Maintaining Security While Using Computers: What All of Our Computer Users Need to Know


What You Need to Know
- ALL staff - even those that don’t use computers - need to know some things about security
- What “Data Stewardship” means
- New Information Security Policies and Procedures mean new rules for computer users
- How to fulfill your responsibility to help keep our computers safe from computer viruses and worms

What Staff Who Don’t Use the Computer Need to Know
- There is a federal law (HIPAA) which requires that all our staff learn to protect our information
- You must not use our computers unless you have been authorized to do so
- If you find any computer printout, floppy disk, or computer CD, turn it in to your supervisor
- If you suspect a security violation, report it to your supervisor

Data Stewardship
First – Some Definitions
- Facility Data – data which is acquired, developed, or maintained by our staff in performance of their duties
- Application – a purchased, shared, or developed set of files which maintain Facility Data
- Application Owner – a single, designated person, responsible for this application and the data it maintains

Some More Definitions
- Data File – a computer file (often in Word, Excel, or Access format) which contains Facility Data
- Computer User – staff who use a Facility computer in performance of their assigned duties
- Data Owner – the person who created and saved a file which contains facility data, or in the case of an application, the application owner

Network Files are Classified According to Security Level
- Public Files – Usually on our internet site, not protected
- Private Files – Usually stored on S:, shared among all network users, protected by Network login requirement
- Secure Files – Except for Application Software and Secure Systems, all files NOT stored on the S: Shared folder. Secure files are protected by network rights
- Application Software – Things like Word and Excel
- Secure Systems – Those systems (like HEARTS) which have been classified as needing MORE than standard file access rights to protect the data

Data Stewardship
- All data on the LAN is “owned” by a single member of our staff
- The Data Owner must protect the data
- If the data belongs to one of our “applications”, then the data is owned by the application owner
- If the data is not part of an application, the data is owned by the person who created the file

Files Must be Stored in Secure Network Folders
- All files on the Local Area Network are kept in folders
- If the folder is the S: (S for Shared), then the files are private, but not confidential, and can be seen by all computer users. No PHI should be stored here
- All other folders are for Secure Files, and cannot be seen by anybody unless they have been granted network rights. PHI can be stored

New Responsibilities for all Supervisors
- Ensuring that employees are aware of and observe all computer security requirements
- Monitoring employee activities to ensure compliance with all software legal requirements
- Ensuring that only authorized software runs on State computers

Rules for Computer Users
- Data Ownership and LAN Structure
- Requesting Network Rights
- Making Changes in Network Rights
- Password Rules
- Mobile Devices
- Personal Use
- User “Don'ts”
- Maintaining Security

Data Owner Responsibilities
- Understanding the LAN Rights Structure
- Storing their files only in appropriately secure areas
- Preventing non-Public files from being copied to moveable media
- Keeping Protected Health Information (PHI) secure

Rights on the LAN - #1
- All users have a private file storage area. This is their “H Drive”, or “Home”.
- Many users also have rights to a shared folder (typically, the “G Drive”), along with others in their department
- The “S Drive”, or Shared area, can be used for exchanging files between staff, but cannot be used if the file contains PHI

Rights on the LAN - #2
- Rights to “Applications” that run on the network are granted by the Application Owner
- If rights to use an application are granted by any person other than the Application Owner, the person granting those rights must send to the Application Owner notifying them what rights were granted

New Computer Users Must..
- Complete General Security Training
- Read and sign our Computer User’s Agreement
- Fill out a Network Rights Request form
- Get any necessary Data Owner signatures
- Get their Supervisor’s signature on the Network Rights Request form
- Turn the form in to Computer Services

Users must read and sign the Computer User’s Agreement before they can be given rights to the Local Area Network.

Users must complete the Network Security Rights Request form
- Your Supervisor’s signature goes here
- If you need rights to a home’s PPS, you must get the Home Coordinator’s signature here
- You sign here

Making Changes in Network Rights
- The same Network Security Rights Request form is used to change network rights for an existing user
- When the form is used to remove rights, the applicant’s signature and the Data Owner’s signature are not required, but the Supervisor’s signature is required
- The Data Owner does NOT need to use this form to request the total removal of rights; they may use to the Help Desk instead

Password Rules
- Your network password must be changed every 90 days
- Network users must select and change their own passwords
- Users will be allowed three “grace” logins when their password expires
- All passwords must be at least eight characters, and must not be “guessable”
- You must not tell your password to anybody, even your supervisor

Password “Dos”
- Mix upper and lower case letters
- Mix letters and numbers
- Pick a password you can remember
- Choose a completely new password each time you change
- Include non-alphanumeric characters, such as &, $, and >
- Pick a password with at least 8 characters

Password “Don’ts”
- Do not use recognizable words that might appear in a dictionary
- Do not use proper names
- Do not use words in other languages, such as “bonjour”
- Do not use your personal information, such as the names of your pets or your children

Mobile Computing Devices
- PDAs will be issued only where there is a critical need, and their use must be approved by the Security Official
- The use of removable storage devices such as USB flash drives or CD R/W drives is not permitted without the express permission of the Security Official
- Mobile computing devices must never be left in unsecured areas

Personal Use of Computers
- Personal projects may be permitted on the employee’s own time, but written supervisor permission is required
- An employee may make personal use of internet searches only with the approval of their supervisor
- An employee may not use instant messaging or download music files without permission from both their supervisor and the LAN Manager

User “Don’ts” - #1
- Users must not change their hardware configuration or physical location without the permission of the Workstation Manager
- Downloading software from the internet and bringing software from home are forbidden
- An employee may not use our information, applications, or equipment for personal commercial gain

User “Don’ts” - #2
- Users must identify themselves clearly and correctly when using
- Any type of mass mailing by one of our workforce members that does not pertain to governmental business is forbidden
- Circumventing user authentication or security is forbidden. A user must be logged in to the LAN as themselves before operating any computer software

User “Don’ts” - #3
- Staff must not provide information about, or lists of, employees or consumers to parties outside this organization
- Staff must not post to non-work related public discussion groups or forums on the internet
- Users must not access, or attempt to gain access to, any computer account to which they are not authorized

Maintaining Security - #1
- In order to maintain confidentiality of protected health information (PHI), workstations should be set up so that the screen is not visible by people standing at the door or entering the room
- If you are viewing PHI, and a person unauthorized to see the PHI enters the room, you should minimize the application or turn off the computer monitor

Maintaining Security - #2
- Sensitive paper and computer media should be stored in locked cabinets when not in use
- Protected or sensitive information, when printed to a shared printer, should be retrieved immediately
- Sensitive information should not be stored at the home of an employee without appropriate supervisor authorization

Maintaining Security - #3
- Any activity conducted using the State’s computers, including and the use of the internet, may be logged, monitored, archived or filtered, either randomly or systematically
- Both this Facility and the Division reserve the right to perform these actions without specific notice to the user

Maintaining Security - #4
- All users are responsible for helping to prevent the introduction and spread of computer viruses and other “malware”
- All files received from any source external to this Division must be scanned for computer viruses before opening
- Users must immediately contact their supervisor or the Help Desk when a virus is suspected or detected

Maintaining Security - #5
- Employees must report all information security violations to either the Computer Help Desk or the Security Official
- Users must notify the Help Desk immediately if they know or suspect that their network account or workstation has been compromised by a virus or unauthorized access
- Users should not attempt to remove viruses themselves without permission from the Help Desk

Maintaining Security - #6
- Users should not stay logged in to the LAN if they are going to leave the room for more than 15 minutes, even if it is locked
- During the day, workstations should be left at the Netware Login screen. At night, computers should be powered down
- All network accounts and workstation hard drives are subject to periodic audit for the purpose of maintaining security and license requirements

Engaging in “Safe” Computing
- All users must protect against viruses
- Do not bring software from home
- Do not download software from the internet
- Do not open attachments that you were not expecting to receive
- Only operate computers which are running virus protection software
- When in doubt, call and ask

Complete the Test Now!
- All computer users must complete this test
- Here is the test. Take it now!