IT Security Essentials Ian Lazerwitz, Information Security Officer


Fundamentals of Security

• Confidentiality

• Integrity

• Availability



Why all the concern about security?

• Computer hacking has become a big business

• We store large amounts of personal data in our systems on students and employees

• We need that data to be accurate and available in order to do our jobs

• We must comply with state and federal regulations


What are we doing about it?

• Constantly monitoring our systems and threats to keep our servers and our network secure

• Implementing policies, procedures and practices to assure only authorized users have access to data

• Educating users


What can you do?

• Security is everyone’s responsibility

• Contact the IT Security Office with any questions or if you suspect there has been a security breach

• Follow some basic guidelines:


Be aware

• Make information security a regular practice

• Recognize poor security practices in your own habits and in your office

• Remain vigilant where information security is concerned


Passwords

• Never share a password

  – If more than one person needs access, work with DoIT to create a network share so each can use their own password

  – Even the DoIT Helpdesk should never ask for your password


Passwords

• Choose a strong password

  – We recommend that you change your password regularly

  – Use a phrase that’s easy to remember but hard to guess

  – Your password must contain 3 of 4:

    • Uppercase letters

    • Lowercase letters

    • Numbers

    • Special Characters


Password Examples

• Weak Passwords

  – Fluffy

  – Password3

  – Lazerwitz

• Strong Passwords

  – str0ngPa55

  – 3plus3=Six

  – myc@tisf!uffy
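The "3 of 4" character-class rule stated on the earlier slide, applied to the example passwords above. This is an added example, not part of the original slides; the function names and the small deny-list are assumptions. It shows that the class rule alone accepts Password3 and does not accept myc@tisf!uffy, so a policy check usually pairs it with a guessable-word test.

```python
import string

# Constructed deny-list (assumption for this example). A real deployment
# would use a large dictionary or breached-password list instead.
GUESSABLE = {"password", "fluffy", "lazerwitz"}


def char_classes(pw):
    """Return the set of character classes present in pw.

    Anything that is not an ASCII letter or digit counts as "special".
    """
    classes = set()
    for ch in pw:
        if ch in string.ascii_uppercase:
            classes.add("upper")
        elif ch in string.ascii_lowercase:
            classes.add("lower")
        elif ch in string.digits:
            classes.add("digit")
        else:
            classes.add("special")
    return classes


def meets_3_of_4(pw):
    """The slide's rule: at least 3 of the 4 character classes."""
    return len(char_classes(pw)) >= 3


def is_guessable(pw):
    """True if pw is a deny-listed word with digits/symbols only at the ends."""
    core = pw.lower().strip(string.digits + string.punctuation)
    return core in GUESSABLE


def evaluate(pw):
    """Combine both checks into one report for a candidate password."""
    return {
        "classes": sorted(char_classes(pw)),
        "meets_rule": meets_3_of_4(pw),
        "guessable": is_guessable(pw),
    }


if __name__ == "__main__":
    # The six example passwords from the slide above.
    for pw in ["Fluffy", "Password3", "Lazerwitz",
               "str0ngPa55", "3plus3=Six", "myc@tisf!uffy"]:
        print(f"{pw:15} {evaluate(pw)}")
```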


Passwords

• Never post your password

  – On your computer monitor

  – Under your keyboard

  – In a desk drawer

  – Anyplace that someone might look


Passwords

• Never save passwords in applications

  – E-mail, Web Authoring, Dialup, VPN

  – Anyone who sits at your computer has access to those applications

  – Equally important at home


Personally Identifiable Information

Personally Identifiable Information (PII) is information that can be used to steal identities, disrupt University operations and damage Pace’s reputation. It includes:

  – Social Security Numbers (SSNs)

  – Health Information – including immunization information, FMLA information and

  – Credit Card information

  – Non-public directory information – including student grades


PII Data Handling Best Practices

• Assign a complex password and change it regularly;

• Don’t use Internet file-sharing software such as Kazaa or BitTorrent;

• It is important to treat other people’s information as if it was your own!!!!


PII Data Handling Best Practices

• Delete files from ALL locations (hard drive and network drive) when no longer valid.

• Do not hold on to old queries or reports that contain personal information. Empty your computer’s recycle bin and clear temporary file folders.


PII Data Handling Best Practices

• Never share passwords;

• Avoid emailing sensitive files. If email is absolutely necessary, use password protection;

• Use a password protected screen saver;

• Shut down or turn off the computer when not in use;


PII Printing Best Practices

• Printed reports with PII data must contain the creator’s name, date and time, data source and a confidential notice.

• Limit display of personal information. Do not leave paper containing personal information on desks or in open view; avoid printing SSN unless required by law.


PII Printing Best Practices

• Always store paper reports containing PII in a secure location such as a locked filing cabinet and know who has access to the location. Avoid taking PII reports with you to unsecured locations such as your home or car.


PII Printing Best Practices

• Limit distribution of documents with PII and know who is receiving the documents and how they will be used.


Physical Security

• Always lock your computer when you leave it unattended (ctrl-alt-del)

• Never leave hard copies with sensitive data in plain view

• Always log out of web applications (Banner, e-mail, calendar) and close the browser


Laptops and Mobile Devices

• Theft

• Access on unsecure networks

• Strong passwords

• Encryption


Did you know? (Antivirus)

• Pace University has a site license to install Symantec Antivirus on all Pace computers

• We also provide Antivirus software for staff, faculty, and student home use


Did you know?

• It is a violation of University policy to share your password

• You should keep your computer operating system and applications patched to protect against unwanted intrusions


Did you know?

• You should make backups of critical files

• At home use a personal firewall

• Do not open unexpected emails


Information Security Office

• Ian Lazerwitz

  – Information Security Officer

[email protected]

[email protected]

• http://www.pace.edu/safecomputing