Information Security: It's Everyone's Responsibility


Information Security: It's Everyone's Responsibility. Developed by The University of Texas at Dallas ISO

Purpose of Training As an employee, you are often the first line of defense protecting valuable information attackers will try to compromise. Every UT Dallas employee is responsible for learning more about information security and participating in risk reduction. Several federal and state laws, as well as UT System and UT Dallas policies, are intended to help protect University Data. The ISO website has more information: http://www.utdallas.edu/infosecurity

What is the Mission of the ISO? The ISO supports the mission of UT Dallas by building a culture of security awareness and risk management to protect the confidentiality, integrity, availability, and accountability of information assets. The ISO serves UT Dallas as a partner and educator. Risk mitigation is achieved through awareness training, technology solutions, inclusion of security controls in new projects, and regulatory compliance.

Nate Howe, Director of Information Security, CISO

Information Security Objectives
The term information security may mean different things to different audiences, so let's begin by defining the objectives:
Confidentiality: Users should only see information needed to do their jobs.
Integrity: Information should not be altered unexpectedly.
Availability: Information should be available to users when needed and systems should perform as expected.
Accountability: It should be clear who accessed information, what was performed, and when it happened.

Examples of Information Security Controls
Confidentiality: Data classification; Encryption; Malware prevention; Physical security; Users provided only necessary access
Integrity: Access control; File backups / version history; File hashing
Accountability: Event logging; Individual accounts for each user; NetIDplus two-factor authentication
Availability: Disaster recovery; File backups; Malware prevention; Network drives and CometSpace cloud storage

Knowledge Check
Match the information security principles to their definitions.
1. Confidentiality
2. Integrity
3. Availability
4. Accountability
A. Data should be consistent and accurate.
B. Data should be accessible when needed.
C. Data modifications should be traceable to an individual.
D. Data should not be disclosed to unauthorized parties.

Data Classification
University Data is classified into three categories based on confidentiality. Higher value data requires more security protection.

Confidential Data
Definition: The subset of University Data that is private or confidential by law or otherwise exempt from public disclosure, and/or other University Data about an individual likely to expose the individual to identity theft.
Examples: Social Security Numbers (SSN); Passport and visa numbers; Student grade information; Protected Health Information

Controlled Data
Definition: The subset of University Data that is not created for or made available for public consumption but that is subject to release under the Texas Public Information Act or other laws.
Examples: UTD-IDs; UT Dallas emails; Most research data; Department procedures

Public Data
Definition: The subset of University Data intended for public consumption.
Examples: @utdallas.edu email address; Information on public websites; Press releases & marketing; Published articles

Knowledge Check
Match the following types of data with their data categories.
1. Published articles
2. Social Security Numbers (SSN)
3. UTD-IDs
A. Confidential Data
B. Controlled Data
C. Public Data

Encryption Can Be Useful
How does it work? Encryption uses special math to make data unreadable if it falls into the wrong hands. It is like sending a letter in an envelope, instead of sending a postcard that anyone can read while handling it.
Where is encryption used?
Adding the [encrypt] trigger to the subject line of outbound email prevents attackers on the Internet from observing the email while in transit between organizations.
Webmail, banking, and shopping websites that use HTTP Secure: look for https:// rather than http://.
Encrypting a computer's hard drive can protect all of the contents in the event that it is lost or stolen.
VPN remote access protects network traffic by encrypting it.
What if I am traveling? Some countries will not allow encrypted devices. A list of countries that allow them can be found at http://wassenaar.org/participants. The ISO has unencrypted laptops that can be loaned to traveling employees.

Email Encryption
Situation: Two or more UT Dallas users all communicating with @utdallas.edu accounts
  Confidential Data: Email automatically encrypted by UT Dallas mail system
  Controlled Data: Email automatically encrypted by UT Dallas mail system
  Public Data: Email automatically encrypted by UT Dallas mail system
Situation: Two or more UT Dallas users communicating, where at least one prefers to use a third-party email service such as @gmail.com, @hotmail.com, etc.
  Confidential Data: Both senders and recipients required to use @utdallas.edu accounts
  Controlled Data: Both senders and recipients required to use @utdallas.edu accounts
  Public Data: Email encryption not required
Situation: Emailing anyone who does not have a @utdallas.edu account, such as business partners, colleagues at other universities, incoming students, etc.
  Confidential Data: Sender using @utdallas.edu account must include [encrypt] trigger in subject line
  Controlled Data: Sender using @utdallas.edu account may include [encrypt] trigger in subject line
  Public Data: Email encryption not required
Note: Data Owners may require additional encryption methods, even between UT Dallas users. For example, Callier Center has chosen to continue using certificate-based email encryption for Protected Health Information (PHI).
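The Data Classification and Email Encryption slides together define a small decision rule: the data category and the accounts involved determine whether a message is encrypted automatically, must carry the [encrypt] trigger, may carry it, or must not leave @utdallas.edu accounts at all. The following is an added example (not UT Dallas code) that encodes that table as a function. It assumes utdallas.edu is the only institutional domain, that the trigger is the literal text "[encrypt]" anywhere in the subject line, and that whether a third-party address (such as @gmail.com) belongs to a UT Dallas user is known from a directory and supplied as a flag, since that cannot be read from the address itself.

```python
"""Added example (not UT Dallas code): the email encryption table as a decision
function, taking the three data categories from the Data Classification slide.
Assumptions: utdallas.edu is the only institutional domain, the trigger is the
literal "[encrypt]" in the subject, and a third-party address being a UT Dallas
user's is known from a directory and passed in as a flag."""
from dataclasses import dataclass
from enum import Enum
from typing import List, Tuple

INSTITUTION_DOMAIN = "utdallas.edu"   # institutional domain named on the page
TRIGGER = "[encrypt]"                 # subject-line trigger named on the page
CATEGORIES = ("Confidential", "Controlled", "Public")


class Requirement(Enum):
    """The five distinct cell values in the table."""
    AUTO = "email automatically encrypted by the UT Dallas mail system"
    INSTITUTIONAL_ONLY = "both senders and recipients required to use @utdallas.edu accounts"
    TRIGGER_REQUIRED = "sender must include [encrypt] trigger in subject line"
    TRIGGER_OPTIONAL = "sender may include [encrypt] trigger in subject line"
    NOT_REQUIRED = "email encryption not required"


@dataclass(frozen=True)
class Party:
    address: str
    utd_user: bool   # assumption: known from a directory lookup, not from the address


@dataclass
class Message:
    sender: Party
    recipients: List[Party]
    subject: str
    category: str    # one of CATEGORIES


def is_institutional(party: Party) -> bool:
    return party.address.rsplit("@", 1)[-1].lower() == INSTITUTION_DOMAIN


def requirement(msg: Message) -> Requirement:
    """Pick the table cell for this message's situation and data category."""
    if msg.category not in CATEGORIES:
        raise ValueError(f"unknown data category: {msg.category!r}")
    parties = [msg.sender, *msg.recipients]
    if all(is_institutional(p) for p in parties):
        return Requirement.AUTO                    # row 1: everyone on @utdallas.edu
    if all(p.utd_user for p in parties):           # row 2: UTD users, one or more on a third-party service
        if msg.category == "Public":
            return Requirement.NOT_REQUIRED
        return Requirement.INSTITUTIONAL_ONLY
    # row 3: at least one party has no @utdallas.edu account. The table is
    # written for a sender on an @utdallas.edu account, so we insist on that
    # (this example's interpretation).
    if not is_institutional(msg.sender):
        raise ValueError("sender must use an @utdallas.edu account for external mail")
    return {
        "Confidential": Requirement.TRIGGER_REQUIRED,
        "Controlled": Requirement.TRIGGER_OPTIONAL,
        "Public": Requirement.NOT_REQUIRED,
    }[msg.category]


def check(msg: Message) -> Tuple[Requirement, bool]:
    """Return the applicable rule and whether the message as composed satisfies it.
    INSTITUTIONAL_ONLY can never be satisfied as composed: the third-party
    address has to be replaced with an @utdallas.edu one before sending."""
    req = requirement(msg)
    if req is Requirement.INSTITUTIONAL_ONLY:
        return req, False
    if req is Requirement.TRIGGER_REQUIRED:
        return req, TRIGGER in msg.subject.lower()
    return req, True


if __name__ == "__main__":
    alice = Party("alice@utdallas.edu", True)
    dave = Party("dave@example.org", False)       # constructed external partner
    for subject in ("Spring grades", "[encrypt] Spring grades"):
        req, ok = check(Message(alice, [dave], subject, "Confidential"))
        print(f"{subject!r}: {req.value} -> {'OK' if ok else 'NOT compliant'}")
```

The only case the address alone cannot settle is row 2 versus row 3: a @gmail.com recipient who is a UT Dallas user falls under "both required to use @utdallas.edu accounts", while an outside colleague on the same service falls under the trigger rule, which is why the example carries the `utd_user` flag separately from the address.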

Passwords and Passphrases Access to most systems and websites is controlled by a username and password. Your password may not be shared with others; it is your responsibility to keep it safe. The longer the password, the safer it is. Many users find it easier to remember a passphrase, which may be a statement, the title of a book, or a memorable line from a song. Use different passwords or passphrases on each website. When attackers compromise one website, they next try to use the stolen credentials on other popular websites. If you must write down passwords to remember them, keep your list under your own control. When setting up security questions and answers, be careful that the answers you provide are not easily researched on social media.
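Two of the statements above can be put in numbers: "the longer the password, the safer it is" and "use different passwords on each website". The following is an added example (not UT Dallas code) that estimates the brute-force search space of a password from its length and the character classes it uses, estimates the same for a randomly chosen word passphrase, and finds password reuse across a set of sites. The character-class sizes are the printable ASCII counts, the 7776-word dictionary size is the common Diceware figure, the guess rate and the sample vault are constructed, and the search-space figure is an upper bound because real guessing tools try dictionary words and common patterns first.

```python
"""Added example (not UT Dallas code): numbers behind the password advice.
search_space_bits() shows why a longer passphrase beats a short complex password;
reused_passwords() finds the reuse that lets one breached site expose others.
Assumptions: printable-ASCII class sizes, the Diceware 7776-word dictionary,
and a constructed guess rate and vault."""
import math
import string

CHARACTER_CLASSES = {
    "lower": string.ascii_lowercase,   # 26
    "upper": string.ascii_uppercase,   # 26
    "digit": string.digits,            # 10
    "symbol": string.punctuation,      # 32
}


def search_space_bits(password: str) -> float:
    """Bits an attacker must search to exhaust every string of this length over
    the character classes the password uses. Upper bound only: guessing tools
    try dictionary words and common substitutions first, so a short 'complex'
    password is weaker than this number suggests."""
    alphabet = sum(len(chars) for chars in CHARACTER_CLASSES.values()
                   if any(c in chars for c in password))
    if not password or alphabet == 0:
        return 0.0
    return len(password) * math.log2(alphabet)


def passphrase_bits(words: int, dictionary_size: int) -> float:
    """Bits for `words` words drawn at random from a dictionary of `dictionary_size`."""
    return words * math.log2(dictionary_size)


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Years needed to try the whole space at an assumed guess rate."""
    return 2 ** bits / guesses_per_second / (365 * 24 * 3600)


def reused_passwords(vault: dict) -> list:
    """Group sites that share a password; any group larger than one is a reuse
    risk. Only site names are returned so the report never echoes a password."""
    groups = {}
    for site, password in vault.items():
        groups.setdefault(password, []).append(site)
    return sorted(sites for sites in groups.values() if len(sites) > 1)


if __name__ == "__main__":
    rate = 1e10  # assumed offline guess rate, guesses per second (constructed)
    for candidate in ("Tr0ub4d0r&3", "correcthorsebatterystaple"):
        bits = search_space_bits(candidate)
        print(f"{candidate:28s} {bits:6.1f} bits  ~{years_to_exhaust(bits, rate):.2e} years")
    print(f"4 random Diceware words: {passphrase_bits(4, 7776):.1f} bits")
    vault = {"bank": "hunter2", "webmail": "hunter2", "shop": "Xy!9pqL"}  # constructed
    print("same password reused on:", reused_passwords(vault))
```

The 11-character password with four character classes comes out near 72 bits, while 25 lowercase letters come out near 118 bits: length adds bits faster than mixing in symbols does, which is the point of recommending passphrases. The reuse check is the user-side view of the credential-stuffing risk the slide describes: any group it returns is a set of sites that fall together if one of them is breached.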

Social Engineering Attackers try to earn your trust so they can steal passwords and other information. They may email you and include links to websites that look convincing but are designed to trick you. Attackers may also call you on the phone, send a text message, or visit in person. They attempt to take advantage of your commitment to provide good service. Be skeptical of unusual requests. Hover your mouse over links in e-mail to ensure the web address makes sense. Verify the identity of a requester before sharing information. When in doubt, do not respond! Contact your supervisor or the ISO.

Knowledge Check
You receive an email telling you that you have reached your email quota, and that you need to click the included link to verify your login credentials to fix the problem. What should you do?
A. Click on the link and provide all the requested information.
B. Hover your mouse over the link to see if the web address makes sense given the context of the message.
C. Recognize this email may be a phishing attempt, do not respond, and forward it to the ISO for analysis.
D. B and C
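The Social Engineering slide's advice to hover over links and check that the web address makes sense, and the quota-email scenario in the knowledge check, can be automated for an HTML message. The following is an added example (not UT Dallas code) that extracts every link from an HTML email body and flags it when the visible text names a different host than the real destination, when the destination is outside a caller-supplied list of trusted domains (utdallas.edu here), or when it is not https. The sample email is constructed for this example and mirrors the quota scenario.

```python
"""Added example (not UT Dallas code): the "hover over the link" check done
programmatically. Assumptions: trusted domains are supplied by the caller, and
a link is suspicious if its visible text names another host than its href, if
it leaves the trusted domains, or if it is not https. Sample email constructed."""
from html.parser import HTMLParser
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit


class LinkCollector(HTMLParser):
    """Collect (visible text, href) pairs for every <a> element."""

    def __init__(self) -> None:
        super().__init__()
        self.links: List[Tuple[str, str]] = []
        self._href: Optional[str] = None
        self._text: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:          # only text inside an open <a>
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def host_of(url_or_text: str) -> str:
    """Hostname of a URL; bare 'host/path' text without a scheme is accepted too."""
    target = url_or_text if "//" in url_or_text else "//" + url_or_text
    return (urlsplit(target).hostname or "").lower()


def in_trusted(host: str, trusted: Tuple[str, ...]) -> bool:
    return any(host == d or host.endswith("." + d) for d in trusted)


def suspicious_links(html: str, trusted=("utdallas.edu",)) -> List[Dict]:
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for text, href in collector.links:
        actual = host_of(href)
        reasons = []
        # Compare hosts only when the visible text itself looks like a URL
        shown = host_of(text) if ("." in text and " " not in text) else ""
        if shown and shown != actual:
            reasons.append(f"text shows {shown} but the link goes to {actual}")
        if not in_trusted(actual, trusted):
            reasons.append(f"{actual} is outside the trusted domains")
        if not href.lower().startswith("https://"):
            reasons.append("link is not https")
        if reasons:
            findings.append({"text": text, "href": href, "reasons": reasons})
    return findings


# Constructed sample modelled on the quota scenario in the knowledge check
SAMPLE_EMAIL = """<p>Your mailbox has reached its quota. Verify your login within 24 hours:</p>
<a href="http://utdallas.edu.mail-quota.example/login">https://www.utdallas.edu/mail/quota</a>
<p>Questions? See <a href="https://www.utdallas.edu/infosecurity">the ISO website</a>.</p>"""


if __name__ == "__main__":
    for finding in suspicious_links(SAMPLE_EMAIL):
        print(finding["href"])
        for reason in finding["reasons"]:
            print("  -", reason)
```

The first link in the sample is what hovering reveals: the text reads as a utdallas.edu address, but the destination host only begins with "utdallas.edu" and actually belongs to another domain, so the suffix check against the trusted list (not a substring match) is what catches it. The second link is genuine and produces no finding.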

Desktops and Laptops Here are several recommendations to protect UT Dallas computers. It is important to use approved tools and techniques, so work with your technical support staff and the ISO to ensure systems in your area are protected. Install software updates to the operating system, plus third-party software such as your web browser, to remove vulnerabilities. Run anti-malware software with the latest available threat updates. Use network drives or CometSpace cloud storage rather than local hard drives. Use hard drive encryption to protect data in case the computer is lost or stolen. Lock your screen when you step away from your desk and configure the screensaver to require a password to unlock.

Mobile Devices Tablets and smartphones have become essential tools at UT Dallas. If you are conducting UT Dallas business from a mobile device, you are responsible for the following: Require a PIN or passcode to unlock the screen. Configure the device to erase automatically after 10 unsuccessful login attempts. Back up your device and keep your software up to date. Enable features to locate or erase your missing device. Only install apps from trusted sources.

Physical Security
Physical security is often overlooked. Failure to ensure physical security can lead to information risks. Be aware of people in your work space. Verify visitors to restricted areas before permitting entry. Ensure valuable electronic and paper records are locked when they are not in use. Ensure records are securely destroyed when no longer needed. If you work in an office, lock the door as you leave. If you work in a cubicle environment, lock cabinets and bins as you leave. When traveling, UT Dallas equipment should be kept in a hotel safe or vehicle trunk where it will not be observed by potential thieves.

Knowledge Check
Your department has decided to adopt a clean desk environment to better protect the security of Confidential Data. What are some things you can do to make sure you are following the clean desk procedures?
A. Lock physical copies of Confidential Data in filing cabinets before you leave your workspace.
B. Lock your door, bins, and drawers as you leave.
C. Dispose of documents using a shredder or secure recycling bin.
D. All of the above.

Information Security Incidents
An incident includes accidental or deliberate exposure of data to unauthorized parties or disruption of security controls.
Security issues: Please e-mail infosecurity@utdallas.edu or call (979) 883-6810. For anonymous reporting, please use the online form to report an incident: https://utdallas.edu/infosecurity/report/.
Missing / Stolen equipment: Please report missing or stolen computers to the UT Dallas Police Department at (972) 883-2222. UTDPD will notify the ISO if necessary.
Noncompliance / Unethical behavior: The Ethics and Compliance Hotline at (888) 228-7702 provides a confidential means to report instances of suspected non-compliance or unethical behavior. This may include financial matters such as fraud, theft of University assets, or conflicts of interest; and other misconduct or violations of UT Dallas / UT System policy.
Copyright infringement / DMCA: The Digital Millennium Copyright Act (DMCA) requires UT Dallas to investigate illegal file transfer activity and respond accordingly. For questions about this law, please contact Tim Shaw, the university attorney, at tim.shaw@utdallas.edu.

Knowledge Check
You discover that your backpack containing your university-owned laptop and several USB drives containing Confidential Data has been stolen from your workspace. What should you do first?
A. Report the theft to the UT Dallas Police Department.
B. Report the theft to the ISO.
C. Order a replacement laptop.
D. Hope no one notices.

How can the ISO help? The ISO's approach is to effectively manage risks, not eliminate risks. Attempts to fully eliminate risks are costly and could cause a disruption in service. It is important to include the ISO in conversations across campus to ensure information security risks are discussed and unacceptable risks are avoided. The main goal of the ISO is to help UT Dallas fulfill its mission while protecting information.

Service Highlights
ISO offers many new services to help UT Dallas manage information security risks:
Additional training: Visit our website for more training opportunities. https://utdallas.edu/infosecurity/outreach/
CometSpace secure cloud storage: Powered by Box.com to store large files, share files outside of UT Dallas, collaborate with teammates, and access files from tablets and smartphones. Log in with existing NetID and password. http://www.utdallas.edu/cometspace/
NetIDplus two-factor authentication: Additional security to protect your NetID identity, required to connect to VPN and update direct deposit. http://www.utdallas.edu/netidplus/
Patch management: ISO offers Secunia to patch your computer operating system and third-party applications.
Improved antivirus: ISO is migrating from McAfee antivirus to Microsoft's System Center Endpoint Protection.
New website testing: Before new UT Dallas websites go live, ISO can perform testing to identify and reduce vulnerabilities. If you are launching a new website, notify the ISO.
Vendor evaluation: UT Dallas business partners may need access to UT Dallas data. To ensure their partnership does not introduce unnecessary risk, ISO assists in the evaluation process. http://utdallas.parature.com/link/portal/30075/30104/article/660/how-do-i-involve-information-securitywhen-evaluating-a-new-vendor

Congratulations! You finished the Information Security Module Thank you for taking the time to review this information. This training module will remain available at the Office of Institutional Equity and Compliance website. Call us: (972) 883-6810 Email us: infosecurity@utdallas.edu Visit our website: utdallas.edu/infosecurity Like us on Facebook: facebook.com/utdinfosec