
General Security Training for Computer Users


Page 1: General Security Training for Computer Users

Using Computers at the Riddle Center

What all JIRDC Computer Users Need to Know

Page 2: General Security Training for Computer Users

What You Need to Know

- ALL JIRDC staff - even those that don’t use computers - need to know some things about security
- What “Data Stewardship” means
- New Information Security Policies and Procedures mean new rules for computer users
- How to fulfill your responsibility to help keep the JIRDC computers safe from computer viruses and worms

Page 3: General Security Training for Computer Users

What Staff Who Don’t Use the Computer Need to Know

- There is a federal law (HIPAA) which requires that all JIRDC staff learn to protect JIRDC information
- You must not use JIRDC computers unless you have been authorized to do so
- If you find any computer printout, floppy disk, or computer CD, turn it in to your supervisor
- If you suspect a security violation, report it to your supervisor

Page 4: General Security Training for Computer Users

Data Stewardship

First – Some Definitions

- Facility Data – data which is acquired, developed, or maintained by JIRDC staff in performance of their duties
- Application – a purchased, shared, or developed set of files which maintain Facility Data
- Application Owner – a single, designated person, responsible for this application and the data it maintains

Page 5: General Security Training for Computer Users

Some More Definitions

- Data File – a computer file (often in Word, Excel, or Access format) which contains Facility Data
- Computer User – staff who use a JIRDC computer in performance of their assigned duties
- Data Owner – the person who created and saved a file which contains facility data, or in the case of an application, the application owner

Page 6: General Security Training for Computer Users

Network Files are Classified According to Security Level

- Public Files – Usually on our internet site, not protected

- Private Files – Usually stored on S:, shared among all JIRDC network users, protected by the Network login requirement

- Secure Files – Except for Application Software and Secure Systems, all JIRDC files NOT stored on the S: Shared folder. Secure files are protected by network rights

- Application Software – Things like Word and Excel

- Secure Systems – HEARTS, the Pharmacy system, and the Personal Planning System, protected by network rights and more

Page 7: General Security Training for Computer Users

Data Stewardship

- All data on the JIRDC LAN is “owned” by a single JIRDC staff person
- The Data Owner must protect the data
- If the data belongs to one of our “applications”, then the data is owned by the application owner
- If the data is not part of an application, the data is owned by the person who created the file

Page 8: General Security Training for Computer Users

Files Must be Stored in Secure Network Folders

- All files on the JIRDC Local Area Network are kept in folders
- If the folder is the S: (S for Shared), then the files are private, but not confidential, and can be seen by all JIRDC computer users. No PHI should be stored here
- All other folders are for Secure Files, and cannot be seen by anybody unless they have been granted network rights. PHI can be stored here

Page 9: General Security Training for Computer Users

New Responsibilities for all JIRDC Supervisors

- Ensuring that employees are aware of and observe all computer security requirements
- Monitoring employee activities to ensure compliance with all software legal requirements
- Ensuring that only authorized software runs on State computers

Page 10: General Security Training for Computer Users

Rules for JIRDC Computer Users

- Data Ownership and JIRDC LAN Structure
- Requesting Network Rights
- Making Changes in Network Rights
- Password Rules
- Mobile Devices
- Personal Use
- User “Don'ts”
- Maintaining Security

Page 11: General Security Training for Computer Users

Data Owner Responsibilities

- Understanding the JIRDC LAN Rights Structure
- Storing their files only in appropriately secure areas
- Preventing non-Public files from being copied to moveable media
- Keeping Protected Health Information (PHI) secure

Page 12: General Security Training for Computer Users

Rights on the JIRDC LAN - #1

- All JIRDC users have a private file storage area. This is their “H Drive”, or “Home”.
- Many JIRDC users also have rights to a shared folder (typically, the “G Drive”), along with others in their department
- The “S Drive”, or Shared area, can be used for exchanging files between staff, but cannot be used if the file contains PHI

Page 13: General Security Training for Computer Users

Rights on the JIRDC LAN - #2

- Rights to “Applications” that run on the JIRDC network are granted by the Application Owner
- If rights to use an application are granted by any person other than the Application Owner, the person granting those rights must send email to the Application Owner notifying them what rights were granted

Page 14: General Security Training for Computer Users

New Computer Users Must . . .

- Complete General Security Training
- Read and sign the JIRDC Computer User’s Agreement
- Fill out a Network Rights Request form
- Get any necessary Data Owner signatures
- Get their Supervisor’s signature on the Network Rights Request form
- Turn the form in to Computer Services

Page 15: General Security Training for Computer Users

Users must read and sign the JIRDC Computer User’s Agreement before they can be given rights to the JIRDC Local Area Network.

Page 16: General Security Training for Computer Users

Users must complete the Network Security Rights Request form

Your Supervisor’s signature goes here

If you need rights to a home’s PPS, you must get the Home Coordinator’s signature here

You sign here

Page 17: General Security Training for Computer Users

Making Changes in Network Rights

- The same Network Security Rights Request form is used to change network rights for an existing user
- When the form is used to remove rights, the applicant’s signature and the Data Owner’s signature are not required, but the Supervisor’s signature is required
- The Data Owner does NOT need to use this form to request the total removal of rights; they may use Email to the Help Desk instead

Page 18: General Security Training for Computer Users

Password Rules

- Your network password must be changed every 90 days
- JIRDC Network users must now select and change their own passwords
- Users will be allowed three “grace” logins when their password expires
- All passwords must be at least eight characters, and must not be “guessable”
- You must not tell your password to anybody, even your supervisor

Page 19: General Security Training for Computer Users

Password “Dos”

- Mix upper and lower case letters
- Mix letters and numbers
- Pick a password you can remember
- Choose a completely new password each time you change
- Include non-alphanumeric characters, such as &, $, and >
- Pick a password with at least 8 characters

Page 20: General Security Training for Computer Users

Password “Don’ts”

- Do not use recognizable words that might appear in a dictionary
- Do not use proper names
- Do not use words in other languages, such as “bonjour”
- Do not use your personal information, such as the names of your pets or your children
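The password rules on the last three pages (90-day expiry with three grace logins, at least eight characters, mixed case, digits, a non-alphanumeric character, no dictionary words, proper names, foreign words or personal information, and a completely new password each time) can be expressed as a checker that a help desk or login script could run. The code below is an added example written for this page, not part of the JIRDC training deck or any JIRDC system. The word lists, the personal-information list, the normalization of digit-for-letter substitutions (so “B0njour” is still caught) and the “only the trailing digits changed” test are this example's own assumptions; a real deployment would load full word lists and the user's actual password history.

```python
import re
from datetime import date

MIN_LENGTH = 8      # "at least eight characters"
MAX_AGE_DAYS = 90   # "must be changed every 90 days"
GRACE_LOGINS = 3    # "three grace logins when their password expires"

# Constructed stand-ins for a real dictionary, foreign-word list and name list.
# They exist only so this example runs offline; a real checker loads full lists.
DICTIONARY_WORDS = {"password", "welcome", "summer", "secret", "computer"}
FOREIGN_WORDS = {"bonjour", "hola", "ciao"}
PROPER_NAMES = {"paul", "john", "riddle"}
BLOCKED_WORDS = DICTIONARY_WORDS | FOREIGN_WORDS | PROPER_NAMES

# Common digit/symbol-for-letter substitutions undone before word matching
# (assumption: attackers' word lists try these, so the policy should too).
LEET_MAP = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                          "5": "s", "7": "t", "@": "a", "$": "s"})


def normalize(text):
    """Lower-case, undo common substitutions, and keep letters only."""
    return re.sub(r"[^a-z]", "", text.lower().translate(LEET_MAP))


def check_password(candidate, personal_info=(), previous=()):
    """Return the list of policy violations for a proposed password.

    An empty list means the password passes every rule on the slides.
    personal_info: words the user must not embed (pets, children, own name).
    previous: the user's earlier passwords, to enforce "a completely new
    password each time".
    """
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"fewer than {MIN_LENGTH} characters")
    if not (re.search(r"[a-z]", candidate) and re.search(r"[A-Z]", candidate)):
        problems.append("must mix upper and lower case letters")
    if not re.search(r"[0-9]", candidate):
        problems.append("must mix letters and numbers")
    if not re.search(r"[^A-Za-z0-9]", candidate):
        problems.append("must include a non-alphanumeric character such as &, $ or >")

    core = normalize(candidate)
    for word in sorted(BLOCKED_WORDS):
        if len(word) >= 4 and word in core:
            problems.append(f"contains recognizable word or name '{word}'")
    for item in personal_info:
        if len(item) >= 3 and normalize(item) in core:
            problems.append(f"contains personal information '{item}'")

    # "Choose a completely new password each time": reject a re-used password,
    # and one that only had its trailing digits or symbols bumped (Abc23 -> Abc24).
    stem = re.sub(r"[^a-z]+$", "", candidate.lower())
    for old in previous:
        if candidate.lower() == old.lower() or stem == re.sub(r"[^a-z]+$", "", old.lower()):
            problems.append("matches a previous password apart from trailing digits or symbols")
            break
    return problems


def login_status(last_changed, today, grace_used):
    """Apply the 90-day expiry and three-grace-login rule.

    Returns (allowed, message). Assumption: the password is expired once it is
    MAX_AGE_DAYS old; the slides do not say whether day 90 itself still counts.
    """
    age_days = (today - last_changed).days
    if age_days < MAX_AGE_DAYS:
        return True, f"ok ({MAX_AGE_DAYS - age_days} days until expiry)"
    if grace_used < GRACE_LOGINS:
        return True, f"expired; grace login {grace_used + 1} of {GRACE_LOGINS}"
    return False, "expired; no grace logins remaining"


if __name__ == "__main__":
    # Constructed sample inputs.
    for pw in ("Tr0ub&d0r!", "Bonjour2024!", "Ab1&"):
        print(pw, "->", check_password(pw) or "accepted")
    print(check_password("Fluffy99&Z", personal_info=["Fluffy"]))
    print(check_password("Xq7&Lmzp2", previous=["Xq7&Lmzp1"]))
    print(login_status(date(2024, 1, 1), date(2024, 4, 15), grace_used=0))
```

The checker reports every broken rule rather than stopping at the first one, so a user learns all the reasons a password was rejected in a single attempt; the expiry function returns the grace-login count so a login script can show how many chances remain.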

Page 21: General Security Training for Computer Users

Mobile Computing Devices

- PDAs will be issued only where there is a critical need, and their use must be approved by the JIRDC Security Official
- The use of removable storage devices such as USB flash drives or CD R/W drives is not permitted without the permission of the Security Official
- Mobile computing devices must never be left in unsecured areas

Page 22: General Security Training for Computer Users

Personal Use of JIRDC Computers

- Personal projects may be permitted on the employee’s own time, but written supervisor permission is required
- An employee may make personal use of internet searches only with the approval of their supervisor
- An employee may not use instant messaging or download music files without permission from both their supervisor and the JIRDC Workstation Manager

Page 23: General Security Training for Computer Users

User “Don’ts” - #1

- Users must not change their hardware configuration or physical location without the permission of the Workstation Manager
- JIRDC forbids downloading software from the internet and bringing software from home
- An employee may not use JIRDC information, applications, or equipment for personal commercial gain

Page 24: General Security Training for Computer Users

User “Don’ts” - #2

- Users must identify themselves clearly and correctly when using email
- Any type of mass mailing by JIRDC workforce members that does not pertain to governmental business is forbidden
- Circumventing user authentication or security is forbidden. A user must be logged in to the JIRDC LAN as themselves before operating any computer software

Page 25: General Security Training for Computer Users

User “Don’ts” - #3

- JIRDC staff must not provide information about, or lists of, JIRDC employees or residents to parties outside the Center
- JIRDC staff must not post to non-work related public discussion groups or forums on the internet
- JIRDC users must not access, or attempt to gain access to, any computer account to which they are not authorized

Page 26: General Security Training for Computer Users

Maintaining Security - #1

- In order to maintain confidentiality of protected health information (PHI), workstations should be set up so that the screen is not visible by people standing at the door or entering the room
- If you are viewing PHI, and a person unauthorized to see the PHI enters the room, you should minimize the application or turn off the computer monitor

Page 27: General Security Training for Computer Users

Maintaining Security - #2

- Sensitive paper and computer media should be stored in locked cabinets when not in use
- Protected or sensitive information, when printed to a shared printer, should be retrieved immediately
- Sensitive information should not be stored at the home of an employee without appropriate supervisor authorization

Page 28: General Security Training for Computer Users

Maintaining Security - #3

- Any activity conducted using the State’s computers, including email and the use of the internet, may be logged, monitored, archived or filtered, either randomly or systematically
- Both JIRDC and the Division reserve the right to perform these actions without specific notice to the user

Page 29: General Security Training for Computer Users

Maintaining Security - #4

- All users are responsible for helping to prevent the introduction and spread of computer viruses and other “malware”
- All files received from any source external to DMH/DD/SAS must be scanned for computer viruses before opening
- Users must immediately contact their supervisor or the JIRDC Help Desk when a virus is suspected or detected

Page 30: General Security Training for Computer Users

Maintaining Security - #5

- Employees must report all information security violations to either the Computer Help Desk or the JIRDC Security Official
- Users must notify the Help Desk (2785) immediately if they know or suspect that their network account or workstation has been compromised by a virus or unauthorized access
- Users should not attempt to remove viruses themselves without permission from the Help Desk

Page 31: General Security Training for Computer Users

Maintaining Security - #6

- Users should not stay logged in to the LAN if they are going to leave the room for more than 15 minutes, even if it is locked
- During the day, workstations should be left at the Netware Login screen. At night, computers should be powered down
- All network accounts and workstation hard drives are subject to periodic audit for the purpose of maintaining security and license requirements

Page 32: General Security Training for Computer Users

Engaging in “Safe” Computing

- All users must protect against viruses
- Do not bring software from home
- Do not download software from the internet
- Do not open email attachments that you were not expecting to receive
- Only operate computers which are running virus protection software
- When in doubt, call 2785 and ask

Page 33: General Security Training for Computer Users

Complete the Test Now!

All JIRDC computer users must complete this training and take this test before using our network.

Answer the questions on-line, then click the print button at the bottom, and mail the printed completed test to Paul Rasmussen in Computer Services (#8). You’ll hear back by email.

Here is the test. Take it now!

http://www.JIRDC.org/SecTest.pdf
