Information Security It s Everyone s Responsibility

Transcription

1 Information Security It s Everyone s Responsibility Developed By The University of Texas at Dallas (ISO)

2 Purpose of Training As an employee, you are often the first line of defense protecting valuable information attackers will try to compromise. Every UT Dallas employee is responsible for learning more about information security and participating in risk reduction. Several federal and state laws, as well as UT System and UT Dallas policies, are intended to help protect University Data. The ISO website has more information:

3 What is the Mission of the ISO? The (ISO) supports the mission of UT Dallas by building a culture of security awareness and risk management to protect the confidentiality, integrity, availability, and accountability of information assets. Nate Howe Director of Information Security, CISO The ISO serves UT Dallas as a partner and educator. Risk mitigation is achieved through awareness training, technology solutions, inclusion of security controls in new projects, and regulatory compliance.

4 Information Security Objectives The term information security may mean different things to different audiences, so let s begin by defining the objectives: Confidentiality: Users should only see information needed to do their jobs. Integrity: Information should not be altered unexpectedly. Availability: Information should be available to users when needed and systems should perform as expected. Accountability: It should be clear who accessed information, what was performed, and when it happened.

5 Examples of Information Security Controls Data classification Encryption Malware prevention Physical security Users provided only necessary access Access control File backups / version history File hashing Event logging Individual accounts for each user NetIDplus two-factor authentication Disaster recovery File backups Malware prevention Network drives and CometSpace cloud storage

6 Knowledge Check Match the information security principles to their definitions. 1. Confidentiality 2. Integrity 3. Availability 4. Accountability A. Data should be consistent and accurate. B. Data should be accessible when needed. C. Data modifications should be traceable to an individual. D. Data should not be disclosed to unauthorized parties.

7 Data Classification University Data is classified into three categories based on confidentiality. Higher value data requires more security protection. Data Category Definition Examples Confidential Data Controlled Data Public Data The subset of University Data that is private or confidential by law or otherwise exempt from public disclosure and/or other University Data about an individual likely to expose the individual to identity theft The subset of University Data that is not created for or made available for public consumption but that is subject to release under the Texas Public Information Act or other laws The subset of University Data intended for public consumption Social Security Numbers (SSN) Passport and visa numbers Student grade information Protected Health Information UTD-IDs UT Dallas s Most research data Department address Information on public websites Press releases & marketing Published articles

8 Knowledge Check Match the following types of data with their data categories. 1. Published articles 2. Social Security Numbers (SSN) 3. UTD-IDs A. Confidential Data B. Controlled Data C. Public Data

9 Encryption Can Be Useful How does it work? Encryption uses special math to make data unreadable if it falls into the wrong hands. It is like sending a letter in an envelope, instead of sending a postcard that anyone can read while handling it. Where is encryption used? Adding the [encrypt] trigger to the subject line of outbound prevents attackers on the Internet from observing the while in transit between organizations. Webmail, banking, and shopping websites that use HTTP Secure look for rather than Encrypting a computer s hard drive can protect all of the contents in the event that it is lost or stolen. VPN remote access protects network traffic by encrypting it. What if I am traveling? Some countries will not allow encrypted devices. A list of countries that allow them can be found at The ISO has unencrypted laptops that can be loaned to traveling employees.

10 Encryption Situation Confidential Data Controlled Data Public Data Two or more UT Dallas users all communicating accounts automatically encrypted by UT Dallas mail system automatically encrypted by UT Dallas mail system automatically encrypted by UT Dallas mail system Two or more UT Dallas users communicating, where at least one prefers to use a third-party service etc. Both senders and recipients required to accounts Both senders and recipients required to accounts encryption not required ing anyone who does not have account, such as business partners, colleagues at other universities, incoming students, etc. Sender account must include [encrypt] trigger in subject line Sender account may include [encrypt] trigger in subject line encryption not required Note: Data Owners may require additional encryption methods, even between UT Dallas users. For example, Callier Center has chosen to continue using certificate-based encryption for Protected Health Information (PHI).

11 Passwords and Passphrases Access to most systems and websites is controlled by a username and password. Your password may not be shared with others it is your responsibility to keep it safe. The longer the password, the safer it is. Many users find it easier to remember a passphrase which may be a statement, title of a book, or memorable line from a song. Use different passwords or passphrases on each website. When attackers compromise one website, they next try to use the stolen credentials on other popular websites. If you must write down passwords to remember them, keep your list under your own control. When setting up questions and answers, be careful that the answers you provide are not easily researched on social media.

12 Social Engineering Attackers try to earn your trust so they can steal passwords and other information. They may you and include links to websites that look convincing but are designed to trick you. Attackers may also call you on the phone, send a text message, or visit in person. They attempt to take advantage of your commitment to provide good service. Be skeptical of unusual requests. Hover your mouse over links in to ensure the web address makes sense. Verify the identity of a requester before sharing information. When in doubt, do not respond! Contact your supervisor or the ISO.

13 Knowledge Check You receive an telling you that you have reached your quota, and that you need to click the included link to verify your login credentials to fix the problem. What should you do? A. Click on the link and provide all the requested information. B. Hover your mouse over the link to see if the web address makes sense given the context of the message. C. Recognize this may be a phishing attempt, do not respond, and forward it to the ISO for analysis. D. B and C

14 Desktops and Laptops Here are several recommendations to protect UT Dallas computers. It is important to use approved tools and techniques, so work with your technical support staff and the ISO to ensure systems in your area are protected. Install software updates to the operating system, plus 3 rd party software such as your web browser, to remove vulnerabilities. Run anti-malware software with the latest available threat updates. Use network drives or CometSpace cloud storage rather than local hard drives. Use hard drive encryption to protect data in case the computer is lost or stolen. Lock your screen when you step away from your desk and configure the screensaver to require a password to unlock.

15 Mobile Devices Tablets and smartphones have become essential tools at UT Dallas. If you are conducting UT Dallas business from a mobile device, you are responsible for the following: Require a pin or passcode to unlock the screen. Configure the device to erase automatically after 10 unsuccessful login attempts. Back up your device and keep your software up-to-date. Enable features to locate or erase your missing device. Only install apps from trusted sources.

16 Physical security is often overlooked. Failure to ensure physical security can lead to information risks. Physical Security Be aware of people in your work space. Verify visitors to restricted areas before permitting entry. Ensure valuable electronic and paper records are locked when they are not in use. Ensure records are securely destroyed when no longer needed. If you work in an office, lock the door as you leave. If you work in a cubicle environment, lock cabinets and bins as you leave. When traveling, UT Dallas equipment should be kept in a hotel safe or vehicle trunk where it will not be observed by potential thieves.

17 Knowledge Check Your department has decided to adopt a clean desk environment to better protect the security of Confidential Data. What are some things you can do to make sure you are following the clean desk procedures? A. Lock physical copies of Confidential Data in filing cabinets before you leave your workspace. B. Lock your door, bins, and drawers as you leave. C. Dispose of documents using a shredder or secure recycling bin. D. All of the above.

18 Information Security Incidents An incident includes accidental or deliberate exposure of data to unauthorized parties or disruption of security controls. Type of Issue Security issues Missing / Stolen equipment Noncompliance / Unethical behavior Copyright infringement / DMCA Who to contact? Please [email protected] or call (979) For anonymous reporting, please use the online form to report an incident: Please report missing or stolen computers to the UT Dallas Police Department at (972) UTDPD will notify the ISO if necessary. The Ethics and Compliance Hotline at (888) provides a confidential means to report instances of suspected non-compliance or unethical behavior. This may include financial matters such as fraud, theft of University assets, or conflicts of interest; and other misconduct or violations of UT Dallas / UT System policy. The Digital Millennium Copyright Act (DMCA) requires UT Dallas to investigate illegal file transfer activity and respond accordingly. For questions about this law, please contact Tim Shaw, the university attorney, at [email protected].

19 Knowledge Check You discover that your backpack containing your university-owned laptop and several USB drives containing Confidential Data has been stolen from your workspace. What should you do first? A. Report the theft to the UT Dallas Police Department. B. Report the theft to the (ISO). C. Order a replacement laptop. D. Hope no one notices.

20 How can the ISO help? The ISO s approach is to effectively manage risks, not eliminate risks. Attempts to fully eliminate risks are costly and could cause a disruption in service. It is important to include ISO in conversations across campus to ensure information security risks are discussed and unacceptable risks are avoided. The main goal of the ISO is to help UT Dallas fulfill its mission while protecting information.

21 Service Highlights ISO offers many new services to help UT Dallas manage information security risks: Additional training: Visit our website for more training opportunities. CometSpace secure cloud storage: Powered by Box.com to store large files, share files outside of UT Dallas, collaborate with teammates, and access files from tablets and smartphones. Log in with existing NetID and password. NetIDplus two-factor authentication: Additional security to protect your NetID identity, required to connect to VPN and update direct deposit. Patch management: ISO offers Secunia to patch your computer operating system and third-party applications. Improved antivirus: ISO is migrating from McAfee antivirus to Microsoft s System Center Endpoint Protection. New website testing: Before new UT Dallas websites go live, ISO can perform testing to identify and reduce vulnerabilities. If you are launching a new website, notify the ISO. Vendor evaluation: UT Dallas business partners may need access to UT Dallas data. To ensure their partnership does not introduce unnecessary risk, ISO assists in the evaluation process.

22 Congratulations! You finished the Information Security Module Thank you for taking the time to review this information. This training module will remain available at the Office of Institutional Equity and Compliance website. Call us: (972) us: Visit our website: utdallas.edu/infosecurity Like us on Facebook: facebook.com/utdinfosec