Computing Services Information Security Office. Security 101

Similar documents
Central Texas College District Human Resource Management Operating Policies and Procedures Manual Policy No. 294: Computer Security Policy

Information Security Awareness Training Gramm-Leach-Bliley Act (GLB Act)

Network and Workstation Acceptable Use Policy

HIPAA Training for Hospice Staff and Volunteers

Working Practices for Protecting Electronic Information

LAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL. for INFORMATION RESOURCES

Common Cyber Threats. Common cyber threats include:

Guide to INFORMATION SECURITY FOR THE HEALTH CARE SECTOR

The Ministry of Information & Communication Technology MICT

HIPAA Training for Staff and Volunteers

Safe Practices for Online Banking

Course: Information Security Management in e-governance

CYBERSECURITY POLICY

Information Security Policy

Information Security

Secure and Safe Computing Primer Examples of Desktop and Laptop standards and guidelines

Online Security Awareness - UAE Exchange - Foreign Exchange Send Money UAE Exchange

Cyber Self Assessment

University of Pittsburgh Security Assessment Questionnaire (v1.5)

Supplier Information Security Addendum for GE Restricted Data

Wellesley College Written Information Security Program

Computer Security at Columbia College. Barak Zahavy April 2010

Cyber Security Best Practices

Information Security Program Management Standard

LSE PCI-DSS Cardholder Data Environments Information Security Policy

CBI s Corporate Internet Banking Inquiry Services gives you the ability to view account details and transactions anytime, anywhere.

Section 5 Identify Theft Red Flags and Address Discrepancy Procedures Index

MIT s Information Security Program for Protecting Personal Information Requiring Notification. (Revision date: 2/26/10)

Topics. What are privacy and security all about? How can I protect confidential information? What should I do if I see a problem?

For All HIPAA Workforce Members Revised April 2013

Data Management Policies. Sage ERP Online

National Cyber Security Month 2015: Daily Security Awareness Tips

Information Security It s Everyone s Responsibility

PROPOSED PROCEDURES FOR AN IDENTITY THEFT PROTECTION PROGRAM Setoff Debt Collection and GEAR Collection Programs

micros MICROS Systems, Inc. Enterprise Information Security Policy (MEIP) August, 2013 Revision 8.0 MICROS Systems, Inc. Version 8.

NC DPH: Computer Security Basic Awareness Training

Information Security Policy Manual

Incident Response Plan for PCI-DSS Compliance

HIPAA Security Training Manual

MONTSERRAT COLLEGE OF ART WRITTEN INFORMATION SECURITY POLICY (WISP)

Business Internet Banking / Cash Management Fraud Prevention Best Practices

PCI Data Security. Information Services & Cash Management. Contents

Business ebanking Fraud Prevention Best Practices

University of Cincinnati HIPAA Administrative, Physical and Technical Safeguards

U.S. Department of the Interior's Federal Information Systems Security Awareness Online Course

Policies and Procedures for Electronic Protected Health Information (ephi) and Personally Identifiable Information (PII)

Approved By: Agency Name Management

Authorized. User Agreement

General Security Best Practices

Index .700 FORMS - SAMPLE INCIDENT RESPONSE FORM.995 HISTORY

HIPAA and Health Information Privacy and Security

PII Compliance Guidelines

PCI Training for Retail Jamboree Staff Volunteers. Securing Cardholder Data

Identity Theft Prevention Program Compliance Model

BCS IT User Syllabus IT Security for Users Level 2. Version 1.0

Information Security Plan effective March 1, 2010

Information Resources Security Guidelines

Statement of Policy. Reason for Policy

plantemoran.com What School Personnel Administrators Need to know

Hot Topics in IT Security PREP#28 May 1, David Woska, Ph.D. OCIO Security

CLEAR LAKE BANK & TRUST COMPANY Internet Banking Customer Awareness & Education Program For Businesses

1. For each of the 25 questions, multiply each question response risk value (1-5) by the number of times it was chosen by the survey takers.

Caldwell Community College and Technical Institute

Peace Corps Office of the OCIO Information and Information Technology Governance and Compliance Rules of Behavior for General Users

Protecting your business from fraud

Computer Security Incident Response Plan. Date of Approval: 23- FEB- 2015

Secure Mail Registration and Viewing Procedures

Franciscan University of Steubenville Information Security Policy

Written Information Security Plan (WISP) for. HR Knowledge, Inc. This document has been approved for general distribution.

DEALERSHIP IDENTITY THEFT RED FLAGS AND NOTICES OF ADDRESS DISCREPANCY POLICY

BERKELEY COLLEGE DATA SECURITY POLICY

How To Protect Decd Information From Harm

Miami University. Payment Card Data Security Policy

How To Protect The Time System From Being Hacked

Advice about online security

SUPREME COURT OF COLORADO OFFICE OF THE CHIEF JUSTICE

TASK TDSP Web Portal Project Cyber Security Standards Best Practices

Directory and Messaging Services Enterprise Secure Mail Services

10 Quick Tips to Mobile Security

SUBJECT: Effective Date Policy Number Security of Mobile Computing, Data Storage, and Communication Devices

BUDGET LETTER PEER-TO-PEER FILE SHARING , , EXECUTIVE ORDER S-16-04

Transcription:

Computing Services Information Security Office Security 101

Definition of Information Security Information security is the protection of information and systems from unauthorized access, disclosure, modification, destruction or disruption. The three objectives of information security are: Confidentiality Integrity Availability

Confidentiality Confidentiality refers to the protection of information from unauthorized access or disclosure. Ensuring confidentiality is ensuring that those who are authorized to access information are able to do so and those who are not authorized are prevented from doing so.

Integrity Integrity refers to the protection of information from unauthorized modification or destruction. Ensuring integrity is ensuring that information and information systems are accurate, complete and uncorrupted.

Availability Availability refers to the protection of information and information systems from unauthorized disruption. Ensuring availability is ensuring timely and reliable access to and use of information and information systems.

Information Security Policy Carnegie Mellon has adopted an Information Security Policy as a measure to protect the confidentiality, integrity and availability of institutional data as well as any information systems that store, process or transmit institutional data. Institutional data is defined as any data that is owned or licensed by the university. Information system is defined as any electronic system that stores, processes or transmits information.

Policies Throughout its lifecycle, all Institutional Data shall be protected in a manner that is considered reasonable and appropriate given the level of sensitivity, value and criticality that the Institutional Data has to the University. Any Information System that stores, processes or transmits Institutional Data shall be secured in a manner that is considered reasonable and appropriate given the level of sensitivity, value and criticality that the Institutional Data has to the University. Individuals who are authorized to access Institutional Data shall adhere to the appropriate Roles and Responsibilities

Your Role in Information Security Three primary roles have been defined in the context of information security: Data Steward Data Custodian User A User is any employee, contractor or third-party affiliate of Carnegie Mellon who is authorized to access institutional data or information systems. Users are responsible for: Adhering to information security policies, guidelines and procedures. Reporting suspected vulnerabilities, breaches and/or misuse of institutional data to a manager, IT support staff or the Information Security Office.

Users Safeguard institutional data Safeguard electronic communications Avoid risky behavior online Report suspected security breaches

Safeguarding Institutional Data Know Your Data Be mindful of what type of data you handle: Public Private Restricted Examples of Restricted data include account passwords, drivers license numbers, education records of students, financial account information, health information and social security numbers. A more complete list of data considered to be Restricted by the institution can be found at: http://www.cmu.edu/iso/governance/guidelines/data-classification.html#appendixa

Protecting Electronic Data Avoid storing Restricted data on mobile computing devices Don't store institutional data on personally owned computing devices Don't store Restricted data on CDs, DVDs, USB thumb drives, etc. Don't transmit Restricted data via email and other insecure messaging solutions Don't use personal email for business communications Use strong passwords or passphrases Secure your computing devices

Safeguard Your Password Use a strong password or passphrase Change your password periodically Avoid using the same password for multiple accounts Don t write your password down or store it in an insecure manner Don t share your password with anyone for any reason Don t use automatic login functionality For more information, review the Guidelines for Password Management http://www.cmu.edu/iso/governance/guidelines/password-management.html

Secure Your Computer Update and patch your operating system Enable automatic software updates where available Update and patch software applications (e.g. browsers, email clients, JAVA, etc.) Install and update antivirus software Install and configure firewall software Do not automatically connect to public wireless networks Disconnect your computer from the wireless network when it is not in use Use caution when enabling browser pop-ups Use caution when downloading and installing software Lock your computer when it is unattended

Protecting Physical Data Close and lock your door when leaving your office unattended Lock file cabinets that store institutional data Don't leave Restricted data in plain view at your desk or on a whiteboard Don't leave Restricted data sitting on a printer, copier, fax machine or other peripheral device Protecting Verbal Communication Be mindful of your surroundings when discussing Restricted data Don't discuss Restricted data with individuals who do not have a need to know

Disposing of Data Dispose of data when it is no longer needed for business purposes Use Identity Finder to securely delete files that contain Restricted data Use the Computer Recycling Program to dispose of electronic media Use a cross shredder to dispose of paper-based and written media For more information on the Computer Recycling Program, visit: http://www.cmu.edu/ehs/waste-environment/computers.html

Safeguarding Electronic Communications Electronic communications can be in the form of email, instant messaging, text messaging, social network, etc. Avoid opening attachments from an untrusted source Avoid clicking on links in electronic communications from an untrusted source Be wary of phishing scams Avoid sending Restricted data through email and other electronic communications

Safeguarding Electronic Communications

Additional Considerations Use an official CMU email account for all university business Avoid using personal accounts for business workflows Save personal communications in a designated folder Organize your communications by project or work type Save copies of important outgoing email For more information regarding electronic discovery, visit: http://www.cmu.edu/iso/compliance/e-discovery/

Avoid Risky Behavior Online Be cautious when using file sharing applications Be cautious when browsing the web Be cautious when clicking on shortened URLs Avoid responding to questions or clicking on links in pop-up windows

Report Any Suspected Security Breach If you detect suspicious behavior or inappropriate use of institutional data, report your concerns to your manager or contact the Information Security Office (ISO) at iso@andrew.cmu.edu. If you suspect your computer has been compromised, take the following steps: 1. Disconnect the computer from the network 2. Contact your department IT staff, DSP or the ISO 3. Notify users of the computer, if any, of a temporary service outage 4. Preserve any log information not resident on the compromised computer 5. Wait for further instructions from your department IT staff, DSP or the ISO Review the Procedure for Responding to a Compromised Computer for more info: http://www.cmu.edu/iso/governance/procedures/compromised-computer.html

Additional Information Guidelines Guidelines for Bulk Email Distribution Guidelines for Data Classification Guidelines for Data Protection Guidelines for Data Sanitization and Disposal Guidelines for Instant Messaging Security and Usage Guidelines for Mobile Device Security and Usage Guidelines for Password Management http://www.cmu.edu/iso/governance/guidelines/

Tools Anti-Phishing Phil http://www.cmu.edu/iso/aware/phil/ Anti-Phishing Phyllis http://www.cmu.edu/iso/aware/phyllis/ Identity Finder http://www.cmu.edu/computing/doc/security/identity/ Patch Check Tool https://www.cmu.edu/iso/patch-check/

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information