Managing IT Security

    Managing IT Security - Presentation Transcript

    1. Managing IT Security for Extension and Outreach Offices
      Theresa Semmens NDSU Chief IT Security Officer
      October, 2009
    2. Presentation Outline
      Security Guidelines
      Email
      Workstation
      Wireless
      External Mobile Device Security
      Protection of Confidential and Private Data
      Online Financial Transactions
      Those *!@&$ NDSU network services
      Dual Support with the ND Association of Counties
    3. NDSU E-mail
      What is secure
      Encrypted User name and password
      Email messages and attachments
      Subject to privacy laws
      HIPAA
      GLBA
      FERPA
      ND Public Open Records Century Code
      Using personal e-mail address and equipment for NDSU Business
      Can be subject to ND Public Open Records Century Code
    4. Workstation
      Users must have unique login and password
      Operating system and office software current with latest patches
      Anti-virus software and firewall installed, enabled and active
      Confidential/private data is not accessible or viewable by public
      Log off computer when done or away from desk
      Set a password protected screensaver
    5. Workstation Area
      Confidential/sensitive information not available for public view
      Protected hard copy documentation stored in locked file cabinet
      Manipulated hard copy documentation
      Tidy desk area
    6. Wireless Access
      Wireless access in the office
        Open vs. Secured
        Access available only to those who need it
      Wireless access outside of the office
        Public access
        Not recommended
          Working with confidential private data
          Use for personal banking
          Purchasing merchandise online
        Use NDSU Webmail client to send and receive email – do not send attachments, message body should not contain sensitive information
    7. Laptop Security
      • Maintain copies of important data somewhere other than the laptop. Consider using an external portable storage device.
      • Back up all data, and make use of encryption features when you do so.
      • Hard drive and external storage are encrypted.
      • Laptop must be labeled and identified.
    8. External Media
      Definition – external hard drives, flash drives, CDROM, DVDR
      When not in use, keep in safe place.
      Dispose of properly.
      Encrypt sensitive data.
      Share only with those who have a “need to know”.
    9. Phlushing the Phish!
      What is NDSU doing?
      What can you do?
      Recent Spear Phishing Attacks
    10. Confidential/Private Data
      Defined and classified in NDUS 1901.2
      Examples:
      Pesticide Program
      Master Gardeners
      4-H
      Research
      What is allowable for use and storage
    11. Employees & Volunteers
      Must sign confidentiality agreements
      Background checks required*
      Receive formal, documented training
      *Above point required if handling electronic financial transactions
    12. Social Security Numbers
      Do not use as an identifier on
        Files
        Spreadsheets
        Databases
        Correspondence
      Any files/documents containing SSN data must be secured and available only to those who have a need to know
    13. Credit Card Information
      Do not store
        Full credit card number (only last four digits)
        CVV2 number
        Exp. date
      Receipts
        Only allow last four digits on receipt
        No CVV2 number
        No exp. date
      Do not accept credit card transactions over email
      If received over voice mail, delete immediately
      Must have separation of duties for acceptance of credit cards
    14. More Safeguards
      Non-disclosure (suppression)
      Farmers/Ranchers
      Parents
      Children
      Requests for lists of members
      Health questionnaires (4-H)
      Date of Birth combined with name
      Information posted to Web sites
    15. Use & Disposal of Protected Data
      Encrypt or password protect on electronic devices
      Back up regularly
      Allow only those who have a need to know access to data
      Use only where necessary
      Dispose of properly
    16. Personnel & Volunteer Files
      Stored in locked cabinet not in public area
      If request is made to view personnel file
        Dean and General Counsel to approve request
        Log request, date, time
        Viewer must sign log form
        Only allow what is considered public information to be viewed
      Purge according to data retention policies
      Shred with cross-cut shredder, burn, or use a document destruction service
    17. Suspected Data Breach
      For computer related security issues contact your supervisor
      Document reasons you suspect breach of data
      Do not move, touch, alter equipment or anything related to the breach
      Do not attempt to do your own investigation
    18. NDSU network services
      E-mail accounts
      Alias
      Shared
      E-mail box space
      Changing electronic ID
      Non-employee accounts
      Affiliate vs. Guest accounts
    19. Alias E-mail Account
      • E-mail message automatically dropped into multiple users' e-mail boxes
      • Does not require password
      • Owner responsible for removing and adding users
      Diagram: Sender → Alias → Recipient, Recipient, Recipient
    20. Shared E-mail Account
      • Requires use of Webmail
      • Requires shared password
      • Owner required to change password when users leave or are added to group
      Diagram: Sender → Shared → Recipient, Recipient, Recipient
    21. Electronic ID
      Official Format = FirstName.LastName
      Full-time employees and Students can change EID at http://enroll.nodak.edu
      Non-employees/students must request change
      Change subject to previous ownership of “name space.”
      Name change due to marriage/divorce – must go through HR with proper documentation
      Employees have 500 MB e-mail box. Request to increase must be sent through Helpdesk.
    22. Affiliate vs. Guest Accounts
      Services available: desktop_auth, Blackboard, Library, Wireless
      Must be “sponsored” by department
      Affiliate accounts for periods longer than one week
      Guest accounts for periods less than one week
      E-mail requires completion of Non-employee ID form
    23. Managing IT Security for Extension and Outreach Offices
      Theresa Semmens NDSU Chief IT Security Officer
      October, 2009
    Bruce Sundeen

    NDSU 2009 Fall Conference general session PowerPoin
