PROTECTION OF NON-PUBLIC UNIVERSITY INFORMATION
INFORMATION TECHNOLOGY SECURITY PROCEDURES
All users with access to University information available in University files and
systems are continually responsible for maintaining the integrity, accuracy, and
privacy of this information.
Loss of data integrity, theft of data, and unauthorized or inadvertent disclosure
could lead to significant exposure of the college and its constituents, as well as
those directly responsible for the loss, theft, or disclosure.
NON-PUBLIC UNIVERSITY INFORMATION
Non-Public University Information means Personally Identifiable Information (PII)
that an individual can use directly, or in connection with other data to identify,
contact, or locate a person and can include:
Social Security Number
Driver’s license number or non-driver identification card number
Account numbers, credit card and debit card numbers combined with any security code,
access code, or password that would permit access to financial information.
Personal email address
Birthdate
REMEMBER:
Unless otherwise required by law, users of University files and systems must not disclose
any Non-Public University Information to the general public or any unauthorized users.
http://www.cuny.edu/about/administration/offices/CIS/security/pnp/SecurityProcedures032609.pdf
ACCESS TO UNIVERSITY INFORMATION
Access to University information available in its files and systems, whether in
electronic or hard copy form, must be restricted to the following individuals and
must be consistent with their job responsibilities:
Full time and regular part time employees of the college
Adjunct faculty
Employees of the University’s contractors who have been permitted such access under a
written agreement with the University
CUNY students may not be permitted to access Non-Public University Information unless they are:
Students who are also University adjunct faculty
Employees of the University or its related entities who are taking a Continuing Education
course at the University
Employees of the University or its related entities who are taking a credit bearing course at
the College other than the one they are employed at, unless it is part of the tuition waiver
program.
http://www.cuny.edu/about/administration/offices/CIS/security/pnp/SecurityProcedures032609.pdf
BEST PRACTICES FOR TECHNICAL SECURITY OF PII
Always ensure that your computer is logged off when you are not present.
Please keep in mind that logged on and powered on are different. You may leave your
computer powered on but not necessarily logged onto your account.
Putting your computer to sleep will leave it logged on, while logging out will log you out of your
account and will require your username and password to sign back in.
Set a moderately strong password. Do not share your passwords.
Strong passwords:
Use 12 or more characters
Use punctuation and spaces (! ? * & $)
Use a mix of upper-case and lower-case letters and numbers
BEST PRACTICES FOR TECHNICAL SECURITY OF PII
Social security numbers must not be stored, transported, or taken home on
portable devices (e.g. laptops, flash drives) of any type without specific approval
of both the Vice President of Administration (or the equivalent at the College or in
the Central Office department) and the University Information Security Officer.
Where approval is granted, the information must be encrypted and password
protected.
Users are responsible for engaging in safe computing practices such as:
Guarding and not sharing their passwords
Changing passwords regularly
Logging out of systems at the end of use
Protecting Non-Public University Information
http://www.cuny.edu/about/administration/offices/CIS/policies/ComputerUsePolicy.pdf
BEST PRACTICES FOR PHYSICAL SECURITY OF PII
Only ask for PII when absolutely necessary to conduct the business of the
College. When doing so, make sure that:
All documents containing PII are stored in locked cabinets and drawers.
If individuals supply supplemental PII that is not necessary, redact it immediately. Do
not keep it.
Do not email or fax documents containing PII.
As a general rule, whenever possible, do not share PII.
SPECIAL RULES FOR SOCIAL SECURITY NUMBERS
Unless required by law, users of University files and systems must not:
Intentionally communicate to the general public or otherwise make available to the
general public in any manner an individual’s SSN.
Publicly post or display an individual’s SSN or place SSN in files of unrestricted access.
Require an individual to transmit their SSN over the Internet unless the connection is
secure or the SSN is encrypted.
http://www.cuny.edu/about/administration/offices/CIS/security/pnp/SecurityProcedures032609.pdf
Require an individual to use his or her SSN to access an Internet website, unless a
password or unique personal identification number or authentication device is also
required to access the Internet website.
Include an individual's SSN, except for the last four digits, on any materials that are
mailed to the individual, or in any electronic mail that is copied to third parties, unless
state and federal law requires the SSN to be on the document to be mailed.
Transmit an individual's SSN onto portable devices without encryption.
http://www.cuny.edu/about/administration/offices/CIS/security/pnp/SecurityProcedures032609.pdf
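Two of the rules above call for the same mechanism: the physical-security slide says unnecessary supplemental PII must be redacted immediately, and the mailing rule says only the last four digits of an SSN may appear on mailed or third-party-copied material. The following is an added example, not code from the original slides or from CUNY; it assumes SSNs appear in free text in the usual 3-2-4 digit layout (with dashes, spaces, or no separator) and shows both a full redaction and a last-four mask, plus a check that can flag outgoing email text before it is sent.

```python
import re

# A nine-digit SSN written as 123-45-6789, 123 45 6789 or 123456789.
# The look-around assertions stop the pattern matching nine digits inside a
# longer number such as a ten-digit phone number or a long account number.
SSN_RE = re.compile(r"(?<!\d)(\d{3})[- ]?(\d{2})[- ]?(\d{4})(?!\d)")


def find_ssns(text: str) -> list[str]:
    """Return every SSN-shaped value found in the text, as written."""
    return [m.group(0) for m in SSN_RE.finditer(text)]


def contains_ssn(text: str) -> bool:
    """True if the text carries anything that looks like an SSN (e.g. an email body)."""
    return SSN_RE.search(text) is not None


def mask_ssn(text: str) -> str:
    """Keep only the last four digits, the form permitted on mailed materials."""
    return SSN_RE.sub(lambda m: f"XXX-XX-{m.group(3)}", text)


def redact_ssn(text: str) -> str:
    """Remove the SSN entirely, for supplemental PII that must not be kept."""
    return SSN_RE.sub("[SSN REDACTED]", text)


if __name__ == "__main__":
    # Constructed sample text; the numbers are made up and not real SSNs.
    sample = "Applicant SSN 123-45-6789 (alt. 987 65 4321), phone 2125551234."
    print("found:  ", find_ssns(sample))
    print("masked: ", mask_ssn(sample))
    print("redacted:", redact_ssn(sample))
```

`contains_ssn` is the check a mail gateway or form handler would run to refuse the send; `mask_ssn` produces the mailed form; `redact_ssn` is for records that should not have held the number in the first place. A pattern match cannot tell an SSN from any other nine-digit number, so a reviewer still confirms hits before anything is destroyed, in line with the breach procedure's instruction not to destroy data until told to.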
STUDENT INFORMATION PROTECTED BY FERPA
The Family Educational Rights and Privacy Act (FERPA) protects personally
identifiable information from student’s education records from unauthorized
disclosure.
Information that makes an education record “personally identifiable” to a particular
student includes:
The student’s name;
The name of the student’s parent or other family member;
The address of the student or other family member;
A personal identifier, such as the student’s SSN or student number or biometric record;
A list of personal characteristics that would make the student’s identity easily traceable;
Other information that alone or in combination, is linked or linkable to a specific student, and
which would allow a reasonable person to identify the student; or
Information requested by a person who the educational agency or institution reasonably
believes knows the identity of the student to whom the record relates.
http://www.cuny.edu/about/administration/offices/la/Guidelines-for-implementation-of-the-Student-Records-Access-FERPA.pdf
STUDENT INFORMATION PROTECTED BY FERPA
Colleges are required to have appropriate controls in place to limit the accessibility of
student records to those college officials who legitimately need them.
FERPA makes it clear that we cannot designate a SSN as directory information, and NY law
prohibits the use of a student’s SSN for any public identification purpose such as posting
of grades.
The Family Policy Compliance Office of the US Department of Education which enforces
FERPA has also made it clear that it is a violation of FERPA to disclose information
containing the last four digits of the student’s SSN.
CUNY BREACH REPORTING PROCEDURE
When a possible privacy breach has occurred, immediate action should be taken:
Step 1: Confirm and Contain
Confirm the validity of the suspected information breach.
Containment should occur immediately. This includes, but is not limited to disconnection of the host (server
or device) from the network or shutting down an application.
Care should be taken to not destroy the data, but preserve it without any form of network connection.
Step 2a: Report - The following individuals should be informed immediately:
The College President or Central Office Vice President for the affected area
The College Legal Affairs Department and Central Office, Office of General Counsel
The College or Central Office department head from which the information was breached.
The College Chief Information Officer
University Chief Information Office
University Chief Information Security Office
http://www.cuny.edu/about/administration/offices/CIS/security/pnp/BreachReportingProcedureV07182006.pdf
CUNY BREACH REPORTING PROCEDURE
Step 2b: Report - The report should indicate the following information:
Whose personal information was disclosed
To whom it was disclosed
When it was disclosed
How it was disclosed/accessed
What steps have been taken in response to the disclosure
Step 3a: Retrieve
Any documents or contents of electronic documents that have been disclosed to, or taken by, an
unauthorized recipient should immediately be retrieved and/or secured or taken offline.
Documents, in any form, should not be destroyed until specific instruction is received.
Step 3b: Remove
Private information taken offline may still be accessible and discoverable on the Internet via Internet
search engines (e.g. Google).
Requests to remove the information from search engine indexes and caches must be made directly to
the search engine companies as quickly as possible.
This step will be coordinated with the University Chief Information Security Officer.
http://www.cuny.edu/about/administration/offices/CIS/security/pnp/BreachReportingProcedureV07182006.pdf
CUNY BREACH REPORTING PROCEDURE
Step 4: Notify
In cases where breach results in the disclosure of personal information, New York law may require you to
notify the individuals affected.
Determination of the reporting requirements will be made by the Office of the General Counsel with the
College Legal Affairs designee on a case by case basis.
Step 5: Investigate
The College’s Legal Affairs Department, the Vice President for the affected area, the College’s CIO, and
The University Chief Information Security Officer will investigate the details of the breach for the
purpose of determining and recording all the relevant facts concerning the breach and making
recommendations.
Objectives of the investigation will include a review of circumstances surrounding the event as well as
the adequacy of existing policies and procedures in protecting PII.
Step 6: Management Review
The College Legal Affairs department with the Vice President of the affected area will document and
report the detail of the breach and remedial steps to the President of the College.
The Legal Affairs Department in collaboration with the University CIO will report on recommendations
and actions to the appropriate parties within the Chancellor’s office.
http://www.cuny.edu/about/administration/offices/CIS/security/pnp/BreachReportingProcedureV07182006.pdf
COMPUTER RESOURCES
Users may not install, use, or develop programs intended to infiltrate or
damage CUNY computer resources, or lead to theft of confidential data.
Such programs include, but are not limited to, computer viruses, Trojan horses, and
worms.
Users should always consult with the Chief Information Officer before installing
any programs on CUNY computer resources if they are unsure of their safety or
the strain they may cause.
http://www.cuny.edu/about/administration/offices/CIS/policies/ComputerUsePolicy.pdf
COMPUTER RESOURCES
CUNY Computer Resources must not be used in a manner that could cause,
directly or indirectly, unsolicited interference with the activities of other users.
This includes:
Chain letters, virus hoaxes, or other emails that disrupt normal email service
Spamming, junk mail, or unsolicited mail that is not related to CUNY business
and is sent without reasonable expectation
The inclusion on email lists of individuals who have not requested to be on those lists
Downloading of large video files or files for personal use.
CUNY has the right to require users to limit other specific uses if the CIO of
the college sees them as interfering with efficient operation of the system.
http://www.cuny.edu/about/administration/offices/CIS/policies/ComputerUsePolicy.pdf
SECURITY TIPS
DO NOT send personal information over public Wi-Fi.
Wireless networks can be easily intercepted and you are better off using your carrier (3G or
4G) to transmit sensitive information.
DO create strong passwords.
It is always a good idea to use a combination of capital and lower case letters and numbers
when creating a password.
Creating a different password for each of your accounts gives you the added safety that if one of
your accounts is breached, the hacker will not be able to get into all of them.
NEVER send out ANY personal information over email, including in attachments.
Emails can easily be hacked and you do not want to make it any easier for someone to find
more information about you.
ANY QUESTIONS?
Contact the Training & Technology Solutions Office:
• Office: I-214
• Ext: 74875
• Email: [email protected]
• Facebook: www.facebook.com/QC.Training
• Tumblr: http://qc-tech.tumblr.com/