PowerPoint presentation (37 slides) uploaded by ksena. Transcript:
Security Awareness: Protecting Sensitive Information

East Carolina University

ITCS/IT Security

Objectives
  • Why protecting data is important
  • How data can be compromised
  • Some "best practices" for keeping the data entrusted to us secure
Why Should You Care?
  • Universities hold massive quantities of sensitive data
  • Universities are traditionally seen as easy targets
  • We must understand the types of data that we hold, and the business processes that surround it
Sensitive Data
  • Social Security Number (SSN)
  • credit card number
  • driver's license number
  • personally identifiable patient information
  • personally identifiable student information
  • proprietary research data
  • confidential legal data
  • proprietary data that should not be shared with the public
Compliance

The University is required to comply with Federal and State legislation regarding the way we use and store sensitive information:

  • HIPAA - Health Insurance Portability and Accountability Act
  • GLBA - Gramm-Leach-Bliley Act
  • FERPA - Family Educational Rights and Privacy Act
  • NC Identity Theft Protection Act
NC Identity Theft Protection Act
  • The Identity Theft Protection Act is designed to protect individuals from identity theft by mandating that businesses and government agencies take steps to safeguard social security numbers and other personal information
Identity Theft
  • Approximately 10 million ID theft victims nationally per year (about 19 people per minute)
  • Identity theft is now passing drug trafficking as the number one crime in the nation (DOJ)
  • In NC, identity theft cases reported to the FTC jumped from 1,656 in 2001 to 5,830 in 2005
The NC ID Theft Act and ECU
  • Effective: December 1, 2005
  • § 132‑1.8. Social security numbers and other personal identifying information.
  • Unless disclosure is necessary to perform clearly defined duties and responsibilities, or is required by law, the following is prohibited:
  • 1. Collection of social security numbers
  • 2. Failing to segregate social security numbers from the rest of the record
  • 3. Failing to provide a Statement of Purpose when collecting a social security number
  • 4. Use of a social security number for a purpose other than the one stated
  • 5. Intentionally disclosing social security numbers to the public
The NC ID Theft Act and ECU (continued)
  • Effective: July 1, 2007
  • § 132‑1.8. Social security numbers and other personal identifying information.
  • State and local government agencies should minimize the instances where social security numbers and personal identifying information are disseminated internally or externally.
  • No agency of the State, or any agent or employee, shall (unless an exception is made):
  • 6. Print or embed social security numbers in a card required for access to services
  • 7. Require a person to transmit their social security number over the Internet unless the connection is secured or the number is encrypted
  • 8. Require a social security number to access an Internet Web site without other authentication
  • 9. Print and mail social security numbers, unless required by law
How is Information Stolen?
  • Phishing
  • Malware
  • Hacking
  • Stolen/Lost Computers
  • Social Engineering
Phishing
  • A type of Social Engineering
  • The practice of acquiring personal information on the internet by masquerading as a trustworthy business
Malware
  • Usually installed onto a computer by downloading other programs such as screensavers, games, and “free” software
  • Trojans –malicious programs disguised or embedded within legitimate software
What Can Malware Do?
  • Download other malware
  • Crash your workstation
  • Capture and send sensitive information from your workstation to the hacker
  • Be used to perform attacks from inside our network
Social Engineering
  • A hacker's favorite tool: the ability to extract information from computer users without having to touch a computer
  • Tricking or pressuring people into giving out information is known as "social engineering" and is one of the greatest security threats out there
Social Engineering (continued)
  • Social engineers prey on some basic human tendencies:
    • The desire to be HELPFUL
    • The tendency to TRUST people
    • The FEAR of getting into trouble
Social Engineering (continued)
  • Despite all our security controls, we are wide open to attack if an employee unwittingly gives away key information in an email, answers questions over the phone from someone they don't know, or fails to ask the right questions
Hacking
  • Compromising a computer, server, or network by means of software exploits or operator negligence/ignorance
Lost/Stolen Computers

What could the loss of one laptop containing sensitive information cost?

Thousands, maybe millions-WHY?

  • Fines
  • Public Relations Damage Control
  • Class Action Litigation
Which Way Did It Go?
  • Licensed cab drivers in London reported that 4,973 laptops, 5,939 Pocket PCs, and 63,135 mobile phones were left in cabs over a six-month period
Examine Your Business Processes
  • WHAT - data do you hold
  • WHO - has access to the data
  • WHERE - it originates, resides, and goes
  • HOW - it gets where it's going
What Data, Where Is It?
  • Search your workstation for sensitive data
    • Can it be deleted?
    • Can it be moved to PirateDrive?
  • If you MUST store sensitive information locally ENCRYPT it
Data Security
  • Data should not be copied or downloaded from the university's administrative systems to a PC, PDA, laptop, etc. unless required by your department
  • PirateDrive is a secure storage location which meets the requirements for storing sensitive information; it is available to individuals and departments
Data Security (continued)
  • Sensitive information should never be located on a web server
  • Use a secure server to store sensitive data
  • Store sensitive information in a database that supports encryption, such as SQL Server or Oracle, with encryption enabled
  • Remove the confidential part of the information from the data if this is possible (e.g., the SSN)
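Two of the practices above, searching a workstation for sensitive data and stripping the confidential part (such as an SSN) out of a record, can be automated. The following scanner is an added example for this page, not code from ECU or from the presentation: the regular expressions, the Luhn checksum filter for card numbers, the masking rule, and the sample text are all the editor's assumptions, and the sample identifiers are constructed, not real.

```python
"""Find likely SSNs and payment card numbers in text and redact them.

Added example (not part of the ECU slide deck). Patterns, masking rule
and sample text are constructed for illustration; a production scanner
would be tuned to the record formats an office actually holds.
"""
from __future__ import annotations

import re

# US SSN in AAA-GG-SSSS form. Area 000, 666 and 900-999, group 00 and
# serial 0000 are never issued, so they are rejected to cut false hits.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")

# Payment card: 13-19 digits, optionally separated by spaces or hyphens.
# Validity is decided afterwards with the Luhn checksum.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """Return True if the all-digit string passes the Luhn checksum.

    Note that about 1 in 10 random digit strings also pass, so the
    check reduces false positives but does not eliminate them.
    """
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_sensitive(text: str) -> list[tuple[str, str]]:
    """Return (kind, value) pairs for each SSN or Luhn-valid card number."""
    hits = [("ssn", m.group()) for m in SSN_RE.finditer(text)]
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(("card", m.group()))
    return hits


def report(text: str) -> list[tuple[int, str]]:
    """Return (line number, kind) for every hit, so findings can be located
    in a file without copying the sensitive value into the report itself."""
    found = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        found.extend((lineno, kind) for kind, _ in find_sensitive(line))
    return found


def redact(text: str) -> str:
    """Replace each finding with a mask that keeps only the last four
    characters, which is enough to match a record without exposing it."""
    for _kind, value in find_sensitive(text):
        masked = "*" * (len(value) - 4) + value[-4:]
        text = text.replace(value, masked)
    return text


# Constructed sample input; none of these identifiers are real.
SAMPLE = """\
Student record (constructed sample data, not real identifiers)
Name: A. Student   SSN: 123-45-6789
Order 1234 5678 9012 3456 shipped
Card: 4111 1111 1111 1111 exp 12/26
Phone: 555-328-9866
"""

if __name__ == "__main__":
    for lineno, kind in report(SAMPLE):
        print(f"line {lineno}: {kind}")
    print(redact(SAMPLE))
```

The order number on line 3 is sixteen digits but fails the Luhn check, so it is not reported; the phone number has the wrong shape for both patterns. Run the script against a file's contents to get a line-numbered list of where sensitive values sit before deciding whether each one can be deleted, moved to PirateDrive, or stored in masked form.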
Data Security (continued)
  • Be careful to whom you give sensitive information.
  • Do you know who they are?
  • Do they have a need to know?
  • Do they have the proper authorization?
Your PirateID and Passphrase
  • Never allow others to use your PirateID or other logins –this includes your supervisor!
  • Use a strong passphrase on all your computer systems and change them regularly
  • Never give your passphrase out to anyone
Passphrase Security
  • Use a different passphrase on your university and home workstations or programs
  • Avoid using the “auto complete” option to remember your passphrase
Securing Your Workstation
  • Log off or lock your workstation when you leave (Ctrl-Alt-Del, then Lock; or Windows key + L)
  • Use a screensaver with a password enabled
  • When you go home, turn the computer off
Steer Clear of Malware
  • Avoid using Instant Messaging and Chat Software
  • Avoid using Peer to Peer file sharing software
  • Don’t download or install unauthorized programs
  • Keep your computer up to date with the latest A/V definitions and security patches
Safe Email Practices
  • Don't open unscanned, unknown or unexpected email attachments
  • If you receive an email with a hyperlink, don't click it in the email; open a web browser and type the address in manually
  • Email is not secure and should not be used to send sensitive information. If you must use email, ALWAYS encrypt sensitive data
Practice a "Clean Desk" Policy
  • Don’t leave unattended sensitive data on your desk, FAX, printers or copiers
  • Keep sensitive data stored in a locked desk, drawer or cabinet
  • Shred sensitive data for disposal
Basic Business Rules
  • If you don't need it, don't collect it
  • If you need it only once, don't save it
  • If you don't need to save it, dispose of it properly
  • If you have to save it, encrypt it or lock it up
  • Don't give out information without positive confirmation of who is asking
If You Suspect a Problem

Notify the ITCS Help Desk at 328-9866

If you've been hacked, or think you have, change the passphrase on ALL systems you have access to (and not from the compromised workstation)

If you have received a threat, notify the ECU Campus Police

Security Awareness Mindset

"I understand that there is the potential for some people to deliberately or accidentally steal, damage or misuse the data that is stored within my computer systems and throughout our University. Therefore, it would be prudent for me to stop that from happening."

SEC-U-R-IT-Y: U R IT

For More Information

Please visit the IT Security website at www.ecu.edu/ITSecurity