SCRIPT: Security Training

Transcription

1 SCRIPT: Security Training Slide Name Introduction Overview 1 Overview 2 Overview 3 Text Welcome to the MN WIC Program Security Training Module for all MN WIC Program staff provided by the MN Department of Health WIC Program. The purpose of this training is to review the processes for ensuring "the security of the WIC Information System networks, data and computer equipment". (Ref: MOM, Section 9.3) In order to do this, we must understand and recognize what the expectations are for maintaining participant and data privacy: and what our responsibilities are towards ensuring that we protect ourselves and our participants from security breaches. During this training, we will help identify the security procedures that we can use to protect our computer equipment; along with the system's security features that help us to protect ourselves and our participant's data; Q1 - What do you Data Privacy 1 Lastly, we'll discuss how to identify a security incident and what to do if it occurs. Data Privacy TRUE/FALSE: WIC data is private under Federal WIC Regulation. "WIC data is private under Federal WIC Regulations, Section 246.2(d). This regulation restricts the use and disclosure of information from WIC applicants and participants to persons directly connected with the administration or enforcement of the program..." (Ref. MOM, Section 1.7) Data Privacy 2 It is our responsibility as representatives of the WIC Program to secure access to our participant's private information and to "ensure the security of WIC Information System networks, data and computer equipment". (Ref: MOM, Section 9.3) Q2 - What do you Windows Login Windows Login 1 Full-Disk Encryption Windows Login 2 System Security Features TRUE/FALSE: My Window's login is a system security feature. If you chose TRUE for the answer to that last question, you were right...but probably not only for the reason you were thinking. Let's start with the system's security features. Although our Windows login "unlocks" the computer so that we can use it, which is probably the security reason we are most familiar with, it also functions as a key to unlock the encrypted information on our computer. Our desktops and laptops have something called "full-disk encryption". This is technology that protects information on the computer by converting it into a nonreadable format, making it unreadable or unusable by anyone that does not have the key to unlock it. Our Windows login is the key to unlocking the encryption on our hard drive so that we can access, read and use the information stored on our computer. Page 1 of 7

2 Q3 - What do you HTTPS Q4 - What do you Wireless 1 Wireless 2 Q5 - What do you HuBERT Login 1 HuBERT Login 2 Passwords HuBERT Login 3 Q6 - What do you Passwords 1 TRUE/FALSE: The "s" in " in the URL means the path between the site and your computer is encrypted. The "s" in the in a URL indicates that it is secure. Although the HuBERT application masks the URL so that we don't see it when we open HuBERT, web service uses HTTPS to create a secure, encrypted path between the HuBERT servers and our computers. TRUE/FALSE: Wireless Internet connections can be made secure. The statement in that last question is true. A wireless router can be used to direct information between the HuBERT computers, printers, and the Internet. Wireless connections, that use MDH-owned WIC routers, are encrypted and just as secure as a wired connection, so aren't higher risk. Always be aware of the source of your wireless connection. WIC laptops will automatically connect to an MDH-owned WIC router. The risk with wireless happens when you choose to connect to a network that is run by an unknown entity. There is inherent risk when using a wireless connection when you don't know who is actually running the wireless network. MULTIPLE CHOICE (select one): You are required to login to HuBERT a. As another requirement that just makes your job harder b. As another security measure c. To protect information in HuBERT from unauthorized users d. As an exercise to improve your memory e. Answers B and C The answer to that last question was kind of an easy one, right? As much as it may sometimes feel like all the usernames and passwords that we have to remember to do our job makes it harder, and as potentially advantageous it may be for assisting our memory, logging into HuBERT with our unique username and individual passwords is another security measure that protects information in HuBERT from unauthorized users. We should always make sure to login before making any changes in HUBERT. By logging into HuBERT, we are telling the system that we are responsible for the actions performed on that computer. This is why it is so important to keep our passwords secret. If anyone else were to learn our password, they could perform inappropriate actions in HuBERT for which we could be held responsible. The system uses our username to track the changes we make in HuBERT. It also creates a log to record when each of us logs in, the duration of our session and when we log out to ensure HuBERT isn't being accessed during unexpected days or hours. MULTIPLE CHOICE: How often do our HuBERT passwords expire? a. Every 30 days b. Every 60 days c. Every 90 days d. They don't - we need to remember to change them e. They don t - we never have to change them Our HuBERT passwords expire every 90 days. Page 2 of 7

3 Passphrase 1 Passphrase 2 Passphrase 3 Password Standards Passwords 2 Q7 - What do you Roles 1 Roles 2 Features Roles 3 Q8 - What do you Deactivation 1 Deactivation 2 When we create a new password, we should always try to make them hard to guess but easy for us to remember. Using multiple words to create your password is called a "passphrase". This can help our password be stronger because it's harder to guess. If we use a passphrase near-and-dear to us, it should be easy to remember. Since our HuBERT passwords must be 8-16 characters long, we could use a passphrase such as "candy is my happy". By running the words together, adding some easy to remember capital letters, and swapping out symbols and numbers for a couple of letters......we've made a really strong password (c@ndy1smyh@ppy:)) This passphrase also meets the standards for HuBERT passwords, which are: must be 8-16 characters, include upper and lower case letters, include a number, and include a special character (symbol). It must also be different from the last 9 passwords we've used. If you think your password has been compromised, be sure to change it immediately. Remember, your password protects you. TRUE/FALSE: Users are assigned a specific role in HuBERT, which limits that user's access to certain modules or functions within the HuBERT application. Everyone who uses HuBERT has been assigned a specific role, or roles, that regulates how they can use HuBERT. Most of us who provide services directly to the participant have Role 1. This allows us access to all certification and benefit issuance functionality but doesn't allow us to build the clinic calendar or to perform local admin functions such as maintaining Referral Organizations and our agency's list of medical clinics. Roles 2 and 10 allow us to perform those functions, respectively. We also have a role that only allows us to search for and view information in participant folders; a role that is assigned to peer breastfeeding counselors, which limits their ability to view and input data; and yet another role that allows users access to the Reports Environment. In order to individualize each role, it is assigned certain specific "features". These features are what allows us to do what we can do in HuBERT. In this way, roles increase the system's security by limiting our access to only those functions we need in order to do our job. TRUE/FALSE: If a user leaves unexpectedly, the agency's Coordinator should send in a HuBERT User Request to deactivate the account as soon as possible. According to MOM policy (section 9.3), "In case of unplanned departure of staff, Local Agency Coordinators must call the Help Desk to immediately deactivate the user name account." This is to safeguard against potential malicious activities that could be performed in HuBERT to corrupt data, etc. For users who are leaving on a pre-determined date, the Coordinator should send a HuBERT User Request to deactivate the user's access on their departure date at least 3-5 days before that date. Page 3 of 7

4 Physical Security 1 Physical security is probably the easiest security measure to perform and also one of the easiest to neglect. It is often a matter of practicing common sense. Q9 - What do you TRUE/FALSE: Only laptops (not desktops) need to be locked to a stationary object using a Kensington Lock. Physical Security Our laptops and desktop computers should always be locked to a stationary 2 object using a Kensington lock. Kensington locks connect to the computer so that if someone were to try to pull Kensington Locks the lock out to steal the computer, the hard drive would be damaged and the 1 computer rendered unusable, and its information inaccessible. Kensington Locks 2 Kensington Locks 3 Physical Security Each lock comes with two keys. For desktops, both keys should be stored in a secure location. For laptops, the spare key should be stored in a secure location. Preferably, this location would be separate from where the Kensington lock is used. The second key, which we use to lock our laptop down when not traveling with it, should be kept on our person to keep it secure, and not stored in a desk drawer or bag, where it might be easily found and used to unlock our computer. Data Protectors Q10 - What do you Private Data Locking Computer Q11 - What do you Traveling 1 Physical Security & Data Privacy One purpose of this training is to convey the importance of our roles as data protectors. It is our responsibility to safeguard private data that is entrusted to us as part of our daily work in the WIC Program TRUE/FALSE: Using Ctrl + Alt + Del to lock our computer is one way to protect data privacy. Information on HuBERT screens is private. The fact that a person is on the WIC Program is private information. Leaving screens unlocked to be viewed by anyone walking by is neglecting our responsibility towards our participants not to reveal their personal information. Before we walk away from our computer and leave it unattended, we should always lock it so that information on our desktop cannot be inadvertently viewed by anyone who shouldn't see it. Locking our computer is simply a matter of pressing Control Alt Delete and then the Enter key, which selects the option to lock the computer. A keyboard shortcut for locking our computer is pressing the Windows key and the letter "L". When the computer is locked, only the person currently logged in (or a person with administrative rights) can access the computer. In order to unlock it, we simply enter our password. In order to safeguard against the occasional occurrences whereby we unintentionally leave our computers unlocked, our HuBERT computers are set to auto-lock after 10 minutes of inactivity. TRUE/FALSE: As long as our laptop is in a computer bag, it is OK to leave it on the floor, or seat of our car, when traveling with it. We need to be smart when traveling with our computers. In general, we shouldn't leave our computers in our car. However, there may be instances where we have to, such as if we were to run errands between work and home. In these instances, we should always lock it in the trunk and never leave it sitting out in the open, even if it is in a laptop bag. Page 4 of 7

5 Traveling 2 Q12 - What do you Printing Documents 1 Printing Documents 2 Q13 - What do you Deleting Data Removable Media 1 Removable Media 2 Share Drives If we are using it at a conference or off-site, we need to remember to use our Kensington lock to lock it down. Since we never know who may walk by our computer, whether it is a member of our family, a friend or a stranger, none of whom is privy to the information that may be displayed, we need to make sure we always lock the screen before walking away from it. TRUE/FALSE: Printed materials with private data on them should be stored as securely as our computers. T/F (TRUE) Printed materials with private information should be stored as securely as our computers. They should not be left out in the open or stored where they can be viewed by anybody. Store them in a lockable desk drawer or file cabinet when not using them. Printing information that contains private data is sometimes necessary and unavoidable. However, again, we need to be smart about it. If we print a document or report that has private information, we should immediately go to the printer right after we send it in order to pick it up. It should never sit on the printer where any person passing by might see it or accidentally pick it up. If the printed material is no longer being used and is unnecessary, it should be destroyed as appropriate, by shredding and disposing of it in the same manner as your agency disposes of other private data. TRUE/FALSE: When we delete information from a flash drive or from our computer, it is gone forever. Information that has been deleted from flash drives or computers is not gone forever. It can always be restored or retrieved unless a data wiping process has occurred or the storage media has been physically destroyed. OK. So let's talk about removable storage media. This includes flash drives, CDs, or DVDs. In some cases, we may need to copy documents or print screens from a WIC computer onto a flash drive. However, this kind of data storage is appropriate only for short-term use. If it contains ANY participant information, it should be protected as diligently as our computers. This means, when we aren't actively using it, the removable storage device should be stored in a locked location, such as a locked desk or file cabinet. Once we no longer need the information stored on it, the information should be removed or deleted from the device. The caveat here is that even though we may have deleted the information, it should be treated as if it still contains private information. The reason for this is that even though it may look like the information is gone, it can still be easily recovered. Remember, the only time we can be ensured the information is no longer available on the removable storage device is when it is destroyed. There is one last thing we need to mention. Many of us work in environments where we have Share (or Network) drives. We need to be cognizant of the inherent risk of saving private information from the WIC Program to a Share drive that may be used by other staff within your agency who aren't privy to private WIC data. Always keep in mind when saving information who should be allowed to have access to it and who actually does have, or will have, access to it. Page 5 of 7

6 Q14 - What do you ing Info 1 ing Info 2 FileZilla Q15 - What do you Social Engineering 1 Social Engineering 2 Q16 - What do you Lost/Stolen 1 Electronic Communication TRUE/FALSE: It is OK to send with participant's names because is always secure and encrypted. In this age of constant instant communication, we may not think twice about sending participant information via . In many cases, may be encrypted, but with the multitude of different providers it is impossible to guarantee this and we should never make this assumption. There are methods for sending a secure , and you can contact your county IT if you are interested in finding out if any are available to you. However, in general, best practice is to not send private information via . All participant's have a unique State WIC ID and if it is necessary to send information about participants, then the State WIC ID should be used instead of names. The state often uses the agencygateway on the FileZilla FTP site to post documents or reports that contain private participant data. This is a secure location for storing and transferring documents. When a document is downloaded, it is encrypted during the transfer. Social Engineering TRUE/FALSE: We should never automatically provide personal participant information when requested by , phone or in person. If we receive a request for personal information, we should never automatically provide it. Never provide information unless, or until, we can fully verify who the person is and that we are 100% certain that this person has been authorized to have access to this information. Remember, WIC Federal Regulation "restricts the use and disclosure of information from WIC applicants and participants to person directly connected with the administration or enforcement of the program " We may get requests for information every day via , phone, or in person and it is our responsibility to ensure that it is appropriate for us to provide that information. We must always be very careful with any requests received in regards to a participant. In most cases, we should always contact our supervisor or coordinator, and if necessary our State Program Consultant, if we have any question at all. Lost/Stolen Computers and Media TRUE/FALSE: If a computer or storage media with participant information is lost or stolen, Local Agencies must IMMEDIATELY contact the State WIC Program. Even though our computers are encrypted, if lost or stolen, there is still huge potential for compromising private participant information. It is paramount that we immediately contact our supervisor. The State Office must also be immediately notified, including the WIC Operations Unit Supervisor, WIC Operations Information Technology Specialist, the WIC Program Unit Supervisor and our agency's WIC Program Consultant. Page 6 of 7

7 Lost/Stolen 2 We must also provide the following information: * Our agency's name and ID number * A list of the missing equipment * The location where the loss/theft occurred * The date and time the loss/theft occurred (actual if known or estimated) * The circumstances involved * A copy of the police report (if applicable) Lost/Stolen 3 Lost/Stolen 4 Review Questions References End Slide Lost or stolen equipment and media storage is taken very seriously at the State and needs to be taken just as seriously be each agency and staff person. The repercussions of losing personal or private data is widespread. It is something that affects everyone at your agency, the State Office and above. If data is indeed lost, notifications may need to be made to our participants that their information, however unintentionally, may now be in the hands of persons unknown. Therefore, we must always take the highest care when transporting and using our computers, and removable media storage, to ensure that the information we've been entrusted with is always secure. To test what you've learned by watching this module, please go to the Review Questions module to complete the security training. References: MOM, Section Data Privacy and MOM, Section Data Security. Thank you for reviewing this Security Training module presented to you by the MN Department of Health WIC Program. Page 7 of 7