A Note from UHD Interim President Michael A. Olivas: Securing the Human
I recently saw the Oliver Stone movie "Snowden," a wonderfully-rendered film about the fascinating story of Edward Snowden and the question of whether or not he was a cyber-hero for revealing classified U.S. intelligence secrets of government spying perfidy, or a traitorous hacker who put our country at risk by his dangerous actions. Any of you who have seen any other Stone movie, such as "JFK," "Platoon," or "Wall Street" know he is a very powerful storyteller who picks important subjects. This film still left me vexed over the tug-of-war between my admiration for Snowden and my disdain for his methods, which I believe far exceeded what he needed to do as a whistleblower. Weeks later, I still have not resolved this dilemma.
But when I recently reviewed our UHD protocols and our annual Information Security Risk Management Plan, required as part of our ongoing compliance with TAC (Texas Administrative Code) 202 - Information Security Standards, I was reminded of the Snowden movie. Earlier this year, a TAC 202 audit was performed by the UH System Internal Audit of our UHD information security program. The audit demonstrated full compliance with TAC 202 Information Security Standards. I was also reminded of how vulnerable we all are, and our dependence on secure cyber and IT practices. (I also had flashbacks to our family having been "Target-ed" by breached consumer information by Target hackers, necessitating our having to change out our credit cards and worse, our auto-pays and credit reports.)
As some of you may know, October is recognized as National Cyber Security Awareness Month. In today's digital world, it is important for us to recognize the role and responsibility each of us has when handling sensitive data of UHD and its students. The term "sensitive data" refers to data that if leaked may have a serious adverse effect on the university's reputation, resources, services or individuals. Data protected under federal or state regulations or due to proprietary, ethical or privacy considerations will typically be classified as sensitive. Handling sensitive university data properly and securely is one of our most important responsibilities as UHD employees.
According to the latest Verizon Data Breach Investigations Report, nearly 30 percent of phishing messages were opened by targeted email recipients. With numbers that high, it won't take long for these bad actors to gain access to our network. Unfortunately, no technological defense is perfect, which leads us straight to people. This is why it is each UHD employee's responsibility to take special care when handling sensitive data. When performing your job, you will likely come into contact with many types of information or data, some of which may be considered sensitive (e.g., student grades, Social Security numbers, health information, financial or credit information). It is important to understand your responsibilities for identifying, transmitting, storing, or disposing of this kind of sensitive information. To handle data properly you need to know what kind of data they are and what laws or standards might govern their use (or misuse). For example, some data must be kept private under laws such as FERPA (which protects student education records), HIPAA (which protects personal health information), and PCI (which protects credit card holder information).
Here are some best practices when handling the university's sensitive data:
- Avoid copying or downloading sensitive data from university administrative systems to your desktop computer, laptop, USB drive, etc. unless absolutely required. Ensure you have permission from your department administrator before downloading.
- If downloading is unavoidable:
  - Remove the confidential part of the information from the data if possible (e.g., SSN).
  - Store the data on a secure server if available. Contact the IT security personnel if you are unsure.
  - Encrypt data.
  - Password-protect data.
  - Physically protect devices that can be easily moved such as a USB drive or laptop.
- Do not send unencrypted sensitive data via email. Email messages can be intercepted by third parties or inadvertently forwarded to those who have no authorization to view the data.
- Do not download or copy sensitive data to your home computer or other personal computer or device.
- Never store unencrypted sensitive data on a portable device.
- Protect printed sensitive data in a locked desk, drawer, or cabinet. Do not leave unattended sensitive data on a copier, fax machine, or printer. Shred sensitive data that need to be discarded.
- Don't leave data-storing devices in cars, lockers, purses, or other places.
In other words, be smart and careful about these issues and practices. If one of us carelessly lets outsiders into our system or compromises UHD data and information, we are all harmed. IT professionals call this the need to "secure the human."
These simple tips can help ensure the integrity and confidentiality of university data. For more information, please contact UHD IT Security at firstname.lastname@example.org. Once again, a clean audit has been achieved by UHD in an important function, a significant achievement for our hardworking IT staff.
We must all be vigilant and care for each other. We must secure the human. And I urge you to go see "Snowden," an important movie that is about one of the most important subjects of our difficult times.