Information Security and Document Protection - PowerPoint PPT Presentation

Provided by: timothy1
1
Information Security and Document Protection
  • California State University, Fullerton
  • Employee Training Development
  • Last Updated June 2005

2
Why is Information Security and Document
Protection important?
  • Data on over 600,000 students and employees was
    lost or stolen in 2004 by California
    Universities.
    http://www.msnbc.msn.com/id/5905423/
  • In March 2005, University of California, Berkeley
    had 100,000 student records lost.
    http://www.msnbc.msn.com/id/7320552/
  • The incidents of having sensitive personal
    information lost or stolen are on the rise.

3
Why is Information Security and Document
Protection important?
  • In May, 2005 CitiBank had 3.9 million current and
    former credit card holders' financial data
    stolen.
    http://www.msnbc.msn.com/id/8119720/
  • In 2005, Bank of America has had at least 1.9
    million financial records lost or stolen.
    http://www.msnbc.msn.com/id/7954620/ and
    http://www.msnbc.msn.com/id/7032779/
  • These are a few of the known examples of mass
    information theft in the recent past. There are
    probably many more unknown incidents as well.

4
Why is Information Security and Document
Protection important?
  • This personal information is highly sought after.
    Personal information on students is particularly
    valuable because they often represent clean or
    empty credit records that new identities can be
    built on.
  • California State University, Fullerton has a
    responsibility both under state and federal law
    to take steps to ensure private information is
    kept confidential.

5
Why is Information Security and Document
Protection important?
  • State and Federal Laws include the following:
  • All necessary means must be taken to ensure and
    protect the confidentiality of personal
    information.
  • California Statute 1798.29 (e) states: For
    purposes of this section, "personal information"
    means an individual's first name or first initial
    and last name in combination with any one or more
    of the following data elements, when either the
    name or the data elements are not encrypted:
  • (1) Social security number.
  • (2) Driver's license number or California ID Card
    number.
  • (3) Account number, credit or debit card number,
    in combination with any required security code,
    access code, or password that would permit access
    to an individual's financial account.

6
Why is Information Security and Document
Protection important?
  • State and Federal Laws include the following:
  • When confidential information is lost, the
    persons who are affected must be informed as soon
    as possible.
  • When confidential information is stolen, it must
    be reported to law enforcement and the persons
    affected notified as soon as possible.
  • The collection and maintaining of confidential
    information should only be done when absolutely
    needed and only kept for as long as absolutely
    needed.
  • It is against California law to knowingly conceal
    the loss or theft of confidential personal
    information.
  • Confidential information must be destroyed in a
    way that it cannot be recovered.

7
What are some of the ways information is stolen
or lost?
  • Storing information in an insecure location or
    careless handling of information
  • Open access to computer systems
  • Insecure file shares
  • Spyware or peer-to-peer file sharing software can
    leave information vulnerable
  • Computer systems can be hacked or broken into

8
What kinds of information need to be protected?
  • Confidential Information and Sensitive
    Information
  • Social Security Numbers and Campus Wide IDs.
  • Financial information, including but not limited
    to bank account numbers, insurance policy
    numbers, and credit or debit card numbers.
  • Driver's license or state ID numbers.

9
What kinds of information need to be protected?
  • Medical information, including but not limited to
    doctors' reports, prescriptions, and medical
    history.
  • Private student information including but not
    limited to grades and performance measures.
  • Employee and Student records containing personal
    information.

10
What kinds of information need to be protected?
  • Employee performance information including but
    not limited to performance evaluations and
    discipline letters.
  • Dates of birth when they include the year.
  • Login information, passwords, PIN numbers, and
    account numbers.
  • Any information that if published could damage
    the university, its employees or students.

11
How is information secured?
  • Four Areas of concern for Information Security:
  • Creation and Access Control: both print and
    electronic media.
  • Workstation Security
  • Document Protection
  • Proper Disposal of Information

12
How is information secured?
  • Four Areas of concern for Information Security

13
Creation and Access Control for both printed
and electronic media
  • Does the information really need to be created?
    Limit the number of documents that have
    confidential information to an absolute minimum.
  • Limit the number of copies of a file that
    contains confidential information.
  • Limit the transportation of the information.
  • Make sure proper permission levels are maintained
    on any network file shares.

14
Creation and Access Control for both printed
and electronic media
(Continued)
  • Remove unneeded confidential information from
    documents if or when possible. You might need the
    confidential information in one copy, but be able
    to remove the information prior to transferring
    it somewhere.
  • Who has access to the information? Know who has
    access to the information and who has copies of
    what.
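
An added example (not part of the original presentation): a small Python filter that removes two of the data elements listed earlier, Social Security numbers and card numbers, from text before a copy is transferred. The number formats are assumptions (US-style), the sample text is constructed, and the function names are hypothetical.

```python
import re

# Assumed formats: US-style SSN (AAA-GG-SSSS) and 13-19 digit card numbers
# with optional single space/hyphen separators.
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")

# Constructed sample text; none of these values belong to a real person.
SAMPLE = ("Jane Doe, SSN 123-45-6789, paid with card 4111 1111 1111 1111. "
          "Tracking code 1234 5678 9012 3456, form id 000-12-3456.")


def luhn_ok(digits):
    """Luhn checksum: separates card numbers from other long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def plausible_ssn(area, group, serial):
    """Reject area/group/serial values that are never issued."""
    return (area not in ("000", "666") and area[0] != "9"
            and group != "00" and serial != "0000")


def redact(text):
    """Return (redacted_text, kinds_found); matched values are not kept."""
    kinds = []

    def ssn_sub(m):
        if not plausible_ssn(*m.groups()):
            return m.group(0)
        kinds.append("ssn")
        return "[SSN REMOVED]"

    def card_sub(m):
        if not luhn_ok(re.sub(r"\D", "", m.group(0))):
            return m.group(0)
        kinds.append("card")
        return "[CARD NUMBER REMOVED]"

    text = CARD_RE.sub(card_sub, SSN_RE.sub(ssn_sub, text))
    return text, kinds
```

Calling `redact(SAMPLE)` leaves the tracking code and the form id in place, because the first fails the Luhn check and the second uses an area number that is never issued as an SSN.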

15
Creation and Access Control for both printed
and electronic media
(Continued)
  • Retain information only as long as there is an
    immediate need or as required by statute.
  • Limit access to information for only as long as
    an individual has need.
  • Departments should establish guidelines for who
    has access to what kinds of information and
    guidelines for how it is created, handled and
    transferred.
  • Email is not a secure way to send unencrypted
    confidential data.

16
Workstation Security
  • Do not leave computers logged in and unattended.
    Either lock the workstation or log out when you
    leave and restart your workstation at the end of
    the day.
  • Do not install software from unknown sources.
  • Make sure your computer and its applications are
    properly patched.
  • Do not install peer-to-peer file sharing software.

17
Workstation Security (continued)
  • Do not open attachments in email you are unsure
    of. It is better to delete the message with an
    attachment you are uncertain of.
  • Use virus protection and spyware protection
    software. Have Campus Information Technology
    (x7777) check your computer for spyware.
  • Use complex passwords and never share passwords
    or log in information.

18
Document Protection and Encryption
  • File Share Permissions
  • Document Protection and Passwords
  • File System level encryption. Tutorial:
    http://etd.fullerton.edu/cbt/windows/Campus_File_Encryption.htm
  • Document level encryption. Tutorial:
    http://etd.fullerton.edu/cbt/windows/WinZip_Encryption.htm

19
Proper Disposal of Information
  • Information should be disposed of when it is no
    longer needed.
  • Proper disposal of printed materials: Destroy
    all unneeded printed materials completely and in
    accordance with state and federal law.
  • Use a Confetti Shredder or a document destruction
    company.
  • Proper disposal of removable electronic media:
    Floppy Disks, CD-ROMs, etc.

20
Proper Disposal of Information (continued)
  • Proper disposal of confidential information
  • In some cases this will mean deleting the
    confidential information from a document and
    retaining the document itself
  • In other cases the whole document will be
    destroyed
  • Deleting a file does not remove it from a disk.
    Use file shredding software.
  • File Shredder for Windows:
    http://etd.fullerton.edu/cbt.htm
  • Wipe Hard Drives that have had confidential
    information on them, prior to them leaving your
    control. Contact Campus IT.

21
Thank you for your participation in our seminar
  • If you have further questions or need additional
    assistance, please call x4178 to set up an
    appointment for help.