal your passwords to others on the Internet. When communicating via , it is important to know that your communications are not secure and can be intercepted. Sensitive information should not be sent via messages or attachments. Information Security - Introduction 6

8 Resources Your Help Desk x1777 Banner Security Justin van Almelo Banner Security Associate x7464 Rich Shattuck Network Security Systems Analyst x7930 Brandon Hardin Web Security Analyst x3271 Adam Edelman Chief Security Officer x5091 Information Security - Introduction 7

9 Exercises 1. Under FERPA, the following activities are permissible: A. Releasing student grades over the telephone when the caller insists. B. Post a report listing student name, social security number, enrollment status, and GPA of all undergraduate students on the MSU Web site. C. Provide student transcripts to anyone without written consent from the student. D. None of the above. 2. When choosing a password, which of the following options describe the best approach? A. Using your dog s name. B. An 8 or more character mix of letters, numbers, and special characters, such as B1rDW!cH C. Any password less than 8 characters. D. Using your phone number. 3. On your Windows XP desktop, if a message pops up stating Updates are Ready for Your Computer. Click Here to Install, you should: A. Go home and take the rest of the week off. B. Ignore the message and continue working. C. Click the icon to install the updates as soon as possible. D. Post student information on the MSU Web site. 4. When storing reports containing sensitive information on your desktop, you should always be sure to: A. Include credit card numbers, social security numbers, student grades, other personally identifiable information. B. Leave your password written on a Post-It on your monitor in case anyone needs access to the information. C. Not tell anyone. D. None of the above. You should never store sensitive information on your desktop. answers: 1. D, 2. B, 3. C, 4. D Information Security - Introduction 8