Office of Compliance Programs
Information Security Training for
LSUHSC Employees and Students
Protecting Yourself and Your
University in the Digital World
Revised January 30, 2017
Welcome to the Information
Security for Basic End User's training
module. It is intended for all personnel who have access
to LSUHSC’s computing resources and must be renewed on an annual basis.
Information Security at LSUHSC is everyone’s responsibility! During
your workday, you probably engage in various computer related
activities (e.g. communicating with others via email, or going to
various websites to perform research or access campus resources).
If you don’t follow appropriate security measures during these
seemly harmless activities, you can inadvertently leave your personal
data, as well as sensitive University data, open to attack from
unauthorized users. These attacks can result in the breakdown of your
computer, portable device or LSUHSC’s network.
What is an END USER?
An End User is any employee, student or affiliate who uses the
LSUHSC computer infrastructure in the course of work or studies.
What You Need to Know
- End User Responsibilities
- Password Management Procedures
- LSUHSC Security Policies
- Confidentiality/ Safeguards
- Compromised Accounts
Goals for Training
- Educate End Users about Information Security.
- Provide information on the role each End User plays in protecting
our network and data.
End Users Have Responsibilities
- Comply with LSUHSC Security Policies (CM-42 & PM-36).
- Use computer resources responsibly.
- Create strong passwords.
- Use the computer for authorized purposes only (e.g. job-related
or school related).
- Participate in the protection of electronic resources and data.
- Take reasonable precautions to avoid introducing computer viruses
into the network.
- Stay up-to-date with your compliance training.
What is Information Security?
Information Security is the protection of computing resources and
the data that they store or access.
Why is Information Security
Information Security allows the University to carry out its mission
- Enabling people to carry out their jobs, education, and research.
- Supporting critical business processes.
- Protecting personal and sensitive information.
Security violations have consequences.
- Risk to integrity of confidential information (e.g. data
corruption, destruction, unavailability of patient information in an
- Risk to security of personal information (e.g. identity theft).
- Loss of confidentiality, integrity & availability of data
- Embarrassment, bad publicity, media coverage, news reports.
- Loss of patients’ trust, employee and public trust.
- Costly reporting requirements.
- Internal disciplinary action(s), termination of employment or
- Penalties, prosecution and potential for sanctions/lawsuits.
- Your use of a strong password is critical to secure Protected and
- Your password is like the lock on your house (you want it to be
as strong as possible).
If Someone Knows Your Username and
Password They Can….
- Read your emails
- Respond to your emails as if they were you
- Have the same access to all the information you have
- Have you blamed for offenses they commit using your User ID
- Execute financial transactions in your name
- Access information on your patients
- Steal your identity
- The action of one person revealing his/her User ID & password
threatens other innocent members of LSUHSC and subject them to Identity
- Identity thieves may rent an apartment, obtain credit, or
establish a telephone account.
- Consumers victimized by Identity Theft may lose out on job
opportunities, or be denied loans for education, housing, or cars
because of negative information on their credit reports.
- Victims are cheated out of millions of dollars and spend months
to years repairing damage to their good name and credit record.
- No password is unbreakable.
- Given enough time and computing power a hacker can crack any
Passwords Under Attack
Because passwords are the most common method used to allow users
access to computer networks, cracking passwords quickly has become a
top priority not only for the independent hacker, but also for
governments, organized crime and other organizations seeking
unauthorized access to online information.
Recent developments have aided these groups in their quest to
illicitly obtain passwords.
- New software that turns computer video cards into password
- Internet search engine software has been turned to cracking
- Breaches of large networks such as Sony, Gawker, and RockYou have
made millions of passwords public, allowing hackers to identify
patterns in how the average network user creates a password.
- Social Engineering scams to trick individuals into revealing
The Best Defense
- Choose passwords that take considerable time to break (given
commonly available computing power).
- Change your password frequently (do not give a would-be hacker
enough time to complete the cracking of your password).
- Never, ever share your password (if someone you don’t know asks
for your password, he/she is up to no good).
- If at all possible, never write down your password.
- As passwords become more complex, it may become necessary to
write down a password to remember it.
- If you must write down your password(s) in order to remember
them, take the following precautions:
- Don’t keep your User ID and its Password together. Store them
separately in a secure location.
- Don’t store your password on or near the computer you use (e.g.
Instead of taping the password to the bottom of your keyboard [really
bad idea], keep it in your glasses case).
- Instead of writing down the password, write down a hint that
remind you of the password.
- Many smartphones have an app for storing passwords securely (but
you need another password to access it).
The Characteristics of a Strong
- Should be long, the longer the better, and difficult to guess.
- Not found in the dictionary.
- Not based on some readily available personal information (e.g.
child’s name, home address, birth date, etc.).
- Contain characteristics from at least three of the four different
case and lower case letters, numbers and special characters).
- Password = “mydogrover”. 10 lower case letters. Ten positions
w/26 possible values for each position or 26 to the 10th power or
- Password = “MyD0gR0ver”. 10 upper and lower case letters and
numbers. Ten positions w/62 possible values for each position or 62 to
the 10th power or
839,299,365,868,340,224 or about 6,000 times as many possible
- Password= “henrysdogrover” 14 lower case letters. Fourteen
positions w/26 possible values for each position or 26 to the 14th
64,509,974,703,297,150,976 possible combinations or 456,000 times as
many possible combinations as “mydogrover”.
- In the first case the number of available characters was more
than doubled from 26 to 62, a difference of 36. The increase resulted
6,000 times as many possible combinations.
- In the second case, the length of the password was increased by
10 characters to 14, a difference of 4. The increase resulted in
456,000 times as many possible combinations.
of a password is based upon the number of combinations possible:
“Eek$_the_beAt1e$@” - 17 characters. U/L case Alphanumeric w/
numbers & special characters or 6617(8,555,529,718,761,317,069,203,003,539.456)
possible combinations.It would take approximately 6 months of
continuous processing to crack
this password using methods described above.
“Alex_hates_avacados$” 20 characters. U/L case Alphabetic and
special characters. 5620
(9.1994219715833035312262062828159 times 10 to the 34th
power) possible combinations. It
would take over twelve years of continuous processing to crack
this password using the methods described above.
easier to remember?
How To Make YOUR Password Stronger
- Make it LONGER – 15
character passwords are much more secure than
10 character passwords.
- Use a larger pool of characters – Passwords containing upper and
lower case letters, numbers and special characters like ‘$’, ‘#’, "@"
‘_’ are more secure than passwords using lower case letters alone for
the same length.
can test the strength of your Password by going to www.passfault.com.
- The password must contain characters from three of the four
- English upper case letters (A-Z)
- English lower case letters (a-z)
- Base 10 digits (0-9)
- Non-alphanumeric characters: ONLY @, #, $ and _
- The first character must be a lower case or an upper case
character (a-z, A-Z).
- The password must be no less than 10 characters (but can be
- The password must be different from the previous 14 passwords
- The password must be changed at least every 70 days, and will
valid for 70 days.
- The password cannot be changed more than once in 24 hours.
- The password cannot contain the User ID as a substring.
- The password cannot contain a string of characters from the
Information Security Polices
LSUHSC-NO has two Information Security policies. You should
familiarize yourself with both of them.
Chancellor's Memorandum 42 (CM-42) Definitions
Applies to any person using, or any device that Connects to the
LSUHSC IT Infrastructure.
A device is considered Connected to the LSUHSC IT Infrastructure if
it is plugged into a wired network jack on campus, connects to the
LSUHSC wireless network on campus, remotely connects to the LSUHSC
network via the Internet, telephone connection, or other remote
Examples of remotely connecting include, but are not limited to:
- Using the remote.lsuhsc.edu VPN “Network Connect” option
- Logging on to Citrix (Desktop-New or PSDesktop) on campus
- Using a mobile device that is on a cellular network and uses
ActiveSync to access email (sometimes called “push” email)
Methods of accessing the LSUHSC network that do NOT meet the
definition of Connected include, but are not limited to:
- Using the remote.lsuhsc.edu VPN with the “Web Connect” option
- Using Outlook Web Access (OWA) off campus
- Logging on to Citrix (Desktop or PSDesktop) off campus
Data is defined as any information residing on the University’s IT
Infrastructure or held on any other IT Infrastructure on behalf of the
University. These data includes files, documents, messages in any
format, including e-mail messages and posts made on any Social Media
site maintained by/for the University.
All University data created and/or maintained by a User are also
subject to this Policy, even if the data are created and/or stored on
the User’s own personal computer, smartphone, or other personal device.
Courts have ruled that for purposes of e-discovery or public records
requests, whether the information resides on the agency’s own devices
or those of its employees. LSUHSC bears the responsibility for
producing the information under penalty of law.
Therefore, faculty, staff and students must understand that there is
no expectation of privacy regarding LSUHSC Data, even if it resides on
one’s personally owned device.
End Users are accountable for any violations associated with their
The IT infrastructure must only be used in the furtherance of the
user’s work as an employee, student or affiliate.
All computer equipment purchased with LSUHSC funds and the
electronic data created by it are LSUHSC property.
End Users are not allowed to store personal files on LSUHSC
End Users must exhibit responsible behavior by complying with:
- All Federal and State laws
- LSUHSC rules and policies
- Terms and computing contracts
- Software licensing rules
Proper authorization must be obtained from the supervisor (if an
employee) or dean (if a student):
- To use LSUHSC computing resources
- Before accessing or sharing data
End Users shall NOT:
- Engage in any activity that jeopardizes the availability,
performance, integrity, or security of the IT infrastructure.
- Use computing resources in a wasteful manner.
- Use IT resources for personal gain or commercial purposes not
directly related to their jobs.
- Use IT resources to store personal files.
- Install, copy, or use any software in violation of licensing
agreements, copyrights, or contracts.
- Obtain or attempt to access the files or electronic mail of
others unless authorized by the owner.
- Harass, intimidate, or threaten others through electronic
- Construct a false communication that appears to be from someone
- Use non-LSUHSC E-mail to conduct official LSUHSC business unless
authorized by the Chancellor.
- Send or forward unsolicited E-mail to lists of people unrelated
to official business.
- Send, forward, or reply to E-mail chain letters.
- “Reply to all” to mass E-mail mailings.
- Create or transmit any offensive, obscene, or indecent images,
data, or other material.
- Retransmit virus hoaxes.
- Using “Napster” clones (Kazaa, Morpheus, BitTorrent, etc.).
- Playing streaming audio or video that is not work or school
- Operating a website on the LSUHSC network for personal use or
business use not related to your job.
- Accessing of websites not related to your job or your studies.
Permanent Memorandum 36 (PM-36)
-36 is the LSU System Information Security Plan. It provides
for three classes of information:
- Protected Information
- Restricted Information
- Public Records
Protected Information includes, but is not limited to:
- Employment records
- Medical records (including research data)
- Student records
- Personal financial information (SSN’s, credit card numbers, etc.)
- Trade secret information
- Classified government information
Restricted information is limited to a few individuals. It includes
but is not limited to:
- Any information related to potential or actual litigation
- Ongoing investigations
- Psychotherapy notes
- Disciplinary actions
Any email or other electronic file, produced in connection with your
employment or education at LSUHSC that does not meet the definition
of protected or restricted information is considered to be a public
record under State law and must be made available to any citizen within
72 hours of the request.
For that reason, any email or other electronic file created or
received in connection with your work at LSUHSC must be kept on
LSUHSC servers so as to be available in the event of a public
Any email or other electronic file created or received in connection
with your work at LSUHSC that resides on your personal device may
need to be produced in order to satisfy a public records request.
All Protected and Restricted information must have a contingency
plan that covers the possible loss of the information due to fire,
equipment failure, data corruption, weather, power failure, accidental
- All data stored on LSUHSC servers are covered by the LSUHSC
- Contingency Plans for Protected and Restricted information stored
on workstations, laptops, external hard drives, flash drives, etc. are
the responsibility of the End User.
A Data Breach occurs when sensitive information is accessed by
Federal and State laws require that persons whose personal,
financial, or health information is compromised by a data breach must
be notified that their information has been disclosed.
Information that is encrypted is exempt from these notification
Data Breaches can expose LSUHSC and its employees to civil and
Civil monetary penalties for data breaches range from $100 to
$50,000 per record.
Criminal penalties include imprisonment for up to ten years.
Examples of Data Breaches
- Lost or stolen laptops storing unencrypted PHI or student data.
- Lost or stolen smart phones with email access.
- Lost or stolen USB “thumb” drives or portable hard drives with
unencrypted PHI or student data.
- Papers, handwritten notes, photographs, images, or other
documents with PHI not disposed of properly.
- CD, DVD, floppies, backup tapes with PHI that have not been
destroyed at end-of-life per University policy.
Breaches and Consequences
On February 24, 2011, Massachusetts General Hospital agreed in a
settlement to pay $1,000,000.00 to the U.S. government for violations
involving the breach of 192 patient records.
On January 7, 2011 Tulane University announced that a university owned
laptop was stolen December 29, 2010 that had a file containing private
information of each person employed at the university in the past year,
according to school officials.
- The computer had W-2 information, names, Social Security numbers,
addresses and salaries for every employee, including student and
part-time employees and anyone who received a 2010 W-2.
- School officials said the laptop, used to process 2010 tax
records during the university's winter break, was not encrypted and was
in a briefcase in the locked automobile of an employee who was out of
town. It was stolen Dec. 29, and school officials were notified the
- The university sent letters to the more than 10,000 affected
individuals and offered them a full year of credit monitoring.
In 2010, New York Presbyterian Hospital and Columbia University
Medical Center agreed to pay $4.8 million in monetary payments to
after a faculty member exposed records of 6800 patients to the Internet
while operating a file server without appropriate technical safeguards.
Mitigating a Breach
Mitigation of a Breach includes but is not limited to:
- Notifying all affected individuals by first class mail.
- Providing all affected individuals with information on protecting
- Offering assistance in protecting their identities, usually in
the form of credit protection services.
The employee’s department or student's
school will be
held responsible for
any data breaches that occur and will bear the expenses incurred in
mitigating a breach.
Prevention is The BEST
Data Breaches can be prevented by ensuring that the appropriate
safeguards are in place and followed. For example:
- Adding extra security measures (e.g. password protection,
encryption, backups) to portable devices (laptop, smartphone, flash
drive, external hard drive).
- Taking precautions when protected information (health or
financial information) is stored on a local computer (e.g. locking
computer, encryption, backups).
- Taking precautions when protected information (health or
financial information) is sent to another location (e.g. encrypting
data or encrypting the transmission or use LSU Health FileS).
- Taking precautions when accessing protected information
(employee, student, health, financial, etc.) from a remote location.
Add extra security measures to prevent device theft by:
- Storing important data separately
- Installing and maintaining anti-virus software
- Activating the password protect feature on your device (This is
required if you connect to the LSUHSC network)
- Encrypting sensitive files
- Backing up your data
Employees who use University owned portable devices should:
- Have a signed receipt on file with the department for LSUHSC
tagged equipment (especially laptops).
- Be aware of requirements for reporting any theft of the
- Have any University owned tablets or smartphones enrolled in the
Additional precautions must be taken when protected information
or financial information) is stored on a local computer or portable
- Data must be encrypted in case your laptop or portable device is
lost or stolen
(contact your supporter for more information).
- Lock your computer if you leave your machine unattended.
- Written backup and disaster plans must be in place. LSUHSC backs
up all files on servers (O, T, U and V drives) daily.
Additional precautions must be taken when protected information
or financial information) is sent to another location.
- Do NOT use any email system other than LSUHSC.EDU to send or
receive protected information. Email sites such as Yahoo or Hotmail do
not have the security features that the LSUHSC email system has to
protect sensitive information.
- Emails from one @LSUHSC.EDU email address to another are
protected by a variety of security measures and are considered safe for
protected and restricted information.
- Do NOT automatically forward LSUHSC.EDU emails to a non-LSU email
system. Email coming to your LSUHSC email box may contain sensitive
information. If it is automatically transferred to a non-LSU email
system that does not have
the security features to protect sensitive
information, a data breach can result.
- Do NOT store files with protected or restricted information on
cloud services such as iCloud or Google Drive. They do not have the
security precautions that are in place on the LSUHSC network. Using
such sites increases the likelihood of a breach.
- Many cloud service providers have facilities in different
countries. If the protected or restricted information on your personal
device is stored on a cloud server in another country, it is no longer
subject to the protections of U.S. law.
- Be aware of any default settings on personally owned devices
that may automatically copy protected or restricted information to a
- Do NOT use Web based file-sharing sites such as YouSendit.Com,
Sharefile.com or Doodle.com to transfer protected or restricted
information. These sites are not secure and have been the source of
data breaches. Instead use LSU Health FileS.
- Do NOT use Internet file-sharing apps like BitTorrent to transfer
protected information. These applications are not secure and have been
the source of data breaches. Instead use LSU Health FileS.
- The employee’s department or student’s school will be held
responsible for any data breaches that occur and will bear the expenses
incurred in mitigating a breach.
Data Security When Traveling
Additional precautions must be taken when accessing protected
(employee, student, health, financial, etc.) from a remote location.
- Make sure your connection is secure by using a VPN (Virtual
Private Network) or SSL (little lock icon at the bottom of your browser
- When accessing email or other files via the World Wide Web from a
computer at a hotel business center or conference:
- When working from home, ensure the computer you are using has
up-to-date anti-virus software and operating system patches.
An easy way to ensure that you do not leave any sensitive data on a
public computer is to use Citrix. It provides access to published
Windows desktop environments. These
environments have pre-configured applications which may be run without
the need to install, configure or update applications on your local
workstations. Citrix can be accessed from the Internet and stores
your “O” drive.
Logon to LSU’s Remote Access Portal select the Citrix Web
Another way to reduce the possibility of a breach is to store as
information as possible on your desktop or laptop computer or portable
device (smartphone, tablet, thumbdrive). With storage capacities
allowing you to keep billions of pages of
information on something the size of a postage stamp, there is a
tendency to simply allow information to accumulate like the stuff in
the spare room of your home.
This accumulation occurs whether the device is a smartphone, laptop,
or USB or portable hard drive.
What happens when that device is
lost or stolen?
If all that was on the device was your e-books or contact list or a
copy of your dissertation, then your biggest problem is how to
reconstruct the data.
But what if those billions of
pages of storage contain patient,
student or employee information?
Now you are required to notify each of your patients that you
allowed their medical information to be breached. If 500 or more
patients are affected, you must also notify the news media.
Don’t Be a Data Hoarder
Review the data on your portable devices periodically and remove
anything that you don’t need on a day-to-day basis. If there is a need
to retain certain information even though you are
not using it frequently, keep it on your O drive.
When a Breach is Suspected
When a breach occurs or is thought to have occurred contact the
Office of Compliance Programs immediately:
- Phone – (504) 568-5135
- Anonymous Hotline – (504) 568-4347
- Email – firstname.lastname@example.org
Indications that your account has been compromised include:
- A locked account
- A password that is no longer accepted
- Missing data
- Computer settings that have unexpectedly changed
transactions you did not authorize
You should contact your computer supporter or the Help Desk if you
suspect that someone has tampered with your account.
What Do I Do if I Think my
Password Has Been Compromised?
Notify the Help Desk or your computer support personnel.
Change your password immediately. If you need assistance changing
your password, ask your computer supporter or the Help Desk or go online
to reset your password.
Remember: You are responsible for all
activities occurring under
your LSU User ID.
Notify your local computer
supporter or the Help Desk if:
- You suspect your password has been compromised.
- You suspect your files have been tampered with.
- Your computer behaves abnormally.
- You suspect someone has obtained or is trying to obtain
- A device or media with protected or restricted information has
been lost or stolen.
- You have been called by someone claiming to be a vendor.
Why Should I Take These
Precautions if I Only Use my PC for Reading
Hackers use a technique called “Escalating Privilege” which enables
them to turn ANY user account into an administrator account that gives
them unrestricted access to our network. All they need is an account to
get past the firewall.
Violations Have Consequences
- Violations of CM-42 or PM-36 will be reported to the appropriate
dean or vice-chancellor.
- Violating CM-42 or PM-36 will result in
disciplinary action up to and including loss of network access,
termination of employment, expulsion and civil or criminal liability.
If you have
any questions, please contact the Office of