Information Security Awareness Text Version

Transcription

Information Security Awareness - Print Version
Last updated: 06/2019

1. Introduction

Title Slide
This course has audio and closed captioning. This course can take 60-90 minutes to complete. You can pick up where you left off when you return.

Navigation Instructions
You can adjust the audio level at any time. Play and pause the audio. Click the Resources link for a print version and all resources mentioned in this course. Closed Captioning can be turned on and off at any time. Navigate the course by using the PREVIOUS and NEXT buttons or use the left and right arrow keys on your keyboard. Replay the slide.

Slide 1 of 5: What Could Go Wrong?
How serious is the risk if your identity is stolen? How does it impact other people? How does it affect your organization?

Slide 2 of 5: About This Course
There are people trying to steal any confidential data you have access to, and they bet they can outsmart you. But don't get tricked!
Information security is about protecting your data, accounts, and devices from unauthorized access, disclosure, modification, destruction, or disruption.
It's your job to prevent unauthorized access to confidential information.
This course will identify the tools you'll need to protect you and your organization from data theft.

Slide 3 of 5: Course Objectives
By the end of this course, you'll be able to:
- Classify the types of data you are required by law to keep confidential
- Protect your confidential data from theft or loss
- Explain your responsibilities for using and protecting your user accounts and your organization's computing resources
- Identify methods criminals use to access your confidential data or computer systems
- Apply strategies to prevent unauthorized access to your computing devices and confidential data

Slide 4 of 5: Course Outline
This course is divided into five sections: The Data You Need to Protect, Protect Your Data, Protect Your Accounts, Protect Yourself, and Protect Your Devices.

Slide 5 of 5: Course Outline
You will have an opportunity to test out of each section. Or, you can view each section and pass the quiz at the end in order to advance.
Once you pass all five sections, you'll read and verify that you agree with the terms in the A&M System Data User Agreement to receive a completion for the course.

Section 1: The Data You Need to Protect
This section covers the Family Educational Rights and Privacy Act, the Texas Public Information Act, and export control laws.

Slide 1 of 14: The Data You Need to Protect
There are several federal and state laws that determine what types of information are considered confidential and therefore must be protected. This section focuses on the laws most employees of higher education and government agencies should be familiar with.

2019, The Texas A&M University System

Slide 2 of 14: Family Educational Rights and Privacy Act
When it comes to student confidentiality, the Family Educational Rights and Privacy Act, also known as FERPA, is a federal law that protects the privacy of student education records and bans the release of those records without the student's written consent, except in the cases FERPA itself allows.
If you have access to student education records, you need to know three things:
- What is considered an education record
- The difference between directory and non-directory information
- To whom and when you can give out information

Slide 3 of 14: What is an Education Record or Student Record?
So, what is an education record or student record?
- It is any record, with some exceptions, directly related to a student that is maintained by an institution or by an agent acting directly for the institution.
- It may be maintained in any medium. For example, it could be in print form, film, handwriting, or electronic text. This includes ANY information displayed on a computer screen.
Examples include transcripts, grade reports, class rosters, schedules, or ANY documents containing information related to a student.

Slide 4 of 14: Directory vs. Non-directory Information
Student information contained in education records is categorized as either directory or non-directory information.
Directory information is information that would not be considered harmful or an invasion of privacy if disclosed. Check with your local Registrar to see what is considered directory information at your institution.
Any information that is not specifically categorized as directory information is considered non-directory information. Directory information specifically withheld by the student is treated as non-directory information.

Slide 5 of 14: Disclosing Student Information
Directory information may be made public unless specifically withheld by the student.
Non-directory information may not be released without the prior written consent of the student. However, there are some exceptions allowed by FERPA, and each institution defines how those exceptions apply locally.

Slide 6 of 14: Non-directory Exceptions
Examples of exceptions include, but are not limited to:
- School officials, third-party contractors, or organizations with a legitimate educational interest in a student's record. An example of an organization would be the National Student Clearinghouse.
- Parents of students who are claimed as dependents* on federal income tax forms.
- Compliance with judicial orders or lawfully issued subpoenas.
- Financial aid processing.
*Spouses have no right to access student records even if they are claimed as a dependent on federal income tax forms.
Seek guidance from your local Registrar's office for your institution's FERPA policies.

Slide 7 of 14: Texas Public Information Act
Another law all state employees need to be aware of is the Texas Public Information Act (TPIA). Formerly known as the Open Records Act, it specifies that all recorded information owned or accessed by a governmental body is presumed to be public information, except for the items listed on the next slide.

Slide 8 of 14: Items Not Considered Public Information
Items not considered public information include:
- Student education records
- Restricted employee information (for example, a home address or phone number)
- Audit working papers
- Select personal information withheld from disclosure by the owner
- Medical records
- Information related to technological and scientific products, devices, or processes (including computer programs) that were developed at a state institution of higher education and have a potential for being sold, traded, or licensed for a fee
- Personally Identifiable Information, which is information that can be used to identify an individual, such as name, Social Security number, financial account number, or date of birth

Slide 9 of 14: Export Controls
In today's world, the collaboration of ideas and information is easier than ever before. However, there are some types of information, technologies, goods, and services that may be restricted by United States export control laws.

Slide 10 of 14: What are Export Controls?
What are export control laws?
Export control laws and regulations restrict or prohibit the transaction of business with certain countries, persons, and entities that have been sanctioned by federal agencies as a threat to important U.S. interests.
They also regulate the conditions under which certain information, technologies, goods, and services can be shared with foreign persons or entities in the United States or abroad.

Slide 11 of 14: What are Export Controls?
Most exports do not require specific approval from the federal government. Certain exports, however, require a license, and others are prohibited.
All Texas A&M System employees must conduct their affairs in accordance with United States export control laws and regulations.

Slide 12 of 14: How Might This Apply to Me?
OK, so how does this apply to you?
Traveling outside the United States may trigger export control issues if you take your computer or other similar equipment with you.

Why? Because your computer may contain export-controlled encryption source code, or information related to an export-controlled research project you may have worked on. Additionally, the computer itself may be controlled, depending on the country.

Slide 13 of 14: What can I do?
To avoid an unintentional violation of the law, you should familiarize yourself with export control requirements. Additionally, consult your institution's export control office for guidance when hiring foreign persons, speaking at multinational conferences, shipping items out of the country, and/or conducting business with international entities or foreign persons.

Slide 14 of 14: Who's my Export Control representative?
If you are not sure who your Export Controls representative is, the A&M System Research Security Office (979-458-6094) can assist in directing you to the appropriate contact.
Additional information can be found on the Research Security Office Export Controls page.

Section 2: Protect Your Data
This section gives guidelines for protecting your confidential data, as well as tips for backing up your data.

Slides 1-4 of 26: Take It From Me
It was the busiest time of year, and the number of requests was piling up. Our office was doing our best to meet the demand.
One day, I was tasked with sending out the department newsletter to our faculty, staff, and donors. Well, in a rush, I accidentally sent out the list of our employees. It contained social security numbers, addresses, and dates of birth.
As soon as I sent it out, I realized what I had done.
I couldn't believe it! I felt so horrible. The file wasn't even encrypted. I contacted IT immediately.
Our department worked with university officials and the Office of General Counsel, and contacted all those affected.

People were rightly upset.
And because the list was sent to several donors outside the university, the department had to offer all the employees free identity protection services, which really cut into our budget. There was even mention of it in the local newspaper.
I felt so guilty and ashamed. I'm lucky I still have my job, but it just hasn't been the same around the office.
If only I had encrypted that information on a regular basis.
Now I double-check to make sure I'm sending confidential documents to the right people, and that I have the right documents.

Slide 5 of 26: Your Responsibilities
As an employee of the Texas A&M University System, you or your accounts may have access to confidential information, and you are obligated to protect the privacy of that information.

Slide 6 of 26: Consequences
The unauthorized or unintended release of confidential information can have a serious impact on you and your institution. Effects could include a loss of federal funding, negative publicity for your institution, and personal embarrassment.
If you know or suspect that confidential information has been accessed by, or released to, an unauthorized party, report it to the appropriate person or department immediately.

Slide 7 of 26: Guidelines for Protecting Confidential Data
Accidents can happen, but there are actions you can take to ensure that you are keeping confidential information safe at work. The following guidelines apply to all types of confidential information.

Slides 8-17 of 26: Guidelines for Protecting Confidential Data
- Err on the side of caution. When in doubt, don't give it out!
- Do not post grades publicly unless you can guarantee absolute anonymity.
- Hold phone conversations and meetings in areas where confidential information cannot be overheard.
- Be careful what you send by email. Email is not considered private, and the sender address can be forged.
- Plan ahead: make arrangements to pick up confidential documents immediately from office printers, scanners, copiers, and fax machines.
- Position your computer screen so it is not visible to anyone but you, to prevent shoulder surfing.
- Don't leave confidential information lying out on your desk. Instead, store documents or physical media containing sensitive data in a locked file cabinet or drawer. Store the keys in a secure area, out of plain view or in a locked desk drawer.
- Lock your computer any time you are going to be away from your desk.
- Properly shred paper documents and/or CDs containing confidential information before disposal.
- Encrypt confidential data stored on computers, portable computing devices such as laptops and tablets, or portable media such as thumb drives, CDs, DVDs, or external hard drives.

Slides 18-19 of 26: Encryption
Encryption is the process of transforming plaintext into ciphertext that is unreadable to anyone but you or your intended recipient. The recipient can access your data only if you give them the password or key.
Proper encryption prevents your data from being viewed if it is ever lost or stolen. It protects the data only as well as the password or key, though: a weak password can be guessed, and a key stored on the same lost laptop protects nothing.

Slide 20 of 26: Encryption Resources
So, protect your confidential data. Encrypt any time you need to store it or share it with others. When you share an encrypted file, send the password by a separate channel (for example, by phone or in person), never in the same message as the file.
Consult your IT staff with specific questions or for assistance with encryption.

Video Transcript: About Encryption
Many hotels, coffee shops, airports and other places offer free Wi-Fi hotspots. They're convenient. Unfortunately, they often aren't secure. That could make it easy for someone else to access your online accounts or steal your personal information. So, what can you do to reduce your risk?
Encryption is the key to keeping your information secure online. When information is encrypted, it's scrambled into a code so others can't get it.
How can you be sure your information is encrypted? Two ways: one, use a secure network to access the internet. Don't assume that a public Wi-Fi network uses encryption. In fact, most don't. You can only be sure that a network uses effective encryption if it asks you to provide a WPA or WPA2 password. If you aren't sure, it's best to assume the network is not secure.
The second way to protect your information is to send it through a secure website. A secure site will encrypt your information, even if the network doesn't. If the web address starts with "https," then your information is encrypted before it's sent. The "s" stands for "secure." Look for the "https" on every page you visit, not just when you log in.
If you use an unsecured Wi-Fi network to log in to an unencrypted website, strangers using that network can hijack your account and steal your private documents, contacts, family photos, even your user name and password. If that happens, an imposter could use your email or social networking account to pretend to be you and scam people you care about. Or, a hacker could use your password from one website to try to log in to a different account and access your personal or financial information.
Here are some steps you can take to protect yourself when you use a public Wi-Fi hotspot:
- Only log in or enter personal information on secure sites that use encryption. Again, look for a web address that begins with "https".
- Don't use the same user name and password for different sites. It could give someone who gains access to one of your accounts access to many of your accounts.

- Never email financial information, including credit card, Social Security, and checking account numbers, even if the network and website are secure.
- Don't stay permanently signed in to accounts.
- When you've finished using a site, log out.
The bottom line? Secure Wi-Fi hotspots require a password. Secure websites start with https.
And remember: it's easy to find trusted information about computer security. Just visit OnGuardOnline.gov, the federal government's site to help you be safe, secure and responsible online.

Video Transcript: How to Encrypt a Microsoft Word Document
This video demonstrates how to encrypt and add a password to files in Microsoft Office 2013. The process is the same across the Office Suite. This example uses Word 2013. Click NEXT to view the video.
1. In Word, open your document. Select File.
2. From the Info tab, select Protect Document.
3. Select Encrypt with Password.
4. The Encrypt Document dialog window appears. Type in a strong password and then select OK.
5. Re-enter your password in the Confirm Password window and select OK.
6. Your document is now encrypted and password protected.

Slide 21 of 26: Sensitive Personal Information
In addition to the types of confidential information previously mentioned, there is another type of data that you must always encrypt. Sensitive Personal Information, also known as "SPI", is defined by the State of Texas as an individual's first name or first initial and last name in combination with any one or more of the following items:
- Social Security number, date of birth, or government-issued identification number;
- Driver's license number; or
- Account number or credit or debit card number in combination with any required security code, access code, or password that would permit access to an individual's financial account.
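The SPI definition above is a rule a program can apply before a file leaves the office, which is exactly the check the "Take It From Me" story was missing. The Go program below is an added example, not a tool from the course or the Texas A&M System: it looks for a name plus at least one qualifying element (Social Security number, date of birth, or card/account number) in a document and reports what it found. The regular expressions, the "First Last" name heuristic, the SSA-range plausibility test, and the Luhn check on card numbers are all assumptions made for this example; a real DLP tool would use a dictionary or NLP for names, and the statute counts a card number only together with its security code, so the scanner flags the number alone on the course's "when in doubt" principle and leaves that judgment to the reviewer.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Finding is one SPI element located in the text.
type Finding struct {
	Kind  string // "ssn", "dob" or "card"
	Value string // the matched text, as written
}

// Patterns for the SPI elements the course lists. All four are heuristics
// chosen for this example, not definitions from the statute.
var (
	reName = regexp.MustCompile(`\b(?:[A-Z][a-z]+|[A-Z]\.) [A-Z][a-z]+\b`)
	reSSN  = regexp.MustCompile(`\b(?:\d{3}-\d{2}-\d{4}|\d{9})\b`)
	reDOB  = regexp.MustCompile(`\b(?:0?[1-9]|1[0-2])/(?:0?[1-9]|[12]\d|3[01])/(?:19|20)\d{2}\b`)
	reCard = regexp.MustCompile(`\b\d(?:[ -]?\d){12,18}\b`)
)

// plausibleSSN rejects the ranges the SSA never issues, which removes most
// nine-digit false positives (order numbers, phone fragments, and so on).
func plausibleSSN(s string) bool {
	d := strings.ReplaceAll(s, "-", "")
	area, group, serial := d[:3], d[3:5], d[5:]
	if area == "000" || area == "666" || area[0] == '9' {
		return false
	}
	return group != "00" && serial != "0000"
}

// luhnValid implements the Luhn checksum every major card brand uses, so a
// random run of 13-19 digits is flagged only one time in ten.
func luhnValid(digits string) bool {
	sum, double := 0, false
	for i := len(digits) - 1; i >= 0; i-- {
		d := int(digits[i] - '0')
		if double {
			d *= 2
			if d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return sum%10 == 0
}

// ScanSPI reports whether text meets the Texas SPI definition (a name plus at
// least one qualifying element) and returns every element it found. Elements
// found without a name are still returned so the caller can decide.
func ScanSPI(text string) (isSPI bool, found []Finding) {
	for _, m := range reSSN.FindAllString(text, -1) {
		if plausibleSSN(m) {
			found = append(found, Finding{"ssn", m})
		}
	}
	for _, m := range reDOB.FindAllString(text, -1) {
		found = append(found, Finding{"dob", m})
	}
	for _, m := range reCard.FindAllString(text, -1) {
		digits := strings.NewReplacer(" ", "", "-", "").Replace(m)
		if luhnValid(digits) {
			found = append(found, Finding{"card", m})
		}
	}
	return reName.MatchString(text) && len(found) > 0, found
}

// employeeList is a constructed sample; none of these values are real.
const employeeList = `Name,SSN,DOB
Jane Doe,123-45-6789,04/12/1985
John Roe,987-65-4320,11/30/1990
`

func main() {
	for _, doc := range []string{employeeList, "Visa 4111 1111 1111 1111 exp 09/27"} {
		spi, found := ScanSPI(doc)
		fmt.Printf("SPI=%v findings=%v\n", spi, found)
	}
}
```

On the sample list the scanner reports SPI because a name appears alongside a plausible SSN and two dates of birth; the second SSN is dropped because no number in the 900 area range is ever issued. The card-only string is not SPI under the definition (no name), but the Luhn-valid number is still returned so a reviewer can apply the "security code" clause by hand.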

Slide 22 of 26: Encryption
All SPI should be encrypted, and unneeded SPI should be eliminated.
Social Security numbers should be replaced with another means of identification, such as the Universal Identification Number, or UIN. Check your institution's rules and administrative procedures for specific instructions on the use and retention of Social Security numbers.

Slides 23-24 of 26: Data Backup
Data and applications can get lost or corrupted due to problems such as user error, hardware faults, power failures, malware, or theft. So, have a good backup procedure in place to assist you in recovering your data.
Trying to recreate data because you didn't have a backup can be time consuming and frustrating.
It is essential that you or your IT staff back up all your important information and plan for how to recover from a system failure. Contact your unit's IT staff to find out whether they are backing up your data, or if you are expected to do it.

Slides 25-26 of 26: Guidelines for Backing up Data
- Back up important information to at least two different forms of media. For example, you can make a paper copy or save your data on CDs, DVDs, thumb drives, USB sticks, or approved online storage. Store them in separate, secure locations. Keep at least one copy disconnected from your computer: malware that encrypts or deletes your files will do the same to a backup drive that is still plugged in or a folder that syncs automatically.
- Backups should be made periodically, based on how often data changes. You should also back up data before major changes such as upgrading your operating system, editing files or documents, or upgrading applications or programs.
- Routinely test backup procedures to ensure that individual files and directories are not corrupted and can be restored. Nothing will deflate you more than finding out your backed-up files are not readable.
Remember: make sure any backups that contain confidential data are encrypted and kept physically secure.
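"Routinely test backup procedures" is easy to say and easy to skip. The Go program below, an added example rather than anything from the course or the Texas A&M System, shows the minimum a test should do: record a SHA-256 digest of every file when the backup is made, then re-hash the backup copy (or a restored copy) and list every file that is missing or no longer matches. The directory layout, file names and contents in main are constructed for the example.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
	"sort"
)

// Manifest maps a file's path, relative to the backup root, to the SHA-256
// digest of its contents at the time the backup was made.
type Manifest map[string]string

func hashFile(path string) (string, error) {
	data, err := os.ReadFile(path)
	if err != nil {
		return "", err
	}
	sum := sha256.Sum256(data)
	return hex.EncodeToString(sum[:]), nil
}

// BuildManifest walks root and records a digest for every regular file.
// Run it against the source at backup time and keep the result apart from
// the backup media, so a corrupted drive cannot also corrupt the answer key.
func BuildManifest(root string) (Manifest, error) {
	m := Manifest{}
	err := filepath.WalkDir(root, func(path string, d fs.DirEntry, err error) error {
		if err != nil {
			return err
		}
		if d.IsDir() {
			return nil
		}
		rel, err := filepath.Rel(root, path)
		if err != nil {
			return err
		}
		h, err := hashFile(path)
		if err != nil {
			return err
		}
		m[filepath.ToSlash(rel)] = h
		return nil
	})
	return m, err
}

// Verify re-hashes the copy under root and returns, sorted, every manifest
// entry that is missing or whose contents no longer match. A restore drill
// is simply Verify run against the restored directory.
func Verify(root string, want Manifest) ([]string, error) {
	got, err := BuildManifest(root)
	if err != nil {
		return nil, err
	}
	var bad []string
	for rel, h := range want {
		if got[rel] != h {
			bad = append(bad, rel)
		}
	}
	sort.Strings(bad)
	return bad, nil
}

func main() {
	// Constructed sample: a tiny "source" tree and a copy standing in for the backup.
	root, _ := os.MkdirTemp("", "backupdemo")
	defer os.RemoveAll(root)
	files := map[string]string{"roster.csv": "Jane Doe,UIN 100000001\n", "notes/plan.txt": "restore drill\n"}
	for _, dir := range []string{"source", "backup"} {
		for name, body := range files {
			p := filepath.Join(root, dir, filepath.FromSlash(name))
			os.MkdirAll(filepath.Dir(p), 0o755)
			os.WriteFile(p, []byte(body), 0o644)
		}
	}
	manifest, _ := BuildManifest(filepath.Join(root, "source"))
	bad, _ := Verify(filepath.Join(root, "backup"), manifest)
	fmt.Println("fresh backup, bad files:", bad)

	// Simulate silent corruption of one backed-up file, then re-verify.
	os.WriteFile(filepath.Join(root, "backup", "roster.csv"), []byte("Jane Doe,UIN 100000002\n"), 0o644)
	bad, _ = Verify(filepath.Join(root, "backup"), manifest)
	fmt.Println("after corruption, bad files:", bad)
}
```

A one-byte change in the backed-up roster is enough to fail verification, which a visual check of file sizes or timestamps would never catch. For encrypted backups, hash the ciphertext files the same way; the manifest then detects corruption without exposing the contents.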

Section 3: Protect Your Accounts
This section covers your responsibilities for protecting your computing accounts, and password tips to prevent unauthorized access.

Slides 1-2 of 22: Protect Your Accounts
Assigning individual computing accounts to people helps ensure that only authorized individuals have the appropriate access to various computing resources.
Your computing account uniquely identifies you. Any activity generated by your computing account, such as accessing files, changing passwords, or deleting information, can be traced back to you. As such, you are responsible for that activity.
To comply with state law and protect yourself, safeguard computing accounts such as your SSO login or institution-specific accounts. Protect them and keep them private, because someone else gaining access to your account could pose a serious security concern not only for your institution, but for you too!

Slide 3 of 22: Your Responsibilities
So, what are your responsibilities?
- Comply with federal, state, and local laws, Texas A&M System policies & regulations, university or agency rules, license agreements, and contracts.
- Use computing resources only for thei
