IT Related Policies Password Policy Information Security Policy

  • Slides: 25
IT-Related Policies (Password Policy, Information Security Policy, Appropriate Use Policy), August 2015

Password Policy
• LENGTH: Minimum of 8 characters
• COMPLEXITY:
  – Must contain at least 1 upper case letter
  – Must contain 1 lower case letter
  – Must contain one number OR 1 “special character”
  – May not include the login name
  – May not include personal information
• HISTORY: Passwords may not be reused for 5 years
• MAXIMUM AGE: Passwords must be reset every 120 days.
• PROTECTION: Sharing Is Not Permissible
  – Users may NEVER share a password with ANY other person, including supervisors and ITS Personnel.
  – Users may NEVER write their password down on a piece of paper or “post-it” note in an effort to keep from forgetting it.
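The LENGTH, COMPLEXITY, HISTORY and MAXIMUM AGE rules above are concrete enough to turn into an automated check. The following is an added example, not code from the presentation or from the College's IT department: the rule values (8 characters, upper and lower case, number or special character, no login name, no personal information, 5-year history, 120-day maximum age) come from the slide, while the function names, the salted PBKDF2 history store, the set of characters treated as “special”, the substring test for personal information and the sample user are assumptions made for the example.

```python
"""Checker for the password rules on the slide above (added example; rule values
from the slide, everything else assumed for illustration)."""
import hashlib
import hmac
import os
from datetime import date, timedelta

MIN_LENGTH = 8          # LENGTH: minimum of 8 characters
HISTORY_YEARS = 5       # HISTORY: no reuse for 5 years
MAX_AGE_DAYS = 120      # MAXIMUM AGE: reset every 120 days
# Assumed definition of "special character" (the slide does not list them).
SPECIAL_CHARS = set("!@#$%^&*()-_=+[]{};:'\",.<>/?\\|`~")


def check_complexity(password, login_name, personal_info=()):
    """Return the LENGTH/COMPLEXITY rules the password breaks (empty list = passes)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in password):
        problems.append("no upper case letter")
    if not any(c.islower() for c in password):
        problems.append("no lower case letter")
    if not any(c.isdigit() or c in SPECIAL_CHARS for c in password):
        problems.append("no number or special character")
    lowered = password.lower()
    if login_name and login_name.lower() in lowered:
        problems.append("contains the login name")
    # A case-insensitive substring match against the user's known details
    # (names, birth year, ...) is an assumed approximation of the
    # "may not include personal information" rule.
    for item in personal_info:
        if len(item) >= 3 and item.lower() in lowered:
            problems.append(f"contains personal information ({item})")
    return problems


def _digest(password, salt):
    # Salted PBKDF2 so the stored history does not reveal old passwords directly.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 50_000)


class PasswordHistory:
    """Per-user record of when each password was set, kept as salted hashes."""

    def __init__(self, salt=None):
        self.salt = salt if salt is not None else os.urandom(16)
        self.entries = []  # (date_set, digest) pairs

    def add(self, password, when):
        self.entries.append((when, _digest(password, self.salt)))

    def reused_within_history(self, password, today):
        """True if the candidate matches any password set in the last HISTORY_YEARS."""
        cutoff = today - timedelta(days=365 * HISTORY_YEARS)
        candidate = _digest(password, self.salt)
        return any(when >= cutoff and hmac.compare_digest(stored, candidate)
                   for when, stored in self.entries)

    def current_age_days(self, today):
        """Days since the most recent password was set, or None if there is none."""
        if not self.entries:
            return None
        return (today - max(when for when, _ in self.entries)).days

    def reset_required(self, today):
        """True once the current password is MAX_AGE_DAYS old (or none exists)."""
        age = self.current_age_days(today)
        return age is None or age >= MAX_AGE_DAYS


def validate_new_password(password, login_name, personal_info, history, today):
    """All policy violations for a proposed new password; empty list means accepted."""
    problems = check_complexity(password, login_name, personal_info)
    if history.reused_within_history(password, today):
        problems.append(f"reused within the last {HISTORY_YEARS} years")
    return problems


if __name__ == "__main__":
    # Constructed sample user: login "jdoe", name Jane Doe, born 1990.
    history = PasswordHistory()
    history.add("Autumn-Leaf-2014", date(2014, 6, 1))
    today = date(2015, 8, 1)
    print("reset required:", history.reset_required(today))
    for candidate in ["jdoe1990", "Autumn-Leaf-2014", "Maple-Syrup-77"]:
        result = validate_new_password(candidate, "jdoe", ["Jane", "Doe", "1990"],
                                       history, today)
        print(candidate, "->", result or "OK")
```

The checker reports every rule a candidate breaks rather than stopping at the first, which is what a user-facing change-password form needs; the history store only ever sees salted hashes, so a leaked history file does not hand out the previous five years of passwords.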

Information Security Policy

Information Security Policy
• WHY???
• Legislation & Industry “Best Practices”
  – Gramm Leach Bliley Act (GLBA)
  – Family Education Rights and Privacy Act (FERPA)
  – Payment Card Industry Data Security Standard (PCI-DSS)
  – Fair and Accurate Credit Transactions Act (FACTA)
  – Communications Assistance for Law Enforcement Act (CALEA)

Information Security Policy
• Primary Goal
  – To ensure all Confidential and Sensitive Information (CSI) maintained by the College is protected in a manner that is in compliance with all relevant legislation, industry best practices, and the values of the College

Information Security Policy
• Other Goals
  – Define what information is confidential and sensitive
  – Define what information is considered public
  – Outline employee responsibilities when working with “CSI”
  – Provide a process for reporting a security breach related to “CSI”
  – Provide guidelines on how to communicate information security requirements to vendors
  – Summarize the laws and other guidelines that impact the Information Security Policy

Types of Information
• Electronic Information
  – Stored on network servers, PC workstations, or magnetic or optical storage media
• Hard Copy (Paper) Information
  – Stored in file cabinets

Confidential and Sensitive Information (CSI)
• Social Security Number
• Social Insurance Number (Medicare #)
• Date of Birth
• Driver’s License Number
• Customer Identifiers
  – Employee ID (EMPL ID)
  – Library ID
• Credit Card Number
  – PAN, CVV, Expiration date
• Bank Account Numbers
• Tax ID
• Passwords
• Medical Records
  – Doctor names
• Insurance Policy/Claim Information

Public Information
• Also called “Directory Information”; may be shared with the general public.
  – Name (First, Middle, Last)
  – Local Address
  – Local Telephone Number
  – HCC E-Mail Address
  – Photograph (of Athletes)
  – Dates of Attendance (at HCC)
  – Major Field of Study
  – Participation in officially recognized activities, organizations, and teams
  – Weight/Height of Athletic Team Members
  – Degrees, certificates, honors received at HCC
  – Enrollment Status (FT/PT)
  – Institutions Previously Attended
  – Student Login Name

Employee Responsibilities
• May not divulge, copy, release, review, or destroy CSI unless properly authorized as part of official job duties
• Properly authorized employees MUST destroy CSI that is no longer needed.
• Must protect CSI regardless of its location or format (electronic or paper)
• Must safeguard all types of access to CSI (keys, ID cards, passwords)
• Required to report suspicious activity regarding CSI to their supervisor as soon as possible

Information Security Do’s
• Do keep your computer’s operating system and other software updated with the latest security patches
• Be wary of unsolicited messages (Phishing)
• Use a SPAM filter to keep unwanted email out of your inbox
• Be sure you are connected to a certified, encrypted web site when transmitting any sensitive information (“https:” in the URL and padlock in the lower right corner of the browser)
• Do shred all hard copy CSI when it is no longer needed
• Scan your computer for Spyware regularly
• Lock your computer with a password protected screen saver when you leave your computer during the workday.
• Lock or log off your computer when you leave work for the day

Information Security Don’ts
• Don’t click on links or attachments in e-mails when the source is not known to you
• Don’t use forms embedded in the body of an e-mail
• Don’t download and install freeware without having IT staff investigate it first.
• Don’t share your password with others
• Don’t leave CSI out in the open (on your desk)
• Don’t store CSI on thumb drives, laptops, or other mobile devices that can easily be lost or stolen
• Don’t use any illegal file sharing web sites

Appropriate Use Policy
Purpose: to safeguard the technology infrastructure at the College for all users of College technology resources.

Access to Technology
• All employees are given a network account, e-mail account, and individual storage space on the network.
• All employees are allowed to use computers in offices or labs.
• All employees have the ability to use the College’s wi-fi network.
• Sharing of network accounts and/or passwords is NOT PERMISSIBLE!

Account Deactivation
• Any employee account can be deactivated at the request of the employee’s supervisor, the Executive Director of HR, or a member of the Senior Leadership Team.
• When HR notifies the IT Department that an employee has been terminated, their network account is demoted to “Student Level” authorization
  – If there is no activity on the account for one year, the account is removed.

Use of Resources for Profit
• 4.4 Use of HCC Technology resources for commercial purposes (such as operating a privately owned business) is strictly prohibited

4.5 - Install/Remove Software
• 4.5.3 – Installing Software on Computers
  – Unless authorization is obtained from IT, employees are prohibited from installing software on HCC computers
• 4.5.4 – Removal of Software
  – The IT Dept. retains the right to remove any personally owned software or shareware/freeware software as necessary
    · Troubleshooting
    · License compliance
    · Copyright

4.6 - Hardware Install/Removal
• The IT Dept is responsible for acquiring, installing, moving and removing hardware devices in classrooms/labs and offices.
• Please get permission to add/remove hardware in your office area.
  – Call the IT Hotline. We will assist.
  – Make sure we know who owns equipment
  – IT retains the right to disconnect personally owned equipment if necessary.

4.7 - Electronic Comm. Use
• All e-mail communication is subject to disclosure to the public under the Illinois Freedom of Information Act.
• Please refrain from inappropriate electronic communication
  – Fraudulent
  – Harassment
  – Mass Communication (hoax/chain letters, etc.)

Check Your E-mail
• 4.7.1 – Electronic Communication Responsibilities
  – All employees are required to check their e-mail for distribution of College information at least one time per week unless off-campus due to official leave
• Why???
  – HCC uses e-mail as a primary method of communication to all employees.

4.8 - Internet Use
• Be sensitive to others when viewing or listening to Internet Content
• Downloading/uploading copyrighted content outside the “Fair Use” rules is prohibited
• Peer-to-Peer file sharing technology should not be used to distribute or acquire copyrighted content (music, movies, etc.)
• Uploading/downloading/viewing pornographic materials is prohibited.
  – Legal, sexually explicit (literary/artistic) materials that are relevant to courses are not considered pornographic in purpose. Use discretion.

4.12 - Cloud Services
• Cloud Storage – Dropbox, Google Drive…
  – Employees may use these services; however, no “Confidential and Sensitive Information” may be stored in these types of storage services

4.13 BYOD
• Personal devices such as smart phones and tablets may be used on the HCC network.
• Employees are allowed to synchronize their calendar and email on these devices.
  – All Personal Devices that are synchronized to Heartland services must have a screen lock password or PIN enabled.

Activity Monitoring
• Resource Activity Monitoring
  – HCC reserves the right to monitor its computing resources.
    · The interest of maintaining the integrity of the College outweighs privacy and confidentiality interests
    · Employees DO NOT have a privacy expectation in any technology resources including e-mail

Access Without Consent
• File access without the consent of the employee may occur.
  – Authorized by Cabinet member or CIO
  – Conducted by an IT employee & documented
  – Employee notified (before, during, or after depending on circumstances)
• Why?
  – Emergency – virus
  – Reasonable Cause – violation of HCC policies, federal/state laws
• Deleted files are not necessarily “gone”