Embed Size (px)
DESCRIPTION
NDSU 2009 Fall Conference general session PowerPoint.
Citation preview
Managing IT Security for Extension and Outreach Offices
Theresa Semmens NDSU Chief IT Security Officer
October, 2009
Presentation Outline
• Security Guidelines– Email– Workstation– Wireless– External Mobile Device Security
• Protection of Confidential and Private Data• Online Financial Transactions• Those *!@&$ NDSU network services• Dual Support with the ND Association of Counties
NDSU E-mail
• What is secure– Encrypted User name and password
• Email messages and attachments– Subject to privacy laws
• HIPAA• GLBA• FERPA• ND Public Open Records Century Code
• Using personal e-mail address and equipment for NDSU Business– Can be subject to ND Public Open Records Century Code
Workstation
• Users must have unique login and password• Operating system and office software current with
latest patches • Anti-virus software and firewall installed, enabled
and active• Confidential/private data is not accessible or
viewable by public• Log off computer when done or away from desk• Set a password protected screensaver
Workstation Area
• Confidential/sensitive information not available for public view
• Protected hard copy documentation stored in locked file cabinet– Manipulated hard copy documentation
• Tidy desk area
Wireless Access
• Wireless access in the office– Open vs. Secured– Access available only to those who need it
• Wireless access outside of the office– Public access
• Not recommended – Working with confidential private data– Use for personal banking– Purchasing merchandise online
• Use NDSU Webmail client to send and receive email – do not send attachments, message body should not contain sensitive information
Laptop Security
• Maintain copies of important data somewhere other than the laptop. Consider using an external portable storage device.
• Back up all data, and make use of encryption features when you do so.
• Hard drive and external storage is encrypted.
• Laptop must be labeled and identified
External Media
Definition –external hard drives, flash drives, CDROM, DVDR
• When not in use, keep in safe place.• Dispose of properly.• Encrypt sensitive data.• Share only with those who have a “need to
know”.
Phlushing the Phish!
What is NDSU doing?What can you do?
Recent Spear Phishing Attacks
Confidential/Private Data
• Defined and classified in NDUS 1901.2• Examples: – Pesticide Program– Master Gardeners– 4-H– Research
• What is allowable for use and storage
Employees & Volunteers
• Must sign confidentiality agreements• Background checks required*• Receive formal, documented training
*Above point required if handling electronic financial transactions
Social Security Numbers
• Do not use as an identifier on – Files– Spread sheets– Data bases– Correspondence
• Any files/documents containing SSN data must be secured and available only to those who have a need to know
Credit Card Information
• Do not store– Full credit card number (only last four digits)– CVV2 number– Exp. Date
• Receipts– Only allow last four digits on receipt– No CVV2 number– No exp. Date
• Do not accept credit card transactions over email• If received over voice mail, delete immediately• Must have separation of duties for acceptance of credit cards
More Safeguards
• Non-disclosure (suppression)– Farmers/Ranchers– Parents– Children– Requests for lists of members
• Health questionnaires (4-H)• Date of Birth combined with name• Information posted to Web sites
Use & Disposal of Protected Data• Encrypt or password protect on electronic
devices• Back up regularly• Allow only those who have a need to know
access to data• Use only where necessary• Dispose of properly
Personnel & Volunteer Files
• Stored in locked cabinet not in public area• If request is made to view personnel file– Dean and General Counsel to approve request– Log request, date, time– Viewer must sign log form– Only allow what is considered public information to be
viewed• Purge according to data retention policies– Shred with cross cut shredder, burn, using document
destruction service
Suspected Data Breach
• For computer related security issues contact your supervisor
• Document reasons you suspect breach of data• Do not move, touch, alter equipment or
anything related to the breach • Do not attempt to do your own investigation
NDSU network services
• E-mail accounts– Alias– Shared
• E-mail box space• Changing electronic ID• Non-employee accounts• Affiliate vs. Guest accounts
Alias E-mail Account
Sender Alias
Recipient RecipientRecipient
•E-mail message automatically dropped into multiple users e-mail boxes•Does not require password•Owner responsible for removing and adding users
Shared E-mail Account
Sender Shared
Recipient Recipient Recipient
•Requires use of Webmail•Requires shared password•Owner required to change password when users leave or are added to group
Electronic ID
• Official Format = FirstName.LastName• Full-time employees and Students can change EID at
http://enroll.nodak.edu• Non-employees/students must request change• Change subject to previous ownership of “name
space.”• Name change due to marriage/divorce – must go
through HR with proper documentation• Employees have 500 MB e-mail box. Request to
increase must be sent through Helpdesk.
Affiliate vs. Guest Accounts
• Services available: desktop_auth, Blackboard, Library, Wireless
• Must be “sponsored” by department• Affiliate accounts for periods longer than one
week• Guest accounts for periods less than one week• E-mail requires completion of Non-employee
ID form
Managing IT Security for Extension and Outreach Offices
Theresa Semmens NDSU Chief IT Security Officer
October, 2009
