Computer Security and Awareness at UT

1
Computer Security and Awareness at UT

• Presented to the Professional Development for
  Academic Administrators (PDAA) committee

2
Why should you care about Information Security at
UT?

• Breaches happen here!
• 2007 Dept Administrator had hard drive stolen
  from her desktop computer in office
• 2006 Professor responds to phishing email
  hacker gains access to his mailbox within 1 hr
• 2005 Faculty posts an Excel file with student
  grades on faculty homepage - 150 UT students
  affected and notified (googled)
• 2005 4 university owned laptops are stolen from
  Registrars office, over 2200 students notified

3
Why should you care about Information Security at
UT?

• Federal and State Laws
• FERPA
• HIPAA
• GLBA
• Ohio Notification Law (HB104 - ORC 1347.12)
• University Policy

4
Why should you care about Information Security at
UT?

• Associated cost to UT
• Time and money to investigate
• Notification Process
• Impact to reputation
• Possible penalties if not reported timely
• Internal depts affected (IT, police, compliance,
  legal, communications, administration, offended
  dept)

5
What is Management responsible for?

• Communicate importance of information security
• Make information security training mandatory for
  staff
• Regular communication of security practices
• Standing agenda item
• Be a Security Aware role-model
• Departmental knowledge of information security
• Know physical and information assets
• Review users permissions
• Implementation of information security
• Implementation of security best practices
• Initiate departmental self-assessments
• Follow separation/transfer guidelines established
  by HR
• Discipline of breaches
• Insure proper security practices are implemented
  over departmentally controlled / hosted systems
  data
• Assign individuals in the department to be the
  information security police

6
What are employees responsible for?

• Know and follow Federal / State Laws and
  University policy
• Employees themselves are personally liable for
  the data that they use
• Prevention
• Perform regular self-assessments
• Inventory of sensitive information
• Audit
• Find and move local data
• Take Information security training
• Regular review of information security best
  practices
• Report all computer security concerns
• Ask questions!
• Help others follow security best practices

7
Breach Response Procedures

• Talk to your supervisor (recommended as first
  step)
• Report incident to the Compliance Office (Lynn
  Hutt)
• Anonymous Reporting is always available!!
• Identify possible data that may have been
  compromised
• Respond to requests of the Response Team
• Establish corrective actions for future
  prevention
• Refer to preventive actions described previously!