MWCC Information Security

May 30, 2018

bmoulton
Transcript
  • 8/14/2019 MWCC Information Security

    Slide 1/26: How to Identify, Maintain and Safeguard Personal Information at Mount Wachusett Community College

    Get S.M.A.R.T.

  • Slide 2/26: GET S.M.A.R.T.

    - Security Matters
    - Adapt to new policies, procedures and regulations
    - Respect the privacy of personal information
    - Think ... before accessing or disseminating information

  • Slide 3/26: What governs how MWCC protects data?

    - State and Federal statutes and regulations regarding privacy and security
    - Contracts between state agencies and data providers (e.g., Social Security Administration)
    - ITD security policies, standards and guidelines
    - MWCC security policies and standards

  • Slide 4/26: What would YOU do for a candy bar?

    - A 2007 survey found that more than 70% of people would reveal their computer password in exchange for a candy bar.
    - 34% volunteered their password when asked, without even needing to be bribed.
    - A second survey found that 79% of people unwittingly gave away information that could be used to steal their identity when questioned.

  • Slide 5/26: Consequences of unauthorized use or access of personal information (Why we protect!!)

    - Identity Theft
      - Many victims suffer $2,000 to $15,000 in lost wages as a result of identity theft.
      - Victims have had to declare bankruptcy because of an identity theft that destroys their credit and ability to work.
    - Mitigation Costs
      - $230 billion are lost each year, worldwide, as a result of identity theft.
    - Staff/System downtime
    - Loss of public confidence and reputation
    - Legal Issues
      - Businesses report that they spend an average of $15,000 or more in costs for an identity theft case.

  • Slide 6/26: How is Personal Information defined under MGL 93H, EO504, FIPA

    - M.G.L. 93H defines Personal Information as a resident's first name and last name, or first initial and last name, in combination with one or more of the following:
      - Social Security number
      - Driver's license number or state-issued identification number
      - Financial account number
    - Any information which can be readily associated with a particular individual
      - Name
      - Identifying number
      - Mark (can be a photo)
      - Description

  • Slide 7/26: MWCC Contractual Security Requirements

    - Payment Card Industry (PCI) Data Security Standards
      - Certain data security standards mandated by the credit card industry for all Commonwealth entities that process, transmit or store cardholder data.
    - Social Security Administration Information Exchange Agreement
      - Governs the transmission of data files received from and sent to the SSA.
    - HIPAA: Health Insurance Portability and Accountability Act
    - FERPA: Family Educational Rights and Privacy Act

  • Slide 8/26: Examples of Personal Information

    - Credit Card Information
    - Name and Social Security number
    - Health record information
    - Student/Employee record information
    - Student/Employee ID
    - Health service or Campus Police record

  • Slide 9/26: Ways Personal Information is Stored Non-Electronically

    - What?
      - Reports
      - Letters
      - Faxes
      - Printouts
      - Memos
      - Notepads
      - Sticky notes
    - Where/How
      - File cabinets
      - Desks
      - Printer/Fax trays
      - Personal effects (briefcase/pockets)
      - Phone calls
      - Meetings/Conversations
      - Recycle bins
      - Test grades on doors
      - Class rosters

  • Slide 10/26: Ways Personal Information is Stored Electronically

    - Personal Devices
      - Computers
      - Laptops
      - PDAs
      - Smart phones
      - Cell phones
      - Flash drives
    - Infrastructure
      - Email (MWCC and Gmail)
      - Voicemail
      - Local and network drives
      - Servers and Hosting Companies
      - Equipment in storage or awaiting disposal
      - Backup tapes
      - Applications that collect or use personal information

  • Slide 11/26: Systems that may contain Personal Information

    - Banner WebConnect
    - Campus Police Logs
    - State reports through the HRCMS warehouse and MMARS
    - MWCC developed reports
    - Fitness & Wellness database

  • Slide 12/26: Laws and Regulations

    - M.G.L. 66A Fair Information Practices Act (FIPA)
      - In general, FIPA creates a non-disclosure requirement for personal data when such information is not subject to disclosure under the Freedom of Information Act.
    - M.G.L. 93H/93I Security Breaches
      - Outlines how the disclosure is handled, and how events of personal information or unauthorized access are reported.

  • Slide 14/26: Executive Order 504

    - Issued in September 2008
    - Order regarding the security and confidentiality of personal information
    - Enables Security Program Planning and Assurance
    - Outlines how to identify and protect personal information.
    - Utilizes a risk management approach to handling and securing sensitive information
    - State Agencies MUST:
      - Develop, implement and maintain a written information security program, which is submitted to the Commonwealth for approval
      - Audit and comply with laws, regulations, standards and policies as identified in the submitted information security plan

  • Slide 15/26: MWCC Information Security Program

    - The Goal: Adopt and implement the maximum feasible measures reasonably needed to ensure the security, confidentiality and integrity of personal information.
    - Under MWCC's security policy, ALL employees (including contractors) must:
      - Collect the minimum quantity of personal information reasonably needed to accomplish the legitimate purpose for which the information is being collected.
      - Securely store and protect personal information against unauthorized access, destruction, use, modification, disclosure and loss.

  • Slide 16/26: MWCC Information Security Program (continued)

    - Under MWCC's security policy, ALL employees (including contractors) must:
      - Disclose personal information and data only on a need-to-know basis.
      - Destroy personal information and data as soon as it is no longer needed or required to be maintained under state or federal law.
      - Comply with MWCC's administrative, technical and physical safeguards and policies for personal information, and with relevant Federal and State privacy and security laws and regulations.

  • Slide 17/26: How does this impact my work?

    - Collect a minimum of information
      - If you don't need it, don't ask for it
      - Rethink current processes
    - ONLY access information necessary for the proper performance of your job
    - Disclose personal information on a need-to-know basis
      - If you receive a request for personal information outside the normal course of business, escalate the request before responding.
    - Watch for
      - Non-authorized persons seeking personal information
      - Phishing emails
      - Shoulder surfing (someone looking over your shoulder while you are at your computer)
      - Impersonation via email or phone solicitations

  • Slide 18/26: How does this impact my work?

    - Destroy personal information when no longer needed.
    - Consider the following before destroying records:
      - Active litigation
      - Records retention requirements for certain programs (HIPAA, email retention, etc.)
    - Methods of Destruction
      - Shredding paper or documents that contain personal information
      - Electronic information (computers, handheld devices): ensure proper deletion of files, destroy media and obtain a Certificate of Destruction.

  • Slide 19/26: How does this impact my work?

    - Physical protection of Personal Information
      - Information Center Kiosk
        - Have visitors sign in and keep a record
        - Periodically review the record
      - Access ID: issue IDs in critical areas and do not allow access without ID and authorization.
      - Lock file cabinets in offices that maintain personal information.
      - Don't leave personal information unattended in a non-secure environment.
        - On a desktop, in communal meeting spaces, in a printer tray or fax machine, or on a sticky note in plain sight.

  • Slide 20/26: How does this impact my work?

    - Keep secure spaces SECURE!
      - Don't prop open doors to allow non-authorized persons entry.
      - In critical spaces, monitor with security cameras.
    - Oral dissemination of personal information
      - Only discuss personal information when appropriate to performing a job function.
      - Discuss personal information in private locations (not elevators, cafeterias, hallways).

  • Slide 21/26: How does this impact my job?

    - System Security
      - Each network device is an entry point.
      - Employee desktop computers:
        - Even if you only use your office computer for email, that computer is part of the MWCC network and is tied to YOUR identity on the network.
      - Publicly accessible computers at MWCC
        - Ensure that they are used appropriately
        - Don't walk away without logging off
        - Don't allow anyone to use your login/password credentials.

  • Slide 22/26: Procedures and Policies

    - Comply with MWCC's Acceptable Use Policy: http://www.mwcc.edu/iss/policy.php
    - Do not access or disseminate personal information unless required by your job.
    - Never, ever, ever share your password. The ISS department may require you to present a password to perform services. Change your password after services have been performed.
    - ISS will never ask you to provide your password via email!
    - Promptly notify ISS if you suspect your password or a service password has been compromised.

  • Slide 23/26: Procedures and Policies

    - Comply with the password complexity and expiration policies.
    - Log off, lock your keyboard or lock your desktop when you step away from your computer.
    - Laptop computer drives MUST be encrypted; desktops will be encrypted soon.
    - Comply with specific application security requirements (e.g., MMARS, Banner, etc.)
    - Use resources appropriately. Do not store personal information in non-secure applications.

  • Slide 24/26: Conclusion

    - Everyone is responsible for safeguarding personal information!
    - THINK before accessing or transmitting personal information.
    - Treat all personal information as if it were your own information.
    - Do not release personal information to anyone outside the college without first vetting through a common-sense internal process.
      - Check with your manager.
      - All legal requests get routed through a legal process and should be handled with the assistance of college lawyers.
    - Follow all MWCC's privacy and security policies.
    - Work with your manager to determine what responsibilities you own.

  • Slide 25/26: Contacts for Personal Information Questions

    Escalate your questions regarding personal information to:

    - Ann McDonald, Executive Vice President, (978) 630-9164, [email protected]
    - Susan McHugh, Director of Information Systems and Services, (978) [email protected]

  • Slide 26/26: Links

    - M.G.L. 93H Massachusetts Data Breach Notification Law: http://www.mass.gov/legis/laws/mgl/gl-93h-toc.htm
    - Executive Order 504: http://www.mass.gov/?pageID=afhomepage&L=1&L0=Home&sid=Eoaf
    - 201 CMR 17.00 Standards for the Protection of Personal Information of Residents of the Commonwealth: http://www.mass.gov/?pageID=ocahomepage&L=1&L0=Home&sid=Eoca
    - Red Flags Rule: http://www.ftc.gov/redflagsrule
    - Massachusetts Records in Common: http://www.sec.state.ma.us/arc/arcrmu/rmurds/adminandpersonel23-89.pdf
    - Statewide Records Retention: http://www.sec.state.ma.us/arc/arcrmu/rmuidx.htm
    - PCI Compliance: http://www.pcicomplianceguide.org