Ivy Tech Community College Information Security User Awareness Training


After this training, you should be able to:

List the laws and terms that affect Ivy Tech and how they relate to the privacy of student and employee information

Explain some of the biggest risks that can lead to data being lost or stolen

Follow the processes described if data has been lost and apply practices to improve the security of College data

10/28/2015


Laws and Regulations

Ivy Tech has to follow several laws for privacy, security, and the usage of our information. We will cover a few of these laws.

There are links at the end of this presentation to provide additional information.


Health Insurance Portability and Accountability Act of 1996 (HIPAA)

HIPAA protects all individually identifiable health information held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral. Similar to PII, this law also has an acronym for the information. It’s known as “protected health information”, or PHI.


PHI is information, including demographic data, that relates to:

the individual’s past, present or future physical or mental health or condition,

the provision of health care to the individual, or

the past, present, or future payment for the provision of health care to the individual


Like PII, PHI could be a single piece of data such as a social security number or a combination of data that can be pieced together.

More information is available at:

http://www.hhs.gov/ocr/privacy/hipaa/understanding/summary/


FERPA

The Family Educational Rights and Privacy Act (FERPA) is a Federal law that protects the privacy of student education records. The law applies to all schools that receive funds under an applicable program of the U.S. Department of Education.

One part of FERPA is that schools must have written permission from the student in order to release any information from their educational record.


Personally Identifiable Information

The term “PII” means any information about an individual which can be used to identify that person. PII could be a single piece of data such as a social security number or a combination of data that can be pieced together to identify someone. In the case of a student, this could be their name, C #, address, and the courses they are taking. The College stores PII on students, faculty, and staff.

Exceptions to this would be a small number of common pieces of information such as name, address, and phone number.


Does security affect the College?

A recent survey found that the average cost of lost or stolen data for an educational institution is $111 per record.

At 95,000 students (estimated fall enrollment 2013) it would cost the College approximately $10,545,000 – and that’s just for the number of current students.

That would cover a year of salaries for about 263 advisors

PLUS

Higher education institutions generally see an average attendance loss of 2.8% after an incident - that’s about 560 fewer students

As a side note: over 35% of reported incidents are caused by human error


Some risks to the security of College data


Security risk terms you should know

Malware

Malware is software that is intended to damage computers or steal information. This can come through links or attachments in email or from infected web sites. Never allow unknown software to run on your computer – this includes all of your extra toolbars!


Malware (Continued)

One common way data can be stolen from the College is through malware. Malware is software that is specifically designed to either damage computers or steal information. The information can be stolen directly from the computer, or obtained when the person using the computer gives it out. Because of how it is designed, malware is able to get around many of the things the College has in place to protect our information. Malware can come from emails, web site links, or even flash drives. Some things that are offered for convenience, such as extra toolbars, are often sources of malware. This is one reason why you should never let unknown software run on your PC.


Phishing

Phishing is an attempt to get information such as usernames and passwords, social security numbers, or credit card numbers by trying to look like the request is coming from a trusted source. Most phishing attempts come through emails and many try to get you to take action immediately.


Watch for Phishing Emails

A typical phishing email has warning signs. Notice how the sender wants you to act quickly so you don’t lose access to your email. Another way to spot a phishing email is to hover your mouse over the link provided. If the link is all numbers or seems to go to a completely different company than what you would expect, it is probably phishing. Poor grammar is another indication that an email may be phishing. See next slide for more details.


Watch for Phishing Emails (Cont.)

Dear user,

We currently upgraded to 4GB space. Please log-in to your account in order to validate E-space. Click on faculty and staff email confirmation to confirm details of your email account. Note that failure to confirm your email with this notification, would lead to dismissal of your user account.

Protecting your email account and improving the quality of your email account is our primary concern.

This has become necessary to serve you better.

Copyright ©2014 IT Help desk.

http://9436a1dd6708bf3df308489921272d.bravites.com/gotcha

Click to follow link

Hover mouse over the link to find real link

Notice the actual web site – this is definitely SPAM.

Have you ever seen one of these emails?

Here’s the call to act quickly!
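The hover check described above can also be automated on the mail side. The following is an added example, not part of the original training: it pulls each link out of an HTML message and reports the same warning signs a reader looks for by hand. The expected domain list, the 16-character threshold, the function names and the HTML version of the sample email are assumptions made for illustration.

```python
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

EXPECTED_DOMAINS = {"ivytech.edu"}  # assumption: domains staff expect College links to use
SAMPLE_EMAIL = (  # constructed: the slide's sample email rebuilt as HTML, plus one benign link
    '<p>Click on <a href="http://9436a1dd6708bf3df308489921272d.bravites.com/gotcha">'
    'faculty and staff email confirmation</a> to confirm details of your email account.</p>'
    '<p>Policy: <a href="http://www.ivytech.edu/humanresources/handbook/">handbook</a></p>'
)

class LinkCollector(HTMLParser):
    """Collect (visible text, real href) pairs for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None

def host_of(url):
    return (urlsplit(url).hostname or "").lower()

def link_warnings(text, href):
    """Return the warning signs for one link, mirroring the manual hover check."""
    host, warnings = host_of(href), []
    try:
        ipaddress.ip_address(host)  # "the link is all numbers"
        warnings.append("numeric host")
    except ValueError:
        # Heuristic (assumed threshold): a long hex-only first label looks generated.
        if re.fullmatch(r"[0-9a-f]{16,}", host.split(".")[0]):
            warnings.append("machine-generated host label")
    if not any(host == d or host.endswith("." + d) for d in EXPECTED_DOMAINS):
        warnings.append("unexpected domain")
    shown = host_of(text) if "://" in text else ""
    if shown and shown != host:  # link text displays one site, href goes to another
        warnings.append("text shows a different site")
    return warnings

def check_email(html_body):
    parser = LinkCollector()
    parser.feed(html_body)
    return {href: link_warnings(text, href) for text, href in parser.links}

if __name__ == "__main__":
    for href, found in check_email(SAMPLE_EMAIL).items():
        print(href, "->", found or "no warning signs")
```

A link with no warnings is not proof that it is safe; the check only reproduces the signs listed on these slides.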


Risks of Social Media

Suspicious Links

In the same way links in a phishing email can be misleading, so can links on Facebook, YouTube, Pinterest, and other social media sites. As with any links, always check out the link to look at the actual web address before you click on it.

Sharing of Information

There is a lot of information that can be gathered on social media sites. Always be careful not to put too much work information on these sites that could be used to create phishing attacks or create other risks.


Here’s how you can help

There are a lot of things that you can do personally to help with the security of College data. Many of these things can be done on your home computer as well to keep your personal information safe.

Using these tips will help keep your home PC and personal information safe too!


Have you accidentally given out information?

Here are some ideas to see if you may have:

Did you just give out your password over the phone or after clicking a link in an email?

Did you just send an email with PII?

Did you just allow software to run from an unknown web site?


Notify the Help Desk or your local Ivy Tech OIT (Office of Information Technology) staff for any of the following items.

Unwanted Software

Always report unusual system behavior such as missing files, prompts to install unknown software or browser toolbars, and other non-standard behavior.

Data Loss

Report it if you even suspect that usernames, passwords or other sensitive data have been lost or disclosed. This could happen over the phone, on a web site, or through a possibly misrouted email. Also report the loss of something physical such as a smart phone, laptop, or flash drive.


Malware protection

All PCs and laptops managed by Ivy Tech have malware detection software that is installed by OIT. You should never try to make any changes to this software. Pay attention if the software shows that it is not running.


Passwords – the first line of defense

Make your password easy to remember but hard to guess

Include upper and lowercase letters, numbers and special characters such as ($%&+=!?><), at least eight characters

Change your password every 90 days

Never use the “Remember password” features of browsers or applications

Don’t reuse the same password for work and personal sites


Passwords (Continued)

Users of Ivy Tech systems should never, under any circumstances, give out their user ID and/or password.

And…

No one from the Help Desk nor OIT staff will ever ask you for your password…ever.


Sharing information should always be done with caution

Any data that can be defined by the laws described, or is considered PII, should be protected

Physical PII data (paper, DVD, USB drives) must be stored in a secure physical location

PII data must be encrypted when on mobile devices or digital physical media (DVD, USB drives)

Sensitive/confidential physical media must be destroyed appropriately, such as by shredding paper documents or DVDs. Reference the employee handbook, section, for definitions of sensitive/confidential data.


Mobile Devices

Don’t let your portable devices including laptops, tablets, smartphones, etc., walk away without you. Never leave them unattended. For instance, do not leave your laptop visible in a locked vehicle.

Use a password for access to these devices. On your personal devices, use the disk encryption features available, too. (More information is available on the links provided at the end of this presentation.)

Always use the automatic update features of your mobile device to keep software patched and secure.


Physical Security

Unattended systems

If you’re going to walk away from your PC, always remember to lock it first:

Press the Windows Key and “L” at the same time, or

Press Ctrl + Alt + Del and choose “Lock this computer”

Getting back on the system should always require your password.


Your responsibility as an employee to safeguard College data

As employees, we are obligated to follow these procedures just like we are required to safeguard physical property. For example, consider leaving your laptop open and running in a public area while you go to meet a friend for lunch at a restaurant down the street. It’s obvious that this is poor judgment with College property. The same is true for leaving access open to College data.


Additional Resources


Links for information on the laws covered

Information for FERPA (20 U.S.C. § 1232g; 34 CFR Part 99) is available at:

http://www.ed.gov/policy/gen/guid/fpco/ferpa/index.html

Information for HIPAA is available at:

http://www.hhs.gov/ocr/privacy/hipaa/understanding/summary/

Information for the College’s policy on confidential data is available at:

http://www.ivytech.edu/humanresources/handbook/ft/personnel-policies-and-procedures/computer-resources-policy/#confidential_information/


Links for information on how to protect your devices

Information for Mac data encryption:

http://support.apple.com/kb/PH13729

Information for iPhone or iPad data encryption:

http://support.apple.com/kb/ht4175

Information for Windows 7/8.1 data encryption:

http://windows.microsoft.com/en-us/windows-8/bitlocker-drive-encryption


Thank you for your time


Read instructions below then click on Information Security User Awareness Confirmation box to continue


Completion of CBT

Log on to TC Exam using your Campus Connect ID and Password

Select “Information Security User Awareness Confirmation”

Select the appropriate response

Click Submit to enter your response

Click Submit again to confirm

Log out of TC Exam and close your browser window when finished
