Sensitive Data Accessibility Financial Management College of Education Michigan State University

Upload: george-baker

Post on 22-Dec-2015


Sensitive Data
Accessibility
Financial Management

College of Education
Michigan State University


Agenda for today

- Sensitive data management
- Basic computer security issues
- Financial management
- Physical security

Q: What are examples of security threats?

Q: What does information security mean to you?

Q: Why do we need to know this?


Levels of sensitivity for data

- Public
- Sensitive
- Confidential

Institutional data: all of the data held by MSU, in any form or medium, for normal business operations.


Public data

Not protected and generally made publicly available, without restriction or limitation

- Directories
- Library card catalogs
- Course catalogs
- Institutional policies


Sensitive data

Protected by institutional policy, guidelines, or procedures – may be public/FOI-able (freedom of information)

- Salary data
- Detailed institutional accounting and budget data
- Personally restricted directory data


Confidential data

1. Institutional data that could be used for identity theft

2. Protected by law, contract, or University policy

3. Records of the university security measures

- SSN
- Payment/credit card
- Health records
- Student records


Sensitive data management at MSU

PCI DSS - Payment Card Industry Data Security Standard – Fine up to $500,000

MSU’s Managing Sensitive Data site at http://eis.msu.edu/sid/


Sensitive data management at MSU

- Use Institutional Data only for University purposes.
- Minimize the potential for their improper disclosure or misuse.
- Individually responsible for the security and integrity of Institutional


Where to look for confidential data

Digital
- Laptop computers, desktop computers
- Phones, thumb drives
- Network drives, web and file servers
- Email attachments, social networking sites

Paper
- Sticky notes, notepads, paper files
- Receipts
- PAN forms and other official documents
- Travel documentation


“Do I absolutely need this data?” If not, get rid of it.

- As soon as you no longer need the data, delete it.
- Don’t leave sensitive data on computers or PDAs that can be stolen.
- Make sure the computer where the data is stored is protected against viruses, worms, etc.
- Be careful distributing the data via email or paper forms.


Q: What should you do if an incident occurs on your computer?

Q: What should you do if you find a thumb drive in the hallway?


College Policy

College policy can be found on this website:

http://education.msu.edu/csg/

All college staff are required to attend a sensitive data awareness seminar every three years.

No one should keep SSNs or credit card numbers on a computer or shared drive.


In practical terms, this means?

No confidential data on college servers or computers

There is no reason to store SSNs on a computer, so don’t. If you need to use SSNs at all, work with us to make sure they are handled with a minimum of risk.

If you absolutely must have SSNs, credit card numbers, or any other sensitive data on paper, destroy paper sheets as soon as you don’t need the data anymore. If you need to keep the data, lock the papers up, then destroy them as soon as you can.

Most important: Know the policy, be aware of how you can minimize exposure.


Q: What should you do when you salvage your PC?


Internet use security

When you browse the Internet:

- Set your browser security to medium/medium-high
- Add safe sites to trusted sites
- Block pop-up windows in your browser
- Clear cookies and cache for the browser periodically
- Log out of secure apps when not in use
- Use a screen saver to lock the screen
- Do not write down passwords
- Be aware when using instant messenger, chatting

Video: Spyware

Video: Do not leave your computer unlocked


Basic computer use protection

- Strong password, but easy to remember
- Install an anti-virus program and update it automatically
- Update the Windows system automatically
- Turn on the Windows built-in firewall
- Set the Internet browser security to medium-high
- Do not download free programs from the Internet
- Do not use a flash drive as your main storage
- Salvage a computer only after cleaning the hard drive


Email Phishing

Phishing: use of e-mail messages that appear to be sent from a trusted source.

- Spelling mistakes
- Incorrect graphics
- Personal information
- The URL

Video: Email hoax


File management
- Manage by folders
- Save on the server (\\edshare.educ.msu.edu)
- Name files properly (do not use space or #, $, ~, !)
- View files with different layout
- Stop using floppy disks; use a thumb drive to transfer files

Email management
- Organize by folders and sub-folders


Financial Management Oversight

- Segregation of duties: More than one person needed to complete a record transaction. Implement mitigating controls if staffing resources do not permit desired segregation of duties.
- Adequate oversight: at least take samples.
- Pay attention to high risk areas: cash and inventories. Take periodic inventory.
- Monthly reconciliation of P-card statement is required.


Physical Security

- Protect valuables (yours and others)
- Be aware of and report suspicious activity
- Good descriptions NOT heroics
- Keys
- Doors


Please remember to take the survey after you receive the email with a link. Thanks.