8/14/2019 MWCC Information Security
How to Identify, Maintain and Safeguard Personal Information at
Mount Wachusett Community College
Get S.M.A.R.T.
GET S.M.A.R.T.
- Security Matters
- Adapt to new policies, procedures and regulations
- Respect the privacy of personal information
- Think ... before accessing or disseminating information
What governs how MWCC protects data?
- State and Federal statutes and regulations regarding privacy and security
- Contracts between state agencies and data providers (e.g., Social Security Administration)
- ITD security policies, standards and guidelines
- MWCC security policies and standards
What would YOU do for a candy bar?
- A 2007 survey found that more than 70% of people would reveal their computer password in exchange for a candy bar.
- 34% volunteered their password when asked, without even needing to be bribed.
- A second survey found that 79% of people unwittingly gave away information that could be used to steal their identity when questioned.
Consequences of unauthorized use or access of personal information (why we protect!)
- Identity Theft
  - Many victims suffer $2,000 to $15,000 in lost wages as a result of identity theft.
  - Victims have had to declare bankruptcy because an identity theft destroyed their credit and ability to work.
- Mitigation Costs
  - $230 billion is lost each year, worldwide, as a result of identity theft.
- Staff/System downtime
- Loss of public confidence and reputation
- Legal Issues
- Businesses report that they spend an average of $15,000 or more in costs for an identity theft case.
How is Personal Information defined under M.G.L. 93H, EO 504 and FIPA?
- M.G.L. 93H defines Personal Information as a resident's first name and last name, or first initial and last name, in combination with one or more of the following:
  - Social Security number
  - Driver's license number or state-issued identification number
  - Financial account number
- FIPA (M.G.L. 66A) defines personal data more broadly: any information which can be readily associated with a particular individual by
  - Name
  - Identifying number
  - Mark (can be a photo)
  - Description
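The M.G.L. 93H definition above is mechanical enough to check by machine: a record is Personal Information only when a name appears together with one of the listed identifiers. The following Python scanner is an added example, not part of the MWCC presentation or any MWCC tool. It applies that rule to one record per line of a constructed, fictitious export. The SSN format rules and the Luhn check on card numbers are standard; the name heuristic, the label stop-list and the driver's-license format (assumed here to be an "S" followed by eight digits) are assumptions made for the example and should be adjusted to the formats in your own records.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Identifiers that M.G.L. 93H lists alongside a name. The SSN rules (no 000,
# 666 or 9xx area, no 00 group, no 0000 serial) are the standard ones; the
# driver's-license pattern ("S" plus eight digits) is an ASSUMPTION made for
# this example and should be replaced with the formats your records use.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
DL_RE = re.compile(r"\bS\d{8}\b")
# 13-16 digits, optionally separated by spaces or dashes; confirmed with Luhn.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")
# "First Last" or "F. Last". Crude, so common field labels are excluded.
NAME_RE = re.compile(r"\b([A-Z][a-z]+|[A-Z]\.)\s+[A-Z][a-z]+\b")
LABEL_WORDS = {"Social", "Security", "Student", "Account", "License",
               "Driver", "Card", "Number", "Campus", "Police"}


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers; filters random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(value: str) -> str:
    """Keep only the last four characters so findings can be reported safely."""
    return "*" * (len(value) - 4) + value[-4:]


def find_name(record: str) -> Optional[str]:
    """Return the first name-like token pair that is not a field label."""
    for m in NAME_RE.finditer(record):
        if not any(w.rstrip(".") in LABEL_WORDS for w in m.group().split()):
            return m.group()
    return None


@dataclass
class Finding:
    record: int                         # 1-based line number in the export
    name: Optional[str]
    identifiers: List[Tuple[str, str]]  # (kind, masked value)

    @property
    def is_personal_information(self) -> bool:
        # 93H: a name AND at least one of the listed identifiers.
        return self.name is not None and bool(self.identifiers)


def scan_records(text: str) -> List[Finding]:
    """Scan one record per line; report every record containing an identifier."""
    findings: List[Finding] = []
    for idx, line in enumerate(text.splitlines(), start=1):
        ids: List[Tuple[str, str]] = []
        ids += [("ssn", mask(m.group())) for m in SSN_RE.finditer(line)]
        ids += [("drivers_license", mask(m.group())) for m in DL_RE.finditer(line)]
        for m in CARD_RE.finditer(line):
            digits = re.sub(r"\D", "", m.group())
            if luhn_ok(digits):
                ids.append(("financial_account", mask(digits)))
        if ids:
            findings.append(Finding(idx, find_name(line), ids))
    return findings


# Constructed sample export (fictitious data) used to exercise the scanner.
SAMPLE_EXPORT = """\
Jane Doe, SSN 123-45-6789, Gardner MA
J. Smith, card 4111 1111 1111 1111, tuition payment
Student ID 00012345, Intro to Biology, grade B+
Social Security number 321-54-9876 (name withheld)
Maria Lopez, license S12345678, parking permit
"""

if __name__ == "__main__":
    for f in scan_records(SAMPLE_EXPORT):
        flag = "93H PI" if f.is_personal_information else "identifier only"
        print(f"line {f.record}: {flag}; name={f.name!r}; ids={f.identifiers}")
```

Lines 1, 2 and 5 of the sample are flagged as 93H Personal Information; line 4 carries an SSN but no name, so it is reported as an identifier to review rather than as Personal Information, and line 3 (a student ID and a grade) produces no finding at all. Masking the matched values means the scanner's own output does not become another copy of the data it is looking for.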
MWCC Contractual Security Requirements
- Payment Card Industry (PCI) Data Security Standards
  - Data security standards mandated by the credit card industry for all Commonwealth entities that process, transmit or store cardholder data.
- Social Security Administration Information Exchange Agreement
  - Governs the transmission of data files received from and sent to the SSA.
- HIPAA (Health Insurance Portability and Accountability Act)
- FERPA (Family Educational Rights and Privacy Act)
Examples of Personal Information
- Credit card information
- Name and Social Security number
- Health record information
- Student/Employee record information
- Student/Employee ID
- Health service or Campus Police record
Ways Personal Information is Stored Non-Electronically
- What?
  - Reports
  - Letters
  - Faxes
  - Printouts
  - Memos
  - Notepads
  - Sticky notes
- Where/How?
  - File cabinets
  - Desks
  - Printer/Fax trays
  - Personal effects (briefcase/pockets)
  - Phone calls
  - Meetings/Conversations
  - Recycle bins
  - Test grades on doors
  - Class rosters
Ways Personal Information is Stored Electronically
- Personal Devices
  - Computers
  - Laptops
  - PDAs
  - Smart phones
  - Cell phones
  - Flash drives
- Infrastructure
  - Email (MWCC and Gmail)
  - Voicemail
  - Local and network drives
  - Servers and hosting companies
  - Equipment in storage or awaiting disposal
  - Backup tapes
  - Applications that collect or use personal information
Systems that may contain Personal Information
- Banner WebConnect
- Campus Police logs
- State reports through the HRCMS warehouse and MMARS
- MWCC-developed reports
- Fitness & Wellness database
Laws and Regulations
- M.G.L. 66A, Fair Information Practices Act (FIPA)
  - In general, FIPA creates a non-disclosure requirement for personal data when such information is not subject to disclosure under the Freedom of Information Act.
- M.G.L. 93H/93I, Security Breaches
  - Outlines how disclosure is handled, and how breaches of personal information or unauthorized access are reported.
Executive Order 504
- Issued in September 2008
- Order regarding the security and confidentiality of personal information
- Enables security program planning and assurance
- Outlines how to identify and protect personal information
- Utilizes a risk management approach to handling and securing sensitive information
- State agencies MUST:
  - Develop, implement and maintain written information security programs, which are submitted to the Commonwealth for approval
  - Audit and comply with laws, regulations, standards and policies as identified in the submitted information security plan
MWCC Information Security Program
- The Goal: Adopt and implement the maximum feasible measures reasonably needed to ensure the security, confidentiality and integrity of personal information.
- Under MWCC's security policy, ALL employees (including contractors) must:
  - Collect the minimum quantity of personal information reasonably needed to accomplish the legitimate purpose for which the information is being collected.
  - Securely store and protect personal information against unauthorized access, destruction, use, modification, disclosure and loss.
MWCC Information Security Program
- Under MWCC's security policy, ALL employees (including contractors) must:
  - Disclose personal information and data only on a need-to-know basis.
  - Destroy personal information and data as soon as it is no longer needed or required to be maintained under state or federal law.
  - Comply with MWCC's administrative, technical and physical safeguards and policies for personal information, and with relevant Federal and State privacy and security laws and regulations.
How does this impact my work?
- Collect a minimum of information
  - If you don't need it, don't ask for it
  - Rethink current processes
- ONLY access information necessary for the proper performance of your job
- Disclose personal information on a need-to-know basis
  - If you receive a request for personal information outside the normal course of business, escalate the request before responding.
- Watch for:
  - Non-authorized persons seeking personal information
  - Phishing emails
  - Shoulder surfing (someone looking over your shoulder while you are at your computer)
  - Impersonation via email or phone solicitations
How does this impact my work?
- Destroy personal information when no longer needed.
  - Consider the following before destroying records:
    - Active litigation
    - Records retention requirements for certain programs (HIPAA, email retention, etc.)
- Methods of destruction
  - Shred paper documents that contain personal information.
  - For electronic information (computers, handheld devices), ensure proper deletion of files, destroy the media and obtain a Certificate of Destruction.
How does this impact my work?
- Physical protection of Personal Information
  - Information Center kiosk: have visitors sign in and keep a record; periodically review the record.
  - Access ID: issue IDs in critical areas and do not allow access without ID and authorization.
  - Lock file cabinets in offices that maintain personal information.
  - Don't leave personal information unattended in a non-secure environment: on a desktop, in communal meeting spaces, in a printer tray or fax machine, or on a sticky note in plain sight.
How does this impact my work?
- Keep secure spaces SECURE!
  - Don't prop open doors to allow non-authorized persons entry.
  - In critical spaces, monitor with security cameras.
- Oral dissemination of personal information
  - Only discuss personal information when appropriate to performing a job function.
  - Discuss personal information in private locations (not elevators, cafeterias, hallways).
How does this impact my job?
- System Security
  - Each network device is an entry point.
  - Employee desktop computers: even if you only use your office computer for email, that computer is part of the MWCC network and is tied to YOUR identity on the network.
  - Publicly accessible computers at MWCC: ensure that they are used appropriately.
  - Don't walk away without logging off.
  - Don't allow anyone to use your login/password credentials.
Procedures and Policies
- Comply with MWCC's Acceptable Use Policy: http://www.mwcc.edu/iss/policy.php
- Do not access or disseminate personal information unless required by your job.
- Never, ever, ever share your password. The ISS department may require you to present a password to perform services; change your password after the services have been performed.
- ISS will never ask you to provide your password via email!
- Promptly notify ISS if you suspect your password or a service password has been compromised.
Procedures and Policies
- Comply with the password complexity and expiration policies.
- Log off, lock your keyboard or lock your desktop when you step away from your computer.
- Laptop computer drives MUST be encrypted; desktops will be encrypted soon.
- Comply with specific application security requirements (e.g., MMARS, Banner, etc.).
- Use resources appropriately. Do not store personal information in non-secure applications.
Conclusion
- Everyone is responsible for safeguarding personal information!
- THINK before accessing or transmitting personal information.
- Treat all personal information as if it were your own information.
- Do not release personal information to anyone outside the college without first vetting the request through a common-sense internal process.
  - Check with your manager.
  - All legal requests get routed through a legal process and should be handled with the assistance of college lawyers.
- Follow all of MWCC's privacy and security policies.
- Work with your manager to determine what responsibilities you own.
Contacts for Personal Information Questions
Escalate your questions regarding personal information to:
- Ann McDonald, Executive Vice President, (978) 630-9164
- Susan McHugh, Director of Information Systems and Services, (978) [email protected]
Links
- M.G.L. 93H, Massachusetts Data Breach Notification Law: http://www.mass.gov/legis/laws/mgl/gl-93h-toc.htm
- Executive Order 504: http://www.mass.gov/?pageID=afhomepage&L=1&L0=Home&sid=Eoaf
- 201 CMR 17.00, Standards for the Protection of Personal Information of Residents of the Commonwealth: http://www.mass.gov/?pageID=ocahomepage&L=1&L0=Home&sid=Eoca
- Red Flags Rule: http://www.ftc.gov/redflagsrule
- Massachusetts Records in Common: http://www.sec.state.ma.us/arc/arcrmu/rmurds/adminandpersonel23-89.pdf
- Statewide Records Retention: http://www.sec.state.ma.us/arc/arcrmu/rmuidx.htm
- PCI Compliance: http://www.pcicomplianceguide.org