
Information Security Training 101

March 2011

Columbia University’s approach to Information Security

• Columbia University values the ability to openly communicate and share information as appropriate. 

• University information is an important asset that needs to be protected. 

• Any person or organization (including, but not limited to, staff, faculty, students, those working on behalf of the University, guests, tenants, visitors, and individuals authorized by affiliated institutions and organizations) that uses or provides information resources has a responsibility to maintain and safeguard these assets. 

• Users are required to abide by the Columbia University policies.


Columbia University Information Security Office (CISO)

Your one stop shop for data security assistance

The CISO’s functional areas:

- Manages security and access to the HR system (PAC) and mainframe systems

- Monitors the network for signs of compromised systems; investigates security violations; acts as liaison with law enforcement, General Counsel, and Deans

- Manages login services; manages user account provisioning; manages user entitlements and privileges; supports the physical security system (i.e., Lenel)

- Manages security policies, standards, and guidelines; manages the security awareness program

• The CISO defines and implements University-wide policies, procedures, standards, and functions spanning IT Governance, Network Security, Application Security, and Identity & Access Management

• The CISO also promotes campus wide security awareness and culture (through participation in technology deployments, trainings, presentations, meetings, and communications with various stakeholders)

CISO contact info: Email – [email protected]

What is information security?

Information security is protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, reading, inspection, recording or destruction

The core principles of information security are:

• Confidentiality - to prevent the disclosure of information to unauthorized individuals or systems

• Integrity - to ensure that data is accurate and complete and it cannot be modified by unauthorized person(s)

• Availability - to ensure the information is available when it is needed, where it is needed, and to those who need it

• Accountability - to ensure users are responsible for their actions


Why is information security important?

• Information is a valued University asset that needs to be protected

• Federal and state laws mandate the need for and level of protection required - examples of laws applicable to the University’s information are:

o Family Educational Rights and Privacy Act (FERPA) – student privacy protection
o Health Insurance Portability and Accountability Act of 1996 (HIPAA) – health information protection
o Federal Trade Commission (FTC) “Red Flags Rules” - a program to detect, prevent, and mitigate instances of identity theft
o Payment Card Industry Data Security Standard (PCI DSS) - credit card information protection
o New York State Information Security Breach and Notification Act – requirement to notify the NYS Attorney General’s Office of a Social Security Number (SSN) breach

• Confidential/Sensitive information includes, but is not limited to:

o Personally Identifiable Information (PII) - SSN, credit card, bank account #s
o Student and staff records - medical, personnel, payroll records
o University-proprietary data - research, course materials, budgets, strategies

The University is committed to safeguarding the security and confidentiality of personal and confidential information in compliance with applicable laws and Columbia University policies

Columbia University’s IT Policies

• Compliance with the Columbia University IT Policies

• You are expected to review and understand all the policies - a few important policies you should read immediately are:

o The Acceptable Use of IT Resources (Network and Computing) Policy – proper use of Columbia University’s network and computing technology
o The Data Classification Policy – confidential/sensitive data types and protection requirements
o The Social Security Number (SSN) and Unique Person Number (UPN) Usage Policy - proper use and protection of Social Security Numbers
o The Electronic Data Security Breach Reporting and Response Policy - reporting security incidents and breaches
o The Data Sanitization/Disposal of Electronic Equipment Policy - proper data sanitization and disposal
o The Desktop and Laptop Security Policy – safe computing standards to provide data protection on desktops and laptops
o The Remote Access Policy – security measures required to remotely connect to Columbia University's networks

Tools available to you from CUIT for data protection

• Symantec Antivirus - to protect a computer from viruses and spyware http://www.columbia.edu/acis/software/nav/

• CUSpider - to detect SSN information saved on your computer http://www.columbia.edu/acis/security/spider/CUSpider/Self-Help-Section-Intro.html

• GuardianEdge – to protect computers that contain sensitive files via full disk encryption. Send request to [email protected]

• Connected Backup – to backup your data http://www.columbia.edu/acis/software/connected/

• Winzip – to password protect sensitive files http://www.columbia.edu/acis/software/winzip

• DBAN - to ensure that all data is securely erased from the computer's hard drive before disposal https://www1.columbia.edu/sec/acis/security/public/dban/index.html

• PC PhoneHome – to assist in the recovery of a lost or stolen laptop http://www.columbia.edu/acis/software/pcphonehome/index.html


What you need to know and do

Your user ID and Password

• Your account is your responsibility - do not share with others

• Make your passwords complex (e.g., a combination of letters, numbers, and special characters)

• Do not use your user ID (UNI) or your name as your password

• Do not use any dictionary word in any language as your password; a dictionary word followed or preceded by numbers and other non-alphabetic characters is NOT accepted

• Protect your passwords and treat them as valuable as the PIN for your ATM card

• Do not use the save password feature on applications because others who have access to your computer will also have access to your account

• Do not use your University ID (UNI) and password for access to third-party systems (e.g., online shopping, newspapers, travel web sites)

• If you must write your password down, never leave it near your computer, never write your ID and password on the same piece of paper, and keep it secure
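The password rules above can be enforced mechanically. The following is an added example, not code from the slides or from Columbia’s own systems, that checks a candidate password against those rules (character-class mix, not the UNI, not the user’s name, and no dictionary word even when padded with digits or symbols); the dictionary is a small constructed stand-in for a real multi-language word list.

```python
import string

# Constructed stand-in for the policy's "dictionary word in any language" list.
# Assumption: a real deployment would load a full multi-language word list.
DICTIONARY = {"password", "columbia", "welcome", "summer", "lion", "secret"}

# Characters the policy treats as padding around a dictionary word
# ("followed or preceded by numbers and other non-alpha characters").
NON_ALPHA = string.digits + string.punctuation + " "


def has_required_classes(password: str) -> bool:
    """Complexity rule: letters, numbers and special characters all present."""
    has_alpha = any(c.isalpha() for c in password)
    has_digit = any(c.isdigit() for c in password)
    has_special = any(c in string.punctuation for c in password)
    return has_alpha and has_digit and has_special


def stripped_core(password: str) -> str:
    """Drop leading/trailing digits and symbols so 'Lion2011!' is compared as 'lion'."""
    return password.strip(NON_ALPHA).lower()


def check_password(password: str, uni: str, full_name: str) -> list:
    """Return the list of rules the password violates; an empty list means accepted."""
    problems = []
    lowered = password.lower()
    if not has_required_classes(password):
        problems.append("must mix letters, numbers and special characters")
    if lowered == uni.lower():
        problems.append("must not be your UNI")
    # Reject any part of the user's name appearing anywhere in the password.
    name_parts = [part.lower() for part in full_name.split()]
    if any(part and part in lowered for part in name_parts):
        problems.append("must not contain your name")
    if stripped_core(password) in DICTIONARY:
        problems.append("dictionary word with numbers/symbols added is not accepted")
    return problems


if __name__ == "__main__":
    # Constructed sample identity for the demonstration.
    for candidate in ("password123!", "jd1234", "Tr0ub@dor&Lion9"):
        print(candidate, "->", check_password(candidate, "jd1234", "Jane Doe") or "accepted")
```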


What you need to know and do (continued)

Safe Computing

• Read and adhere to the Acceptable Use of IT Resources (Network and Computing) Policy and the Desktop and Laptop Security Policy

• Activate and maintain the automatic software updates, anti-virus and anti-malware protection, and firewall on your personal computers

– Ask your IT support if you have a managed computer

• Be aware of information stealing methods such as: social engineering, phishing scams to obtain personal and sensitive information, and shoulder surfing

• Archive and back-up important files and data and protect the backups from theft and physical damage

• Be cautious when using the Internet and visiting any site that could be infected with malware

• Log off after using any application and close the browser completely if using a web application

• Enable password-protected screen savers when leaving your computer even for a short time

• Protect your portable devices (e.g., laptops, PDAs, USB sticks/drives, etc.) from loss or theft

• See http://www.columbia.edu/acis/security/cuit-security/ for more tips on safe computing


What you need to know and do (continued)

Safe Remote Access

• Read and adhere to the Remote Access Policy

• If you are using a home machine not managed by Columbia, then:

– activate and maintain automatic software updates for your anti-virus and anti-malware software, configure it to perform continuous and/or scheduled scanning, and keep it up to date

– enable the built-in firewall that is included in major operating systems (i.e., Windows and Mac)

– activate and maintain automatic software updates for vendor applications and apply them

– do not install file sharing software on your computer, because it will share files on your computer by default if not configured correctly

• Use Columbia University’s VPN (Virtual Private Network) connection when remotely accessing CU’s non-Web-enabled applications


What you need to know and do (continued)

Safe Email Use

• Read and adhere to Columbia’s Email Usage and Retention Policy

• Use your Columbia University email account for all official University correspondence

• Do not open email attachments from unknown sources or unexpected attachments from known sources

• Do not respond to email requests for personal and private information

• Do not type sensitive/confidential information within email text because email is like a “postcard”

• If you need to send sensitive information in an email, it must be sent as an encrypted/password-protected file attachment

• Never include the password in the email – it must be sent separately

• Do not send nuisance email or other online messages such as chain letters or obscene, harassing, offensive or other unwelcome messages


What you need to know and do (continued)

Sensitive Information Handling

• Read and adhere to the Data Classification Policy and the Social Security Number (SSN) and Unique Person Number (UPN) Usage policy

• When granting or approving access for your staff, restrict access on a “need to know and need to do” basis and review it periodically

• Educate staff about confidential/sensitive information protection and individual accountability

• Do not copy, reproduce, or store any confidential/sensitive information on your desktop, laptop, portable media devices, or in printed form except as required in your official job capacity

• Protect all confidential/sensitive information in any format to prevent unauthorized disclosure

• Dispose of sensitive information properly - see the Data Sanitization/Disposal of Electronic Equipment Policy

• Handle credit card information properly - see the Office of the Treasurer credit card processing website http://finance.columbia.edu/treasury/accepting_payments/creditcardinfo.html

• Handle health care information properly - see the CUMC Health Insurance Portability & Accountability Act (HIPAA) Information website http://cumc.columbia.edu/hipaa/index.html


A Few Information Security Reminders


Maintain Logical Security - Protect Your User Account and Do Not Share Your Password

Use Complex Passwords

Disposing, Recycling or Donating Computers - Erase All Data from Hard Drives & Destroy CDs, DVDs; Shred Confidential / Sensitive Documents

Encryption - Keep Your Data Private and Protect Your Sensitive Files

Maintain Physical Security - Keep Office, Desk, and Cabinets Locked and Secured

E-mail Usage - DO NOT Type Sensitive and Confidential Information in Email Text

Computer Usage - Sign Off After Using Applications and Enable a Password-Protected Screen Saver