INFORMATION SECURITY GUIDE. Employee Teleworking. Information Security Unit. Information Technology Services (ITS) July 2013



Similar documents
General Rules of Behavior for Users of DHS Systems and IT Resources that Access, Store, Receive, or Transmit Sensitive Information

SUBJECT: Effective Date Policy Number Security of Mobile Computing, Data Storage, and Communication Devices

Written Information Security Plan (WISP) for. HR Knowledge, Inc. This document has been approved for general distribution.

The Department of Health and Human Services Privacy Awareness Training. Fiscal Year 2015

SAFEGUARDING PRIVACY IN A MOBILE WORKPLACE

Guide to INFORMATION SECURITY FOR THE HEALTH CARE SECTOR

ALTA OFFICE SECURITY AND PRIVACY GUIDELINES ALTA

NC DPH: Computer Security Basic Awareness Training

Information Security

Computer Security at Columbia College. Barak Zahavy April 2010

Data and Information Security Policy

DATA PROTECTION IT S EVERYONE S RESPONSIBILITY. An Introductory Guide for Health Service Staff

ENISA s ten security awareness good practices July 09

Information Security It s Everyone s Responsibility

Mobile Devices: Know the RISKS. Take the STEPS. PROTECT AND SECURE Health Information.

Network Security Policy

National Cyber Security Month 2015: Daily Security Awareness Tips

Mobile Devices: Know the RISKS. Take the STEPS. PROTECT AND SECURE Health Information.

HFS DATA SECURITY TRAINING WITH TECHNOLOGY COMES RESPONSIBILITY

BSHSI Security Awareness Training

Cyber Security Best Practices

HIPAA Security Alert

HELPFUL TIPS: MOBILE DEVICE SECURITY

AVOIDING ONLINE THREATS CYBER SECURITY MYTHS, FACTS, TIPS. ftrsecure.com

Appendix 4-2: Sample HIPAA Security Risk Assessment For a Small Physician Practice

Section 5 Identify Theft Red Flags and Address Discrepancy Procedures Index

Information Security Policy. Policy and Procedures

Information Security It s Everyone s Responsibility

SECURITY FOR ENTERPRISE TELEWORK AND REMOTE ACCESS SOLUTIONS

COMMONWEALTH OF PENNSYLVANIA DEPARTMENT S OF PUBLIC WELFARE, INSURANCE AND AGING

Ixion Group Policy & Procedure. Remote Working

Cyber Security Awareness

Safe Practices for Online Banking

HIPAA Privacy & Security Rules

Course: Information Security Management in e-governance

MIT s Information Security Program for Protecting Personal Information Requiring Notification. (Revision date: 2/26/10)

Tameside Metropolitan Borough Council ICT Security Policy for Schools. Adopted by:

HIPAA SECURITY RISK ASSESSMENT SMALL PHYSICIAN PRACTICE

All Users of DCRI Computing Equipment and Network Resources

Identity Theft Prevention Program Compliance Model

Policies and Compliance Guide

Basic Computer Security Part 2

Insider Threats in the Real World Eavesdropping and Unauthorized Access

So the security measures you put in place should seek to ensure that:

SCRIPT: Security Training

HIPAA Compliance Annual Mandatory Education

PREP Course #25: Hot Topics in Cyber Security and Database Security. Presented by: Joe Baskin Manager, Information Security, OCIO

A Guide to Information Technology Security in Trinity College Dublin

Business ebanking Fraud Prevention Best Practices

Laptops, Tablets, Smartphones and HIPAA: An Action Plan to Protect your Practice

Introduction. Purpose. Reference. Applicability. HIPAA Policy 7.1. Safeguards to Protect the Privacy of PHI

A practical guide to IT security

Cyber Security Awareness

Section 12 MUST BE COMPLETED BY: 4/22

HIPAA Training for Staff and Volunteers

Frequently Asked Questions

PS177 Remote Working Policy

Appendix H: End User Rules of Behavior

Peace Corps Office of the OCIO Information and Information Technology Governance and Compliance Rules of Behavior for General Users

Estate Agents Authority

Internet threats: steps to security for your small business

Security awareness training is not a substitute for the LEADS Security Policy.

SECURITY POLICY REMOTE WORKING

Securing Patient Data in Today s Mobilized Healthcare Industry. A Good Technology Whitepaper

Corporate Account Take Over (CATO) Guide

DHHS Information Technology (IT) Access Control Standard

IT Security DO s and DON Ts

Hot Topics in IT Security PREP#28 May 1, David Woska, Ph.D. OCIO Security

HIPAA and Health Information Privacy and Security

Business Internet Banking / Cash Management Fraud Prevention Best Practices

The Hidden Dangers of Public WiFi

SBA Cybersecurity for Small Businesses. 1.1 Introduction. 1.2 Course Objectives. 1.3 Course Topics

HIPAA Security. assistance with implementation of the. security standards. This series aims to

Transcription:

INFORMATION SECURITY GUIDE Employee Teleworking Information Security Unit Information Technology Services (ITS) July 2013

CONTENTS 1. Introduction... 2 2. Teleworking Risks... 3 3. Safeguards for College Owned Technology... 4 4. Safeguards for Personally Owned Technology... 6 1

1. Introduction Many employees use College owned or personally owned computing devices while working at home, other locations or while travelling. This is often referred to as Teleworking or Telecommuting. The College provides various technologies to support Teleworking situations. This includes laptops, tablets and mobile phones if supplied by your department. Some employees use their own home computers to access College IT resources. The College also operates and maintains the Secure Portal for Staff (https://secure2.algonquincollege.com/+cscoe+/portal.html) that provides secure connections to e-mail, central storage drives, commonly used applications and personal desktop computers. Teleworking technologies and environments often need special care and protection because they are often exposed to additional vulnerabilities, threats and risks. Therefore, it is important that staff are aware of the additional safeguards required to protect College assets and sensitive information when working remote. This guide provides an overview of the Teleworking risks as well as the safeguards that should be implemented. Algonquin College s Information Sensitivity and Security Directive, IT-05, provides additional requirements and direction. Questions or suggestions regarding these guidelines should be forwarded to: Manager, Information Security Information Technology Services (ITS) infosec@algonquincollege.com X6491 2

2. Teleworking Risks Teleworking brings increased risks to College technology and most importantly, the sensitive information stored within. These include: Loss or theft of an asset such as a laptop, tablet, or mobile phone. There is a 30% probability that a user will lose a portable device within any given year. The average cost of a stolen laptop is $37,000 which includes loss of the asset, staff time spent investigating the incident, loss of information and breach/lawsuit related costs; Unauthorized use of an asset, due to automatic logoff not being implemented, allowing unauthorized individuals to use the asset; Damage to an asset, due to break and enter crimes, dropping, unauthorized mishandling, and spilling of liquids; Unauthorized disclosure of sensitive information, such as when unauthorized individuals oversee sensitive information on a computer/mobile phone screen at home, in a restaurant or café, in an airport, or while travelling on public transportation. This can also happen when home computers used to access College systems are connected to insecure wireless (Wi-Fi) home routers, or improperly disposed of; Loss or theft of the sensitive information, when an unprotected (i.e. no encryption) computer or USB drive is lost or stolen, leading to legislation (e.g. PIPEDA, FIPPA, PHIPA) breaches as well as breach notification and potential lawsuits; Compromise of login credentials, leading to system hacking, corporate network and application hacking, and identity theft. This can occur when staff use unprotected private or public networks, particularly Wi-Fi networks or use unprotected Bluetooth communications in public areas; and Computer or mobile phone malware, including viruses, worms, and Trojan horses, due to the devices being inappropriately protected. 3

3. Safeguards for College Owned Technology The safest and easiest way to protect College sensitive data is to use ITS approved technology including laptops, tablets, desktops and mobile phones. In is this way, you can be assured that devices are using some of the latest ITS-approved security technologies including full disk and USB drive encryption, anti-malware protection, and have the latest security settings enabled for login, passwords, password enabled screen savers, time-enabled auto logoff and secure network login. The following checklist will help you ensure that College security policies, best practices and a standard of due care are being followed: 1. Use College owned computers wherever possible, and enable the standard, approved set of security safeguards for encryption, anti-malware, password-enabled screen savers and auto logoff. 2. Conduct only College business on College owned computers. 3. Secure your home wireless (Wi-Fi) router using strong passphrases, WPA-2 encryption (do not use insecure WEP encryption) and MAC addressing if possible. 4. Conduct your computing in a private area of your home, away from prying eyes and inadvertent, unauthorized access; 5. Be conscious of individuals that might be shoulder surfing, such as family members or individuals in public places. While at home, use a private place to conduct your computing. 6. Do not use portable computing devices in high risk public areas such as restaurants, coffee houses and airports. 7. If you must lock a portable computing device in a car, place it in a protected, nonvisible location, such as a trunk, for the minimal amount of time possible. 8. If you must secure a portable computing device while at a hotel, lock it up in the room safe or front desk safe. Never leave it unattended in a hotel room. 9. Use a Kensington laptop lock to physically secure portable computers from theft, whenever unattended. These are available from the Technology Store. Tablet computers may not have a locking capability if so, always secure the device when not attended. 10. Limit your use of USB drives generally due to the high risk to information that they bring. Instead, work off of your computer or a Network drive, wherever possible. 11. Never use unapproved, insecure, regular USB drives to store College information. 12. Never use unapproved, portable hard drives to store College information. 13. Never store Health related personally identifiable information (PII) on USB drives or on portable drives, without the explicit written approval of the Manager, Information Security, ITS. 14. Use approved Windows Bitlocker enabled USB drives, as setup by ITS, whenever possible. If unavailable, use ITS-approved, secure USB drives to store College 4

information. These are available from the Information Security Unit, ITS. Make sure to write your USB password down and store it is a secure place in case you forget it. Forgetting your password will lead to permanent loss of information. 15. Use strong passwords: Minimum 8 characters, use upper and lower case letters and include at least one number, don t include personal information, change every 120 days, and don t reuse the same password for 2 years. 16. Shred printouts of all College information in cross-cut shredders, or bring back to the office and shred, or deposit in a secure shredding bin. 17. Turn off Wi-Fi and Bluetooth networking services while not in use or while travelling on public transportation. 18. Immediately report suspicious, suspected and actual security incidents and breaches to the Manager, Information Security, ITS. 5

4. Safeguards for Personally Owned Technology If you do not have access to College owned (and loaned) technology, and you must use your own, be careful of the increased risks to College information. Remember that it is highly likely College information will be stored on your own device(s). Even if you cannot see the information through usual means, it will exist on hard drives and can be accessed through operating system applications or other software. The following checklist will help you ensure that College security policies, best practices and a standard of due care are being followed while using your own technology: 1. Limit the computer to only your use (i.e. do not allow family members or others to use the same device). 2. Implement full disk encryption, in case your computer is stolen or lost. 3. Implement anti-malware software that provides real-time protection as well as (minimum) full disk weekly scans. 4. Use password-enabled screensavers that activate within 30 minutes of user inactivity. 5. Ensure that your operating system and applications are receiving regular patch updates. 6. Turn off Wi-Fi and Bluetooth communications services when not being used. 7. Secure your home wireless (Wi-Fi) router using strong passphrases, WPA-2 encryption (do not use insecure WEP encryption) and MAC addressing if possible. 8. Conduct your computing in a private area of your home, away from prying eyes and inadvertent, unauthorized access. 9. Be conscious of individuals that might be shoulder surfing, such as family members or individuals in public places. 10. Separate College and Personal work storage areas. 11. Do not use portable computing devices in high risk public areas such as restaurants, coffee houses and airports. 12. If you must lock a portable computing device in a car, place it in a protected, nonvisible location, such as a trunk, for the minimal amount of time possible. 13. If you must secure a portable computing device while at a hotel, lock it up in the room safe or front desk safe. Never leave it unattended in a hotel room. 14. Use a Kensington laptop lock to physically secure portable computers from theft, whenever unattended. These are available from the Technology Store. Tablet computers may not have a locking capability if so, always secure the device when not attended; 15. Limit your use of USB drives generally due to the high risk to information that they bring. Instead, work off of your computer or a Network drive, wherever possible. 16. Never use unapproved, insecure, regular USB drives to store College information. 17. Never use unapproved, portable hard drives to store College information. 6

18. Never store Health related personally identifiable information (PII) on USB drives or on portable drives, without the explicit written approval of the Manager, Information Security, ITS. 19. Use ITS-approved, secure USB drives to store College information. These are available from the Information Security Unit, ITS. Make sure to write your USB password down and store it is a secure place in case you forget it. Forgetting your password will lead to permanent loss of information. 20. Use strong passwords: Minimum 8 characters, use upper and lower case letters and include at least one number, don t include personal information, change every 120 days, and don t reuse the same password for 2 years. 21. Shred printouts of all College information in cross-cut shredders, or bring back to the office and shred, or deposit in a secure shredding bin. 22. Do not leave your computer at a service facility where sensitive College data can be accessed and/or copied while not being supervised. Alternatively, bring the computer to work where an ITS client services technician can assist. 23. Turn off Wi-Fi and Bluetooth networking services when not in use or while travelling on public transportation. 24. Immediately report suspicious, suspected and actual security incidents and breaches to the Manager, Information Security, ITS. Acronyms and Definitions ITS Information Technology Services PII Personally Identifiable Information PHI Personal Health Information PHIPA Personal Health Information Protection Act (Ontario) FIPPA Freedom of Information and Protection of Privacy Act (Ontario) PIPEDA Personal Information Protection and Electronic Documents Act (Canada) USB Universal Serial Bus Wi-Fi Wireless WPA Wireless Protected Access WEP Wired Equivalency Protocol 7

Information Security is everybody s business 8

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information