Office of Compliance Programs

Information Security Training for LSUHSC Employees and Students

Protecting Yourself and Your University in the Digital World

Revised January 30, 2018

Introduction

Welcome to the Information Security for Basic End Users training module. It is intended for all personnel who have access to LSUHSC’s computing resources and must be renewed on an annual basis.

Information Security at LSUHSC is everyone’s responsibility! During your workday, you probably engage in various computer-related activities (e.g. communicating with others via email, or going to various websites to perform research or access campus resources).

If you don’t follow appropriate security measures during these seemingly harmless activities, you can inadvertently leave your personal data, as well as sensitive University data, open to attack from unauthorized users. These attacks can result in the breakdown of your computer, portable device or LSUHSC’s network.

What is an END USER?

An End User is any employee, student or affiliate who uses the LSUHSC computer infrastructure in the course of work or studies.

What You Need to Know

Goals for Training

End Users Have Responsibilities

What is Information Security?

Information Security is the protection of computing resources and the data that they store or access.

Why is Information Security Important?

Information Security allows the University to carry out its mission by:

Security violations have serious consequences.

Consequences

Passwords

If Someone Knows Your Username and Password They Can…

Identity Theft

Strong Passwords

Passwords Under Attack

Because passwords are the most common method used to allow users access to computer networks, cracking passwords has become a top priority not only for the independent hacker, but also for foreign governments, organized crime and other organizations seeking unauthorized access to online information.

Recent developments have aided these groups in their quest to illicitly obtain passwords.

The Best Defense

Remembering Passwords

The Characteristics of a Strong Password

Password Examples

How To Create a Strong Password

The “strength” of a password is based upon the number of combinations possible:

Which password is stronger?

Which password is easier to remember?

Tips on using phrases or sentences as passwords:
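To make the "number of combinations" argument concrete, here is an added example (not part of the LSUHSC module) that sizes the search space for a short complex password against a long plain phrase, the two cases the questions above compare. The character-pool sizes, the guessing rate and the sample passwords are constructed assumptions.

```python
import math
# Character classes and the pool size each contributes (constructed
# assumptions: printable ASCII, counting 32 punctuation symbols).
CLASSES = (
    ("lower", 26, str.islower),
    ("upper", 26, str.isupper),
    ("digit", 10, str.isdigit),
    ("space", 1, str.isspace),
    ("symbol", 32, lambda c: not c.isalnum() and not c.isspace()),
)
GUESSES_PER_SECOND = 1e10  # assumed offline cracking rate (constructed)

def pool_size(password: str) -> int:
    """Smallest character pool that covers every class the password uses."""
    return sum(size for _, size, uses in CLASSES if any(uses(c) for c in password))

def combinations(password: str) -> int:
    """Number of same-length passwords drawn from the same pool."""
    return pool_size(password) ** len(password)

def entropy_bits(password: str) -> float:
    """log2 of the search space; each extra bit doubles the attacker's work."""
    return math.log2(combinations(password))

def expected_crack_seconds(password: str, rate: float = GUESSES_PER_SECOND) -> float:
    """Brute force hits the password, on average, halfway through the space."""
    return combinations(password) / 2 / rate

def human_duration(seconds: float) -> str:
    for unit, size in (("years", 365 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:.1f} seconds"

def report(password: str) -> str:
    return (f"{password!r}: pool {pool_size(password)}, length {len(password)}, "
            f"{entropy_bits(password):.1f} bits, "
            f"~{human_duration(expected_crack_seconds(password))} to crack")

# Constructed samples: a short "complex" password versus a plain phrase.
# Caveat: raw combinations overstate strength for dictionary words and
# substitutions like "0" for "o"; pattern-aware checkers rate those lower.
SHORT_COMPLEX = "P@ssw0rd!"
PASSPHRASE = "the river froze twice this winter"

if __name__ == "__main__":
    for pw in (SHORT_COMPLEX, PASSPHRASE):
        print(report(pw))
```

The phrase wins on pool math by many orders of magnitude even though it uses only lowercase letters and spaces, which is the point of the phrase tips above; the caveat in the comments is why a pattern-aware checker such as the one the module links is still worth running.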

How To Make YOUR Password Stronger

You can test the strength of your password by going to www.passfault.com.

Can You Make a Stronger Password than the LSUHSC-NO Compliance Officer?

Passfault

The above image shows how long it would take to crack one of the passwords used by the LSUHSC-NO Compliance Officer, Roy Clay. Can you make a password that takes longer to crack? If you can, take a screenshot of the www.passfault.com screen and email it as an attachment to rclay1@lsuhsc.edu.

LSUHSC Password Policy

Information Security Policies

LSUHSC-NO has two Information Security policies. You should familiarize yourself with both of them.

Chancellor's Memorandum 42 (CM-42) Definitions

Connected

Applies to any person using, or any device that connects to, the LSUHSC IT Infrastructure.

A device is considered Connected to the LSUHSC IT Infrastructure if it is plugged into a wired network jack on campus, connects to the LSUHSC wireless network on campus, or remotely connects to the LSUHSC network via the Internet, a telephone connection, or another remote mechanism.

Examples of remotely connecting include, but are not limited to:

Not Connected

Methods of accessing the LSUHSC network that do NOT meet the definition of Connected include, but are not limited to:

Data

Data is defined as any information residing on the University’s IT Infrastructure or held on any other IT Infrastructure on behalf of the University. These data include files, documents, and messages in any format, including e-mail messages and posts made on any Social Media site maintained by/for the University.

All University data created and/or maintained by a User are also subject to this Policy, even if the data are created and/or stored on the User’s own personal computer, smartphone, or other personal device.

Courts have ruled that, for purposes of e-discovery or public records requests, LSUHSC bears the responsibility for producing the information under penalty of law, whether the information resides on the agency’s own devices or on those of its employees.

Therefore, faculty, staff and students must understand that there is no expectation of privacy regarding LSUHSC Data, even if it resides on one’s personally owned device.

Acceptable Use

End Users are accountable for any violations associated with their User IDs.

The IT infrastructure must only be used in the furtherance of the user’s work as an employee, student or affiliate.

All computer equipment purchased with LSUHSC funds and the electronic data created by it are LSUHSC property.

End Users are not allowed to store personal files on LSUHSC equipment.

End Users must exhibit responsible behavior by complying with:

Proper authorization must be obtained from the supervisor (if an employee) or dean (if a student):

Unacceptable Use

End Users shall NOT:

Permanent Memorandum 36 (PM-36)

PM-36 is the LSU System Information Security Plan. It provides for three classes of information:

PM-36 Definitions

Protected Information

Protected Information includes, but is not limited to:

Restricted Information

Restricted information is limited to a few individuals. It includes, but is not limited to:

Public Records

Any email or other electronic file produced in connection with your employment or education at LSUHSC that does not meet the definition of protected or restricted information is considered to be a public record under State law and must be made available to any citizen within 72 hours of the request.

For that reason, any email or other electronic file created or received in connection with your work at LSUHSC must be kept on LSUHSC servers so as to be available in the event of a public records request.

Any email or other electronic file created or received in connection with your work at LSUHSC that resides on your personal device may need to be produced in order to satisfy a public records request.

Contingency Plans

All Protected and Restricted information must have a contingency plan that covers the possible loss of the information due to fire, equipment failure, data corruption, weather, power failure, accidental erasure, etc.

Data Breaches

A Data Breach occurs when sensitive information is accessed by unauthorized persons.

Federal and State laws require that persons whose personal, financial, or health information is compromised by a data breach must be notified that their information has been disclosed.

Information that is encrypted is exempt from these notification requirements.

Data Breaches can expose LSUHSC and its employees to civil and criminal penalties.

Civil monetary penalties for data breaches range from $100 to $50,000 per record.

Criminal penalties include imprisonment for up to ten years.

Examples of Data Breaches

Breaches and Consequences

In 2017, Anthem Inc., the largest U.S. health insurance company, agreed to settle litigation over hacking in 2015 that compromised about 79 million people’s personal information for $115 million, the largest settlement for a data breach to date.

April 6, 2017: The IRS revealed that up to 100,000 taxpayers may have had their personal information stolen in a scheme involving the IRS Data Retrieval Tool, which is used to complete the Free Application for Federal Student Aid (FAFSA). In March 2017, federal officials observed a potential data breach and took the tool down. The IRS said it shut down the Data Retrieval Tool because identity thieves who had obtained some personal information outside of the tax system were possibly using the tool to steal additional data. The agency suspects that fewer than 8,000 fraudulent returns were filed and processed and refunds issued, costing $30 million. 52,000 returns were stopped by IRS filters, and 14,000 illegal refund claims were halted as well.

Yahoo announced that an email hack that occurred in August 2013 compromised over three billion of its user accounts.

On January 7, 2011, Tulane University announced that a university-owned laptop stolen on December 29, 2010 contained a file with private information on each person employed at the university in the past year, according to school officials.

In 2010, New York Presbyterian Hospital and Columbia University Medical Center agreed to pay $4.8 million in monetary payments to DHHS after a faculty member exposed the records of 6,800 patients to the Internet while operating a file server without appropriate technical safeguards.

Mitigating a Breach

Mitigation of a Breach includes but is not limited to:

The employee’s department or student's school will be held responsible for any data breaches that occur and will bear the expenses incurred in mitigating a breach.

Prevention is the BEST Approach

Data Breaches can be prevented by ensuring that the appropriate safeguards are in place and followed. For example:

Portable Devices

Add extra security measures to prevent device theft by:

Portable Devices

Employees who use University owned portable devices should:

Confidentiality / Safeguards

Additional precautions must be taken when protected information (health or financial information) is stored on a local computer or portable device:

Additional precautions must be taken when protected information (health or financial information) is sent to another location.

Data Security When Traveling

Additional precautions must be taken when accessing protected information (employee, student, health, financial, etc.) from a remote location.

Citrix

An easy way to ensure that you do not leave any sensitive data on a public computer is to use Citrix. It provides access to published Windows desktop environments. These environments have pre-configured applications which may be run without the need to install, configure or update applications on your local workstation. Citrix can be accessed from the Internet and stores information on your “O” drive.

Log on to LSU’s Remote Access Portal and select the Citrix Web Interface option.

Data Hoarding

Another way to reduce the possibility of a breach is to store as little information as possible on your desktop or laptop computer or portable device (smartphone, tablet, thumb drive). With storage capacities allowing you to keep billions of pages of information on something the size of a postage stamp, there is a tendency to simply allow information to accumulate like the stuff in the spare room of your home.

This accumulation occurs whether the device is a smartphone, laptop, or USB or portable hard drive.

What happens when that device is lost or stolen?

If all that was on the device was your e-books or contact list or a copy of your dissertation, then your biggest problem is how to reconstruct the data.

But what if those billions of pages of storage contain patient, student or employee information?

Now you are required to notify each of your patients that you allowed their medical information to be breached. If 500 or more patients are affected, you must also notify the news media.

Don’t Be a Data Hoarder

Review the data on your portable devices periodically and remove anything that you don’t need on a day-to-day basis. If there is a need to retain certain information even though you are not using it frequently, keep it on your O drive.

When a Breach is Suspected

When a breach occurs or is thought to have occurred, contact the Office of Compliance Programs immediately:

Compromised Accounts

Indications that your account has been compromised include:

You should contact your computer supporter or the Help Desk if you suspect that someone has tampered with your account.

What Do I Do if I Think my Password Has Been Compromised?

Notify the Help Desk or your computer support personnel.

Change your password immediately. If you need assistance changing your password, ask your computer supporter or the Help Desk or go online to reset your password.

Remember: You are responsible for all activities occurring under your LSU User ID unless you have notified the Help Desk or your computer supporter that your account has been compromised.

Incident Reporting

Notify your local computer supporter or the Help Desk if:

Why Should I Take These Precautions if I Only Use my PC for Reading Email?

Hackers use a technique called “privilege escalation” that enables them to turn ANY user account into an administrator account, which gives them unrestricted access to our network. All they need is an account to get past the firewall.

Violations Have Consequences

Getting Help

If you have any questions, please contact the Office of Compliance Programs by: