Managing IT Security
NDSU 2009 Fall Conference general session PowerPoint.

Presentation Transcript

  • Managing IT Security for Extension and Outreach Offices
    Theresa Semmens NDSU Chief IT Security Officer
    October, 2009
  • Presentation Outline
    Security Guidelines
    Email
    Workstation
    Wireless
    External Mobile Device Security
    Protection of Confidential and Private Data
    Online Financial Transactions
    Those *!@&$ NDSU network services
    Dual Support with the ND Association of Counties
  • NDSU E-mail
    What is secure
    Encrypted User name and password
    Email messages and attachments
    Subject to privacy laws
    HIPAA
    GLBA
    FERPA
    ND Public Open Records Century Code
    Using personal e-mail address and equipment for NDSU Business
    Can be subject to ND Public Open Records Century Code
  • Workstation
    Users must have unique login and password
    Operating system and office software current with latest patches
    Anti-virus software and firewall installed, enabled and active
    Confidential/private data is not accessible or viewable by public
    Log off computer when done or away from desk
    Set a password protected screensaver
  • Workstation Area
    Confidential/sensitive information not available for public view
    Protected hard copy documentation stored in locked file cabinet
    Manipulated hard copy documentation
    Tidy desk area
  • Wireless Access
    Wireless access in the office
    Open vs. Secured
    Access available only to those who need it
    Wireless access outside of the office
    Public access
    Not recommended
    Working with confidential private data
    Use for personal banking
    Purchasing merchandise online
    Use NDSU Webmail client to send and receive email – do not send attachments, message body should not contain sensitive information
  • Laptop Security
    • Maintain copies of important data somewhere other than the laptop. Consider using an external portable storage device.
    • Back up all data, and make use of encryption features when you do so.
    • Hard drive and external storage are encrypted.
    • Laptop must be labeled and identified
  • External Media
    Definition – external hard drives, flash drives, CD-ROM, DVD-R
    When not in use, keep in safe place.
    Dispose of properly.
    Encrypt sensitive data.
    Share only with those who have a “need to know”.
  • Phlushing the Phish!
    What is NDSU doing?
    What can you do?
    Recent Spear Phishing Attacks
  • Confidential/Private Data
    Defined and classified in NDUS 1901.2
    Examples:
    Pesticide Program
    Master Gardeners
    4-H
    Research
    What is allowable for use and storage
  • Employees & Volunteers
    Must sign confidentiality agreements
    Background checks required*
    Receive formal, documented training
    *Above point required if handling electronic financial transactions
  • Social Security Numbers
    Do not use as an identifier on
    Files
    Spreadsheets
    Databases
    Correspondence
    Any files/documents containing SSN data must be secured and available only to those who have a need to know
  • Credit Card Information
    Do not store
    Full credit card number (only last four digits)
    CVV2 number
    Exp. Date
    Receipts
    Only allow last four digits on receipt
    No CVV2 number
    No exp. Date
    Do not accept credit card transactions over email
    If received over voice mail, delete immediately
    Must have separation of duties for acceptance of credit cards
  • More Safeguards
    Non-disclosure (suppression)
    Farmers/Ranchers
    Parents
    Children
    Requests for lists of members
    Health questionnaires (4-H)
    Date of Birth combined with name
    Information posted to Web sites
  • Use & Disposal of Protected Data
    Encrypt or password protect on electronic devices
    Back up regularly
    Allow only those who have a need to know access to data
    Use only where necessary
    Dispose of properly
  • Personnel & Volunteer Files
    Stored in locked cabinet not in public area
    If request is made to view personnel file
    Dean and General Counsel to approve request
    Log request, date, time
    Viewer must sign log form
    Only allow what is considered public information to be viewed
    Purge according to data retention policies
    Shred with a cross-cut shredder, burn, or use a document destruction service
  • Suspected Data Breach
    For computer related security issues contact your supervisor
    Document reasons you suspect breach of data
    Do not move, touch, alter equipment or anything related to the breach
    Do not attempt to do your own investigation
  • NDSU network services
    E-mail accounts
    Alias
    Shared
    E-mail box space
    Changing electronic ID
    Non-employee accounts
    Affiliate vs. Guest accounts
  • Alias E-mail Account
    • E-mail message automatically dropped into multiple users' e-mail boxes
    • Does not require password
    • Owner responsible for removing and adding users
    [Diagram: Sender → Alias → Recipient, Recipient, Recipient]
  • Shared E-mail Account
    • Requires use of Webmail
    • Requires shared password
    • Owner required to change password when users leave or are added to group
    [Diagram: Sender → Shared → Recipient, Recipient, Recipient]
  • Electronic ID
    Official Format = FirstName.LastName
    Full-time employees and Students can change EID at http://enroll.nodak.edu
    Non-employees/students must request change
    Change subject to previous ownership of “name space.”
    Name change due to marriage/divorce – must go through HR with proper documentation
    Employees have 500 MB e-mail box. Request to increase must be sent through Helpdesk.
  • Affiliate vs. Guest Accounts
    Services available: desktop_auth, Blackboard, Library, Wireless
    Must be “sponsored” by department
    Affiliate accounts for periods longer than one week
    Guest accounts for periods less than one week
    E-mail requires completion of Non-employee ID form
  • Managing IT Security for Extension and Outreach Offices
    Theresa Semmens NDSU Chief IT Security Officer
    October, 2009