Springfield Technical Community College Security Awareness Training
Why?
• Payment Card Industry (PCI) requirement to provide security training to staff on an annual basis
• Massachusetts General Law (MGL) 93H Security Breaches; must provide breach notice
• Executive Order (EO) 504 requirement to train all employees in safeguarding personal information
• Federal Trade Commission Fair and Accurate Credit Transactions Act of 2003 (Red Flag Rules)
• Gramm-Leach-Bliley Act (protection of financial information)
• Family Educational Rights and Privacy Act (FERPA)
• Health Insurance Portability and Accountability Act (HIPAA)
What is personal information?
Personal information is defined (MGL 93H) as a resident’s first name and last name, or first initial and last name, in combination with any one or more of the following:
• Social Security number
• Driver’s license number
• State-issued ID number
• Financial account number
PCI Requirements
• Credit card numbers should not be stored on campus
• The transmission of credit card number information should be treated with the utmost sensitivity
Red Flag Rules
• Red Flag = a pattern, practice, or specific activity that indicates the possible existence of identity theft
• Identity Theft = a fraud committed or attempted using the identifying information of another person without authority
Red Flags at STCC:
• Documentation appears to have been altered or forged
• The photograph/description is inconsistent with the student holding the ID
• Documentation inconsistent with existing student information
• A request made from a non-College-issued e-mail account
• A request to mail something to an address not listed on file
• Notice received regarding possible identity theft
• Information inconsistent with current information
• Information inconsistent with another information source
• Same information as shown on known fraudulent documents
• Same Social Security number as is used by another student
Red Flag Responses at STCC:
• Deny access to the covered account
• Gather information to attempt to authenticate/determine whether the attempted transaction was fraudulent or authentic
• Contact the student
• Change any passwords, security codes, or other security devices that permit access
• Notify and cooperate with law enforcement
• Notify any credit reporting agency or third party, if applicable
• Determine that no response is warranted under the particular circumstances
Maintain, Safeguard Personal Information
• Collect the minimum quantity of information
• Only access information necessary for the proper performance of your job
• Disclose only on a “need to know” basis
• If you receive a request for personal information outside the normal course of program management, escalate the request before responding
Maintain, Safeguard Personal Information (cont.)
Beware of non-authorized people seeking information through:
• Phishing
• Impersonation
• Shoulder surfing
• Desk/dumpster retrieval
Maintain, Safeguard Personal Information (cont.)
• Destroy personal information when it is no longer needed
• Each network device is an entry point into the College’s network
• Ensure publicly accessible terminals are used in an authorized manner
• Each STCC computer is tied to an identity on the network
Additional Security Measures
• Create strong passwords (strong password: 3BM3BMShtr!; weak password: password)
• Periodically change passwords
• Requests for additional access must be approved by supervisors and/or by the IT Department
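The slide contrasts a strong password with a weak one but does not spell out what makes the difference. The following checker is an added example, not part of the STCC training material; the policy it enforces (minimum length, character-class mix, a blocklist of common passwords, and a limit on repeated characters) and the tiny blocklist are assumptions chosen to illustrate why the slide’s two samples land on opposite sides.

```python
import re
import string

# Assumed policy (not stated on the slide); adjust to your own standard.
MIN_LENGTH = 10
MIN_CLASSES = 3

# Constructed, deliberately short blocklist. A real deployment would load a
# large list of known-breached passwords instead of this handful.
COMMON_PASSWORDS = {"password", "password1", "123456", "qwerty", "letmein", "welcome"}

# Common substitutions people use to dress up a dictionary word (assumed set).
LEET = str.maketrans("@0134$5!", "aoieassi")


def character_classes(pw: str) -> int:
    """Count how many of lower, upper, digit, punctuation appear in pw."""
    return sum([
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(c in string.punctuation for c in pw),
    ])


def password_problems(pw: str) -> list[str]:
    """Return the policy violations for pw; an empty list means it passes."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if character_classes(pw) < MIN_CLASSES:
        problems.append(f"uses fewer than {MIN_CLASSES} character classes")
    # Undo simple substitutions so "P@ssw0rd" still matches "password".
    normalized = pw.lower().translate(LEET)
    core = re.sub(r"[^a-z]", "", normalized)
    if {pw.lower(), normalized, core} & COMMON_PASSWORDS:
        problems.append("appears on the common-password blocklist")
    if re.search(r"(.)\1{2,}", pw):
        problems.append("contains three or more identical characters in a row")
    return problems


def is_strong(pw: str) -> bool:
    return not password_problems(pw)


if __name__ == "__main__":
    for candidate in ("3BM3BMShtr!", "password", "P@ssw0rd"):
        verdict = "OK" if is_strong(candidate) else "; ".join(password_problems(candidate))
        print(f"{candidate!r}: {verdict}")
```

Run as-is, the slide’s strong example passes every check, while "password" fails on length, character mix and the blocklist at once; the substitution step is what keeps a dressed-up dictionary word such as "P@ssw0rd" from slipping past the blocklist on the strength of its character mix alone.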
Physical Access
• Avoid displaying confidential information on your desk or computer monitor
• Lock confidential information in a secure location
• Store confidential information only on network drives
Other Security Reminders
• Treat all payment information confidentially
• Do not e-mail customer payment information
• Do not download any sensitive information onto laptops, removable disks, flash drives, etc.
• Properly secure sensitive information before leaving your desk (lock your computer!)
• Log out when you leave for the day
• Secure laptops that have Virtual Private Network (VPN) access to the College environment
• Use common sense!
Data Breach
• Definition: the release of secure, personally identifiable information (PII) to an unintended audience
• Information security laws
• Data breach notification laws
Data Breach – How does it happen?
~98% of data breaches involve electronic information
• Hackers
• Malicious insiders (e.g. disgruntled employees)
• Theft of a device (laptop, PC, thumb/flash drive, or other storage media)
• Through the fault of a third-party vendor working with the institution
• By the untrained employee
Reporting Security Incidents
• Change your password immediately and report the incident to the IT Help Desk for assistance with additional access blocking/review
• Report loss/theft of a door key/swipe card immediately to Campus Security
Shared Responsibility It is our combined responsibility to prevent data breaches from occurring. It is a costly mistake; the information compromised could be your own. Please take precautions to protect sensitive data in your work environment.
Additional Information Security Resources:
• http://www.stcc.edu/it/ (College’s IT web site)
• www.educause.edu (web site for Educause, whose mission is to promote the intelligent use of information technology)
• http://iso.mwcc.edu/ (information on cyber security for Commonwealth higher education institutions)
• “Stop. Think. Stay Connected. Stay Safe Online”