COMPUTER SECURITY GUIDE FOR FACULTY West Chester University Summer 2009
TOPICS
• User Account Request
• Policies on Campus
• Confidentiality
• Protecting Identity
• Passwords
• Secure Documents
• Finding Help

To return to this screen (#2) at any time, type 2 and press Enter!

How to apply for an account
• Go to WCUPA Homepage (Information Resources > Information Services > Account Applications) or use the following url: http://www.wcupa.edu/infoservices/noc/applications/
• Forms should be completed, approved and returned to: Information Security, Allegheny Hall, Room
  – University Systems Personal Account Application
  – WCU Confidentiality Statement

OF COURSE, YOU WILL
• Be aware of the computer security policies and practices already in place on your campus
  – (http://www.wcupa.edu/infoservices/is_policies_and_procedures.asp)
• Remember – access to computers and university data is a privilege
• Follow the general guidelines common to
  – Faculty
  – Staff
  – Students

Keep It Confidential

Data Confidentiality
• What data is considered confidential?
  – Data Classification
    • Sensitive
      – Contractual obligation to protect
      – Right to Know
    • Public
      – Campus maps
      – Restricted
    • Required by law
      – HIPAA
      – FERPA

05/15/2009

Data Confidentiality
• Remember the 3R’s
  – Roles
  – Rules
  – Responsibility

Roles
• System Administrator/Technical
• Management
• Faculty
• Student
• Staff

Rules
• PASSHE Policy
• Employment Contract
• Confidentiality Policy
• Risk Assessment

Responsibility
• Everyone

Responsibility
• Individual accountability
• Faculty
  – Responsible for confidential data to which they have access
    • Bio/Demo data (including DOB and SSN)
    • Student Grades and historical data
• Students
  – Responsible for managing their own confidential data
    • Log out of session
    • Do not share passwords
• Staff
  – Responsible for confidential data to which they have access
    • Bio/Demo data (including DOB and SSN)
    • Student Grades and historical data
    • Salary Information

User Security Awareness
• Know the policies regarding:
  – Password use and management
  – Virus protection
  – Phishing/Spam
  – Laptop/Handheld Device
  – Access privileges
  – Data backup and storage
  – Incident response
• Security Breaches
  – Follow designated policies and procedures

Misuse Penalties
• Civil and Criminal
• Conflict of Interest
• Disciplinary Action

Checklist
• Data submissions are fully protected
• Data encryption
• Data transfer agreement
• Employees sign and understand confidentiality agreement
• Notation on all records containing identifiable data (e.g. confidentiality reminder)
• Secure transport from one location to another

Checklist
• Open-access area security
• Written data not left out in the open
• Log out of sessions
• Fax/Copy machines
• Secure area
• Cover sheets
• De-program to recover confidential information
• Protection of hard copy information
• Written consent to release to outside agencies
• Double check before providing information

PROTECT IDENTITY and ID NUMBERS!
READ ON…

CLASS GRADES
NEVER…
• Email or post grades on a website for the entire class to be viewed by the entire class!
ALWAYS…
• Use a Course Management System to post grades – so that each student can only view his/her grades and ID numbers

ID       HOMEWORK  MIDTERM  FINAL  TOTAL  GRADE
0123456  90        88       93     90     A-
0789789  85        86       91     87     B+
0232323  95        92       93     93     A
0345345  75        84       78     79     C+

If Name is Hidden, Who Cares?
• Lists are normally in alphabetic order by name
• When attendance is called in class, students get used to this order
• Students will NOT remember the entire class list by name, but they can remember the numerical position of a particular student
• Several students at the top of the list are particularly vulnerable

INCLUDE ID IN EMAIL?
• OK If Secure University Webmail
  – NOTE: https in the URL (Web Address)
• OK If Secure On-Campus Outlook
  – Requires Authentication Login On Campus
• NOT OK If Insecure “Home” Email
  – NOTE: no s after http in the URL (Web Address)

Avoid Email If Possible
• Use university email addresses for students when email is needed
• Avoid email altogether whenever possible
  – Use Classroom management systems, such as
    • Blackboard
    • myitlab
  – Use Digital Dropbox/gradebook links for assignments

PASSWORDS
• Don’t use the same passwords for http accounts as for https accounts
• Use different passwords for home and university accounts
• Since some university accounts require periodic password changes, cycle through a list that you can remember
• Go to http://www.wcupa.edu/infoservices/is-g-1-3.asp for WCUPA minimum standards for User IDs and Passwords

Secure Documents
• Secure pdf files electronically distributed
  – To assure fair use of copyrighted materials
    • Secure file to prohibit altering, copying, printing
• Secure web pages received from students
  – Use secure web browser, such as Firefox
  – Use No-Script option, which warns of scripts
    • Script could be malicious, but can unblock

Where to Go for Help?
• Campus Help Desk
• Websites
  – www.wcupa.edu/sact
  – http://www.getsafeonline.org/
  – http://www.computerworld.com/securitytopics/security
• National Centers of Academic Excellence in Information Assurance Education (an NSA designation) with the PASSHE system
  – East Stroudsburg University
  – Indiana University of Pennsylvania
  – West Chester University
• Books
  – Is It Safe?, Michael Miller
  – Blown to Bits, Abelson, Ledeen, & Lewis