SECURITY AWARENESS & PROTECTION OF NON-PUBLIC UNIVERSITY INFORMATION
UNDERSTANDING INFORMATION SECURITY
Information Security
Information security refers to safeguarding information from misuse and theft, caused accidentally or
otherwise.
Information may be accessed or stored in devices like telephones, fax machines, and computers.
Cyber Security
Pertains to the protection of data and systems that are connected to the Internet.
Cyber security calls for steps to prevent, detect, and defend against potential information theft
attacks.
Confidentiality
Pertains to protecting private and sensitive information from falling into the hands of the
unauthorized.
Poor Information Security
Can result in identity theft that can occur due to loss of personal information.
INFORMATION TECHNOLOGY SECURITY PROCEDURES
All users with access to University information available in University files and systems are
continually responsible for maintaining the integrity, accuracy, and privacy of this
information.
Loss of data integrity, theft of data, and unauthorized or inadvertent disclosure could lead
to significant exposure of the college and its constituents, as well as those directly
responsible for the loss, theft, or disclosure.
NON-PUBLIC UNIVERSITY INFORMATION
Non-Public University Information means Personally Identifiable Information (PII) that an
individual can use directly, or in connection with other data to identify, contact, or locate a
person and can include:
Social Security Number
Driver’s license number or non-driver identification card number
Account numbers, credit card and debit card numbers combined with any security code, access code, or
password that would permit access to financial information.
Personal email address
Birthdate
REMEMBER:
Unless otherwise required by law, users of University files and systems must not disclose
any Non-Public University Information to the general public or any unauthorized users.
Within the College, Non-Public University Information may be collected during, but not
limited to, the following:
Registration
During registration, users are prompted to enter their name and email address for authentication
and verification purposes.
Creation of class lists and grade reports
Ordering and Billing
When placing an order (transcript, tuition payment), users will need to supply their credit card
information along with their mailing information.
Customer Service Interactions
Under the IT Security Procedures, access to Non-Public University Information must be restricted to
individuals on a need to know basis who are full-time and regular part-time employees (with
certain limited exceptions). However, in the course of assisting users, PII may be exposed, and
care must be taken to prevent unauthorized disclosure.
ACCESS TO UNIVERSITY INFORMATION
Access to University information available in its files and systems, whether in electronic or
hard copy form, must be restricted to the following individuals and must be consistent with
their job responsibilities:
Full time and regular part time employees of the college
Adjunct faculty
Employees of the University’s contractors who have been permitted such access under a written
agreement with the University
CUNY students may not be permitted to access Non-Public University Information unless
they are
Students who are also University adjunct faculty
Employees of the University or its related entities who are taking a Continuing Education course at the
University
Employees of the University or its related entities who are taking a credit bearing course at the
College other than the one they are employed at, unless it is part of the tuition waiver program.
BEST PRACTICES FOR TECHNICAL SECURITY OF PII
Always ensure that your computer is logged off when you are not present.
Note: Logged on and powered on are different. You may leave your computer powered on but not
necessarily logged onto your account.
Set a moderately strong password. Do not share your passwords.
Strong passwords entail using 12 or more characters
Using punctuation and spaces
Using case sensitive alphanumeric characters
Social Security numbers must not be stored, transported, or taken home on portable
devices (e.g. laptops, flash drives) of any type without specific approval of both the Vice
President of Administration or the equivalent at the College or in the Central Office
department and the University Information Security Officer.
Where approval is granted, the information must be encrypted and password protected.
Users are responsible for engaging in safe computing practices such as guarding and not
sharing their passwords, changing passwords regularly, logging out of systems at the end
of use, and protecting Non-Public University Information.
BEST PRACTICES FOR PHYSICAL SECURITY OF PII
Only ask for PII when absolutely necessary to conduct the business of the College. When
doing so, make sure that:
All documents containing PII are stored in locked cabinets.
If individuals supply supplemental PII that is not necessary, shred it or redact it immediately. Do not
keep it.
All documents containing PII must be destroyed when no longer needed.
Do not email or fax documents containing PII.
As a general rule, whenever possible, do not share PII.
SPECIAL RULES FOR SOCIAL SECURITY NUMBERS
Unless required by law, users of University files and systems must not:
Intentionally communicate to the general public or otherwise make available to the general public in
any manner an individual’s SSN.
Publicly post or display an individual’s SSN or place SSN in files of unrestricted access.
Require an individual to transmit their SSN over the Internet unless the connection is secure or the SSN
is encrypted.
Require an individual to use his or her SSN to access an Internet website, unless a password or unique
personal identification number or authentication device is also required to access the Internet
website.
Include an individual’s SSN, except for the last four digits, on any materials that are mailed to the
individual, or in any electronic mail that is copied to third parties, unless state and federal law
requires the SSN to be on the document to be mailed.
Transmit an individual’s SSN onto portable devices without encryption.
STUDENT INFORMATION PROTECTED BY FERPA
The Family Educational Rights and Privacy Act (FERPA) protects personally identifiable
information in students’ education records from unauthorized disclosure.
Information that makes an education record “personally identifiable” to a particular student
includes:
The student’s name;
The name of the student’s parent or other family member;
The address of the student or other family member;
A personal identifier, such as the student’s SSN or student number or biometric record;
A list of personal characteristics that would make the student’s identity easily traceable;
Other information that alone or in combination, is linked or linkable to a specific student, and which
would allow a reasonable person to identify the student; or
Information requested by a person who the educational agency or institution reasonably believes
knows the identity of the student to whom the record relates.
Colleges are required to have appropriate controls in place to limit the accessibility of
student records to those college officials who legitimately need them.
FERPA makes it clear that we cannot designate a SSN as directory information, and NY law
prohibits the use of a student’s SSN for any public identification purpose such as posting
of grades.
The Family Policy Compliance Office of the US Department of Education which enforces
FERPA has also made it clear that it is a violation of FERPA to disclose information
containing the last four digits of the student’s SSN.
CUNY BREACH REPORTING PROCEDURE
When a possible privacy breach has occurred, immediate action should be taken:
Step 1: Confirm and Contain
Confirm the validity of the suspected information breach.
Containment should occur immediately. This includes, but is not limited to disconnection of the host
(server or device) from the network or shutting down an application.
Care should be taken to not destroy the data, but preserve it without any form of network connection.
Step 2a: Report - The following individuals should be informed immediately:
The College President or Central Office Vice President for the affected area
The College Legal Affairs Department and Central Office, Office of General Counsel
The College or Central Office department head from which the information was breached.
The College Chief Information Officer
University Chief Information Office
University Chief Information Security Office
Step 2b: Report - The report should indicate the following information:
Whose personal information was disclosed
To whom it was disclosed
When it was disclosed
How it was disclosed/accessed
What steps have been taken in response to the disclosure
Step 3a: Retrieve
Any documents or contents of electronic documents that have been disclosed to, or taken by, an
unauthorized recipient should immediately be retrieved and/or secured or taken offline.
Documents, in any form, should not be destroyed until specific instruction is received.
Step 3b: Remove
Private information taken offline may still be accessible and discoverable on the Internet via Internet
search engines (e.g. Google).
Requests to remove the information from search engine indexes and caches must be made as quickly
as possible, directly to the Internet search engine companies.
This step will be coordinated with the University Chief Information Security Officer.
Step 4: Notify
In cases where a breach results in the disclosure of personal information, New York law may require you
to notify the individuals affected.
Determination of the reporting requirements will be made by the Office of the General Counsel with the
College Legal Affairs designee on a case by case basis.
Step 5: Investigate
The College’s Legal Affairs Department, the Vice President for the affected area, the College’s CIO,
and The University Chief Information Security Officer will investigate the details of the breach for the
purpose of determining and recording all the relevant facts concerning the breach and making
recommendations.
Objectives of the investigation will include a review of the circumstances surrounding the event as well as
the adequacy of existing policies and procedures in protecting PII.
Step 6: Management Review
The College Legal Affairs department with the Vice President of the affected area will document and
report the detail of the breach and remedial steps to the President of the College.
The Legal Affairs Department in collaboration with the University CIO will report on
recommendations and actions to the appropriate parties within the Chancellor’s office.
SECURITY THREATS
Security threats come from many sources. By being vigilant in identifying potential attacks, you
can protect yourself and any sensitive information against unauthorized access.
Pharming
Is an attack that uses a fraudulent website containing copies of pages from a legitimate website to
capture confidential information from users.
Users tend to end up on the bogus site on their own and are not suspicious because the page looks similar
to the original site.
Bookmark known good sites to prevent landing on a fraudulent website through a typo or other error.
Spoofing
Is impersonating something else in order to trick your target into doing something that they may not
ordinarily do.
Example: A spoofed email can appear to come from an online bank that is asking you to confirm information
that can then be used for fraudulent actions. If you have any suspicion, verify with the bank.
Phishing
Is an attack wherein the sender tries to trick the target into giving up sensitive information, such as
financial information.
These internet messages should be IGNORED and you should NEVER click on any of the links provided.
Note: If you are compromised, go to the legitimate website or contact the vendor and
change your password, PIN, etc.
SECURITY MEASURES
DO NOT send personal information over public Wi-Fi. Wireless traffic can be easily
intercepted, and you are better off using your carrier (3G or 4G) to transmit sensitive
information.
DO create strong passwords. It is always a good idea to use a combination of capital
and lower case letters and numbers when creating a password. And while it can be
annoying, creating different passwords for each of your accounts gives you the added
safety that if one of your accounts is breached, the hacker will not be able to get into
all of them.
NEVER send out ANY personal information over email, including in attachments.
Emails can easily be hacked and you do not want to make it any easier for someone to
find more information about you.
MAINTAINING FILE SECURITY
In some security attacks, files on your hard drive can be corrupted or deleted and that is why
protecting your files from catastrophes is important. If you have backed up your files, you can
recover them without having to re-create them.
Data backup
Is a type of information protection scheme that enables you to store copies of critical files and folders
for safekeeping.
Regular backups provide safety of information.
Data restoration
Is a type of information protection scheme that enables you to recover stored copies of critical files
and folders.
A restore protects you against loss of data due to a security disaster.
File sharing
Involves making files or data available to members on a network.
You can control access to your files by limiting the users. By allowing only authorized users to access
the content, it protects it from being altered.
File transfer
Is the process of copying files from one computer to another on a network, including the Internet.
With the implementation of security measures, you can prevent unauthorized people from
downloading files.
File encryption
Is a type of file protection that disguises the data within a file or message so that the specific
information included within the file or message cannot be read or understood by an unauthorized
user.
A key is used to encode the data, so the file cannot be read by anyone who does not have access
to the key.
File decryption
Is a type of file protection that decodes the data within an encrypted file.
Decryption goes hand in hand with encryption, and the tool that was used to encrypt the data will be
needed, along with the key to decrypt the data.
GUARDING AGAINST ATTACKS
In the cyber world, many of the security breaches occur with email attachments. By
defending yourself and your organization against these types of attacks, you can protect your
system.
Malware
Performs actions that cause damage to data contained on a system, or prevents the system from being
used in its normal way.
Virus
Computer programs that can attach to files and replicate themselves, often without your knowledge.
Virus Hoax
An email message that warns of a fake virus threat and urges the recipient to forward the message to
everyone they know.
Example: An email might warn you of a new virus and tell you to spread the word to your friends and give a link to
a dangerous website.
Spam
Is a type of email message that is unsolicited and unwanted. Most spam includes at least one link to
redirect the user to a different website, which may or may not be a legitimate commercial site.
Trojans
Are malicious programs that masquerade as harmless applications and purposefully do
things that the user does not expect.
Hacking
Is the process of illegally accessing other people's computer systems in order to destroy or disrupt
normal activity.
VIRUS PROTECTION
Virus Protection Software
Is a type of computer program that enables you to identify and remove malware from a computer. In some
instances, the virus protection software might be able to repair damage done by a malicious piece of code.
Modern anti-virus programs, such as McAfee, which is used on campus, protect against the previously
mentioned attacks such as malware, viruses and spyware.
Virus Definition Updates
Are files that identify and deal with known malware that was discovered after the initial installation of virus
protection software. Virus definition files need to be updated constantly to include protection against newly
discovered threats.
Virus Scans
Are activities that use the software engine and virus definition files to check a computer for the presence of
malware. You can also manually force the virus protection software to scan for viruses at any time or set up an
automated time.
Email Filter
Is a software application that categorizes email according to specified rules or instructions. Filters can sort
incoming mail into different folders that are set up, including the folder that holds deleted items.
BLOCK SPYWARE
Spyware is malicious software designed to intercept or take control of a computer’s
operation without consent.
Spyware gains information about the user and silently tracks their surfing behavior to create a
marketing profile.
When you have spyware on your computer, you will see pop-up advertisements, even when
you are not surfing the Internet. You will also observe other odd behavior such as slowdowns
and crashes.
Using anti-spyware programs such as popup blockers and adjusting security settings can
help in counteracting the increasing cases of spyware.
Note:
All computers given to staff and faculty by QC have the McAfee anti-virus software already
installed. It is your responsibility to update the software when prompted.
ANY QUESTIONS?
• Feel free to contact Training & Technology Solutions:
• Office: I-214
• Ext: 74875
• Email: Training@qc.cuny.edu
• Facebook: www.facebook.com/QC.Training
• Tumblr: http://qc-tech.tumblr.com/