Security

Data Privacy Month: Are You Smarter Than Your Phone?

Did you know, “Smartphones can predict a user's gender with 71% accuracy, & can distinguish between ‘tall’ and ‘short’ people and ‘heavy’ and ‘light’ people, with about 80% accuracy?” Take a look at this recorded webinar from the January 9 EDUCAUSE Live! Data Privacy Month kickoff event with special guest, Rebecca Herold (the Privacy Professor) to find out just exactly how smart your Smartphone is.

Nearly everyone on a college campus today has a mobile phone, capable of accomplishing amazing tasks while on the go. But, how SHOULD you make use of your smartphone? You are smarter than your phone if you know that you need to make careful choices about using your geo-location feature. You might post a picture to Facebook while on your European trip if there are other people still living at your address back home. But, if your house is empty while you travel, you would be smarter to wait to post until you get home. Do you really want everyone to know you are out alone at midnight by "checking in" at your local donut shop? You are smarter than your phone if you use sound judgment about revealing your location. You’re smarter than your phone if you know you need to think critically about the sensitivity of the data you put on or access through your phone. Do you use your phone for banking, without password protecting the device? Your phone is happy to do it. But you are smarter than your phone if you protect it with a password. If you’re not thinking critically about what you do with your phone, we’ll help you think again!

The webinar covers fun facts as well as 16 ways to mitigate Smartphone security and privacy risks. Topics include tracking, info access, malware, breaches, loss, theft, ID theft, physical security, social media, and apps.

The webinar recording, slides, and chat transcript are available at http://www.educause.edu/library/resources/data-privacy-month-are-you-smarter-your-phone

Requirements for Students


Standard: when does it apply?

Desktop and Portable Computer Standard: Always

Password Standard: Always

Signature Standard: Always. All authentic RIT communications should include an appropriate signature as per the standard. Make it a habit to check for an authentic signature when receiving messages from RIT.

Web Security Standard: If you have a web page at RIT, official or unofficial, and you:
  • Host or provide access to Confidential information. If you’re hosting or providing access to Private information, contact us at infosec@rit.edu immediately. Private or Confidential information is defined in the Information Access and Protection Standard.
  • Use RIT authentication services

Computer Incident Handling Standard: If the affected computer or device:
  • Contains Private or Confidential information
  • Poses a threat to the Institute network

Network Security Standard: If you own or manage a device that:
  • Connects to the centrally-managed Institute network infrastructure
  • Processes Confidential information. If you’re providing access to Private information, contact us at infosec@rit.edu immediately.

Portable Media Standard: If you are storing Private or Confidential information on portable media, such as USB keys, CDs, DVDs, and flash memory.

Networking Devices

  • Currently, personal networking devices used on the RIT residential network (such as routers, switches, etc.) do not need to meet the Network Security Standard. Resnet has created separate guidelines for Using a Router/Wireless Router on the RIT Network.

Safe Practices

  • Visit our Keeping Safe section to find security resources and safe practices and to see our schedule of upcoming workshops.

Questions

If you have questions or feedback about specific information security requirements, please contact us.

Private Information Management Initiative (PIMI) FAQ

What is the Private Information Management Initiative?

Updated 2/14/2013

 

The Private Information Management Initiative (PIMI) is a program where the RIT Information Security Office helps RIT faculty and staff scan their computers and attached drives to determine if they contain private information (PI). When PI is found, each RIT faculty and staff member is responsible for remediating the private information by scrubbing or shredding the files.

The program also includes destruction of hardcopy media containing nonessential PI.

The goals of the program are to identify and reduce the amount of private information at RIT. This reduction will help safeguard the RIT community against identity theft and will help RIT comply with relevant state and federal laws.

What is Private Information?

New York State defines private information (PI) as:

any personal information concerning a natural person combined with one or more of the following data elements: Social Security number (SSN), driver's license number, account number, or credit or debit card number in combination with any required security code. These combinations of information are often used in identity theft. 

The New York State Information Security Breach and Notification Act requires that RIT notify affected consumers if their Private information is compromised.

Why is RIT scanning my computer or drive for Private information?

RIT is scanning your computer or drive because scans have revealed the presence of Private information on many computers, even when the computer owners did not believe any Private information was present. We want to reduce the potential for identity theft occurring as a result of information obtained from RIT computers.

How is RIT authorized to scan my computer?

RIT is authorized to scan computers using the RIT network in order to protect the RIT community. See the Computer Code of Conduct and Network Use and the Privacy Policy.

It is important to note that the Information Security Office may inspect the results of the scan only to aid in remediation efforts.

Are other universities doing anything similar?

Many universities are beginning to scan for Private information on computers connected to their networks and have begun remediation of hardcopy and other media containing Private information.

Responsibilities

What are my responsibilities in the Private Information Management Initiative?

Your responsibilities as faculty or staff may be found here.

Scanning and Results

How will RIT scan my system?

Your computer is scanned by Identity Finder (IDF) software installed on your computer. The scans will be initiated from a central scanning server administered by the RIT Information Security Office. Identity Finder also allows you to initiate an on-demand scan. You do not have to be connected to the network to initiate an on-demand scan.

What do I do if the scan is slowing down my computer or I would like to pause it temporarily?

It's easy to pause Identity Finder so that it doesn't significantly impact your productivity. Go to your system tray, right-click on the Identity Finder icon (Ctrl-click on a Mac) and choose Maximize. Then click on the Pause button. When you're ready to resume the scan, click on Resume.

What happens when Identity Finder finds Private information?

Identity Finder will generate an interactive report of suspected Private information matches and provide user-friendly tools to erase the information securely or remove the Private information from the files directly from the interactive report. You may also identify "false positives" by choosing "Ignore" within IDF. The Information Security Office will verify that the ignored files do not contain Private information.

I've completed a search and Identity Finder is asking me how to proceed. What should I do?

When Identity Finder completes its search, review the list of results to begin Shredding or Scrubbing Private Information and Ignoring "false positives."

How do I shred, scrub, or ignore a match?

You can choose shred, scrub, or ignore by right-clicking on the check box next to the entry and choosing from the options available. NOTE: not all options are available for all file types. Process the entire list before closing Identity Finder.

What do I do if Identity Finder doesn't find Private information?

If Identity Finder completes its search and no Private Information is found, close Identity Finder.

I am unable to "shred" a file in Identity Finder. What should I do?

If you are unable to "shred" a file containing Private Information, you may not have the Windows permissions that allow Identity Finder to "shred" it. Contact the Help Desk and ask them to log in to Identity Finder as admin and securely "shred" the file.

I am unable to "scrub" a file in Identity Finder. What should I do?

Identity Finder provides a scrub option for specific file types that may not work with all file types. If you need to retain an Office 2003 file on your computer but need to redact the Private information in the file, you’ll need to follow a three-step process:
        1. Save a copy of the file in Office 2007 or 2010 format (.docx, .xlsx, etc.).
        2. Use Identity Finder to scrub (redact) the Private information from the new file.
        3. Use Identity Finder to shred the old file.

What do I do with Private information found on my system?

The RIT Information Security Office has created a Private Information Handling Quick Reference Table to assist you in determining how to handle Private information found on your computer or drives.

If you find Private information on your computer and are not sure whether it should be there, ask your Information Steward/Management Representative.

New York State law does not allow the retention of Social Security Numbers unless there is a clear business need for the information. In general, an RIT employee has a legitimate purpose for having access to the Social Security Numbers of another individual when such number is required for tax or billing purposes, credit authorizations, background checks, or in furtherance of submitting a federal or state governmental application that requires the transmission of an individual's Social Security Number. In addition, social security numbers shall be maintained when required by either court order, subpoena, or by direction of the Office of Legal Affairs.

What is redaction?

Unless required by RIT business processes, files must not contain Private information. Unnecessary information must be sanitized by redacting (removing) the Private information. It is not sufficient to simply obscure or hide the information. Although "redaction" has a broader meaning in editing, in the context of information handling it refers to the removal of information from a document.

If you are redacting a file before the Identity Finder scan, Adobe has provided a guide that instructs readers how to redact Microsoft Word and Adobe PDF files properly. The guide can be found here.
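As an added illustration that is not part of this FAQ or of Identity Finder's own logic, the scanner below applies the combination rule from the New York State definition quoted earlier (personal information together with a data element such as an SSN, or a card number with its security code) to a few constructed sample files, filters card-number false positives with a Luhn check, and performs redaction as removal rather than obscuring. The regular expressions, the labeled-name heuristic for "personal information", and the sample file contents are assumptions.

```python
import re

# Constructed sample files (fictitious names and numbers) used to exercise the rule.
SAMPLE_FILES = {
    "roster.txt": "Name: Jane Doe\nSSN: 123-45-6789\nDept: Registrar\n",
    "memo.txt": "Meeting moved to 10:30. Room 2200.\n",
    "card.txt": "Cardholder: John Roe\nCard: 4242 4242 4242 4242 CVV 123\n",
    "numbers_only.txt": "123-45-6789\n",
}

# Assumed patterns for the data elements named in the NYS definition.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
CARD_RE = re.compile(r"\b(?:\d{4}[ -]?){3}\d{4}\b")
CODE_RE = re.compile(r"\b(?:CVV|CVC)\s*\d{3,4}\b")
# Assumed heuristic for "personal information": a labeled full name.
NAME_RE = re.compile(r"\b(?:Name|Cardholder)\s*:\s*[A-Z][a-z]+(?:\s[A-Z][a-z]+)+")

def luhn_ok(number):
    """Luhn checksum; filters out digit strings that merely look like card numbers."""
    digits = [int(c) for c in number if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def find_elements(text):
    """Data elements present in the text; a card number counts only with its security code."""
    found = set()
    if SSN_RE.search(text):
        found.add("ssn")
    cards = [m.group(0) for m in CARD_RE.finditer(text) if luhn_ok(m.group(0))]
    if cards and CODE_RE.search(text):
        found.add("card_with_code")
    return found

def classify(text):
    """Combination rule: a data element alone is not PI; personal information must be present too."""
    elements = find_elements(text)
    return elements if NAME_RE.search(text) else set()

def redact(text):
    """Remove matched data elements, leaving a marker; the original digits are gone, not hidden."""
    text = SSN_RE.sub("[REDACTED SSN]", text)
    text = CARD_RE.sub(lambda m: "[REDACTED CARD]" if luhn_ok(m.group(0)) else m.group(0), text)
    text = CODE_RE.sub("[REDACTED CODE]", text)
    return text

def scan(files):
    """Report which files meet the PI definition and which data elements triggered it."""
    report = {}
    for name, body in files.items():
        elements = classify(body)
        if elements:
            report[name] = sorted(elements)
    return report

if __name__ == "__main__":
    print(scan(SAMPLE_FILES))
    print(redact(SAMPLE_FILES["roster.txt"]))
```

A file holding only a bare SSN (numbers_only.txt) is reported as a candidate for review by a human, not as PI, which is the same distinction the FAQ draws when it lets you mark "false positives" as Ignore.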

Why is Outlook prompting me for a new profile?

We’ve seen the following a few times:
        1. Outlook is closed and you see the Identity Finder results screen.
        2. You try to open Outlook while the Identity Finder results screen is open.
        3. Outlook prompts you to create a new profile.

Solution:
        1. Exit the Outlook setup wizard.
        2. Process the results in the Identity Finder report.
        3. Close Identity Finder.
        4. Open Outlook.

What if the only Private information the scan finds is mine?

Private information should not be stored on an RIT computer unless expressly permitted. (This information is typically found in copies of tax returns and filled-in forms.)

I’m seeing a Delete Database dialog box at the beginning of my Identity Finder session. The dialog box says that AnyFind technology has been updated and asks if I want to perform a full search. Should I answer Yes or No?

You should answer Yes. Identity Finder will conduct a full scan (including items previously ignored). The scan length may be similar to that of your initial scan.

Non-Windows Computers

I have a non-Windows computer, will it be scanned?

Currently, only computers running the Microsoft Windows and Mac operating systems will be scanned by Identity Finder. We encourage you to examine the files on your computer and attached drives to identify Private information and handle it accordingly. For Linux, we recommend using Cornell's Spider. You may also work with your systems administrator to scan the Linux drive from Windows.

Questions

Whom do I contact with questions?

Please direct any questions regarding information handling or the Private Information Management Initiative to Infosec@rit.edu or contact your Information Steward/Management Representative.

Exception Process

Exception Process and Compliance

Anyone not in compliance with an Information Security Standard is subject to sanctions including suspension of computer and network privileges and/or the full range of current Institute personnel and student disciplinary processes.

In a small number of circumstances, it may not be possible to comply with an Information Security Standard. The Information Security Office has provided the following method for obtaining an exception to compliance with a published information security standard. Exceptions should be approved and signed by the President, a VP or Dean, or the CIO, as appropriate. (An email endorsing the exception request is acceptable.)

An exception MAY be granted by the RIT Information Security Office for non‑compliance with a standard resulting from:

  • Implementation of a solution with equivalent protection.
  • Implementation of a solution with superior protection.
  • Impending retirement of a legacy system.
  • Inability to implement the standard due to some limitation.

 

Exceptions are granted for a specific period of time, not to exceed two years. They are reviewed on a case-by-case basis, and their approval is not automatic.

The Exception Request should include:

  • Description of the non-compliance
  • Anticipated length of non-compliance
  • Proposed assessment of risk associated with non-compliance
  • Proposed plan for managing the risk associated with non-compliance
  • Proposed metrics for evaluating the success of risk management (if risk is significant)
  • Proposed review date to evaluate progress toward compliance
  • Endorsement of the request by the appropriate Information Trustee (VP or Dean, CIO).

 

If the non-compliance is due to a superior solution, an exception will normally be granted until the published standard or procedure can be revised to include the new solution. An exception request should still be submitted.

 

Submit the Exception Request Form to the Information Security Office, infosec@rit.edu, ROS 10-A200.

Plain English Guide to the Information Security Policy

RIT has issued an Information Security Policy. The Policy provides the strategic direction needed to implement appropriate information safeguards for RIT information and the Institute network. This Plain English Guide provides explanation and illustration of the Policy and is provided as an aid to help you understand and implement the requirements of the Policy. The Policy itself is authoritative. The policy is effective immediately.

Why did RIT issue the policy?

The Policy authorizes RIT to take reasonable measures to protect RIT information and computing assets in an age that is both reliant on electronic media and characterized by increasing Internet-borne threats. These measures apply to RIT information and the technology infrastructure.

In recent years, state and federal legislation has mandated specific protections for different types of information, including educational records (FERPA), financial customer information (Gramm-Leach-Bliley Act), health information (HIPAA), and private information (NYS Information Security Breach and Notification Act).

Why is the information lifecycle important?

The information lifecycle concept and its associated stages (creation, storage, transfer, and destruction) provide a useful framework for information handling. For example, during the creation stage, the creator of the information determines who should have access to the information and how that access is to be granted. During the destruction stage, "out-of-date" information or information used only occasionally may be without appropriate protection and be at greater risk.

What are the roles of Safeguards and Controls?

Most of the legislation above requires affected organizations to explain how they know people don’t have unauthorized access to information. Controls provide the best way of ensuring information protection. Controls can be process based (administrative controls), or technology based (technical controls). Controls focus on one or more of the following: problem prevention, problem detection, or problem correction.

How has RIT implemented this policy?

RIT has implemented the Information Security Policy by conducting risk assessments, issuing and enforcing standards, raising awareness of threats, recognizing best practices, and maintaining relationships with a number of security-focused external entities for benchmarking and sharing of resources.

More specifically,

  • RIT has designated specific individuals, including the RIT Information Security Officer, to identify and assess the risks to non-public or business-critical information within the Institute and establish an Institute-wide information security plan.
  • The RIT Information Security Office creates and maintains standards to protect RIT information systems and its supporting infrastructure, ensure workforce information security, and guide RIT business associates and outsource partners. The creation of these standards is mandated by policy and is in response to the risks that the Institute faces. They are Institute-wide standards, created with representation from across RIT. See our Policies and Standards page for the list of current standards and information about how standards are developed.
  • The RIT Information Security Office provides awareness and training workshops, including its Digital Self Defense classes to help RIT users in the responsible use of information, applications, information systems, networks, and computing devices.
  • The RIT Information Security Office encourages the exchange of information security knowledge through ongoing engagements with security-focused groups, such as Educause, the New York State Cyber-Security Critical Infrastructure Coordination group, InfraGard, and others.
  • RIT periodically evaluates the effectiveness of information security controls in technology and process through risk assessments.

 

To whom does the policy apply?

The policy applies to the entire RIT community, including RIT employees, student employees, volunteers, and external business associates. Standards articulate how you follow the policy. Each standard has a different scope and may apply to different parts of or activities engaged in by the RIT population.

What do I have to do?

You need to follow all Information Security Policy requirements as articulated in the standards. See our Policies and Standards page for a current list of standards.

Where do I go for more information?

Read the policy and its associated standards. Contact the RIT Information Security Office at infosec@rit.edu if you have more questions.

 
