Upload
rachael-gorman
View
218
Download
2
Embed Size (px)
Citation preview
Maintaining Security Maintaining Security While Using ComputersWhile Using Computers
What all of Our What all of Our Computer Users Computer Users Need to KnowNeed to Know
What You Need to KnowWhat You Need to Know
ALLALL staff - even those that don’t use staff - even those that don’t use computers - need to know some computers - need to know some things about securitythings about securityWhat “Data Stewardship” meansWhat “Data Stewardship” meansNew Information Security Policies New Information Security Policies and Procedures mean and Procedures mean new rulesnew rules for for computer userscomputer usersHow to fulfill your responsibility to How to fulfill your responsibility to help keep our computers safe from help keep our computers safe from computer virusescomputer viruses and worms and worms
What Staff Who Don’t Use the What Staff Who Don’t Use the Computer Need to KnowComputer Need to Know
There is a federal lawThere is a federal law (HIPAA) which (HIPAA) which requires that all our staff learn to protect requires that all our staff learn to protect our informationour informationYou mustYou must not use our computers not use our computers unless unless you have been authorized to do soyou have been authorized to do soIf you findIf you find any computer printout, floppy any computer printout, floppy disk, or computer CD, turn it in to your disk, or computer CD, turn it in to your supervisorsupervisorIf you suspectIf you suspect a security violation, report it a security violation, report it to your supervisorto your supervisor
Data StewardshipData StewardshipFirst – Some DefinitionsFirst – Some Definitions
Facility DataFacility Data – data which is acquired, – data which is acquired, developed, or maintained by our staff in developed, or maintained by our staff in performance of their dutiesperformance of their duties
ApplicationApplication – a purchased, shared, or – a purchased, shared, or developed set of files which maintain developed set of files which maintain Facility DataFacility Data
Application OwnerApplication Owner – a single, designated – a single, designated person, responsible for this application person, responsible for this application and the data it maintainsand the data it maintains
Some More DefinitionsSome More Definitions
Data FileData File – a computer file (often in Word, – a computer file (often in Word, Excel, or Access format) which contains Excel, or Access format) which contains Facility DataFacility DataComputer UserComputer User – staff who use a Facility – staff who use a Facility computer in performance of their assigned computer in performance of their assigned dutiesdutiesData OwnerData Owner – the person who created and – the person who created and saved a file which contains facility data, or saved a file which contains facility data, or in the case of an application, the in the case of an application, the application ownerapplication owner
Network Files are Classified Network Files are Classified According to Security LevelAccording to Security Level
Public FilesPublic Files – – Usually on our internet site, not protectedUsually on our internet site, not protected
Private FilesPrivate Files – – Usually store on S:, shared among all Usually store on S:, shared among all network users, protected by Network login requirementnetwork users, protected by Network login requirement
Secure FilesSecure Files – – Except for Application Software and Except for Application Software and Secure Systems, all files NOT stored on the S: Shared folder. Secure Systems, all files NOT stored on the S: Shared folder. Secure files are protected by network rightsSecure files are protected by network rights
Application SoftwareApplication Software – – Things like Word and ExcelThings like Word and Excel
Secure SystemsSecure Systems – – Those systems (like HEARTS) which Those systems (like HEARTS) which have been classified as needing MORE than standard file have been classified as needing MORE than standard file access rights to protect the dataaccess rights to protect the data
Data StewardshipData Stewardship
All data on the LAN is “owned” by a single All data on the LAN is “owned” by a single member of our staffmember of our staffThe Data Owner must protect the dataThe Data Owner must protect the dataIf the data belongs to one of our If the data belongs to one of our “applications”, then the data is owned by “applications”, then the data is owned by the application ownerthe application ownerIf the data is not part of an application, the If the data is not part of an application, the data is owned by the person who created data is owned by the person who created the filethe file
Files Must be Stored inFiles Must be Stored in Secure Network Folders Secure Network Folders
All files on the Local Area Network are All files on the Local Area Network are kept in folderskept in foldersIf the folder is the S: (S for Shared), then If the folder is the S: (S for Shared), then the files are the files are privateprivate, but not confidential, , but not confidential, and can be seen by all computer users. and can be seen by all computer users. No PHI should be stored hereNo PHI should be stored hereAll other folders are for All other folders are for Secure FilesSecure Files, and , and cannot be seen by anybody unless they cannot be seen by anybody unless they have been granted network rights. PHI can have been granted network rights. PHI can be storedbe stored
New ResponsibilitiesNew Responsibilities for all Supervisors for all Supervisors
Ensuring that employees are aware of and Ensuring that employees are aware of and observe all computer security observe all computer security requirementsrequirements
Monitoring employee activities to ensure Monitoring employee activities to ensure compliance with all software legal compliance with all software legal requirementsrequirements
Ensuring that only authorized software Ensuring that only authorized software runs on State computersruns on State computers
Rules for Computer UsersRules for Computer Users
Data Ownership and LAN StructureData Ownership and LAN StructureRequesting Network RightsRequesting Network RightsMaking Changes in Network RightsMaking Changes in Network RightsPassword RulesPassword RulesMobile DevicesMobile DevicesPersonal UsePersonal UseUser “Don'ts”User “Don'ts”Maintaining SecurityMaintaining Security
Data OwnerData Owner Responsibilities Responsibilities
UnderstandingUnderstanding the LAN Rights Structure the LAN Rights Structure
StoringStoring their files only in appropriately their files only in appropriately secure areassecure areas
PreventingPreventing non-Public files from being non-Public files from being copied to moveable mediacopied to moveable media
KeepingKeeping Protected Health Information Protected Health Information (PHI) secure(PHI) secure
Rights on the LAN - Rights on the LAN - #1#1
All users have a All users have a privateprivate file storage area. file storage area. This is their “H Drive”, or “Home”.This is their “H Drive”, or “Home”.
Many users also have rights to a Many users also have rights to a sharedshared folder (typically, the “G Drive”, along with folder (typically, the “G Drive”, along with others in their others in their departmentdepartment
The “S Drive”, or Shared area, can be The “S Drive”, or Shared area, can be used for exchanging files between staff, used for exchanging files between staff, but but cannotcannot be used if the file contains PHI be used if the file contains PHI
Rights on the LAN - Rights on the LAN - #2#2
Rights to “Applications” that run on the Rights to “Applications” that run on the network are granted by the Application network are granted by the Application OwnerOwner
If rights to use an application are granted If rights to use an application are granted by any person other than the Application by any person other than the Application Owner, the person granting those rights Owner, the person granting those rights must send email to the Application Owner must send email to the Application Owner notifying them what rights were grantednotifying them what rights were granted
New Computer Users Must . .New Computer Users Must . .
Complete General Security TrainingComplete General Security Training
Read and sign our Computer User’s Read and sign our Computer User’s AgreementAgreement
Fill out a Network Rights Request formFill out a Network Rights Request form
Get any necessary Data Owner signaturesGet any necessary Data Owner signatures
Get their Supervisor’s signature on the Get their Supervisor’s signature on the Network Rights Request formNetwork Rights Request form
Turn the form in to Computer ServicesTurn the form in to Computer Services
Users must read and sign the Computer User’s Agreement before they can be given rights to the Local Area Network.
Users must complete the Network Security Rights Request form
Your Supervisor’s signature goes here
If you need rights to a home’s PPS, you must get the Home Coordinator’s signature here
You sign here
Making Changes in Network RightsMaking Changes in Network Rights
The same Network Security Rights Request The same Network Security Rights Request form is used to change network rights for an form is used to change network rights for an existing userexisting userWhen the form is used to remove rights, the When the form is used to remove rights, the applicant’s signature and the Data Owner’s applicant’s signature and the Data Owner’s signature are not required, but the signature are not required, but the Supervisor’s signature is requiredSupervisor’s signature is requiredThe Data Owner does NOT need to use this The Data Owner does NOT need to use this form to request the total removal of rights; form to request the total removal of rights; they may use Email to the Help Desk insteadthey may use Email to the Help Desk instead
Password RulesPassword Rules
Your network password must be changed Your network password must be changed every every 90 days90 days
Network users must select and change Network users must select and change their own passwordstheir own passwords
Users will be allowed Users will be allowed three “grace” loginsthree “grace” logins when their password expireswhen their password expires
All passwords must be at least eight All passwords must be at least eight characters, and must not be “guessable”characters, and must not be “guessable”
You must not tell your password to You must not tell your password to anybody, even your supervisoranybody, even your supervisor
Password “Dos”Password “Dos”
Mix upper and lower case lettersMix upper and lower case letters
Mix letters and numbersMix letters and numbers
Pick a password you can rememberPick a password you can remember
Choose a completely new password each Choose a completely new password each time you changetime you change
Include non-alphanumeric characters, such Include non-alphanumeric characters, such as &, $, and >as &, $, and >
Pick a password with at least 8 charactersPick a password with at least 8 characters
Password “Don’ts”Password “Don’ts”
Do not use recognizable words that might Do not use recognizable words that might appear in a dictionaryappear in a dictionaryDo not use proper namesDo not use proper namesDo not use words in other languages, such Do not use words in other languages, such as “bonjour”as “bonjour”Do not use your personal information, Do not use your personal information, such as the names of your pets or your such as the names of your pets or your childrenchildren
Mobile Computing DevicesMobile Computing Devices
PDAs will be issued only where there is a PDAs will be issued only where there is a critical need, and their use must be critical need, and their use must be approved by the Security Officialapproved by the Security Official
The use of removable storage devices The use of removable storage devices such as USB flash drives or CD R/W such as USB flash drives or CD R/W drives are not permitted without the drives are not permitted without the express permission of the Security Officialexpress permission of the Security Official
Mobile computing devices must never be Mobile computing devices must never be left in unsecured areasleft in unsecured areas
Personal Use ofPersonal Use of Computers Computers
Personal projects may be permitted on the Personal projects may be permitted on the employee’s own time, but written employee’s own time, but written supervisor permission is requiredsupervisor permission is requiredAn employee may make personal use of An employee may make personal use of internet searches only with the approval of internet searches only with the approval of their supervisortheir supervisorAn employee may not use instant An employee may not use instant messaging or download music files without messaging or download music files without permission from both their supervisor and permission from both their supervisor and the LAN Managerthe LAN Manager
User “Don’ts” - User “Don’ts” - #1#1
Users must not change their hardware Users must not change their hardware configuration or physical location without the configuration or physical location without the permission of the Workstation Managerpermission of the Workstation Manager
Downloading software from the internet and Downloading software from the internet and bringing software from home are forbiddenbringing software from home are forbidden
An employee may not use our information, An employee may not use our information, applications, or equipment for personal applications, or equipment for personal commercial gaincommercial gain
User “Don’ts” - User “Don’ts” - #2#2
Users must identify themselves clearly and Users must identify themselves clearly and correctly when using emailcorrectly when using email
Any type of mass mailing by one of our Any type of mass mailing by one of our workforce members that does not pertain to workforce members that does not pertain to governmental business is forbiddengovernmental business is forbidden
Circumventing user authentication or Circumventing user authentication or security is forbidden. A user must be logged security is forbidden. A user must be logged in to the LAN as themselves before in to the LAN as themselves before operating any computer softwareoperating any computer software
User “Don’ts” - User “Don’ts” - #3#3
Staff must not provide information about, or Staff must not provide information about, or lists of, employees or consumers to parties lists of, employees or consumers to parties outside this organizationoutside this organization
Staff must not post to non-work related Staff must not post to non-work related public discussion groups or forums on the public discussion groups or forums on the internetinternet
Users must not access, or attempt to gain Users must not access, or attempt to gain access to, any computer account to which access to, any computer account to which they are not authorizedthey are not authorized
Maintaining Security - Maintaining Security - #1#1
In order to maintain confidentiality of In order to maintain confidentiality of protected health information (PHI), protected health information (PHI), workstations should be set up so that the workstations should be set up so that the screen is not visible by people standing at screen is not visible by people standing at the door or entering the roomthe door or entering the room
If you are viewing PHI, and a person If you are viewing PHI, and a person unauthorized to see the PHI enters the unauthorized to see the PHI enters the room, you should minimize the application room, you should minimize the application or turn off the computer monitoror turn off the computer monitor
Maintaining Security - Maintaining Security - #2#2
Sensitive paper and computer media Sensitive paper and computer media should be stored in locked cabinets when should be stored in locked cabinets when not in usenot in use
Protected or sensitive information, when Protected or sensitive information, when printed to a shared printer, should be printed to a shared printer, should be retrieved immediatelyretrieved immediately
Sensitive information should not be stored Sensitive information should not be stored at the home of an employee without at the home of an employee without appropriate supervisor authorizationappropriate supervisor authorization
Maintaining Security - Maintaining Security - #3#3
Any activity conducted using the State’s Any activity conducted using the State’s computers, including email and the use of computers, including email and the use of the internet, may be logged, monitored, the internet, may be logged, monitored, archived or filtered, either randomly or archived or filtered, either randomly or systematicallysystematically
Both this Facility and the Division reserve Both this Facility and the Division reserve the right to perform these actions without the right to perform these actions without specific notice to the userspecific notice to the user
Maintaining Security - Maintaining Security - #4#4
All users are responsible for helping to All users are responsible for helping to prevent the introduction and spread of prevent the introduction and spread of computer viruses and other “malware”computer viruses and other “malware”
All files received from any source external All files received from any source external to this Division must be scanned for to this Division must be scanned for computer viruses before openingcomputer viruses before opening
Users must immediately contact their Users must immediately contact their supervisor or the Help Desk when a virus supervisor or the Help Desk when a virus is suspected or detectedis suspected or detected
Maintaining Security - Maintaining Security - #5#5
Employees must report all information Employees must report all information security violations to either the Computer security violations to either the Computer Help Desk or the Security OfficialHelp Desk or the Security OfficialUsers must notify the Help Desk Users must notify the Help Desk immediately if they know or suspect that immediately if they know or suspect that their network account or workstation has their network account or workstation has been compromised by a virus or been compromised by a virus or unauthorized accessunauthorized accessUsers should not attempt to remove Users should not attempt to remove viruses themselves without permission viruses themselves without permission from the Help Deskfrom the Help Desk
Maintaining Security - Maintaining Security - #6#6
Users should not stay logged in to the LAN Users should not stay logged in to the LAN if they are going to leave the room for if they are going to leave the room for more than 15 minutes, even if it is lockedmore than 15 minutes, even if it is lockedDuring the day, workstations should be left During the day, workstations should be left at the Netware Login screen. At night, at the Netware Login screen. At night, computers should be powered downcomputers should be powered downAll network accounts and workstation hard All network accounts and workstation hard drives are subject to periodic audit for the drives are subject to periodic audit for the purpose of maintaining security and purpose of maintaining security and license requirementslicense requirements
Engaging in “Safe” ComputingEngaging in “Safe” Computing
All users must protect against virusesAll users must protect against viruses
Do not bring software from homeDo not bring software from home
Do not download software from the internetDo not download software from the internet
Do not open email attachments that you Do not open email attachments that you were not expecting to receivewere not expecting to receive
Only operate computers which are running Only operate computers which are running virus protection softwarevirus protection software
When in doubt, call and askWhen in doubt, call and ask
Complete the Test Now!Complete the Test Now!
All computer users All computer users mustmust complete complete this testthis test
Here is the test. Take it now!Here is the test. Take it now!
http://http://www.JIRDC.org/SecTest.pdfwww.JIRDC.org/SecTest.pdf