PROTECTION OF NON-PUBLIC UNIVERSITY INFORMATION

Transcript of an 18-slide training presentation.

INFORMATION TECHNOLOGY SECURITY PROCEDURES

All users with access to University information available in University files and systems are continually responsible for maintaining the integrity, accuracy, and privacy of this information.

Loss of data integrity, theft of data, and unauthorized or inadvertent disclosure could lead to significant exposure of the college and its constituents, as well as those directly responsible for the loss, theft, or disclosure.


NON-PUBLIC UNIVERSITY INFORMATION

Non-Public University Information means Personally Identifiable Information (PII) that an individual can use directly, or in connection with other data, to identify, contact, or locate a person, and can include:

• Social Security Number
• Driver’s license number or non-driver identification card number
• Account numbers, credit card and debit card numbers combined with any security code, access code, or password that would permit access to financial information
• Personal email address
• Birthdate

REMEMBER: Unless otherwise required by law, users of University files and systems must not disclose any Non-Public University Information to the general public or any unauthorized users.

http://www.cuny.edu/about/administration/offices/CIS/security/pnp/SecurityProcedures032609.pdf


ACCESS TO UNIVERSITY INFORMATION

Access to University information available in its files and systems, whether in electronic or hard copy form, must be restricted to the following individuals and must be consistent with their job responsibilities:

• Full time and regular part time employees of the college
• Adjunct faculty
• Employees of the University’s contractors who have been permitted such access under a written agreement with the University

CUNY students may not be permitted to access Non-Public University Information unless they are:

• Students who are also University adjunct faculty
• Employees of the University or its related entities who are taking a Continuing Education course at the University
• Employees of the University or its related entities who are taking a credit bearing course at the College other than the one they are employed at, unless it is part of the tuition waiver program

http://www.cuny.edu/about/administration/offices/CIS/security/pnp/SecurityProcedures032609.pdf


BEST PRACTICES FOR TECHNICAL SECURITY OF PII

Always ensure that your computer is logged off when you are not present. Please keep in mind that logged on and powered on are different: you may leave your computer powered on but not necessarily logged onto your account. Putting your computer to sleep will leave it logged on, while logging out will log you out of your account and will require your username and password to sign back in.

Set a moderately strong password. Do not share your passwords. Strong passwords entail:

• Using 12 or more characters
• Using punctuation and spaces (! ? * & $)
• Using case sensitive alphanumeric characters
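The three password rules above can be enforced at account-creation time rather than left to the user's memory. The following checker is an added example written for this transcript; it is not CUNY's own tooling. It reads "case sensitive alphanumeric characters" as requiring at least one lower-case letter, one upper-case letter and one digit (an assumption), and it returns the list of rules a candidate password fails so the user can be told exactly what to fix. It never stores or logs the password it is given.

```python
import string

# Thresholds taken from the slide: 12+ characters, punctuation or a space,
# and mixed-case letters plus digits ("case sensitive alphanumeric").
MIN_LENGTH = 12
PUNCT_AND_SPACE = set(string.punctuation) | {" "}


def check_password_policy(password: str) -> list[str]:
    """Return the policy rules the password fails; an empty list means it passes.

    Hypothetical helper: the rule names are this example's own wording.
    The password is only inspected in memory and never written anywhere.
    """
    failures: list[str] = []
    if len(password) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c in PUNCT_AND_SPACE for c in password):
        failures.append("no punctuation or space")
    if not any(c.islower() for c in password):
        failures.append("no lower-case letter")
    if not any(c.isupper() for c in password):
        failures.append("no upper-case letter")
    if not any(c.isdigit() for c in password):
        failures.append("no digit")
    return failures


def is_compliant(password: str) -> bool:
    """True when the password satisfies every rule on the slide."""
    return not check_password_policy(password)


if __name__ == "__main__":
    # Constructed sample inputs, not real credentials.
    for candidate in ("password", "correct horse Battery 9!"):
        problems = check_password_policy(candidate)
        status = "OK" if not problems else "REJECT (" + "; ".join(problems) + ")"
        print(f"{len(candidate):2d} chars -> {status}")
```

Because the check reports every failed rule at once, a user is not sent through several rounds of "try again"; a passphrase made of several words separated by spaces satisfies the punctuation-or-space rule and usually the length rule at the same time.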


BEST PRACTICES FOR TECHNICAL SECURITY OF PII

Social security numbers must not be stored, transported, or taken home on portable devices (e.g. laptops, flash drives) of any type without specific approval of both the Vice President of Administration (or the equivalent at the College or in the Central Office department) and the University Information Security Officer. Where approval is granted, the information must be encrypted and password protected.

Users are responsible for engaging in safe computing practices such as:

• Guarding and not sharing their passwords
• Changing passwords regularly
• Logging out of systems at the end of use
• Protecting Non-Public University Information

http://www.cuny.edu/about/administration/offices/CIS/policies/ComputerUsePolicy.pdf


BEST PRACTICES FOR PHYSICAL SECURITY OF PII

Only ask for PII when absolutely necessary to conduct the business of the College. When doing so, make sure that:

• All documents containing PII are stored in locked cabinets and drawers.
• If individuals supply supplemental PII that is not necessary, redact it immediately. Do not keep it.
• Do not email or fax documents containing PII.

As a general rule, whenever possible, do not share PII.
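Redacting unnecessary PII and keeping it out of email both depend on noticing it first. The following scanner is an added example for this transcript, not a CUNY tool: it finds Social Security Numbers written in the common separated form (three digits, two digits, four digits, joined by hyphens or spaces) and either reports their presence or replaces them with a fixed marker before a document is shared. Unbroken nine-digit runs are deliberately not matched, to avoid flagging phone and account numbers; that pattern is this example's own choice and can be widened for a stricter sweep.

```python
import re

# SSN written as 123-45-6789 or 123 45 6789; the backreference requires the
# same separator in both positions so that phone numbers (212-555-0100)
# and other digit groups are not mistaken for an SSN.
SSN_RE = re.compile(r"\b\d{3}([- ])\d{2}\1\d{4}\b")
REDACTION_MARKER = "[SSN REDACTED]"


def contains_ssn(text: str) -> bool:
    """True when the text holds at least one SSN-shaped token."""
    return SSN_RE.search(text) is not None


def redact_ssns(text: str) -> tuple[str, int]:
    """Replace every SSN-shaped token and return (redacted_text, count).

    Hypothetical helper for this example: the whole number is masked, so the
    result reveals neither the area/group digits nor the last four.
    """
    return SSN_RE.subn(REDACTION_MARKER, text)


def safe_to_send(text: str) -> bool:
    """Gate for an outgoing message: only documents free of SSNs pass."""
    return not contains_ssn(text)


if __name__ == "__main__":
    # Constructed sample record; the numbers are made up.
    sample = ("Student: Jane Doe, SSN 123-45-6789, phone 212-555-0100, "
              "ID 987 65 4321.")
    cleaned, hits = redact_ssns(sample)
    print(f"found {hits} SSN(s); safe to send original: {safe_to_send(sample)}")
    print(cleaned)
```

Running the gate before a message leaves the mail client turns the slide's rule into a check that fails closed: a document is held back until the scanner finds nothing, and the redacted copy is what gets filed.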


SPECIAL RULES FOR SOCIAL SECURITY NUMBERS

Unless required by law, users of University files and systems must not:

• Intentionally communicate to the general public, or otherwise make available to the general public in any manner, an individual’s SSN.
• Publicly post or display an individual’s SSN, or place an SSN in files of unrestricted access.
• Require an individual to transmit their SSN over the Internet unless the connection is secure or the SSN is encrypted.
• Require an individual to use his or her SSN to access an Internet website, unless a password, a unique personal identification number, or an authentication device is also required to access the Internet website.
• Include an individual’s SSN, except for the last four digits, on any materials that are mailed to the individual, or in any electronic mail that is copied to third parties, unless state and federal law requires the SSN to be on the document to be mailed.
• Transmit an individual’s SSN onto portable devices without encryption.

http://www.cuny.edu/about/administration/offices/CIS/security/pnp/SecurityProcedures032609.pdf


STUDENT INFORMATION PROTECTED BY FERPA

The Family Educational Rights and Privacy Act (FERPA) protects personally identifiable information in students’ education records from unauthorized disclosure.

Information that makes an education record “personally identifiable” to a particular student includes:

• The student’s name;
• The name of the student’s parent or other family member;
• The address of the student or other family member;
• A personal identifier, such as the student’s SSN, student number, or biometric record;
• A list of personal characteristics that would make the student’s identity easily traceable;
• Other information that, alone or in combination, is linked or linkable to a specific student and would allow a reasonable person to identify the student; or
• Information requested by a person who the educational agency or institution reasonably believes knows the identity of the student to whom the record relates.

http://www.cuny.edu/about/administration/offices/la/Guidelines-for-implementation-of-the-Student-Records-Access-FERPA.pdf


STUDENT INFORMATION PROTECTED BY FERPA

Colleges are required to have appropriate controls in place to limit the accessibility of student records to those college officials who legitimately need them.

FERPA makes it clear that we cannot designate an SSN as directory information, and NY law prohibits the use of a student’s SSN for any public identification purpose, such as posting of grades.

The Family Policy Compliance Office of the US Department of Education, which enforces FERPA, has also made it clear that it is a violation of FERPA to disclose information containing the last four digits of the student’s SSN.


CUNY BREACH REPORTING PROCEDURE

When a possible privacy breach has occurred, immediate action should be taken:

Step 1: Confirm and Contain

• Confirm the validity of the suspected information breach.
• Containment should occur immediately. This includes, but is not limited to, disconnection of the host (server or device) from the network or shutting down an application.
• Care should be taken not to destroy the data, but to preserve it without any form of network connection.

Step 2a: Report. The following individuals should be informed immediately:

• The College President or Central Office Vice President for the affected area
• The College Legal Affairs Department and Central Office, Office of General Counsel
• The College or Central Office department head from which the information was breached
• The College Chief Information Officer
• The University Chief Information Officer
• The University Chief Information Security Officer

http://www.cuny.edu/about/administration/offices/CIS/security/pnp/BreachReportingProcedureV07182006.pdf


CUNY BREACH REPORTING PROCEDURE

Step 2b: Report. The report should indicate the following information:

• Whose personal information was disclosed
• To whom it was disclosed
• When it was disclosed
• How it was disclosed/accessed
• What steps have been taken in response to the disclosure

Step 3a: Retrieve

• Any documents, or contents of electronic documents, that have been disclosed to or taken by an unauthorized recipient should immediately be retrieved and/or secured or taken offline.
• Documents, in any form, should not be destroyed until specific instruction is received.

Step 3b: Remove

• Private information taken offline may still be accessible and discoverable on the Internet via Internet search engines (e.g. Google).
• Requests must be made as quickly as possible, directly to the Internet search engine companies, to remove the information from search engine indexes and caches.
• This step will be coordinated with the University Chief Information Security Officer.

http://www.cuny.edu/about/administration/offices/CIS/security/pnp/BreachReportingProcedureV07182006.pdf


CUNY BREACH REPORTING PROCEDURE

Step 4: Notify

In cases where a breach results in the disclosure of personal information, New York law may require you to notify the individuals affected. Determination of the reporting requirements will be made by the Office of the General Counsel with the College Legal Affairs designee on a case by case basis.

Step 5: Investigate

The College’s Legal Affairs Department, the Vice President for the affected area, the College’s CIO, and the University Chief Information Security Officer will investigate the details of the breach for the purpose of determining and recording all the relevant facts concerning the breach and making recommendations. Objectives of the investigation will include a review of the circumstances surrounding the event as well as the adequacy of existing policies and procedures in protecting PII.

Step 6: Management Review

The College Legal Affairs Department, with the Vice President of the affected area, will document and report the details of the breach and the remedial steps to the President of the College. The Legal Affairs Department, in collaboration with the University CIO, will report on recommendations and actions to the appropriate parties within the Chancellor’s office.

http://www.cuny.edu/about/administration/offices/CIS/security/pnp/BreachReportingProcedureV07182006.pdf


COMPUTER RESOURCES

Users may not install, use, or develop programs intended to infiltrate or damage CUNY computer resources, or lead to theft of confidential data. Such programs include, but are not limited to, computer viruses, Trojan horses, and worms.

Users should always consult with the Chief Information Officer before installing any programs on CUNY computer resources if they are unsure of their safety or the strain they may cause.

http://www.cuny.edu/about/administration/offices/CIS/policies/ComputerUsePolicy.pdf


COMPUTER RESOURCES

CUNY Computer Resources must not be used in a manner that could cause, directly or indirectly, unsolicited interference with the activities of other users. This includes:

• Chain letters, virus hoaxes, or other emails that disrupt normal email service
• Spamming, junk mail, or unsolicited mail that is not related to CUNY business and is sent without reasonable expectation
• The inclusion on email lists of individuals who have not requested to be on those lists
• Downloading of large video files or files for personal use

CUNY has the right to require users to limit other specific uses if the CIO of the college sees them as an interference with the efficient operation of the system.

http://www.cuny.edu/about/administration/offices/CIS/policies/ComputerUsePolicy.pdf


SECURITY TIPS

DO NOT send personal information over public Wi-Fi. Wireless networks can be easily intercepted, and you are better off using your carrier (3G or 4G) to transmit sensitive information.

DO create strong passwords. It is always a good idea to use a combination of capital and lower case letters and numbers when creating a password. Creating different passwords for each of your accounts gives you the added safety that, if one of your accounts is breached, the hacker will not be able to get into all of them.

NEVER send out ANY personal information over email, which includes attachments. Emails can easily be hacked, and you do not want to make it any easier for someone to find more information about you.


ANY QUESTIONS?

Contact the Training & Technology Solutions Office:

• Office: I-214

• Ext: 74875

• Email: [email protected]

• Facebook: www.facebook.com/QC.Training

• Tumblr: http://qc-tech.tumblr.com/