Maintaining Security While Using Computers What all of Our Computer Users Need to Know.


Transcript of Maintaining Security While Using Computers What all of Our Computer Users Need to Know.

Page 1: Maintaining Security While Using Computers What all of Our Computer Users Need to Know.

Maintaining Security While Using Computers

What all of Our Computer Users Need to Know

Page 2: Maintaining Security While Using Computers What all of Our Computer Users Need to Know.

What You Need to Know

ALL staff - even those that don’t use computers - need to know some things about security

What “Data Stewardship” means

New Information Security Policies and Procedures mean new rules for computer users

How to fulfill your responsibility to help keep our computers safe from computer viruses and worms

Page 3: Maintaining Security While Using Computers What all of Our Computer Users Need to Know.

What Staff Who Don’t Use the Computer Need to Know

There is a federal law (HIPAA) which requires that all our staff learn to protect our information

You must not use our computers unless you have been authorized to do so

If you find any computer printout, floppy disk, or computer CD, turn it in to your supervisor

If you suspect a security violation, report it to your supervisor

Page 4: Maintaining Security While Using Computers What all of Our Computer Users Need to Know.

Data Stewardship

First – Some Definitions

Facility Data – data which is acquired, developed, or maintained by our staff in performance of their duties

Application – a purchased, shared, or developed set of files which maintain Facility Data

Application Owner – a single, designated person, responsible for this application and the data it maintains

Page 5: Maintaining Security While Using Computers What all of Our Computer Users Need to Know.

Some More Definitions

Data File – a computer file (often in Word, Excel, or Access format) which contains Facility Data

Computer User – staff who use a Facility computer in performance of their assigned duties

Data Owner – the person who created and saved a file which contains facility data, or in the case of an application, the application owner

Page 6: Maintaining Security While Using Computers What all of Our Computer Users Need to Know.

Network Files are Classified According to Security Level

Public Files – Usually on our internet site, not protected

Private Files – Usually stored on S:, shared among all network users, protected by Network login requirement

Secure Files – Except for Application Software and Secure Systems, all files NOT stored on the S: Shared folder. Secure files are protected by network rights

Application Software – Things like Word and Excel

Secure Systems – Those systems (like HEARTS) which have been classified as needing MORE than standard file access rights to protect the data

Page 7: Maintaining Security While Using Computers What all of Our Computer Users Need to Know.

Data Stewardship

All data on the LAN is “owned” by a single member of our staff

The Data Owner must protect the data

If the data belongs to one of our “applications”, then the data is owned by the application owner

If the data is not part of an application, the data is owned by the person who created the file

Page 8: Maintaining Security While Using Computers What all of Our Computer Users Need to Know.

Files Must be Stored in Secure Network Folders

All files on the Local Area Network are kept in folders

If the folder is the S: (S for Shared), then the files are private, but not confidential, and can be seen by all computer users. No PHI should be stored here

All other folders are for Secure Files, and cannot be seen by anybody unless they have been granted network rights. PHI can be stored

Page 9: Maintaining Security While Using Computers What all of Our Computer Users Need to Know.

New Responsibilities for all Supervisors

Ensuring that employees are aware of and observe all computer security requirements

Monitoring employee activities to ensure compliance with all software legal requirements

Ensuring that only authorized software runs on State computers

Page 10: Maintaining Security While Using Computers What all of Our Computer Users Need to Know.

Rules for Computer Users

Data Ownership and LAN Structure

Requesting Network Rights

Making Changes in Network Rights

Password Rules

Mobile Devices

Personal Use

User “Don'ts”

Maintaining Security

Page 11: Maintaining Security While Using Computers What all of Our Computer Users Need to Know.

Data Owner Responsibilities

Understanding the LAN Rights Structure

Storing their files only in appropriately secure areas

Preventing non-Public files from being copied to moveable media

Keeping Protected Health Information (PHI) secure

Page 12: Maintaining Security While Using Computers What all of Our Computer Users Need to Know.

Rights on the LAN - #1

All users have a private file storage area. This is their “H Drive”, or “Home”.

Many users also have rights to a shared folder (typically, the “G Drive”), along with others in their department

The “S Drive”, or Shared area, can be used for exchanging files between staff, but cannot be used if the file contains PHI

Page 13: Maintaining Security While Using Computers What all of Our Computer Users Need to Know.

Rights on the LAN - #2

Rights to “Applications” that run on the network are granted by the Application Owner

If rights to use an application are granted by any person other than the Application Owner, the person granting those rights must send email to the Application Owner notifying them what rights were granted

Page 14: Maintaining Security While Using Computers What all of Our Computer Users Need to Know.

New Computer Users Must . . .

Complete General Security Training

Read and sign our Computer User’s Agreement

Fill out a Network Rights Request form

Get any necessary Data Owner signatures

Get their Supervisor’s signature on the Network Rights Request form

Turn the form in to Computer Services

Page 15: Maintaining Security While Using Computers What all of Our Computer Users Need to Know.

Users must read and sign the Computer User’s Agreement before they can be given rights to the Local Area Network.

Page 16: Maintaining Security While Using Computers What all of Our Computer Users Need to Know.

Users must complete the Network Security Rights Request form

Your Supervisor’s signature goes here

If you need rights to a home’s PPS, you must get the Home Coordinator’s signature here

You sign here

Page 17: Maintaining Security While Using Computers What all of Our Computer Users Need to Know.

Making Changes in Network Rights

The same Network Security Rights Request form is used to change network rights for an existing user

When the form is used to remove rights, the applicant’s signature and the Data Owner’s signature are not required, but the Supervisor’s signature is required

The Data Owner does NOT need to use this form to request the total removal of rights; they may use Email to the Help Desk instead

Page 18: Maintaining Security While Using Computers What all of Our Computer Users Need to Know.

Password Rules

Your network password must be changed every 90 days

Network users must select and change their own passwords

Users will be allowed three “grace” logins when their password expires

All passwords must be at least eight characters, and must not be “guessable”

You must not tell your password to anybody, even your supervisor

Page 19: Maintaining Security While Using Computers What all of Our Computer Users Need to Know.

Password “Dos”

Mix upper and lower case letters

Mix letters and numbers

Pick a password you can remember

Choose a completely new password each time you change

Include non-alphanumeric characters, such as &, $, and >

Pick a password with at least 8 characters

Page 20: Maintaining Security While Using Computers What all of Our Computer Users Need to Know.

Password “Don’ts”

Do not use recognizable words that might appear in a dictionary

Do not use proper names

Do not use words in other languages, such as “bonjour”

Do not use your personal information, such as the names of your pets or your children
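The password rules on the three preceding pages (changed every 90 days with three grace logins, at least eight characters, mixed case, letters and numbers, a non-alphanumeric character, no dictionary words, proper names, foreign words or personal details, and a completely new password each change) can be enforced at the point where a user picks a password. The following Python is an added example written for this page; it is not code from the training deck or from the organization it describes. The word lists and the previous-password hashes are constructed placeholders, and a production system would hold far larger lists and a proper salted password hash rather than a bare SHA-256.

```python
import hashlib
import re
from typing import Iterable, List

# Constructed, deliberately tiny stand-ins for a real dictionary, a name list,
# a foreign-word list and the user's own personal details (pets, children).
DICTIONARY_WORDS = {"password", "welcome", "summer", "computer", "secure"}
PROPER_NAMES = {"john", "mary", "smith", "springfield"}
FOREIGN_WORDS = {"bonjour", "hola", "ciao"}
PERSONAL_INFO = {"fluffy", "rex", "emily", "jacob"}

PASSWORD_MAX_AGE_DAYS = 90   # "must be changed every 90 days"
GRACE_LOGINS = 3             # "three grace logins when their password expires"
MIN_LENGTH = 8               # "at least eight characters"


def password_fingerprint(text: str) -> str:
    """Fingerprint used only to compare a candidate against previous passwords.
    Constructed for this example; real password history would use a salted hash."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def check_password(candidate: str, previous_fingerprints: Iterable[str] = ()) -> List[str]:
    """Return the list of policy rules the candidate violates (empty means acceptable)."""
    problems: List[str] = []

    # Password "Dos": length, case mix, letter/digit mix, a non-alphanumeric character
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not (re.search(r"[a-z]", candidate) and re.search(r"[A-Z]", candidate)):
        problems.append("does not mix upper and lower case letters")
    if not (re.search(r"[A-Za-z]", candidate) and re.search(r"[0-9]", candidate)):
        problems.append("does not mix letters and numbers")
    if not re.search(r"[^A-Za-z0-9]", candidate):
        problems.append("contains no non-alphanumeric character (such as &, $ or >)")

    # Password "Don'ts": the "guessable" content rules. Matching is case-insensitive
    # and looks for the word anywhere inside the candidate, so "Fluffy$2024" is caught.
    lowered = candidate.lower()
    for label, words in (("dictionary word", DICTIONARY_WORDS),
                         ("proper name", PROPER_NAMES),
                         ("word from another language", FOREIGN_WORDS),
                         ("personal information", PERSONAL_INFO)):
        hits = sorted(w for w in words if w in lowered)
        if hits:
            problems.append(f"contains {label}: {', '.join(hits)}")

    # "Choose a completely new password each time you change"
    if password_fingerprint(candidate) in set(previous_fingerprints):
        problems.append("reuses a previous password; choose a completely new one")

    return problems


def login_status(days_since_change: int, grace_logins_used: int) -> str:
    """Expiry handling: after 90 days the password is expired, and the user gets
    three grace logins to change it before further logins are refused."""
    if days_since_change <= PASSWORD_MAX_AGE_DAYS:
        return "ok"
    if grace_logins_used < GRACE_LOGINS:
        return (f"expired: grace login {grace_logins_used + 1} of {GRACE_LOGINS}, "
                "change your password now")
    return "refused: password expired and grace logins exhausted"


if __name__ == "__main__":
    # Constructed sample inputs showing a compliant and several non-compliant choices.
    history = {password_fingerprint("Kz9$Vm2!qT")}
    for candidate in ("Kz9$Vm2!qT", "bonjour1", "Fluffy$2024"):
        print(candidate, "->", check_password(candidate, history) or "accepted")
    print(login_status(30, 0), "|", login_status(91, 0), "|", login_status(100, 3))
```

The check reports every rule a candidate breaks rather than stopping at the first, which is what a user needs in order to fix the password in one attempt; the history comparison is by fingerprint so the checker never needs to hold old passwords in clear.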

Page 21: Maintaining Security While Using Computers What all of Our Computer Users Need to Know.

Mobile Computing Devices

PDAs will be issued only where there is a critical need, and their use must be approved by the Security Official

The use of removable storage devices such as USB flash drives or CD R/W drives is not permitted without the express permission of the Security Official

Mobile computing devices must never be left in unsecured areas

Page 22: Maintaining Security While Using Computers What all of Our Computer Users Need to Know.

Personal Use of Computers

Personal projects may be permitted on the employee’s own time, but written supervisor permission is required

An employee may make personal use of internet searches only with the approval of their supervisor

An employee may not use instant messaging or download music files without permission from both their supervisor and the LAN Manager

Page 23: Maintaining Security While Using Computers What all of Our Computer Users Need to Know.

User “Don’ts” - #1

Users must not change their hardware configuration or physical location without the permission of the Workstation Manager

Downloading software from the internet and bringing software from home are forbidden

An employee may not use our information, applications, or equipment for personal commercial gain

Page 24: Maintaining Security While Using Computers What all of Our Computer Users Need to Know.

User “Don’ts” - #2

Users must identify themselves clearly and correctly when using email

Any type of mass mailing by one of our workforce members that does not pertain to governmental business is forbidden

Circumventing user authentication or security is forbidden. A user must be logged in to the LAN as themselves before operating any computer software

Page 25: Maintaining Security While Using Computers What all of Our Computer Users Need to Know.

User “Don’ts” - #3

Staff must not provide information about, or lists of, employees or consumers to parties outside this organization

Staff must not post to non-work related public discussion groups or forums on the internet

Users must not access, or attempt to gain access to, any computer account to which they are not authorized

Page 26: Maintaining Security While Using Computers What all of Our Computer Users Need to Know.

Maintaining Security - #1

In order to maintain confidentiality of protected health information (PHI), workstations should be set up so that the screen is not visible by people standing at the door or entering the room

If you are viewing PHI, and a person unauthorized to see the PHI enters the room, you should minimize the application or turn off the computer monitor

Page 27: Maintaining Security While Using Computers What all of Our Computer Users Need to Know.

Maintaining Security - #2

Sensitive paper and computer media should be stored in locked cabinets when not in use

Protected or sensitive information, when printed to a shared printer, should be retrieved immediately

Sensitive information should not be stored at the home of an employee without appropriate supervisor authorization

Page 28: Maintaining Security While Using Computers What all of Our Computer Users Need to Know.

Maintaining Security - #3

Any activity conducted using the State’s computers, including email and the use of the internet, may be logged, monitored, archived or filtered, either randomly or systematically

Both this Facility and the Division reserve the right to perform these actions without specific notice to the user

Page 29: Maintaining Security While Using Computers What all of Our Computer Users Need to Know.

Maintaining Security - #4

All users are responsible for helping to prevent the introduction and spread of computer viruses and other “malware”

All files received from any source external to this Division must be scanned for computer viruses before opening

Users must immediately contact their supervisor or the Help Desk when a virus is suspected or detected

Page 30: Maintaining Security While Using Computers What all of Our Computer Users Need to Know.

Maintaining Security - #5

Employees must report all information security violations to either the Computer Help Desk or the Security Official

Users must notify the Help Desk immediately if they know or suspect that their network account or workstation has been compromised by a virus or unauthorized access

Users should not attempt to remove viruses themselves without permission from the Help Desk

Page 31: Maintaining Security While Using Computers What all of Our Computer Users Need to Know.

Maintaining Security - #6

Users should not stay logged in to the LAN if they are going to leave the room for more than 15 minutes, even if it is locked

During the day, workstations should be left at the Netware Login screen. At night, computers should be powered down

All network accounts and workstation hard drives are subject to periodic audit for the purpose of maintaining security and license requirements

Page 32: Maintaining Security While Using Computers What all of Our Computer Users Need to Know.

Engaging in “Safe” Computing

All users must protect against viruses

Do not bring software from home

Do not download software from the internet

Do not open email attachments that you were not expecting to receive

Only operate computers which are running virus protection software

When in doubt, call and ask

Page 33: Maintaining Security While Using Computers What all of Our Computer Users Need to Know.

Complete the Test Now!

All computer users must complete this test

Here is the test. Take it now!

http://www.JIRDC.org/SecTest.pdf

Page 34: Maintaining Security While Using Computers What all of Our Computer Users Need to Know.