SECURITY AWARENESS & PROTECTION OF NON - PUBLIC UNIVERSITY INFORMATION

Transcript of SECURITY AWARENESS PROTECTION OF NON-PUBLIC …

Page 1: SECURITY AWARENESS PROTECTION OF NON-PUBLIC …

SECURITY AWARENESS & PROTECTION OF NON-PUBLIC UNIVERSITY INFORMATION

Page 2: SECURITY AWARENESS PROTECTION OF NON-PUBLIC …

UNDERSTANDING INFORMATION SECURITY

Information Security

Information security refers to safeguarding information from misuse and theft, whether caused accidentally or otherwise. Information may be accessed or stored in devices like telephones, fax machines, and computers.

Cyber Security

Pertains to the protection of data and systems that are connected to the Internet. Cyber security calls for steps to prevent, detect, and defend against potential information theft attacks.

Confidentiality

Pertains to protecting private and sensitive information from falling into the hands of the unauthorized.

Poor Information Security

Can result in identity theft, which can occur due to loss of personal information.

Page 3: SECURITY AWARENESS PROTECTION OF NON-PUBLIC …

INFORMATION TECHNOLOGY SECURITY PROCEDURES

All users with access to University information available in University files and systems are continually responsible for maintaining the integrity, accuracy, and privacy of this information.

Loss of data integrity, theft of data, and unauthorized or inadvertent disclosure could lead to significant exposure of the college and its constituents, as well as those directly responsible for the loss, theft, or disclosure.

Page 4: SECURITY AWARENESS PROTECTION OF NON-PUBLIC …

NON-PUBLIC UNIVERSITY INFORMATION

Non-Public University Information means Personally Identifiable Information (PII) that an individual can use directly, or in connection with other data, to identify, contact, or locate a person, and can include:

Social Security Number

Driver’s license number or non-driver identification card number

Account numbers, credit card and debit card numbers combined with any security code, access code, or password that would permit access to financial information

Personal email address

Birthdate

REMEMBER: Unless otherwise required by law, users of University files and systems must not disclose any Non-Public University Information to the general public or any unauthorized users.

Page 5: SECURITY AWARENESS PROTECTION OF NON-PUBLIC …

NON-PUBLIC UNIVERSITY INFORMATION

Within the College, Non-Public University Information may be collected during, but is not limited to:

Registration

During registration, users are prompted to enter their name and email address for authentication and verification purposes.

Creation of class lists and grade reports

Ordering and Billing

When placing an order (transcript, tuition payment), users will need to supply their credit card information along with their mailing information.

Customer Service Interactions

Under the IT Security Procedures, access to Non-Public University Information must be restricted to full-time and regular part-time employees on a need-to-know basis (with certain limited exceptions). However, in the course of assisting users, PII may be exposed, and care must be taken to prevent unauthorized disclosure.

Page 6: SECURITY AWARENESS PROTECTION OF NON-PUBLIC …

ACCESS TO UNIVERSITY INFORMATION

Access to University information available in its files and systems, whether in electronic or hard copy form, must be restricted to the following individuals and must be consistent with their job responsibilities:

Full-time and regular part-time employees of the college

Adjunct faculty

Employees of the University’s contractors who have been permitted such access under a written agreement with the University

CUNY students may not be permitted to access Non-Public University Information unless they are:

Students who are also University adjunct faculty

Employees of the University or its related entities who are taking a Continuing Education course at the University

Employees of the University or its related entities who are taking a credit-bearing course at a College other than the one they are employed at, unless it is part of the tuition waiver program.

Page 7: SECURITY AWARENESS PROTECTION OF NON-PUBLIC …

BEST PRACTICES FOR TECHNICAL SECURITY OF PII

Always ensure that your computer is logged off when you are not present.

Note: Logged on and powered on are different. You may leave your computer powered on but not necessarily logged onto your account.

Set a moderately strong password. Do not share your passwords. Strong passwords entail:

Using 12 or more characters

Using punctuation and spaces

Using case-sensitive alphanumeric characters

Social security numbers must not be stored, transported, or taken home on portable devices (e.g. laptops, flash drives) of any type without specific approval of both the Vice President of Administration (or the equivalent at the College or in the Central Office department) and the University Information Security Officer. Where approval is granted, the information must be encrypted and password protected.

Users are responsible for engaging in safe computing practices such as guarding and not sharing their passwords, changing passwords regularly, logging out of systems at the end of use, and protecting Non-Public University Information.

Page 8: SECURITY AWARENESS PROTECTION OF NON-PUBLIC …

BEST PRACTICES FOR PHYSICAL SECURITY OF PII

Only ask for PII when absolutely necessary to conduct the business of the College. When doing so, make sure that:

All documents containing PII are stored in locked cabinets.

If individuals supply supplemental PII that is not necessary, shred it or redact it immediately. Do not keep it.

All documents containing PII must be destroyed when no longer needed.

Do not email or fax documents containing PII.

As a general rule, whenever possible, do not share PII.

Page 9: SECURITY AWARENESS PROTECTION OF NON-PUBLIC …

SPECIAL RULES FOR SOCIAL SECURITY NUMBERS

Unless required by law, users of University files and systems must not:

Intentionally communicate to the general public, or otherwise make available to the general public in any manner, an individual’s SSN.

Publicly post or display an individual’s SSN or place an SSN in files of unrestricted access.

Require an individual to transmit their SSN over the Internet unless the connection is secure or the SSN is encrypted.

Require an individual to use his or her SSN to access an Internet website, unless a password or unique personal identification number or authentication device is also required to access the Internet website.

Include an individual’s SSN, except for the last four digits, on any materials that are mailed to the individual, or in any electronic mail that is copied to third parties, unless state and federal law requires the SSN to be on the document to be mailed.

Transmit an individual’s SSN onto portable devices without encryption.

Page 10: SECURITY AWARENESS PROTECTION OF NON-PUBLIC …

STUDENT INFORMATION PROTECTED BY FERPA

The Family Educational Rights and Privacy Act (FERPA) protects personally identifiable information from students’ education records from unauthorized disclosure.

Information that makes an education record “personally identifiable” to a particular student includes:

The student’s name;

The name of the student’s parent or other family member;

The address of the student or other family member;

A personal identifier, such as the student’s SSN or student number or biometric record;

A list of personal characteristics that would make the student’s identity easily traceable;

Other information that, alone or in combination, is linked or linkable to a specific student, and which would allow a reasonable person to identify the student; or

Information requested by a person who the educational agency or institution reasonably believes knows the identity of the student to whom the record relates.

Page 11: SECURITY AWARENESS PROTECTION OF NON-PUBLIC …

STUDENT INFORMATION PROTECTED BY FERPA

Colleges are required to have appropriate controls in place to limit the accessibility of student records to those college officials who legitimately need them.

FERPA makes it clear that we cannot designate an SSN as directory information, and NY law prohibits the use of a student’s SSN for any public identification purpose such as posting of grades.

The Family Policy Compliance Office of the US Department of Education, which enforces FERPA, has also made it clear that it is a violation of FERPA to disclose information containing the last four digits of the student’s SSN.
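The SSN rules on Page 9 (only the last four digits may appear on mailed materials or on email copied to third parties) and the FERPA point above (for student records even the last four digits count as a disclosure) can be enforced mechanically before a document leaves the office. This added Python example is not part of the training deck; the dashed-SSN pattern, the `XXX-XX-` masking style and the sample notice are assumptions made here.

```python
import re

# Matches the dashed SSN form AAA-GG-SSSS. Bare 9-digit runs are deliberately
# not matched: they are too easily confused with other account numbers, and a
# false "redaction" of an invoice number would be its own data-quality problem.
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")

# Constructed sample: one SSN plus a phone number that must NOT be touched.
SAMPLE_NOTICE = "Student 123-45-6789 owes $40; call 212-555-1234."


def mask_ssns(text: str, keep_last_four: bool) -> tuple:
    """Redact every SSN in `text`.

    keep_last_four=True  -> XXX-XX-6789, the most the Page 9 rule allows on
                            materials mailed to the individual
    keep_last_four=False -> XXX-XX-XXXX, required for student records, where
                            FERPA guidance treats even the last four as disclosure
    Returns (redacted_text, number_of_ssns_found).
    """
    def _replace(match):
        tail = match.group(3) if keep_last_four else "XXXX"
        return f"XXX-XX-{tail}"
    return SSN_RE.subn(_replace, text)


def unmasked_ssn_count(text: str) -> int:
    """Gate for outgoing mail: anything above zero means the text must not go out."""
    return len(SSN_RE.findall(text))


def prepare_for_sending(text: str, is_student_record: bool) -> str:
    """Pick the stricter FERPA rule automatically when the document is a student record."""
    redacted, _ = mask_ssns(text, keep_last_four=not is_student_record)
    # Defensive re-check: the result must contain no recognisable SSN.
    assert unmasked_ssn_count(redacted) == 0
    return redacted
```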

Page 12: SECURITY AWARENESS PROTECTION OF NON-PUBLIC …

CUNY BREACH REPORTING PROCEDURE

When a possible privacy breach has occurred, immediate action should be taken:

Step 1: Confirm and Contain

Confirm the validity of the suspected information breach. Containment should occur immediately. This includes, but is not limited to, disconnection of the host (server or device) from the network or shutting down an application. Care should be taken not to destroy the data, but to preserve it without any form of network connection.

Step 2a: Report. The following individuals should be informed immediately:

The College President or Central Office Vice President for the affected area

The College Legal Affairs Department and Central Office, Office of General Counsel

The College or Central Office department head from which the information was breached

The College Chief Information Officer

University Chief Information Office

University Chief Information Security Office

Page 13: SECURITY AWARENESS PROTECTION OF NON-PUBLIC …

CUNY BREACH REPORTING PROCEDURE

Step 2b: Report. The report should indicate the following information:

Whose personal information was disclosed

To whom it was disclosed

When it was disclosed

How it was disclosed/accessed

What steps have been taken in response to the disclosure

Step 3a: Retrieve

Any documents or contents of electronic documents that have been disclosed to, or taken by, an unauthorized recipient should immediately be retrieved and/or secured or taken offline. Documents, in any form, should not be destroyed until specific instruction is received.

Step 3b: Remove

Private information taken offline may still be accessible and discoverable on the Internet via Internet search engines (e.g. Google). Requests to remove the information from search engine indexes and caches must be made directly to the search engine companies as quickly as possible. This step will be coordinated with the University Chief Information Security Officer.

Page 14: SECURITY AWARENESS PROTECTION OF NON-PUBLIC …

CUNY BREACH REPORTING PROCEDURE

Step 4: Notify

In cases where a breach results in the disclosure of personal information, New York law may require you to notify the individuals affected. Determination of the reporting requirements will be made by the Office of the General Counsel with the College Legal Affairs designee on a case-by-case basis.

Step 5: Investigate

The College’s Legal Affairs Department, the Vice President for the affected area, the College’s CIO, and the University Chief Information Security Officer will investigate the details of the breach for the purpose of determining and recording all the relevant facts concerning the breach and making recommendations. Objectives of the investigation will include a review of the circumstances surrounding the event as well as the adequacy of existing policies and procedures in protecting PII.

Step 6: Management Review

The College Legal Affairs Department with the Vice President of the affected area will document and report the details of the breach and remedial steps to the President of the College. The Legal Affairs Department, in collaboration with the University CIO, will report on recommendations and actions to the appropriate parties within the Chancellor’s office.

Page 15: SECURITY AWARENESS PROTECTION OF NON-PUBLIC …

SECURITY THREATS

Security threats come from many sources. By being vigilant in identifying potential attacks, you can protect yourself and any sensitive information against unauthorized access.

Pharming

A fraudulent website that contains copies of pages from a legitimate website, built to capture confidential information from users. Users tend to end up on the bogus site on their own and are not suspicious because the page looks similar to the original site. Bookmark known good sites to avoid landing on a fraudulent website through a typo or other error.

Spoofing

Impersonating something else in order to trick your target into doing something that they may not ordinarily do. Example: A spoofed email can appear to come from an online bank that is asking you to confirm information that can then be used for fraudulent actions. If you have any suspicion, verify with the bank.

Phishing

An attack wherein the sender tries to trick the target into giving up sensitive information, such as financial information. These internet messages should be IGNORED and you should NEVER click on any of the links provided.

Note: If you are compromised, go to the legitimate website or contact the vendor and change your password, PIN, etc.

Page 16: SECURITY AWARENESS PROTECTION OF NON-PUBLIC …

SECURITY MEASURES

DO NOT send personal information over public Wi-Fi. Wireless networks can be easily intercepted, and you are better off using your carrier (3G or 4G) to transmit sensitive information.

DO create strong passwords. It is always a good idea to use a combination of capital and lower case letters and numbers when creating a password. And while it can be annoying, creating different passwords for each of your accounts gives you the added safety that if one of your accounts is breached, the hacker will not be able to get into all of them.

NEVER send out ANY personal information over email, including in attachments. Emails can easily be hacked and you do not want to make it any easier for someone to find more information about you.
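The password rules from Page 7 (12 or more characters, punctuation or spaces, case-sensitive alphanumerics) and the one-password-per-account advice above are the kind of checks an enrollment or account-management form should apply at the point of registration. This added Python example is not part of the training deck or any CUNY system; the rule wording, the PBKDF2 work factor and the in-memory registry are assumptions made here.

```python
import hashlib
import hmac
import os
import string

# Policy from the deck: 12+ characters, punctuation/spaces, and case-sensitive
# alphanumerics (upper, lower and digits). Reuse across accounts is also refused.
MIN_LENGTH = 12
PUNCT_OR_SPACE = set(string.punctuation) | {" "}
PBKDF2_ROUNDS = 100_000  # assumed work factor for the stored verifier


def policy_findings(password: str) -> list:
    """Return the policy rules the password fails; an empty list means it passes."""
    findings = []
    if len(password) < MIN_LENGTH:
        findings.append("fewer than 12 characters")
    if not any(c in PUNCT_OR_SPACE for c in password):
        findings.append("no punctuation or space")
    if not any(c.isupper() for c in password) or not any(c.islower() for c in password):
        findings.append("not mixed case")
    if not any(c.isdigit() for c in password):
        findings.append("no digit")
    return findings


def _verifier(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 verifier; the plaintext password is never stored."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


class PasswordRegistry:
    """Keeps one verifier per account and refuses policy failures and reuse."""

    def __init__(self):
        self._accounts = {}  # account name -> (salt, verifier)

    def register(self, account: str, password: str) -> list:
        """Store the password for `account`; returns the reasons it was rejected."""
        findings = policy_findings(password)
        if findings:
            return findings
        # Re-derive the candidate under every other account's salt to detect reuse
        # without ever holding the other accounts' passwords in clear.
        for other, (salt, verifier) in self._accounts.items():
            if other != account and hmac.compare_digest(verifier, _verifier(password, salt)):
                return [f"already used for account {other!r}"]
        salt = os.urandom(16)
        self._accounts[account] = (salt, _verifier(password, salt))
        return []

    def verify(self, account: str, password: str) -> bool:
        """Check a login attempt with a constant-time comparison of verifiers."""
        if account not in self._accounts:
            return False
        salt, verifier = self._accounts[account]
        return hmac.compare_digest(verifier, _verifier(password, salt))
```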

Page 17: SECURITY AWARENESS PROTECTION OF NON-PUBLIC …

MAINTAINING FILE SECURITY

In some security attacks, files on your hard drive can be corrupted or deleted, and that is why protecting your files from catastrophes is important. If you have backed up your files, you can recover them without having to re-create them.

Data backup

A type of information protection scheme that enables you to store copies of critical files and folders for safekeeping. Regular backups keep information safe.

Data restoration

A type of information protection scheme that enables you to recover stored copies of critical files and folders. A restore protects you against loss of data due to a security disaster.

File sharing

Involves making files or data available to members on a network. You can control access to your files by limiting the users. By allowing only authorized users to access the content, you protect it from being altered.

Page 18: SECURITY AWARENESS PROTECTION OF NON-PUBLIC …

MAINTAINING FILE SECURITY

File transfer

The process of copying files from one computer to another on a network, including the Internet. With the implementation of security measures, you can prevent unauthorized people from downloading files.

File encryption

A type of file protection that disguises the data within a file or message so that the specific information included within the file or message cannot be read or understood by an unauthorized user. A key is used to encode the data, so neither the file nor the key can be read by anyone who does not have access.

File decryption

A type of file protection that decodes the data within an encrypted file. Decryption goes hand in hand with encryption: the tool that was used to encrypt the data will be needed, along with the key, to decrypt the data.

Page 19: SECURITY AWARENESS PROTECTION OF NON-PUBLIC …

GUARDING AGAINST ATTACKS

In the cyber world, many security breaches occur through email attachments. By defending yourself and your organization against these types of attacks, you can protect your system.

Malware

Performs actions that cause damage to data contained on a system, or prevents the system from being used in its normal way.

Virus

Computer programs that can attach to files and replicate themselves, often without your knowledge.

Virus Hoax

An email message that warns of a fake virus threat and urges the recipient to forward the message to everyone they know. Example: An email might warn you of a new virus, tell you to spread the word to your friends, and give a link to a dangerous website.

Page 20: SECURITY AWARENESS PROTECTION OF NON-PUBLIC …

GUARDING AGAINST ATTACKS

Spam

A type of email message that is unsolicited and unwanted. Most spam includes at least one link to redirect the user to a different website, which may or may not be a legitimate commercial site.

Trojans

Malicious programs that masquerade as harmless applications and purposefully do things that the user does not expect.

Hacking

The process of illegally accessing other people's computer systems to destroy or disrupt normal activity.

Page 21: SECURITY AWARENESS PROTECTION OF NON-PUBLIC …

VIRUS PROTECTION

Modern anti-virus programs, such as McAfee, which is used on campus, protect against the previously mentioned attacks such as malware, viruses and spyware.

Virus Protection Software

A type of computer program that enables you to identify and remove malware from a computer. In some instances, the virus protection software might be able to repair damage done by a malicious piece of code.

Virus Definition Updates

Files that identify and deal with known malware that was discovered after the initial installation of virus protection software. Virus definition files need to be updated constantly to include protection against newly discovered threats.

Virus Scans

Activities that use the software engine and virus definition files to check a computer for the presence of malware. You can also manually force the virus protection software to scan for viruses at any time or set up an automated time.

Email Filter

A software application that categorizes email according to specified rules or instructions. Filters can sort incoming mail into different folders that are set up, including the folder that holds deleted items.

Page 22: SECURITY AWARENESS PROTECTION OF NON-PUBLIC …

BLOCK SPYWARE

Spyware is malicious software designed to intercept or take control of a computer’s operation without consent. Spyware gains information about the user and silently tracks their surfing behavior to create a marketing profile.

When you have spyware on your computer, you will see pop-up advertisements, even when you are not surfing the Internet. You will also observe other odd behavior such as slowdowns and crashes.

Using anti-spyware programs such as popup blockers and adjusting security settings can help in counteracting the increasing cases of spyware.

Note: All computers given to staff and faculty by QC have the McAfee anti-virus software already installed. It is your responsibility to update the software when prompted.

Page 23: SECURITY AWARENESS PROTECTION OF NON-PUBLIC …

ANY QUESTIONS?

• Feel free to contact the Training & Technology Solutions:

• Office: I-214

• Ext: 74875

• Email: [email protected]

• Facebook: www.facebook.com/QC.Training

• Tumblr: http://qc-tech.tumblr.com/