Office of Compliance Programs
Information Security Training for
LSUHSC Employees and Students
Protecting Yourself and Your
University in the Digital World
Revised January 30, 2018
Introduction
Welcome to the Information Security for Basic End Users training module. It is intended for all personnel who have access to LSUHSC’s computing resources and must be renewed on an annual basis.
Information Security at LSUHSC is everyone’s responsibility! During
your workday, you probably engage in various computer related
activities (e.g. communicating with others via email, or going to
various websites to perform research or access campus resources).
If you don’t follow appropriate security measures during these seemingly harmless activities, you can inadvertently leave your personal data, as well as sensitive University data, open to attack from unauthorized users. These attacks can result in the breakdown of your computer, portable device or LSUHSC’s network.
What is an END USER?
An End User is any employee, student or affiliate who uses the
LSUHSC computer infrastructure in the course of work or studies.
What You Need to Know
- Goals
- End User Responsibilities
- Password Management Procedures
- LSUHSC Security Policies
- Confidentiality/Safeguards
- Compromised Accounts
Goals for Training
- Educate End Users about Information Security.
- Provide information on the role each End User plays in protecting
our network and data.
End Users Have Responsibilities
- Comply with LSUHSC Security Policies (CM-42 & PM-36).
- Use computer resources responsibly.
- Create strong passwords.
- Use the computer for authorized purposes only (e.g. job-related or school-related).
- Participate in the protection of electronic resources and data.
- Take reasonable precautions to avoid introducing computer viruses
into the network.
- Stay up-to-date with your compliance training.
What is Information Security?
Information Security is the protection of computing resources and
the data that they store or access.
Why is Information Security Important?
Information Security allows the University to carry out its mission
by:
- Enabling people to carry out their jobs, education, and research.
- Supporting critical business processes.
- Protecting personal and sensitive information.
Security violations have serious consequences.
Consequences
- Risk to integrity of confidential information (e.g. data
corruption, destruction, unavailability of patient information in an
emergency).
- Risk to security of personal information (e.g. identity theft).
- Loss of confidentiality, integrity & availability of data
(and time).
- Embarrassment, bad publicity, media coverage, news reports.
- Loss of patients’ trust, employee and public trust.
- Costly reporting requirements.
- Internal disciplinary action(s), termination of employment or
student enrollment.
- Penalties, prosecution and potential for sanctions/lawsuits.
Passwords
- Your use of a strong password is critical to secure Protected and
Restricted information.
- Your password is like the lock on your house (you want it to be
as strong as possible).
If Someone Knows Your Username and Password They Can…
- Read your emails
- Respond to your emails as if they were you
- Have the same access to all the information you have
- Have you blamed for offenses they commit using your User ID
- Execute financial transactions in your name
- Access information on your patients
- Steal your identity
Identity Theft
- The action of one person revealing his/her User ID & password threatens other innocent members of LSUHSC and subjects them to Identity Theft.
- Identity thieves may rent an apartment, obtain credit, or
establish a telephone account.
- Consumers victimized by Identity Theft may lose out on job
opportunities, or be denied loans for education, housing, or cars
because of negative information on their credit reports.
- Victims are cheated out of millions of dollars and spend months
to years repairing damage to their good name and credit record.
Strong Passwords
- No password is unbreakable.
- Given enough time and computing power a hacker can crack any
password.
Passwords Under Attack
Because passwords are the most common method used to allow users
access to computer networks, cracking passwords has become a
top priority not only for the independent hacker, but also for foreign
governments, organized crime and other organizations seeking
unauthorized access to online information.
Recent developments have aided these groups in their quest to
illicitly obtain passwords.
- New software that turns computer video cards into password
cracking supercomputers.
- Internet search engine software has been turned to cracking
passwords.
- Breaches of large networks such as Sony, Gawker, and RockYou have
made over a billion passwords public, allowing hackers to identify
patterns in how the average network user creates a password.
- Social Engineering scams to trick individuals into revealing
their passwords.
The Best Defense
- Choose passwords that take considerable time to break (given
commonly available computing power).
- Change your password frequently (do not give a would-be hacker
enough time to complete the cracking of your password).
- Never, ever share your password (if someone you don’t know asks
for your password, he/she is up to no good).
Remembering Passwords
- If at all possible, never write down your password.
- As passwords become more complex, it may become necessary to
write down a password to remember it.
- If you must write down your password(s) in order to remember
them, take the following precautions:
- Don’t keep your User ID and its Password together. Store them
separately in a secure location.
- Don’t store your password on or near the computer you use (e.g. instead of taping the password to the bottom of your keyboard [really bad idea], keep it in your glasses case).
- Instead of writing down the password, write down a hint that will remind you of the password (e.g. write down "Fav0rite$andwich" for the password "Fried0y$terP0b0y").
- Many smartphones have an app for storing passwords securely (but
you need another password to access the passwords stored on the app).
The Characteristics of a Strong Password
- Should be long, the longer the better, and difficult to guess.
- Not found in the dictionary.
- Not based on some readily available personal information (e.g. child’s name, home address, birth date, etc.).
- Contain characters from at least three of the four different categories (upper case letters, lower case letters, numbers and special characters).
Password Examples
- Password = “mydogrover”: 10 lower case letters. Ten positions with 26 possible values for each position, or 26 to the 10th power, or 141,167,095,653,376 possible combinations.
- Password = “MyD0gR0ver”: 10 upper and lower case letters and numbers. Ten positions with 62 possible values for each position, or 62 to the 10th power, or 839,299,365,868,340,224 possible combinations, about 6,000 times as many.
- Password = “henrysdogrover”: 14 lower case letters. Fourteen positions with 26 possible values for each position, or 26 to the 14th power, or 64,509,974,703,297,150,976 possible combinations, or 456,000 times as many possible combinations as “mydogrover”.
- In the first case the number of available characters was more than doubled from 26 to 62, a difference of 36. The increase resulted in 6,000 times as many possible combinations.
- In the second case, the length of the password was increased by 40% from 10 characters to 14, a difference of 4. The increase resulted in 456,000 times as many possible combinations.
The “strength” of a password is based upon the number of combinations possible:
- Password = “Eek$_the_beAt1e$@”: 17 characters. Upper and lower case letters, numbers and special characters, or 66^17 (8.6 × 10^30) possible combinations. It would take approximately 6 months of continuous processing to crack this password using the methods described above.
- Password = “Alex_hates_avacados$”: 20 characters. Upper and lower case letters and special characters, or 56^20 (9.2 × 10^34) possible combinations. It would take over twelve years of continuous processing to crack this password using the methods described above.
Which password is stronger? Which password is easier to remember?
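The arithmetic behind the examples above, as an added Python example that is not part of the original training module: it derives the character pool from the categories present in a password (26, 62, 66 or 56, counted the way the page counts them), raises it to the password length, and renders the result in the page's notation. The guess rate used for the worst-case time is an assumption supplied by the caller; the page gives no rate.

```python
import string

# Character categories as the page counts them: 26 upper, 26 lower, 10 digits,
# and the four special characters the LSUHSC policy allows (@ # $ _).
CATEGORIES = {
    "upper": string.ascii_uppercase,
    "lower": string.ascii_lowercase,
    "digit": string.digits,
    "special": "@#$_",
}


def pool_size(password: str) -> int:
    """Size of the pool an attacker has to assume, given which categories
    actually appear: lower only = 26, upper+lower+digit = 62, all four = 66."""
    return sum(len(chars) for chars in CATEGORIES.values()
               if any(c in chars for c in password))


def keyspace(password: str) -> int:
    """Number of strings of the same length drawn from that pool (pool ** length)."""
    return pool_size(password) ** len(password)


def ratio(stronger: str, weaker: str) -> float:
    """How many times more candidates an attacker must try for 'stronger'."""
    return keyspace(stronger) / keyspace(weaker)


def scientific(n: int) -> str:
    """Render a large count as 'm x 10^e', the way the page writes 8.6 x 10^30."""
    exponent = len(str(n)) - 1
    mantissa = n / 10 ** exponent
    return f"{mantissa:.1f} x 10^{exponent}"


def worst_case_seconds(password: str, guesses_per_second: float) -> float:
    """Time to exhaust the whole keyspace at a given guess rate. The rate is
    an assumption supplied by the caller; the page does not state one."""
    return keyspace(password) / guesses_per_second


if __name__ == "__main__":
    # Sample passwords taken from the page's own examples.
    for pw in ("mydogrover", "MyD0gR0ver", "henrysdogrover",
               "Eek$_the_beAt1e$@", "Alex_hates_avacados$"):
        print(f"{pw:22} pool={pool_size(pw):2} len={len(pw):2} "
              f"keyspace={scientific(keyspace(pw))}")
    # Constructed rate of 10^12 guesses/s, an assumption for illustration only.
    years = worst_case_seconds("Eek$_the_beAt1e$@", 1e12) / (365 * 24 * 3600)
    print(f"worst case at 1e12 guesses/s: {years:.3g} years")
```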
Tips on using phrases or sentences as passwords:
- Avoid well known phrases like book or movie titles or quotes of your favorite characters or historical figures. Hackers collect lists of such phrases to try first before switching to brute force techniques. Instead build sentences about your everyday life (e.g. “GeorgehasaCamaro@” or “Tom_likes_Mustangs_better”).
- Avoid using pronouns (e.g. I, me, mine, you, yours, he, she, it, etc.) in your sentences. Pronouns make your password vulnerable to a syntax attack. Instead of a password like “I_hate_broccoli” use “Carol_hates_broccoli”. Using proper names also makes the password longer.
- You can still include numbers and special characters if you wish. For example, “Bill_is_LSUs_#1_fan@” would take centuries to crack using modern methods.
How To Make YOUR Password Stronger
- Make it LONGER – 15 character passwords are much more secure than 10 character passwords.
- Use a larger pool of characters – Passwords containing upper and lower case letters, numbers and special characters like ‘$’, ‘#’, ‘@’ and ‘_’ are more secure than passwords using lower case letters alone for the same length.
You can test the strength of your Password by going to www.passfault.com.
Can You Make a Stronger Password than the LSUHSC-NO Compliance Officer?
The above image shows how long it would take to crack one of the passwords used by the LSUHSC-NO Compliance Officer, Roy Clay. Can you make a password that takes longer to crack? If you can, take a screenshot of the www.passfault.com screen and email it as an attachment to rclay1@lsuhsc.edu.
LSUHSC Password Policy
- The password must contain characters from three of the four following categories:
  - English upper case letters (A-Z)
  - English lower case letters (a-z)
  - Base 10 digits (0-9)
  - Non-alphanumeric characters: ONLY @, #, $ and _
- The first character must be a lower case or an upper case letter (a-z, A-Z).
- The password must be no less than 10 characters (but can be longer).
- The password must be different from the previous 14 passwords used.
- The password must be changed at least every 70 days, and will remain valid for 70 days.
- The password cannot be changed more than once in 24 hours.
- The password cannot contain the User ID as a substring.
- The password cannot contain a string of characters from the user’s name.
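The locally checkable parts of this policy, as an added Python example that is not the University's own password tooling: it reports every rule a candidate password breaks. The sample user ID and name are constructed; the history comparison uses an unsalted SHA-256 digest only to keep the sample self-contained; and treating any name part of three or more letters as a forbidden substring is an assumption, since the page does not define "string of characters from the user's name".

```python
import hashlib

ALLOWED_SPECIALS = "@#$_"   # the ONLY non-alphanumerics the policy permits
MIN_LENGTH = 10
HISTORY_DEPTH = 14
MAX_AGE_DAYS = 70
MIN_AGE_HOURS = 24
MIN_NAME_FRAGMENT = 3       # assumption: name parts shorter than this are ignored


def history_digest(password: str) -> str:
    """Digest compared against stored history. Unsalted SHA-256 is used only
    to keep this sample self-contained; real systems store salted hashes."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def category_count(password: str) -> int:
    """How many of the policy's four character categories appear."""
    return sum((
        any("A" <= c <= "Z" for c in password),
        any("a" <= c <= "z" for c in password),
        any("0" <= c <= "9" for c in password),
        any(c in ALLOWED_SPECIALS for c in password),
    ))


def check_password(password, user_id, name_parts, previous_digests=(),
                   hours_since_last_change=None):
    """Return the list of policy rules the candidate breaks (empty = acceptable)."""
    problems = []
    lowered = password.lower()

    if len(password) < MIN_LENGTH:
        problems.append(f"must be at least {MIN_LENGTH} characters")
    if not ("a" <= lowered[:1] <= "z"):
        problems.append("first character must be a letter (a-z, A-Z)")
    if any(not (c.isascii() and c.isalnum()) and c not in ALLOWED_SPECIALS
           for c in password):
        problems.append("only @, #, $ and _ are allowed as non-alphanumeric characters")
    if category_count(password) < 3:
        problems.append("must contain characters from three of the four categories")
    if user_id.lower() in lowered:
        problems.append("must not contain the User ID")
    hits = [p for p in name_parts
            if len(p) >= MIN_NAME_FRAGMENT and p.lower() in lowered]
    if hits:
        problems.append("must not contain part of the user's name: " + ", ".join(hits))
    if history_digest(password) in list(previous_digests)[-HISTORY_DEPTH:]:
        problems.append(f"must differ from the previous {HISTORY_DEPTH} passwords")
    if hours_since_last_change is not None and hours_since_last_change < MIN_AGE_HOURS:
        problems.append(f"cannot be changed more than once in {MIN_AGE_HOURS} hours")
    return problems


def password_expired(days_since_last_change: float) -> bool:
    """True once the password has exceeded the 70-day validity window."""
    return days_since_last_change > MAX_AGE_DAYS


if __name__ == "__main__":
    # Constructed sample account; not a real LSUHSC user.
    user, name = "jdoe", ["John", "Doe"]
    for candidate in ("Carol_hates_broccoli", "mydogrover", "1John_Doe$$"):
        print(candidate, "->", check_password(candidate, user, name) or "OK")
```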
Information Security Policies
LSUHSC-NO has two Information Security policies. You should
familiarize yourself with both of them.
Chancellor's Memorandum 42 (CM-42) Definitions
Connected
Applies to any person using, or any device that Connects to the
LSUHSC IT Infrastructure.
A device is considered Connected to the LSUHSC IT Infrastructure if
it is plugged into a wired network jack on campus, connects to the
LSUHSC wireless network on campus, remotely connects to the LSUHSC
network via the Internet, telephone connection, or other remote
mechanism.
Examples of remotely connecting include, but are not limited to:
- Using the remote.lsuhsc.edu VPN “Network Connect” option
- Logging on to Citrix (Desktop-New or PSDesktop) on campus
- Using a mobile device that is on a cellular network and uses
ActiveSync to access email (sometimes called “push” email)
Not Connected
Methods of accessing the LSUHSC network that do NOT meet the
definition of Connected include, but are not limited to:
- Using the remote.lsuhsc.edu VPN with the “Web Connect” option
- Using Outlook Web Access (OWA) off campus
- Logging on to Citrix (Desktop or PSDesktop) off campus
Data
Data is defined as any information residing on the University’s IT Infrastructure or held on any other IT Infrastructure on behalf of the University. These data include files, documents, messages in any format, including e-mail messages and posts made on any Social Media site maintained by/for the University.
All University data created and/or maintained by a User are also subject to this Policy, even if the data are created and/or stored on the User’s own personal computer, smartphone, or other personal device.
Courts have ruled that, for purposes of e-discovery or public records requests, LSUHSC bears the responsibility for producing the information under penalty of law, whether the information resides on the agency’s own devices or those of its employees.
Therefore, faculty, staff and students must understand that there is no expectation of privacy regarding LSUHSC Data, even if it resides on one’s personally owned device.
Acceptable Use
End Users are accountable for any violations associated with their
User IDs.
The IT infrastructure must only be used in the furtherance of the
user’s work as an employee, student or affiliate.
All computer equipment purchased with LSUHSC funds and the
electronic data created by it are LSUHSC property.
End Users are not allowed to store personal files on LSUHSC
equipment.
End Users must exhibit responsible behavior by complying with:
- All Federal and State laws
- LSUHSC rules and policies
- Terms and computing contracts
- Software licensing rules
Proper authorization must be obtained from the supervisor (if an
employee) or dean (if a student):
- To use LSUHSC computing resources
- Before accessing or sharing data

Unacceptable Use
End Users shall NOT:
- Engage in any activity that jeopardizes the availability,
performance, integrity, or security of the IT infrastructure.
- Use computing resources in a wasteful manner.
- Use IT resources for personal gain or commercial purposes not
directly related to their jobs.
- Use IT resources to store personal files.
- Install, copy, or use any software in violation of licensing
agreements, copyrights, or contracts.
- Obtain or attempt to access the files or electronic mail of
others unless authorized by the owner.
- Harass, intimidate, or threaten others through electronic
messages.
- Construct a false communication that appears to be from someone
else.
- Use non-LSUHSC E-mail to conduct official LSUHSC business unless
authorized by the Chancellor.
- Send or forward unsolicited E-mail to lists of people unrelated
to official business.
- Send, forward, or reply to E-mail chain letters.
- “Reply to all” to mass E-mail mailings.
- Create or transmit any offensive, obscene, or indecent images,
data, or other material.
- Retransmit virus hoaxes.
- Use “Napster” clones (Kazaa, Morpheus, BitTorrent, etc.).
- Play streaming audio or video that is not work or school related.
- Operate a website on the LSUHSC network for personal use or business use not related to your job.
- Access websites not related to your job or your studies.
Permanent Memorandum 36 (PM-36)
PM-36 is the LSU System Information Security Plan. It provides for three classes of information:
- Protected Information
- Restricted Information
- Public Records
PM-36 Definitions
Protected Information
Protected Information includes, but is not limited to:
- Employment records
- Medical records (including research data)
- Student records
- Personal financial information (SSN’s, credit card numbers, etc.)
- Trade secret information
- Classified government information
Restricted Information
Restricted information is limited to a few individuals. It includes
but is not limited to:
- Any information related to potential or actual litigation
- Ongoing investigations
- Psychotherapy notes
- Disciplinary actions
Public Records
Any email or other electronic file, produced in connection with your
employment or education at LSUHSC that does not meet the definition
of protected or restricted information is considered to be a public
record under State law and must be made available to any citizen within
72 hours of the request.
For that reason, any email or other electronic file created or
received in connection with your work at LSUHSC must be kept on
LSUHSC servers so as to be available in the event of a public
records request.
Any email or other electronic file created or received in connection
with your work at LSUHSC that resides on your personal device may
need to be produced in order to satisfy a public records request.
Contingency Plans
All Protected and Restricted information must have a contingency
plan that covers the possible loss of the information due to fire,
equipment failure, data corruption, weather, power failure, accidental
erasure, etc.
- All data stored on LSUHSC servers are covered by the LSUHSC
Contingency Plan.
- Contingency Plans for Protected and Restricted information stored
on workstations, laptops, external hard drives, flash drives, etc. are
the responsibility of the End User.
Data Breaches
A Data Breach occurs when sensitive information is accessed by
unauthorized persons.
Federal and State laws require that persons whose personal,
financial, or health information is compromised by a data breach must
be notified that their information has been disclosed.
Information that is encrypted is exempt from these notification
requirements.
Data Breaches can expose LSUHSC and its employees to civil and
criminal penalties.
Civil monetary penalties for data breaches range from $100 to
$50,000 per record.
Criminal penalties include imprisonment for up to ten years.
Examples of Data Breaches
- Lost or stolen laptops storing unencrypted PHI or student data.
- Lost or stolen smart phones with email access.
- Lost or stolen USB “thumb” drives or portable hard drives with
unencrypted PHI or student data.
- Papers, handwritten notes, photographs, images, or other
documents with PHI not disposed of properly.
- CD, DVD, floppies, backup tapes with PHI that have not been
destroyed at end-of-life per University policy.
Breaches and Consequences
In 2017, Anthem Inc.,
the largest U.S. health insurance company, agreed to settle litigation
over hacking in 2015 that compromised about 79 million people’s
personal information for $115 million, the largest settlement for a
data breach to date.
April 6, 2017: The IRS
revealed that up to 100,000 taxpayers may have had their personal
information stolen in a scheme involving the IRS Data Retrieval Tool,
which is used to complete the Free Application for Federal Student Aid
(FAFSA). In March 2017, federal officials observed a potential data
breach and took the tool down. The IRS said it shut down the Data
Retrieval Tool because identity thieves that had obtained some personal
information outside of the tax system were possibly using the tool to
steal additional data. The agency suspects that less than 8,000
fraudulent returns were filed, processed, and returns issued, costing
$30 million. 52,000 returns were stopped by IRS filters and 14,000
illegal refund claims were halted as well.
Yahoo announced that an email hack that occurred in August 2013 compromised over three billion of its user accounts.
On January 7, 2011 Tulane University announced that a university owned
laptop was stolen December 29, 2010 that had a file containing private
information of each person employed at the university in the past year,
according to school officials.
- The computer had W-2 information, names, Social Security numbers,
addresses and salaries for every employee, including student and
part-time employees and anyone who received a 2010 W-2.
- School officials said the laptop, used to process 2010 tax
records during the university's winter break, was not encrypted and was
in a briefcase in the locked automobile of an employee who was out of
town. It was stolen Dec. 29, and school officials were notified the
following day.
- The university sent letters to the more than 10,000 affected
individuals and offered them a full year of credit monitoring.
In 2010, New York Presbyterian Hospital and Columbia University
Medical Center agreed to pay $4.8 million in monetary payments to
DHHS
after a faculty member exposed records of 6800 patients to the Internet
while operating a file server without appropriate technical safeguards.
Mitigating a Breach
Mitigation of a Breach includes but is not limited to:
- Notifying all affected individuals by first class mail.
- Providing all affected individuals with information on protecting
their identities.
- Offering assistance in protecting their identities, usually in
the form of credit protection services.
The employee’s department or student’s school will be held responsible for any data breaches that occur and will bear the expenses incurred in mitigating a breach.
Prevention is The BEST Approach
Data Breaches can be prevented by ensuring that the appropriate
safeguards are in place and followed. For example:
- Adding extra security measures (e.g. password protection,
encryption, backups) to portable devices (laptop, smartphone, flash
drive, external hard drive).
- Taking precautions when protected information (health or
financial information) is stored on a local computer (e.g. locking
computer, encryption, backups).
- Taking precautions when protected information (health or financial information) is sent to another location (e.g. encrypting the data, encrypting the transmission, or using LSU Health FileS).
- Taking precautions when accessing protected information
(employee, student, health, financial, etc.) from a remote location.
Portable Devices
Add extra security measures to prevent device theft by:
- Storing important data separately
- Installing and maintaining anti-virus software
- Activating the password protect feature on your device (This is
required if you connect to the LSUHSC network)
- Encrypting sensitive files
- Backing up your data
Employees who use University owned portable devices should:
- Have a signed receipt on file with the department for LSUHSC
tagged equipment (especially laptops).
- Be aware of requirements for reporting any theft of the
equipment.
- Ensure the device is encrypted.
- Ensure the data on the device is backed up regularly (e.g. to OD4B).
Confidentiality/Safeguards
Additional precautions must be taken when protected information (health or financial information) is stored on a local computer or portable device:
- Data must be encrypted in case your laptop or portable device is lost or stolen (contact your supporter for more information).
- Lock your computer if you leave your machine unattended.
- Written backup and disaster plans must be in place. LSUHSC backs up all files on servers (O, T, U and V drives) daily. (You can also set up an automatic backup to your One Drive for Business (OD4B) cloud storage for your data.)
Additional precautions must be taken when protected information (health or financial information) is sent to another location.
- Do NOT use any email system other than LSUHSC.EDU to send or
receive protected information. Email sites such as Yahoo or Hotmail do
not have the security features that the LSUHSC email system has to
protect sensitive information.
- Emails from one @LSUHSC.EDU email address to another are
protected by a variety of security measures and are considered safe for
protected and restricted information.
- Do NOT automatically forward LSUHSC.EDU emails to a non-LSU email system. Email coming to your LSUHSC email box may contain sensitive information. If it is automatically transferred to a non-LSU email system that does not have the security features to protect sensitive information, a data breach can result.
- Do NOT store files with protected or restricted information on
cloud services such as iCloud or Google Drive. They do not have the
security precautions that are in place on the LSUHSC network. Using
such sites increases the likelihood of a breach.
- Many cloud service providers have facilities in different
countries. If the protected or restricted information on your personal
device is stored on a cloud server in another country, it is no longer
subject to the protections of U.S. law.
- Be aware of any default settings on personally owned devices
that may automatically copy protected or restricted information to a
cloud drive.
- Do NOT use Web based file-sharing sites such as YouSendit.Com,
Sharefile.com or Doodle.com to transfer protected or restricted
information. These sites are not secure and have been the source of
data breaches. Instead use LSU Health FileS.
- Do NOT use Internet file-sharing apps like BitTorrent to transfer
protected information. These applications are not secure and have been
the source of data breaches. Instead use LSU Health FileS.
- The employee’s department or student’s school will be held
responsible for any data breaches that occur and will bear the expenses
incurred in mitigating a breach.
Data Security When Traveling
Additional precautions must be taken when accessing protected information (employee, student, health, financial, etc.) from a remote location.
- Make sure your connection is secure by using a VPN (Virtual
Private Network) or SSL (little lock icon at the bottom of your browser
screen).
- When accessing email or other files via the World Wide Web from a
computer at a hotel business center or conference:
- When working from home, ensure the computer you are using has
up-to-date anti-virus software and operating system patches.
Citrix
An easy way to ensure that you do not leave any sensitive data on a public computer is to use Citrix. It provides access to published Windows desktop environments. These environments have pre-configured applications which may be run without the need to install, configure or update applications on your local workstation. Citrix can be accessed from the Internet and stores information on your “O” drive.
Log on to LSU’s Remote Access Portal and select the Citrix Web Interface option.
Data Hoarding
Another way to reduce the possibility of a breach is to store as little information as possible on your desktop or laptop computer or portable device (smartphone, tablet, thumb drive). With storage capacities allowing you to keep billions of pages of information on something the size of a postage stamp, there is a tendency to simply allow information to accumulate like the stuff in the spare room of your home.
This accumulation occurs whether the device is a smartphone, laptop, or USB or portable hard drive.
What happens when that device is lost or stolen?
If all that was on the device was your e-books or contact list or a copy of your dissertation, then your biggest problem is how to reconstruct the data.
But what if those billions of pages of storage contain patient, student or employee information?
Now you are required to notify each of your patients that you allowed their medical information to be breached. If 500 or more patients are affected, you must also notify the news media.
Don’t Be a Data Hoarder
Review the data on your portable devices periodically and remove anything that you don’t need on a day-to-day basis. If there is a need to retain certain information even though you are not using it frequently, keep it on your O drive.
When a Breach is Suspected
When a breach occurs or is thought to have occurred contact the
Office of Compliance Programs immediately:
- Phone – (504) 568-5135
- Anonymous Hotline – (504) 568-4347
- Email – nocompliance@lsuhsc.edu
Compromised Accounts
Indications that your account has been compromised include:
- A locked account
- A password that is no longer accepted
- Missing data
- Computer settings that have unexpectedly changed
- Transactions you did not authorize
You should contact your computer supporter or the Help Desk if you
suspect that someone has tampered with your account.
What Do I Do if I Think my Password Has Been Compromised?
Notify the Help Desk or your computer support personnel.
Change your password immediately. If you need assistance changing your password, ask your computer supporter or the Help Desk or go online to reset your password.
Remember: You are responsible for all activities occurring under your LSU User ID unless you have notified the Help Desk or your computer supporter that you have been compromised.
Incident Reporting
Notify your local computer supporter or the Help Desk if:
- You suspect your password has been compromised.
- You suspect your files have been tampered with.
- Your computer behaves abnormally.
- You suspect someone has obtained or is trying to obtain
unauthorized access.
- A device or media with protected or restricted information has
been lost or stolen.
- You have been called by someone claiming to be a vendor.
Why Should I Take These Precautions if I Only Use my PC for Reading Email?
Hackers use a technique called privilege escalation (“Escalating Privilege”) which enables them to turn ANY user account into an administrator account that gives them unrestricted access to our network. All they need is an account to get past the firewall.
Violations Have Consequences
- Violations of CM-42 or PM-36 will be reported to the appropriate
dean or vice-chancellor.
- Violating CM-42 or PM-36 will result in
disciplinary action up to and including loss of network access,
termination of employment, expulsion and civil or criminal liability.
Getting Help
If you have any questions, please contact the Office of Compliance Programs by: