
Office of Compliance Programs

Digital Security

Information Security Training for LSUHSC Employees and Students

Protecting Yourself and Your University in the Digital World

Revised January 30, 2017

Introduction

Welcome to the Information Security for Basic End Users training module. It is intended for all personnel who have access to LSUHSC’s computing resources and must be renewed on an annual basis.

Information Security at LSUHSC is everyone’s responsibility! During your workday, you probably engage in various computer-related activities (e.g. communicating with others via email, or going to various websites to perform research or access campus resources).

If you don’t follow appropriate security measures during these seemingly harmless activities, you can inadvertently leave your personal data, as well as sensitive University data, open to attack from unauthorized users. These attacks can result in the breakdown of your computer, portable device or LSUHSC’s network.


What is an END USER?

An End User is any employee, student or affiliate who uses the LSUHSC computer infrastructure in the course of work or studies.


What You Need to Know


Goals for Training

End Users Have Responsibilities

What is Information Security?

Information Security is the protection of computing resources and the data that they store or access.

Why is Information Security Important?

Information Security allows the University to carry out its mission by:

Security violations have consequences.

Consequences


Passwords

If Someone Knows Your Username and Password They Can….

Identity Theft


Strong Passwords

Passwords Under Attack

Because passwords are the most common method used to allow users access to computer networks, cracking passwords quickly has become a top priority not only for the independent hacker, but also for governments, organized crime and other organizations seeking unauthorized access to online information.

Recent developments have aided these groups in their quest to illicitly obtain passwords.

The Best Defense

Remembering Passwords

The Characteristics of a Strong Password

Password Examples

How To Create a Strong Password

The “strength” of a password is based upon the number of combinations possible:

Which password is stronger?

Which password is easier to remember?
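The following is an added worked example, not part of the original training module, that makes the "number of combinations" idea concrete: it counts the character classes a password draws from, computes the size of the search space a guesser would have to cover, and compares two candidates. The character-class sizes (26 lowercase, 26 uppercase, 10 digits, 33 symbols including space) and the guess rate used below are constructed assumptions for illustration.

```python
import math
import string

# Character classes a brute-force guesser must cover. Sizes below are for a
# standard US keyboard (constructed assumption for this example).
CLASSES = {
    "lower": set(string.ascii_lowercase),   # 26
    "upper": set(string.ascii_uppercase),   # 26
    "digit": set(string.digits),            # 10
    "symbol": set(string.punctuation + " "),  # 33
}


def charset_size(password: str) -> int:
    """Total size of every character class the password actually uses."""
    return sum(len(chars) for chars in CLASSES.values()
               if any(c in chars for c in password))


def combinations(password: str) -> int:
    """Number of candidate strings of this length drawn from its charset."""
    return charset_size(password) ** len(password)


def entropy_bits(password: str) -> float:
    """Same quantity expressed in bits: log2 of the number of combinations."""
    return math.log2(combinations(password))


def seconds_to_exhaust(password: str, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at the given guess rate."""
    return combinations(password) / guesses_per_second


def stronger(a: str, b: str) -> str:
    """Return whichever password has the larger search space."""
    return a if combinations(a) >= combinations(b) else b


if __name__ == "__main__":
    short_complex = "Passw0rd!"                  # 9 chars, all four classes
    long_simple = "correcthorsebatterystaple"   # 25 chars, lowercase only
    for pw in (short_complex, long_simple):
        print(f"{pw!r}: charset={charset_size(pw)}, "
              f"bits={entropy_bits(pw):.1f}, "
              f"years at 1e10 guesses/s={seconds_to_exhaust(pw, 1e10) / 3.15e7:.2e}")
    print("stronger:", stronger(short_complex, long_simple))
```

Length adds a multiplicative factor per character, which is why the longer all-lowercase passphrase wins by a wide margin; note that this counts only random guessing, so a password built from a dictionary word with predictable substitutions is weaker than its character count suggests.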

How To Make YOUR Password Stronger

LSUHSC Password Policy

Information Security Policies

LSUHSC-NO has two Information Security policies. You should familiarize yourself with both of them.

Chancellor's Memorandum 42 (CM-42) Definitions

Connected

Applies to any person using, or any device that Connects to the LSUHSC IT Infrastructure.

A device is considered Connected to the LSUHSC IT Infrastructure if it is plugged into a wired network jack on campus, connects to the LSUHSC wireless network on campus, or remotely connects to the LSUHSC network via the Internet, a telephone connection, or another remote mechanism.

Examples of remotely connecting include, but are not limited to:

Not Connected

Methods of accessing the LSUHSC network that do NOT meet the definition of Connected include, but are not limited to:

Data

Data is defined as any information residing on the University’s IT Infrastructure or held on any other IT Infrastructure on behalf of the University. These data include files, documents, and messages in any format, including e-mail messages and posts made on any Social Media site maintained by or for the University.

All University data created and/or maintained by a User are also subject to this Policy, even if the data are created and/or stored on the User’s own personal computer, smartphone, or other personal device.

Courts have ruled that, for purposes of e-discovery or public records requests, LSUHSC bears the responsibility for producing the information under penalty of law, whether the information resides on the agency’s own devices or on those of its employees.

Therefore, faculty, staff and students must understand that there is no expectation of privacy regarding LSUHSC Data, even if it resides on one’s personally owned device.


Acceptable Use

End Users are accountable for any violations associated with their User IDs.

The IT infrastructure must only be used in the furtherance of the user’s work as an employee, student or affiliate.

All computer equipment purchased with LSUHSC funds and the electronic data created by it are LSUHSC property.

End Users are not allowed to store personal files on LSUHSC equipment.

End Users must exhibit responsible behavior by complying with:

Proper authorization must be obtained from the supervisor (if an employee) or dean (if a student):


Unacceptable Use

End Users shall NOT:

Permanent Memorandum 36 (PM-36)

PM-36 is the LSU System Information Security Plan. It provides for three classes of information:

PM-36 Definitions

Protected Information

Protected Information includes, but is not limited to:

Restricted Information

Restricted information is limited to a few individuals. It includes but is not limited to:

Public Records

Any email or other electronic file produced in connection with your employment or education at LSUHSC that does not meet the definition of protected or restricted information is considered to be a public record under State law and must be made available to any citizen within 72 hours of the request.

For that reason, any email or other electronic file created or received in connection with your work at LSUHSC must be kept on LSUHSC servers so as to be available in the event of a public records request.

Any email or other electronic file created or received in connection with your work at LSUHSC that resides on your personal device may need to be produced in order to satisfy a public records request.


Contingency Plans

All Protected and Restricted information must have a contingency plan that covers the possible loss of the information due to fire, equipment failure, data corruption, weather, power failure, accidental erasure, etc.

Data Breaches

A Data Breach occurs when sensitive information is accessed by unauthorized persons.

Federal and State laws require that persons whose personal, financial, or health information is compromised by a data breach must be notified that their information has been disclosed.

Information that is encrypted is exempt from these notification requirements.

Data Breaches can expose LSUHSC and its employees to civil and criminal penalties.

Civil monetary penalties for data breaches range from $100 to $50,000 per record.

Criminal penalties include imprisonment for up to ten years.

Examples of Data Breaches

Breaches and Consequences

On February 24, 2011, Massachusetts General Hospital agreed in a settlement to pay $1,000,000.00 to the U.S. government for violations involving the breach of 192 patient records.

On January 7, 2011 Tulane University announced that a university owned laptop was stolen December 29, 2010 that had a file containing private information of each person employed at the university in the past year, according to school officials.

In 2010, New York Presbyterian Hospital and Columbia University Medical Center agreed to pay $4.8 million in monetary payments to DHHS after a faculty member exposed records of 6800 patients to the Internet while operating a file server without appropriate technical safeguards.

Mitigating a Breach

Mitigation of a Breach includes but is not limited to:

The employee’s department or student's school will be held responsible for any data breaches that occur and will bear the expenses incurred in mitigating a breach.

Prevention is The BEST Approach

Data Breaches can be prevented by ensuring that the appropriate safeguards are in place and followed. For example:

Portable Devices

Add extra security measures to prevent device theft by:


Employees who use University owned portable devices should:


Confidentiality/ Safeguards

Additional precautions must be taken when protected information (health or financial information) is stored on a local computer or portable device:

Additional precautions must be taken when protected information (health or financial information) is sent to another location.


Data Security When Traveling

Additional precautions must be taken when accessing protected information (employee, student, health, financial, etc.) from a remote location.

Citrix

An easy way to ensure that you do not leave any sensitive data on a public computer is to use Citrix. It provides access to published Windows desktop environments. These environments have pre-configured applications which may be run without the need to install, configure or update applications on your local workstations. Citrix can be accessed from the Internet and stores information on your “O” drive.

Log on to LSU’s Remote Access Portal and select the Citrix Web Interface option.


Data Hoarding

Another way to reduce the possibility of a breach is to store as little information as possible on your desktop or laptop computer or portable device (smartphone, tablet, thumb drive). With storage capacities allowing you to keep billions of pages of information on something the size of a postage stamp, there is a tendency to simply allow information to accumulate like the stuff in the spare room of your home.

This accumulation occurs whether the device is a smartphone, laptop, or USB or portable hard drive.

What happens when that device is lost or stolen?

If all that was on the device was your e-books or contact list or a copy of your dissertation, then your biggest problem is how to reconstruct the data.

But what if those billions of pages of storage contain patient, student or employee information?

Now you are required to notify each of your patients that you allowed their medical information to be breached. If 500 or more patients are affected, you must also notify the news media.

Don’t Be a Data Hoarder

Review the data on your portable devices periodically and remove anything that you don’t need on a day-to-day basis. If there is a need to retain certain information even though you are not using it frequently, keep it on your O drive.

When a Breach is Suspected

When a breach occurs or is thought to have occurred contact the Office of Compliance Programs immediately:

Compromised Accounts

Indications that your account has been compromised include:

You should contact your computer supporter or the Help Desk if you suspect that someone has tampered with your account.

What Do I Do if I Think my Password Has Been Compromised?

Notify the Help Desk or your computer support personnel.

Change your password immediately. If you need assistance changing your password, ask your computer supporter or the Help Desk or go online to reset your password.

Remember: You are responsible for all activities occurring under your LSU User ID.

Incident Reporting


Notify your local computer supporter or the Help Desk if:

Why Should I Take These Precautions if I Only Use my PC for Reading Email?

Hackers use a technique called “Escalating Privilege” which enables them to turn ANY user account into an administrator account that gives them unrestricted access to our network. All they need is an account to get past the firewall.

Violations Have Consequences

Getting Help

If you have any questions, please contact the Office of Compliance Programs by: