IT Security Information Security & Appropriate Use of Information Resources
Dec 16, 2015
Information Security
Understanding…
• Who’s responsible?
• What’s information security?
• Why do we need information security?
• What do I need to protect?
• How do I protect information?
• What’s appropriate use?
• What are the important policies and laws?
• Where do I find out more?
Information Security – Who’s Responsible?
• Students?
• Faculty?
• Staff?
• Security administrators?
The Answer = All of the above. Security is everyone’s responsibility!
Information Security – What’s Information Security?
• The protection of data against unauthorized access. This includes:
– How we access, process, transmit, and store information
– How we protect devices used to access information
– How we secure paper records, telephone conversations, and other types of digital media
Information Security – Why Do We Need Information Security?
• Confidential information is entrusted to us
• Laws and regulations govern the use of some of this confidential information
• We have an ethical obligation to protect this information from unauthorized access
• Failure to do so could leave others vulnerable to fraud and other exploits
Information Security – What’s Confidential and What’s Not?
IMPORTANT NOTE: If you receive a request for information from any external party, and you aren’t certain that the information can be released, refer them to the Office of the University Attorney for further action.
Information and Records – What Do I Need to Protect?
Information Security – How Do I Protect Information?
• Share confidential information only with other employees who have a need for the information
• When in doubt, don't give it out! If you are unsure whether or not to disclose certain information, err on the side of caution and don't release it
• Keep confidential phone conversations and dictation from being overheard
• Quickly retrieve or secure any document containing protected information that you have printed, scanned, copied, faxed, etc.
Information Security – How Do I Protect Information?
• Delete and write over (i.e., "wipe") data from any electronic media before transferring or disposing of it. Ask your IT support person for assistance.
• Position computer screens so they're not visible to anyone but the authorized user(s)
Information Security – How Do I Protect Information?
• Shred paper documents and/or CDs containing confidential information before disposal, and secure such items until shredding
• Store documents or physical media containing confidential information in locking file-cabinets or drawers
• Be alert to fraudulent attempts to obtain confidential information and report these to management for referral to appropriate authorities
Information Security – How Do I Protect Information?
• Log out or lock your workstation when you walk away from your work area
• Use strong passwords; don’t share them
– At least 8 characters long
– Mix alpha, numeric, & special characters; upper & lower case
– Don’t include dictionary words or proper names
– Don’t re-use all or a major portion of a prior password
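The password rules on this slide, expressed as a checker; this is an added example and not part of the original presentation. The word list is a constructed sample, the "major portion" threshold (a shared run of at least half the new password) is an assumption, and the prior password is assumed to be supplied by the user at change time, since stored password hashes cannot be compared for similarity.

```python
import re

# Constructed sample list; a real check would load a full dictionary and a
# list of proper names (assumption, not taken from the slides).
WORDS = {"password", "bobcat", "texas", "summer", "welcome"}

def longest_common_substring(a, b):
    """Length of the longest run of characters that appears in both strings."""
    best = 0
    prev = [0] * (len(b) + 1)
    for ch in a:
        cur = [0] * (len(b) + 1)
        for j, other in enumerate(b, start=1):
            if ch == other:
                cur[j] = prev[j - 1] + 1
                best = max(best, cur[j])
        prev = cur
    return best

def check_password(new, prior=""):
    """Return the slide's rules that `new` violates (empty list = acceptable)."""
    problems = []
    if len(new) < 8:
        problems.append("shorter than 8 characters")
    classes = {
        "lower-case letter": r"[a-z]",
        "upper-case letter": r"[A-Z]",
        "digit": r"[0-9]",
        "special character": r"[^A-Za-z0-9]",
    }
    for name, pattern in classes.items():
        if not re.search(pattern, new):
            problems.append(f"no {name}")
    lowered = new.lower()
    # Undo common digit/symbol substitutions so "P@ssw0rd" still matches.
    plain = lowered.translate(str.maketrans("0134$@5", "oleasas"))
    if any(w in lowered or w in plain for w in WORDS):
        problems.append("contains a dictionary word or proper name")
    if prior:
        # Assumed threshold: half or more of the new password is one run
        # copied from the prior password (case-insensitive).
        shared = longest_common_substring(lowered, prior.lower())
        if shared * 2 >= len(new):
            problems.append("re-uses a major portion of the prior password")
    return problems
```
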
Information Security – How Do I Protect Information?
• Use anti-virus software and leave auto-update enabled or update your virus definitions regularly
Appropriate Use of Information Resources
Appropriate Use of Information Resources – Policy
Appropriate Use of Information Resources – Copyright Protection
• The University respects copyright protections
• Licensed software may be copied only as permitted by the license, and license agreements vary in their terms of use
• Employees may not use unauthorized copies
• Any such use is without the consent of Texas State
Appropriate Use of Information Resources – Privacy
• Don’t think of your e-mail as private
• Email can be viewed by authorized staff such as System Administrators
• Files may be subject to open records requests
• Employee privacy may be limited by:
– Evidence of fraud
– Harassment
– Other illegal conduct or rule violations
Appropriate Use of Information Resources – FAQs
Information Security – What Are the Rules and Laws?
• FERPA – Federal Educational Rights & Privacy Act
– is a federal law that protects the privacy of student educational records, and prohibits the University from disclosing information from those records without the written consent of the student
– http://www.ed.gov/policy/gen/guid/fpco/ferpa/index.html
• HIPAA – Health Insurance Portability & Accountability Act
– is a federal law that:
– Protects the privacy and security of Protected Health Information (PHI) and Electronic Protected Health Information (ePHI)
– Gives patients more control over their health records
– Sets limits on the accessibility and disclosure of patient health information
– http://www.cms.hhs.gov/HIPAAGenInfo/
Information Security – What Are the Rules and Laws?
• Gramm-Leach-Bliley Act (GLBA)
– includes provisions to protect the security and confidentiality of consumers' personal financial information held by financial institutions, in any form or medium
– Universities/agencies must not disclose any non-public, financial information to anyone except as permitted by law
– http://www.ftc.gov/privacy/privacyinitiatives/glbact.html
• TPIA – Texas Public Information Act
– formerly known as the Open Records Act, specifies that all recorded information owned or accessed by a governmental body is presumed to be public information, with certain exceptions
– http://www.oag.state.tx.us/AG_Publications/txts/2004publicinfohb_toc.shtml
Information Security – What Are the University Policies?
• Texas State University Policies
– Appropriate Use of Information Resources (UPPS 04.01.07)
  • http://www.txstate.edu/effective/upps/upps-04-01-07.html
– Security of Texas State Information Resources (UPPS 04.01.01)
  • http://www.txstate.edu/effective/upps/upps-04-01-01.html
– Appropriate Release of Information (UPPS 01.04.00)
  • http://www.txstate.edu/effective/upps/upps-01-04-00.html
– Texas State policy requires that information resources be used only in support of University missions
Information Security – How Do I Find Out More?
• Texas State Sites
– IT Security - http://www.vpit.txstate.edu/security
– Privacy Rights Notice - http://www.tr.txstate.edu/privacy-notice.html
– Identity theft - http://webapps.tr.txstate.edu/security/identity.html
– FERPA at Texas State - http://www.registrar.txstate.edu/persistent-links/ferpa.html
• Contacts
– Information Technology Security: 512-245-HACK (4225), [email protected]
– Information Technology Assistance Center: 512-245-ITAC (4822), [email protected]