Securing Information in the Higher Education Office.

Information Security Office

MISSION:
– Build Security Awareness
– Maintain and Develop Information Security Policy
– Investigate Information Security Incidents

Protecting Our Constituent Information is a Team Effort

Information Security for Your Office

• Alphabet Soup
  – Laws, Rules, Regulations, Policies, Standards
• Best Practices
  – Data Classification
    • And How to Classify Data
  – Protecting Information

Information We Keep

• Students, Faculty, Staff, Donors, Contractors
  – Financial Records
  – Grades
  – Credit Card Information
  – Health Care Information
  – Addresses
  – Phone Numbers
  – Insurance Records
  – Social Security Numbers

All Protected By Law!

Alphabet Soup

• So Many Laws . . .
  – FERPA
  – HIPAA
  – PCI-DSS
  – GLB
  – SOX
  – “Red Flag” Alerts
  – California SB 1386
  – §28-51-

Alphabet Soup

. . . And Institutional Policy!

Alphabet Soup

• P. I. I.

– Personally Identifiable Information

The One Acronym That Says it All!

Best Practices

• Know the Data Your Office Handles
  – Data Classification
• Know How to Safeguard the Data
  – Protecting Information

Best Practices

• Know what to protect
  – Data Classification
    • Method to identify the level of protection various kinds of information need or require

Data Classification Example

• Data Classification—Level One
  – Private information that must be protected as required by law, industry regulation, or by contract
    • Examples?
  – Consequences of loss
    • Loss of funding
    • Fines
    • Bad Publicity
    • Expose students, staff, contractors, donors to identity theft

Data Classification Example

• Data Classification—Level Two
  – Protected information that may be available through Freedom of Information Act Requests to Examine or Copy Records, or state sunshine laws
    • Examples?
  – Consequences of loss
    • Loss of funding
    • Fines
    • Bad Publicity
    • Expose students, staff, contractors, donors to identity theft

Data Classification Example

• Data Classification—Level Three
  – Public Information
    • Examples?
  – Consequences of loss
    • Loss of personal use of a computer
    • Loss of personal data with no impact to the university
    • Bad Publicity

Best Practices

• How Can Data be Lost?
  • Laptop or other data storage system stolen from car, lab, or office.
  • Research Assistant accesses system after leaving research project because passwords aren't changed.
  • Unauthorized visitor walks into unlocked lab or office and steals equipment or accesses unsecured computer.
  • Unsecured application on a networked computer is hacked and data stolen.

Best Practices

• Protecting Information
  – Don’t let personnel issues become security issues
  – Control access to buildings and work areas
  – If you print it—go get it right away
  – Lock up sensitive information—including laptops
  – Store sensitive information on file servers
  – Shred it if you can

Know Your School’s Information Handling Policies

Best Practices

• Protecting Information
  – Use strong passwords
  – Change passwords often
  – Use different passwords on different systems
  – Never share your password
  – Password protect your screensaver
    • Manually lock your screen whenever you leave your desk

Best Practices

• Protecting Information
  – Be sure your office computers’ operating systems and anti-virus software are up-to-date
  – Remind staff to never open unsolicited email from an unknown source or click on unfamiliar web addresses
  – Follow computer salvage procedures—for disks, too!

Best Practices

• Know who to call!
  – I think an office computer is infected, what do I do?
  – I think I lost the USB drive I used to take some sensitive files home to work on, what do I do?
