NDSU 2009 Fall Conference general session PowerPoint.

1. Managing IT Security for Extension and Outreach Offices Theresa Semmens NDSU Chief IT Security Officer October, 2009

2. Presentation Outline Security Guidelines Email Workstation Wireless External Mobile Device Security Protection of Confidential and Private Data Online Financial Transactions Those *!@&$ NDSU network services Dual Support with the ND Association of Counties

3. NDSU E-mail What is secure Encrypted User name and password Email messages and attachments Subject to privacy laws HIPAA GLBA FERPA ND Public Open Records Century Code Using personal e-mail address and equipment for NDSU Business Can be subject to ND Public Open Records Century Code

4. Workstation Users must have unique login and password Operating system and office software current with latest patches Anti-virus software and firewall installed, enabled and active Confidential/private data is not accessible or viewable by public Log off computer when done or away from desk Set a password protected screensaver

5. Workstation Area Confidential/sensitive information not available for public view Protected hard copy documentation stored in locked file cabinet Manipulated hard copy documentation Tidy desk area

6. Wireless Access Wireless access in the office Open vs. Secured Access available only to those who need it Wireless access outside of the office Public access Not recommended Working with confidential private data Use for personal banking Purchasing merchandise online Use NDSU Webmail client to send and receive email – do not send attachments, message body should not contain sensitive information

8. Back up all data, and make use of encryption features when you do so.

9. Hard drive and external storage is encrypted.

11. Phlushing the Phish! What is NDSU doing? What can you do? Recent Spear Phishing Attacks

12. Confidential/Private Data Defined and classified in NDUS 1901.2 Examples: Pesticide Program Master Gardeners 4-H Research What is allowable for use and storage

13. Employees & Volunteers Must sign confidentiality agreements Background checks required* Receive formal, documented training *Above point required if handling electronic financial transactions

14. Social Security Numbers Do not use as an identifier on Files Spread sheets Data bases Correspondence Any files/documents containing SSN data must be secured and available only to those who have a need to know

15. Credit Card Information Do not store Full credit card number (only last four digits) CVV2 number Exp. Date Receipts Only allow last four digits on receipt No CVV2 number No exp. Date Do not accept credit card transactions over email If received over voice mail, delete immediately Must have separation of duties for acceptance of credit cards

16. More Safeguards Non-disclosure (suppression) Farmers/Ranchers Parents Children Requests for lists of members Health questionnaires (4-H) Date of Birth combined with name Information posted to Web sites

17. Use & Disposal of Protected Data Encrypt or password protect on electronic devices Back up regularly Allow only those who have a need to know access to data Use only where necessary Dispose of properly

18. Personnel & Volunteer Files Stored in locked cabinet not in public area If request is made to view personnel file Dean and General Counsel to approve request Log request, date, time Viewer must sign log form Only allow what is considered public information to be viewed Purge according to data retention policies Shred with cross cut shredder, burn, using document destruction service

19. Suspected Data Breach For computer related security issues contact your supervisor Document reasons you suspect breach of data Do not move, touch, alter equipment or anything related to the breach Do not attempt to do your own investigation

20. NDSU network services E-mail accounts Alias Shared E-mail box space Changing electronic ID Non-employee accounts Affiliate vs. Guest accounts

22. Does not require password

23. Owner responsible for removing and adding usersSender Alias Recipient Recipient Recipient

25. Requires shared password

26. Owner required to change password when users leave or are added to groupSender Shared Recipient Recipient Recipient

27. Electronic ID Official Format = FirstName.LastName Full-time employees and Students can change EID at http://enroll.nodak.edu Non-employees/students must request change Change subject to previous ownership of “name space.” Name change due to marriage/divorce – must go through HR with proper documentation Employees have 500 MB e-mail box. Request to increase must be sent through Helpdesk.

28. Affiliate vs. Guest Accounts Services available: desktop_auth, Blackboard, Library, Wireless Must be “sponsored” by department Affiliate accounts for periods longer than one week Guest accounts for periods less than one week E-mail requires completion of Non-employee ID form

29. Managing IT Security for Extension and Outreach Offices Theresa Semmens NDSU Chief IT Security Officer October, 2009