Information Security: It’s Everyone’s Responsibility
Developed by The University of Texas at Dallas Information Security Office (ISO)
As an employee, you are often the first line of defense protecting valuable information attackers will try to compromise.
Every UT Dallas employee is responsible for learning more about information security and participating in risk reduction.
Several federal and state laws, as well as UT System and UT Dallas policies, are intended to help protect University Data. The ISO website has more information:
http://www.utdallas.edu/infosecurity
What is the Mission of the ISO?
The Information Security Office (ISO) supports the mission of UT Dallas by building a culture of security awareness and risk management to protect the confidentiality, integrity, availability, and accountability of information assets.
The ISO serves UT Dallas as a partner and educator. Risk mitigation is achieved through awareness training, technology solutions, inclusion of security controls in new projects, and regulatory compliance.
Nate Howe
Director of Information Security, CISO
Information Security Objectives
The term “information security” may mean different things to different audiences, so let’s begin by defining the objectives:
• Confidentiality: Users should only see information needed to do their jobs.
• Integrity: Information should not be altered unexpectedly.
• Availability: Information should be available to users when needed and systems should perform as expected.
• Accountability: It should be clear who accessed information, what was performed, and when it happened.
Examples of Information Security Controls
• Event logging
• Individual accounts for each user
• NetIDplus two-factor authentication
• Access control
• File backups / version history
• File hashing
• Data classification
• Encryption
• Malware prevention
• Physical security
• Users provided only necessary access
• Disaster recovery
• File backups
• Malware prevention
• Network drives and CometSpace cloud storage
Knowledge Check
Match the information security principles to their definitions.
1. Confidentiality
2. Integrity
3. Availability
4. Accountability
A. Data should be consistent and accurate.
B. Data should be accessible when needed.
C. Data modifications should be traceable to an individual.
D. Data should not be disclosed to unauthorized parties.
Data Classification
University Data is classified into three categories based on confidentiality.
Higher value data requires more security protection.
Confidential Data
Definition: The subset of University Data that is private or confidential by law or otherwise exempt from public disclosure and/or other University Data about an individual likely to expose the individual to identity theft.
Examples:
• Social Security Numbers (SSN)
• Passport and visa numbers
• Student grade information
• Protected Health Information
Controlled Data
Definition: The subset of University Data that is not created for or made available for public consumption but that is subject to release under the Texas Public Information Act or other laws.
Examples:
• UTD-IDs
• UT Dallas emails
• Most research data
• Department procedures
Public Data
Definition: The subset of University Data intended for public consumption.
Examples:
• @utdallas.edu email address
• Information on public websites
• Press releases & marketing
• Published articles
Knowledge Check
Match the following types of data with their data categories.
1. Published articles
2. Social Security Numbers (SSN)
3. UTD-IDs
A. Confidential Data
B. Controlled Data
C. Public Data
Encryption Can Be Useful
How does it work?
Encryption uses special math to make data unreadable if it falls into the wrong hands. It is like sending a letter in an envelope, instead of sending a postcard that anyone can read while handling it.
Where is encryption used?
• Adding the [encrypt] trigger to the subject line of outbound email prevents attackers on the Internet from observing the email while in transit between organizations.
• Webmail, banking, and shopping websites that use HTTP Secure – look for https:// rather than http://
• Encrypting a computer’s hard drive can protect all of the contents in the event that it is lost or stolen.
• VPN remote access protects network traffic by encrypting it.
What if I am traveling?
• Some countries will not allow encrypted devices. A list of countries that allow them can be found at http://wassenaar.org/participants. The ISO has unencrypted laptops that can be loaned to traveling employees.
Email Encryption
Situation 1: Two or more UT Dallas users all communicating with @utdallas.edu accounts
• Confidential Data: Email automatically encrypted by UT Dallas mail system
• Controlled Data: Email automatically encrypted by UT Dallas mail system
• Public Data: Email automatically encrypted by UT Dallas mail system
Situation 2: Two or more UT Dallas users communicating, where at least one prefers to use a third-party email service such as @gmail.com, @hotmail.com, etc.
• Confidential Data: Both senders and recipients required to use @utdallas.edu accounts
• Controlled Data: Both senders and recipients required to use @utdallas.edu accounts
• Public Data: Email encryption not required
Situation 3: Emailing anyone who does not have a @utdallas.edu account, such as business partners, colleagues at other universities, incoming students, etc.
• Confidential Data: Sender using @utdallas.edu account must include [encrypt] trigger in subject line
• Controlled Data: Sender using @utdallas.edu account may include [encrypt] trigger in subject line
• Public Data: Email encryption not required
Note: Data Owners may require additional encryption methods, even between UT Dallas users. For example, Callier Center has chosen to continue using certificate-based email encryption for Protected Health Information (PHI).
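The three situations in the table above, written out as an added example pre-send checker; this is not code from the UT Dallas ISO or its mail system, and the Party flag marking whether an outside address belongs to a UTD user, the case-insensitive match on the [encrypt] trigger, and the ok/warn/blocked labels are assumptions made for the example.

```python
from __future__ import annotations
from dataclasses import dataclass

UTD_DOMAIN = "utdallas.edu"
TRIGGER = "[encrypt]"  # subject-line trigger named in the module
CATEGORIES = ("Confidential", "Controlled", "Public")


@dataclass(frozen=True)
class Party:
    address: str
    is_utd_user: bool  # assumption: caller knows whether an outside address belongs to a UTD user


def is_utd_address(address: str) -> bool:
    """True for an @utdallas.edu mailbox (domain compared case-insensitively; an assumption)."""
    return address.strip().lower().endswith("@" + UTD_DOMAIN)


def has_trigger(subject: str) -> bool:
    """Assumption: the trigger counts wherever it appears in the subject, in any letter case."""
    return TRIGGER in subject.lower()


def check_message(sender: Party, recipients: list[Party], category: str, subject: str) -> tuple[str, str]:
    """Classify one outbound message as ("ok" | "warn" | "blocked", reason).
    Rows of the module's table:
      1. every party on @utdallas.edu        -> mail system encrypts automatically
      2. only UTD users, some on third-party  -> Confidential/Controlled must all use @utdallas.edu
      3. at least one non-UTD party           -> Confidential needs [encrypt]; Controlled may use it
    """
    if category not in CATEGORIES:
        raise ValueError(f"unknown data category: {category!r}")
    parties = [sender, *recipients]
    if all(is_utd_address(p.address) for p in parties):  # row 1
        return "ok", "all parties on @utdallas.edu; encrypted automatically by the mail system"
    if all(p.is_utd_user for p in parties):  # row 2: UTD users, at least one on gmail/hotmail/etc.
        if category == "Public":
            return "ok", "Public Data: encryption not required"
        return "blocked", f"{category} Data between UTD users: everyone must use @utdallas.edu accounts"
    # row 3: an outside party is involved; the [encrypt] trigger is the control available to the sender
    if category == "Confidential":
        if has_trigger(subject):
            return "ok", "Confidential Data to outside party: [encrypt] trigger present"
        return "blocked", "Confidential Data to outside party: subject must include [encrypt]"
    if category == "Controlled" and not has_trigger(subject):
        return "warn", "Controlled Data to outside party: consider adding [encrypt] to the subject"
    return "ok", f"{category} Data to outside party: no further action required"
```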
Passwords and Passphrases
Access to most systems and websites is controlled by a username and password. Your password may not be shared with others – it is your responsibility to keep it safe.
• The longer the password, the safer it is. Many users find it easier to remember a “passphrase” which may be a statement, title of a book, or memorable line from a song.
• Use different passwords or passphrases on each website. When attackers compromise one website, they next try to use the stolen credentials on other popular websites.
• If you must write down passwords to remember them, keep your list under your own control.
• When setting up questions and answers, be careful that the answers you provide are not easily researched on social media.
Social Engineering
Attackers try to earn your trust so they can steal passwords and other information. They may email you and include links to websites that look convincing but are designed to trick you. Attackers may also call you on the phone, send a text message, or visit in person. They attempt to take advantage of your commitment to provide good service.
• Be skeptical of unusual requests.
• Hover your mouse over links in e-mail to ensure the web address makes sense.
• Verify the identity of a requester before sharing information.
• When in doubt, do not respond!
Contact your supervisor or the ISO.
Knowledge Check
You receive an email telling you that you have reached your email quota, and that you need to click the included link to verify your login credentials to fix the problem. What should you do?
A. Click on the link and provide all the requested information.
B. Hover your mouse over the link to see if the web address makes sense given the context of the message.
C. Recognize this email may be a phishing attempt, do not respond, and forward it to the ISO for analysis.
D. B and C
Here are several recommendations to protect UT Dallas computers. It is important to use approved tools and techniques, so work with your technical support staff and the ISO to ensure systems in your area are protected.
• Install software updates to the operating system, plus 3rd party software such as your web browser, to remove vulnerabilities.
• Run anti-malware software with the latest available threat updates.
• Use network drives or CometSpace cloud storage rather than local hard drives.
• Use hard drive encryption to protect data in case the computer is lost or stolen.
• Lock your screen when you step away from your desk and configure the screensaver to require a password to unlock.
Mobile Devices
Tablets and smartphones have become essential tools at UT Dallas. If you are conducting UT Dallas business from a mobile device, you are responsible for the following:
• Require a pin or passcode to unlock the screen.
• Configure the device to erase automatically after 10 unsuccessful login attempts.
• Back up your device and keep your software up-to-date.
• Enable features to locate or erase your missing device.
• Only install apps from trusted sources.
Physical Security
Physical security is often overlooked. Failure to ensure physical security can lead to information risks.
• Be aware of people in your work space. Verify visitors to restricted areas before permitting entry.
• Ensure valuable electronic and paper records are locked when they are not in use.
• Ensure records are securely destroyed when no longer needed.
• If you work in an office, lock the door as you leave. If you work in a cubicle environment, lock cabinets and bins as you leave.
• When traveling, UT Dallas equipment should be kept in a hotel safe or vehicle trunk where it will not be observed by potential thieves.
Knowledge Check
Your department has decided to adopt a “clean desk” environment to better protect the security of Confidential Data. What are some things you can do to make sure you are following the “clean desk” procedures?
A. Lock physical copies of Confidential Data in filing cabinets before you leave your workspace.
B. Lock your door, bins, and drawers as you leave.
C. Dispose of documents using a shredder or secure recycling bin.
D. All of the above.
Information Security Incidents
An incident includes accidental or deliberate exposure of data to unauthorized parties or disruption of security controls.
Type of issue and who to contact:
Security issues: Please e-mail [email protected] or call (979) 883-6810. For anonymous reporting, please use the online form to report an incident: https://utdallas.edu/infosecurity/report/.
Missing / Stolen equipment: Please report missing or stolen computers to the UT Dallas Police Department at (972) 883-2222. UTDPD will notify the ISO if necessary.
Noncompliance / Unethical behavior: The Ethics and Compliance Hotline at (888) 228-7702 provides a confidential means to report instances of suspected non-compliance or unethical behavior. This may include financial matters such as fraud, theft of University assets, or conflicts of interest; and other misconduct or violations of UT Dallas / UT System policy.
Copyright infringement / DMCA: The Digital Millennium Copyright Act (DMCA) requires UT Dallas to investigate illegal file transfer activity and respond accordingly. For questions about this law, please contact Tim Shaw, the university attorney, at [email protected].
Knowledge Check
You discover that your backpack containing your university-owned laptop and several USB drives containing Confidential Data has been stolen from your workspace.
What should you do first?
A. Report the theft to the UT Dallas Police Department.
B. Report the theft to the Information Security Office (ISO).
C. Order a replacement laptop.
D. Hope no one notices.
How can the ISO help?
The ISO’s approach is to effectively manage risks, not eliminate risks. Attempts to fully eliminate risks are costly and could cause a disruption in service.
It is important to include ISO in conversations across campus to ensure information security risks are discussed and unacceptable risks are avoided.
The main goal of the ISO is to help UT Dallas fulfill its mission while protecting information.
Service Highlights
ISO offers many new services to help UT Dallas manage information security risks:
• Additional training: Visit our website for more training opportunities.
https://utdallas.edu/infosecurity/outreach/
• CometSpace secure cloud storage: Powered by Box.com to store large files, share files outside of UT Dallas, collaborate with teammates, and access files from tablets and smartphones. Log in with existing NetID and password. http://www.utdallas.edu/cometspace/.
• NetIDplus two-factor authentication: Additional security to protect your NetID identity, required to connect to VPN and update direct deposit. http://www.utdallas.edu/netidplus/
• Patch management: ISO offers Secunia to patch your computer operating system and third-party applications.
• Improved antivirus: ISO is migrating from McAfee antivirus to Microsoft’s System Center Endpoint Protection.
• New website testing: Before new UT Dallas websites go live, ISO can perform testing to identify and reduce vulnerabilities. If you are launching a new website, notify the ISO.
• Vendor evaluation: UT Dallas business partners may need access to UT Dallas data. To ensure their partnership does not introduce unnecessary risk, ISO assists in the evaluation process.
http://utdallas.parature.com/link/portal/30075/30104/Article/660/How-do-I-involve-Information-Security-when-evaluating-a-new-vendor
You finished the Information Security Module
Thank you for taking the time to review this information. This training module will remain available at the Office of Institutional Equity and Compliance website.
• Call us: (972) 883-6810
• Email us: [email protected]
• Visit our website: utdallas.edu/infosecurity
• Like us on Facebook: facebook.com/UTDInfoSec