Office of Compliance Programs
Information Security Training for Supervisors
Managing the Human Factor in Information Security
December 6, 2017
Why Do Managers and Supervisors Need Additional Security Training?
Information Security Risks Are Business Issues
Security lapses by employees can exacerbate security risks that can lead to:
- Undetected fraud
- Monetary Loss
- Identity Theft
- Inability to deliver services
- Loss of Public Trust
- Legal Action
Flowers Hospital had a data breach that occurred from June
2013 to February 2014 when one of its employees stole forms containing
patient information and possibly used the stolen information to file
fraudulent income tax returns.
In 2016, NRAD Medical Associates discovered that an employee
radiologist had accessed and acquired protected health information from
NRAD’s billing systems without authorization. The breach was estimated
to be 97,000 records of patient names and addresses, dates of birth,
Social Security information, health insurance, and diagnosis
information.
According to Microsoft, more than 75% of all network intrusions can
be traced back to compromised credentials. The vast majority of those
network openings were created innocently through accidental or
inadvertent behavior by insiders without any intention of harming their
employer. In a number of cases, that vulnerability was, ironically, the
result of a trusted employee doing a seemingly run-of-the-mill task
like taking files home to work on in their own spare time.
Managers and Supervisors are uniquely situated to mitigate security
risks.
In your role as a manager or supervisor, you are the one who is most
familiar with the work carried out by your staff. By familiarizing
yourself with the information security issues that are inherent in the
work of your area of responsibility, you can become an effective part of
LSUHSC-NO's strategy against the threat that is increasingly responsible
for the data breaches that occur every year: humans.
"We have met the enemy and he is us."
-Pogo
There are three types of risky behavior, each requiring a different approach:
- Malicious: Malicious
insider behavior combines a motive to harm with a decision to act
inappropriately. For example, using personally identifiable information
to steal someone's identity.
- Negligent: Negligent
insider behavior can occur when people look for ways to avoid policies
they feel impede their work. While most have a general awareness of
security risks and recognize the importance of compliance with security
policies, their workarounds can create exposure.
- Accidental: Accidental
insider behavior results from employees being careless. Accidents
result in more breaches than the two types (listed above) combined.
What Can I Do to Improve the Security of the Information in My Area?
- Understand your data
- Be familiar with LSUHSC-NO information security policies
- Know your users
- Enforce security policies
- Know how to respond to a breach or other security incident
- Be aware of the impact grants and contracts can have on the
security of your data and on the LSUHSC-NO I.T. infrastructure.
Understand Your Data
How well do you know the data used in your area by your employees?
Ask yourself the following questions:
- What protected and/or restricted information (e.g. PHI, student
information, employee information, intellectual property, etc.) do I have in my area?
- How does it get to my area? (e.g. email, file transfer, courier,
U.S. Mail, interoffice mail, fax, etc.)
- Which of my employees handles this information?
- Where is it stored in my area? (e.g. local hard drives on
desktops and laptops, tablets, smartphones, server drives like O: and
T:, One Drive for Business, file cabinets, desk drawers, etc.)
- How do my employees access the information?
- Where does the information go once it leaves my area?
- If someone wanted to steal the data from my area, how could they do it?
Don't overlook information in printed
formats. Faxes, reports and other printouts, etc. can also be the
source of a breach if they fall into the wrong hands.
LSUHSC-NO Information Security Policies
LSUHSC-NO's information security policies are contained in PM-36 Louisiana State University System
Information Security Plan, CM-42 Information Technology (IT) Infrastructure,
and I.T. department policies. As a manager or supervisor, it is your
responsibility to ensure that these policies are followed by your
employees. Therefore it is important that you are informed about the
policies and how they apply to your area. The best way to familiarize
yourself with these policies and their requirements is to complete all of
your information security training.
Users
When managing users who have access to LSUHSC-NO's network, it is
important to keep the following in mind:
- The Minimum Necessary Principle of granting access
- The different types of users
- Ensuring your users are educated on information security best
practices and LSUHSC-NO policies
- Noting any sudden change in a user's behavior, or users exhibiting
behavior that may indicate a problem
The Minimum Necessary Principle
When requesting access for users under your responsibility, it is
important to limit their access to information to the minimum amount
necessary to perform their duties and no more. If there is any change in
the user's duties due to:
- Transfers
- Promotions
- Demotions
- Reorganization
- New Application Programs
then their access should be reviewed and modified as needed to ensure
the user only has access to the information required to perform their duties.
Types of Authorized Users
- Employees (faculty and staff)
- Gratis Faculty
- Students
- External Affiliates (e.g. contractors)
Requests for user IDs for new employees, modifying access, or
terminating access can be handled by simply emailing the Information Security group.
External Affiliates
External Affiliates are any users who are not faculty, staff or
students of LSU. Examples include contractors and employees of other state
agencies with a business need to access LSUHSC-NO information systems.
How to Request an External Affiliation
Administration from the sponsoring department must submit the
following:
- Description of affiliate relationship with LSU
- How computer access benefits LSU
- Type of computer access required (e.g. email, AR, Payroll, etc.)
- Number of individuals that need access
- The name of the LSU employee sponsoring the affiliation
Acknowledge the following:
- Computer access is suitable so long as access is beneficial to
LSU
- Notify I.T. with any status changes immediately
- Verify quarterly the status of each user
- Notify I.T. 30 days prior to account expiration date
Verifying External Users
A request is sent every 90 days to verify any status changes
- All non-active users are terminated
- All active users are extended
If there is no response after 14 days:
- A second request is sent
- Accounts will be suspended in 7 days without a response
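The 90-day verification cycle above (a request every 90 days, a second request after 14 days without a reply, suspension 7 days after that) can be encoded so that the review of external affiliate accounts runs the same way every quarter. The following Python model is an added illustration written for this page, not LSUHSC-NO or I.T. department code; the account record layout, field names, and the two sample accounts are constructed assumptions.

```python
"""Model of the external-affiliate verification cycle: a request every 90
days, a second request after 14 days without a reply, suspension 7 days after
that. Added illustration, not LSUHSC-NO code; record layout, field names and
the sample accounts are constructed."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

VERIFY_EVERY = timedelta(days=90)   # a verification request is sent every 90 days
REMIND_AFTER = timedelta(days=14)   # second request if there is no response after 14 days
SUSPEND_AFTER = timedelta(days=7)   # suspended 7 days after the second request with no response


@dataclass
class AffiliateAccount:
    user_id: str
    sponsor: str
    last_verified: date
    status: str = "active"                 # active | suspended | terminated
    request_sent: Optional[date] = None    # date of the open verification request
    reminder_sent: Optional[date] = None   # date of the second request, if sent
    response: Optional[str] = None         # sponsor's reply: None, "active" or "inactive"


def review(acct: AffiliateAccount, today: date) -> str:
    """Advance one account by one day and return the action taken ("none" if nothing)."""
    if acct.status != "active":
        return "none"                       # suspended/terminated accounts are not re-reviewed
    if acct.response == "inactive":         # non-active users are terminated
        acct.status = "terminated"
        return "terminate"
    if acct.response == "active":           # active users are extended: the 90-day clock restarts
        acct.last_verified = today
        acct.request_sent = acct.reminder_sent = acct.response = None
        return "extend"
    if acct.request_sent is None:
        if today >= acct.last_verified + VERIFY_EVERY:
            acct.request_sent = today
            return "send_request"
        return "none"
    if acct.reminder_sent is None:
        if today >= acct.request_sent + REMIND_AFTER:
            acct.reminder_sent = today
            return "send_reminder"
        return "none"
    if today >= acct.reminder_sent + SUSPEND_AFTER:
        acct.status = "suspended"
        return "suspend"
    return "none"


def simulate(acct: AffiliateAccount, start: date, end: date,
             replies: Optional[Dict[date, str]] = None) -> List[Tuple[str, str]]:
    """Run the cycle day by day. `replies` maps a date to the sponsor's answer received
    that day. Returns (ISO date, action) events, omitting days where nothing happens."""
    replies = replies or {}
    events: List[Tuple[str, str]] = []
    day = start
    while day <= end:
        if day in replies:
            acct.response = replies[day]
        action = review(acct, day)
        if action != "none":
            events.append((day.isoformat(), action))
        day += timedelta(days=1)
    return events


def demo():
    """Two constructed accounts: a sponsor who never replies and one who confirms two days later."""
    silent = AffiliateAccount("affiliate01", "sponsor-a", date(2017, 1, 1))
    prompt = AffiliateAccount("affiliate02", "sponsor-b", date(2017, 1, 1))
    silent_events = simulate(silent, date(2017, 1, 1), date(2017, 5, 1))
    prompt_events = simulate(prompt, date(2017, 1, 1), date(2017, 5, 1),
                             {date(2017, 4, 3): "active"})
    return (silent_events, silent.status, prompt_events, prompt.status,
            prompt.last_verified.isoformat())


if __name__ == "__main__":
    for item in demo():
        print(item)
```

The point of the model is that an unanswered request never leaves an account open indefinitely: the silent sponsor's account is suspended on the 21st day after the first request, while a confirming sponsor simply restarts the 90-day clock. Hooking `review` to a daily job over the real affiliate list gives the same outcome without anyone having to remember the dates.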
User Security Training
Ensure that authorized users in your area understand the importance of:
- Being in compliance with LSU security policies
- Using the LSUHSC information system resources only for authorized purposes
- Using LSUHSC information system resources responsibly
- Participating in the protection of electronic resources and
data
The easiest way to ensure users have been properly informed of
their information security responsibilities is to ensure that all users
have completed their HIPAA Security Training.
- Each department receives monthly reports showing the training
status of each employee and student.
- If needed, the Compliance Educator can provide access to the
web-based View Training Progress page to monitor the training status of
employees.
Behavior
Take note of any sudden change in an employee's behavior or if the
employee's behavior manifests any of the following patterns or traits:
- Social and personal frustrations (family, peer, coworkers)
- Ethical ‘flexibility’ (if it is not secured, then I can use it)
- Reduced loyalty (reductions in force, changing allegiances)
- Entitlement (I’m not getting paid what I should, I don’t get
enough recognition for what I do)
- Lack of empathy (anger at authority)
Any of the above-listed behaviors may be an indication that an employee
is taking actions that could compromise the security of LSUHSC-NO's
information systems and data.
Enforcing Security Policies
Periodically walk through your work area looking for:
- Sensitive information left unattended on desks, computer screens,
fax machines, printers, wastebaskets, etc.
- Passwords left in the open (e.g. taped to a keyboard or screen)
- Unattended workstations that are left logged in
- Doors propped open
Enforce policies consistently among employees. Ensure authorized
users are aware of the guidelines for acceptable computer usage:
- University Policies CM-42 and PM-36
- Restriction against sharing UserIDs
- Distribution of copyrighted material
- Distribution of any offensive, obscene, or indecent images, or
material
- Distribution of material that is illegal
Mobile Device Security Issues
A mobile device is any device that is both portable and capable of
collecting, storing, transmitting or processing electronic data or
images. These include but are not limited to:
- Laptops
- Cell phones (iPhones, Androids, etc.)
- Tablets (iPads, etc.)
- Music players (iPods, MP3 players, etc.)
- External hard drives
- Flash memory (SD cards, USB thumb drives, etc.)
The convenience of their portability also means there is little in the
way of physical safeguards that can be implemented to protect them. As a
result, these devices are at a much greater risk of being lost or stolen.
To prevent a security incident from the loss or theft of such a device:
- Avoid storing any data on the mobile device itself. Instead, store the data on:
  - LSUHSC-NO servers (O: drive, T: drive, etc.)
  - LSUHSC-NO provided cloud storage (Sharepoint, One Drive for Business)
- If data absolutely must be stored on the device, ensure the
device is encrypted and password protected (i.e. lock code).
Disciplinary Actions and Terminations
In the event that an employee must be disciplined or terminated,
their computer access must be disabled IMMEDIATELY.
Contact the Information Security group in the IT department to disable
the employee's access before the employee is notified of the
disciplinary action to minimize the opportunity for malicious or
retaliatory action on the employee's part.
Incident Response
Dealing with a Possible Crime
- Information on the computer or backup tapes can support the case
that an employee has committed fraud
- Information on the computer can support the claim that an employee
has violated security rules or performed illegal actions, for example:
  - Browser history (cookies, etc.)
  - Files on disk (including deleted files)
  - Contents of the computer's RAM
- Modifying information on the computer, or merely viewing it by
executing commands, can contaminate evidence
- Modifying information on the computer can implicate the supervisor as
a party to the crime
If you have reason to believe that a computer or mobile device has
information or evidence of wrongdoing, simply secure the device by
locking it up. Do not power down or power up the device or otherwise
attempt to manipulate it.
Once the device is secured, contact the Helpdesk and describe your
concerns. Someone from the I.T. department will be sent to examine and
collect the device.
Grants and Contracts
Grants
If the deliverables on a grant are such that they could have an
impact on the information technology infrastructure (e.g. new cloud
based system, new servers, transfers of large amounts of data, etc.),
consult the I.T. department during the budget preparation process.
- Submit a request to I.T. to evaluate any new hardware or software
- If the infrastructure (e.g. networks, servers, etc.) is not in
place, include costs for infrastructure and extra personnel in the budget
Failure to notify I.T. can result in:
- Delays in purchasing
- Delays in implementation
- Waste of University funds
- Performance issues with new system due to inadequate infrastructure capacity
- Introduction of gaps in the university's information security controls
Contracts
Infrastructure
As with grants, contracts whose deliverables impact LSUHSC-NO's
information technology infrastructure must be reviewed by the I.T.
department to ensure the I.T. infrastructure has the capacity to
accommodate the services required by the contract and that the proper
information security controls are in place.
Business Associate Agreement
A business associate (BA) agreement must be executed any time a
contract requires the use or disclosure of protected health information (PHI).
Data Sharing Agreement
Any time protected or restricted data is shared as part of a
collaboration (as opposed to a contractor providing services that
require access to data), a data use agreement must be in place which
outlines the responsibilities each party has with regard to the
protection of the data.
Getting Help
If you have any questions, please contact the Office of Compliance Programs by: