Information Security Awareness

Secure Computing

Everyone on campus has access to information. As stewards of this information, we must use and handle it in a safe, secure, ethical, and legal manner. This module provides practical guidance on information security in today's working environment.

GC Policies

Responsibility for Establishing a Secure Information Environment

Each member of the GC community is responsible for the security and protection of the information resources they use or for which they are responsible. Resources to be protected include networks, computers, software, data, medical records, financial information, identification information, and personal information. The confidentiality, integrity, and availability of these resources must be protected against physical and digital threats, including unauthorized intrusion, malicious misuse, inadvertent compromise, force majeure, theft, errors, omissions, and loss of custody or control. Activities outsourced to corporate or other entities must meet the same security requirements and require CIO approval.

PCI-DSS (Credit Cards)

Offices at GC desiring an agreement with a third-party service provider/merchant to store, process, or transmit cardholder data must 1) document the business need for accepting credit cards, 2) meet with the Office of the Controller for justification and approval, and 3) provide evidence of PCI-DSS compliance to both GC Information Technology and the VP of Finance and Administration.

Technology General Acceptable Use

Employees and students of GC may use the University's computing resources, including transmission over the University network, for scholarly purposes, for official university business, and for personal use, so long as such use does not:

  • Violate any Federal or state law or university policy,
  • Involve significant use of university resources or direct costs,
  • Substantially interfere with the performance of university duties, work, or data communications networks, or
  • Conflict with the State policy on Misuse of State Property.

Authorized users of GC's network resources shall not:

  • Create or willfully disseminate computer viruses. Authorized users shall be sensitive to the ease with which viruses spread and shall take steps to ensure their computer files are virus-free.
  • Allow non-authorized users access to passwords, or share accounts. It is the authorized user's responsibility to protect the account from unauthorized use by following security procedures.
  • Attempt to circumvent system security, guess other users' passwords, or in any way gain unauthorized access to local or network resources. Users may not use another person's computing account, or attempt to forge or use a false account or email address.
  • Transfer copyrighted materials to or from any system, or via the University network, without the express consent of the owner. Doing so may violate Federal or State law.

GC has confidential campus procedures for information security incidents and breaches. If you find insecure handling of sensitive campus information, or are aware of lost or compromised campus information, bring it to the immediate attention of your supervisor, or contact the Chief Information Officer (CIO) or Information Security Officer (ISO).

What information is considered "sensitive"?

Most of the information we deal with daily could be considered sensitive and subject to protection. In addition, new laws geared toward protecting information and personal identities are passed every year. A few that directly pertain to Georgia College are:

  • Family Educational Rights and Privacy Act (FERPA) - protection of student records
  • Health Insurance Portability and Accountability Act (HIPAA) - protection of people's health & medical records
  • Gramm-Leach-Bliley Act (GLBA) - protection of people's financial information
  • Red Flag Rule - identity theft protection
  • Georgia Personal Identity Protection Act (GPIPA) - personal identity and account number protection

Aside from legislation, there is the ethical handling of information. Regard the information of the person in front of you as if it were your own. If you treat it as you would want your own information handled, you will usually err on the side of security and safety.

Collecting and Storing Social Security Numbers

GC moved away from using the Social Security Number (SSN) as the student identifier many years ago to comply with federal and state laws. As a result, there are very few legitimate needs on campus to collect and store SSNs. The combination of an SSN and a name is the cornerstone of assuming someone's identity, and this combination should be considered the most sensitive of all personally identifiable information. If you must collect, store, or otherwise use SSNs in your work, schedule a regular re-assessment of whether the requirement still exists.

Encryption

There are two main types of file encryption that we encourage at GC:

  • file or folder encryption using AxCrypt
  • hard drive encryption

All University laptops and select desktop computers have full hard-drive encryption, which requires your GC credentials to unlock. If the equipment is lost, or someone else attempts to gain access, the computer will not unlock without your GC credentials and multifactor authentication approval.

All University equipment includes the Axantum AxCrypt option for encrypting files that contain sensitive information. Follow the GCSU Policy when creating the password, and understand that you must remember the password for the file: there is no administrator override to remove the encryption, so a forgotten password means the file cannot be recovered.

Storage Options

Acquire and store only the information needed to accomplish the job. If you have to retain files, we recommend using a secure campus drive, which keeps your documents accessible if your PC is lost, stolen, or suffers an equipment failure. All GC faculty and staff have access to OneDrive file storage. For access to a network shared drive, contact the Serve Help Desk at x7378 or serve@gcsu.edu. If you store SSNs, use the provided encryption tool.

If you must store information on your hard drive, know that the password to the computer IS NOT securing the data on that computer. If the drive is not encrypted, all a criminal has to do is remove the hard drive and attach it as a secondary drive to another computer; they then have immediate access to ALL of the information stored on that disk. Sensitive files on PCs should be encrypted. Encryption prevents the file from being read by anyone other than the person who has the password.
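What "no administrator override" means in practice is that the decryption key exists only as a function of the password: without the password there is nothing for an administrator to unlock. The following is an added example, not AxCrypt's code or anything from this page. It uses only the Python standard library: PBKDF2 turns the password into keys, an HMAC-SHA256 counter-mode keystream stands in for the AES that real tools use, and an HMAC tag rejects a wrong password or a modified file before anything is decrypted. The iteration count and the sample record (with a placeholder SSN) are assumptions made for the example.

```python
import hashlib
import hmac
import os
import struct

SALT_LEN = NONCE_LEN = 16
TAG_LEN = 32
KDF_ROUNDS = 200_000  # assumption: enough PBKDF2 iterations to slow down password guessing


def _keys_from_password(password, salt):
    """Derive separate encryption and MAC keys from the password alone."""
    km = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, KDF_ROUNDS, dklen=64)
    return km[:32], km[32:]


def _keystream(key, nonce, length):
    """HMAC-SHA256 in counter mode as a pseudorandom keystream (stdlib stand-in for AES)."""
    blocks = (hmac.new(key, nonce + struct.pack(">Q", i), hashlib.sha256).digest()
              for i in range((length + 31) // 32))
    return b"".join(blocks)[:length]


def _xor(data, stream):
    return bytes(a ^ b for a, b in zip(data, stream))


def encrypt(password, plaintext):
    """Return salt || nonce || ciphertext || tag: everything needed to decrypt except the password."""
    salt, nonce = os.urandom(SALT_LEN), os.urandom(NONCE_LEN)
    enc_key, mac_key = _keys_from_password(password, salt)
    ciphertext = _xor(plaintext, _keystream(enc_key, nonce, len(plaintext)))
    tag = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    return salt + nonce + ciphertext + tag


def decrypt(password, blob):
    """Recover the plaintext, or raise ValueError on a wrong password or a modified file."""
    if len(blob) < SALT_LEN + NONCE_LEN + TAG_LEN:
        raise ValueError("not an encrypted file produced by encrypt()")
    salt, nonce = blob[:SALT_LEN], blob[SALT_LEN:SALT_LEN + NONCE_LEN]
    ciphertext, tag = blob[SALT_LEN + NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    enc_key, mac_key = _keys_from_password(password, salt)
    expected = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        # The only way to get the right MAC key is the right password: there is no override.
        raise ValueError("wrong password, or the file has been modified")
    return _xor(ciphertext, _keystream(enc_key, nonce, len(ciphertext)))


# Constructed sample record for the example (placeholder SSN, not a real one).
RECORD = b"Name: J. Doe, SSN: 000-00-0000, financial aid status: pending"

if __name__ == "__main__":
    blob = encrypt("correct horse battery staple", RECORD)
    assert decrypt("correct horse battery staple", blob) == RECORD
    assert b"000-00-0000" not in blob  # copying the file off the disk yields nothing readable
    try:
        decrypt("Password1!", blob)
    except ValueError as err:
        print("wrong password:", err)
```

The salt and nonce are stored in the clear at the front of the file; that is fine, because neither is secret. What the attacker who pulled the drive does not have is the password, and the key derivation deliberately costs work per guess, so the strength of the file rests on the password you chose under the GC standard.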

Data transmission

University devices connect to the network over a wired or wireless connection. Whenever you are logged into your computer, accessing online services, or using the internet to reach your email, communications to and from the device travel as TCP/IP packets across the network. TCP/IP itself provides no confidentiality: it moves data but does not encrypt it. Like a radio signal, an unencrypted transmission can be read by anyone able to observe the path it takes, for example anyone on the same wireless network or at any hop in between. Anyone in that position can see unencrypted data in transit.

HTTP vs. HTTPS

Most network use happens through browsers, using URLs that begin with HTTP (HyperText Transfer Protocol). HTTP is unencrypted: its traffic is visible to prying eyes and can be read or altered in transit without you ever knowing. URLs that start with HTTPS are carried over an encrypted connection, which provides a private point-to-point conversation between your device and the server named in the URL. Note that HTTPS protects only the connection; it does not vouch for the site itself, and a phishing site can use HTTPS too, so also check that the hostname is the one you expect.

Any sensitive information should be transmitted through a secure, encrypted method. Always verify that the URL begins with https:// whenever you access a system.

Email

Over the past 15 or so years, email and texting have surpassed the telephone as the standard for communications. As a result, email is now the single most critical system for campus communications. Email within the gcsu.edu domain is encrypted and secured. However, a recipient may forward an email to other systems that do not use encrypted sessions. For this reason, it is better never to send sensitive data that could end up off-campus without encrypting it first.

Hosted Applications and Cloud Resources

As technology changes, many of our services and resources are accessed through hosted applications "in the cloud." Hosted environments make storage and sharing easy. Resources for University use require review and approval before purchase, to ensure security standards for the data and information and to limit campus liability. Vendor contracts must contain specific language and conditions to protect GC information, and all such contracts require approval from the GC Legal Department.

Compromised Data

In the event of compromised data, most federal regulations and the GPIPA require the University to enroll each affected person in an identity theft prevention and monitoring program, at a cost of roughly $150 to $250 per account.

Taking Credit Cards

Departments needing to collect money by credit card require approval from the VP of Finance and Administration's Office before entering into any contracts or purchasing card-reader devices. Services must meet GC policies and credit card industry standards (PCI-DSS).

Virus Protection and Operating System (OS) Patches

It is crucial to keep the anti-virus software on a computer constantly updated, because new viruses appear regularly. Anti-virus updates contain the latest definition files needed to recognize new viruses and protect your computer.

One of the most overlooked features on computers today is the built-in ability to update software automatically. Keeping your OS up to date is vital for a healthy computer in today's environment. Software manufacturers are constantly fixing software bugs, including security vulnerabilities, updating drivers for new devices, and improving the software you use. If you are running a Windows-based machine, make sure automatic updating is turned on: on Windows 10 it is under Settings > Update & Security > Windows Update, on Windows 11 under Settings > Windows Update (older versions used Start > Control Panel > Automatic Updates). You can select the best time of day for the computer to check Microsoft for software updates.

Phishing

Since 2016, Information Security Awareness Training has included information about why we are targets. You WILL receive phishing emails, you ARE a target, and you may be the recipient of a spear-phishing attack.

Phishing emails cloak themselves in legitimacy, often using company images and well-written scenarios. While there is no one-size-fits-all rule, common indicators include:

  • bad or broken English
  • a completely illogical scenario
  • an attempt to create fear or panic
  • posing as an authority figure to exert clout, or relying on an existing business relationship
  • a URL the message wants you to click
  • a request that you send money: pay an invoice, cover travel expenses, or purchase gift cards

GC adds the identifier [Ext GC] at the beginning of the subject line of emails sent from off-campus to help users recognize external mail.

If you receive a message and need to verify it, forward it to the Serve Help Desk or to the ISO (Information Security Officer) at iso@gcsu.edu; someone will answer your question. If you are reasonably sure it is not real, delete it. If you think it may be valid, open your browser and type the address yourself rather than using the provided URL, and contact the sender directly, not by replying to the message, to verify they sent it.
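The indicators listed above, together with the https:// rule from the Data transmission section, can be checked mechanically before a message is opened. The following is an added example, not GC's tooling and not anything from this page. It assumes gcsu.edu is the only trusted domain, uses the [Ext GC] subject tag described above, carries a small assumed list of pressure words, and is run over two constructed sample messages that use reserved example addresses. It relies only on the Python standard library.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumptions for this example: the institution's legitimate domain, the subject tag the
# page says GC prepends to off-campus mail, and a short list of pressure/money phrases.
TRUSTED_DOMAINS = ("gcsu.edu",)
EXTERNAL_TAG = "[Ext GC]"
PRESSURE_WORDS = ("urgent", "immediately", "suspended", "gift card", "wire transfer", "invoice")


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _is_trusted(host):
    host = (host or "").lower()
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def _looks_trusted(host):
    """A trusted name buried inside a different domain, e.g. gcsu.edu.verify-login.example."""
    return any(d in (host or "").lower() for d in TRUSTED_DOMAINS) and not _is_trusted(host)


def _host_shown(text):
    """The hostname a reader would assume from a link's visible text, if it shows one."""
    m = re.search(r"(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)", text.lower())
    return m.group(1) if m else None


def triage(raw_message):
    """Return the phishing indicators found in one raw email message (empty list if none)."""
    msg = message_from_string(raw_message, policy=policy.default)
    findings = []
    _, sender = parseaddr(str(msg["From"] or ""))
    if not _is_trusted(sender.rpartition("@")[2]):
        findings.append(f"external sender: {sender}")
    subject = str(msg["Subject"] or "")
    if EXTERNAL_TAG in subject:
        findings.append(f"subject tagged {EXTERNAL_TAG}: sender is off-campus")
    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body is not None else ""
    text = re.sub(r"<[^>]+>", " ", subject + " " + html).lower()
    hits = [w for w in PRESSURE_WORDS if w in text]
    if hits:
        findings.append("pressure or money language: " + ", ".join(hits))
    collector = _LinkCollector()
    collector.feed(html)
    for href, shown_text in collector.links:
        url = urlparse(href)
        host = (url.hostname or "").lower()
        if url.scheme == "http":
            findings.append(f"unencrypted http:// link: {href}")
        if url.username is not None:
            # https://trusted-name@real-host/ sends you to whatever follows the @
            findings.append(f"credentials-style URL, real host is {host}: {href}")
        if _looks_trusted(host):
            findings.append(f"lookalike host {host}: {href}")
        shown = _host_shown(shown_text)
        if shown and shown != host and not (_is_trusted(shown) and _is_trusted(host)):
            findings.append(f"link text shows {shown} but goes to {host}: {href}")
    return findings


# Constructed sample messages for the example (not real mail; reserved example names only).
PHISH = """\
From: "GC Help Desk" <helpdesk@gcsu-support.example>
To: staff@gcsu.edu
Subject: [Ext GC] URGENT: your mailbox will be suspended
Content-Type: text/html; charset=utf-8

<html><body>
<p>Your account will be suspended immediately unless you verify it.</p>
<p><a href="http://gcsu.edu.verify-login.example/reset">https://www.gcsu.edu/password</a></p>
<p><a href="https://www.gcsu.edu@198.51.100.7/login">Sign in to GC</a></p>
<p>Please purchase gift cards for the Dean's travel expenses.</p>
</body></html>
"""

LEGIT = """\
From: "Serve Help Desk" <serve@gcsu.edu>
To: staff@gcsu.edu
Subject: Reminder: timesheets due Friday
Content-Type: text/html; charset=utf-8

<html><body><p>Timesheets are due Friday. Submit them at
<a href="https://www.gcsu.edu/hr">www.gcsu.edu/hr</a>.</p></body></html>
"""

if __name__ == "__main__":
    for name, raw in (("PHISH", PHISH), ("LEGIT", LEGIT)):
        print(name, triage(raw) or ["no indicators found"])
```

Two of the link checks matter most in practice: the visible text of a link is not where it goes (the href is), and a URL of the form https://www.gcsu.edu@198.51.100.7/ goes to the host after the @, not to gcsu.edu. Both are exactly why the advice above is to type the address yourself rather than click.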

Best Practices

  • Devices should be kept in secure places.
  • Keep or store only data required to accomplish a business objective.
  • Laptops should use hard-drive encryption so that, if they are lost or stolen, the data on them cannot be read. University laptops include encryption.
  • Sensitive files should be stored in a locked file cabinet with limited access.
  • Sensitive data that needs to be transmitted should be encrypted so that only the authorized recipient of the data can access the information.
  • Passwords: use them! Don't use guessable passwords. Follow the GC standard: at least 8 characters (12+ preferable), with a mixture of upper case and lower case letters, at least one special character, and at least one numeric character.
  • Look for https:// in URLs. Don't supply sensitive information unless the session is encrypted.


Don't

  • Do not leave papers that contain personally identifiable information (or test grades, etc.) on top of your desk.
  • Do not leave file cabinets unlocked when leaving.
  • Do not send files through email unless they are encrypted.
  • Do not send personal identification information in the body of an email.
  • Do not post (for public view) personally identifiable information.
  • Do not send any passwords or user account information to anyone through email. GC will never ask you to do so.
  • Do not share passwords with anyone.
  • Do not use GCID in public.
  • Do not circulate a printed class list with GCID numbers or grades as an attendance roster.
  • Do not release student addresses or email addresses.
  • Do not release class rosters.