Sensitive Data Accessibility Financial Management
College of Education
Michigan State University
Agenda for today
Q: What are examples of security threats?
Q: What does information security mean to you?
Q: Why do we need to know this?
Sensitive data management
Basic computer security issues
Institutional data: all of the data held by MSU, in any form or medium, for normal business operations.
Not protected and generally made publicly available, without restriction or limitation
Library card catalogs
Protected by institutional policy, guidelines, or procedures – may be public/FOI-able (freedom of information)
Detailed institutional accounting and budget data
Personally restricted directory data
Institutional data that could be used for identity theft
Protected by law, contract, or University policy
Records of the university security measures
PCI DSS - Payment Card Industry Data Security Standard – Fine up to $500,000
MSU’s Managing Sensitive Data site at http://eis.msu.edu/sid/
Use Institutional Data only for University purposes.
Minimize the potential for their improper disclosure or misuse.
Individually responsible for the security and integrity of Institutional
Laptop computers, Desktop computers
Phones, thumb drives
Network drives, web and file servers
Email attachments, social networking sites
Sticky notes, notepads, paper files
PAN forms and other official documents
As soon as you no longer need the data, delete it.
Don’t leave sensitive data on computers or PDAs that can be stolen.
Make sure the computer, where the data is stored, is protected against viruses, worms, etc.
Be careful distributing the data via email or paper forms.
Q: What should you do if you find a thumb drive in the hallway?
College policy can be found on this website
All college staff are required to attend a sensitive data awareness seminar every three years.
No one should keep SSNs or credit card numbers on their computer or a shared drive.
No confidential data on college servers or computers. There is no reason to store SSNs on a computer, so don’t. If you need to use SSNs at all, work with us to make sure they are handled with a minimum of risk.
If you absolutely must have SSNs, credit card numbers, or any other sensitive data on paper, destroy paper sheets as soon as you don’t need the data anymore. If you need to keep the data, lock the papers up, then destroy them as soon as you can.
Most important: Know the policy, be aware of how you can minimize exposure.
Video: Do not leave your computer unlocked
Basic computer use protection computer?
Video: Email hoax
Phishing (use of e-mail messages that appear to be sent from a trusted source.)
Segregation of duties: More than one person needed to complete a record transaction. Implement mitigating controls if staffing resources do not permit desired segregation of duties.
Adequate oversight: at least take samples.
Pay attention to high risk areas: cash and inventories. Take periodic inventory.
Monthly reconciliation of P-card statement is required.
Protect valuables (yours and others)
Be aware of and report suspicious activity
Good descriptions NOT heroics
Please remember to take the survey after you receive the email with a link. Thanks.