Five Important Security Concerns for Employees
by Gary W. Farris, BCC IT Security Administrator
1-16-08
As the quarter has been underway for a couple of weeks now and most of us are
settling into a slightly less-stressful period of work, I thought this would be
a good time to remind the campus of a few important IT Security policies,
standards and procedures which affect most of us, most of the time. The items
listed below seem to be the source of consistent confusion and questions,
particularly with regard to individual employee responsibilities and
expectations.
Many of you will be familiar with this information, but others may not be as
aware. Either way, it is always good to have a reminder regarding our expected
roles in helping to secure the valuable information technology assets available
for use on campus. In the interest of saving some time, I am including only
fairly brief bullet points regarding these five areas of particular concern; if
you have further questions regarding this or any other technology security
information, please feel free to contact either me or the Help Desk (x4357).
Every BCC employee should know:
1. Login accounts and passwords providing access to BCC IT resources should not
   be shared. In some cases, groups of individuals may share access to an e-mail
   account acting as a central unit contact resource for business purposes, but
   such shared e-mail accounts may never be used to log in to computers or the
   network.
   o This also means individuals should never allow anyone else to use a
     computer into which they've logged in. This is not only a security risk
     for the network, it is an individual identity protection measure as well.
     If someone else is logged in as you, everything they do appears to be your
     doing.
2. BCC policies require that employees secure their workstations if they leave
   the immediate area (even for a few minutes!). This may mean logging out and
   shutting down the computer in some cases, but most of the time locking the
   screen and requiring a password to unlock it is sufficient.
3. All software and technology hardware used at BCC must be properly licensed
   and processed through Computing Services (CS) for records and auditing
   purposes. The civil and financial liability to the college and to individuals
   related to using improperly licensed software is significant, as much as
   $100,000 for each individual incident!
   o In the case of college-owned technology, this requirement includes any
     hardware and software, whether purchased by unit funds, college funds or
     professional development funds.
   o Personally-owned or purchased software and hardware may be installed on
     campus, but the same guidelines for licensing apply. In the case of
     personally-owned hardware, requirements exist for testing for compatibility
     with the existing BCC technology and network, and for proper security
     configuration.
4. All communication through the BCC network is logged (recorded in a database),
   and is publicly disclosable information. This does not mean any individual's
   activities are monitored on a routine basis, but it does mean that BCC has an
   obligation to produce all network records when legally required (either in a
   criminal investigation or in response to civil litigation). In the case of
   ongoing investigations, this could include real-time monitoring, as directed
   by the HR VP.
   o A significant aspect of the public nature of BCC electronic communication
     is the use of e-mail. All e-mail is potentially disclosable in response to
     a legal or public disclosure request. A good rule of thumb is not to put
     something into an e-mail that you would be uncomfortable with being
     subsequently published in a newspaper.
5. Electronic data is subject to the same privacy restrictions as non-electronic
   information and data, and requires the same protections. Protection of
   sensitive data collected and used at BCC is a primary purpose for
   implementing security measures governing the information technology resources
   on campus.
   o The classification of data used at BCC as public, sensitive or confidential
     information is not an IT security matter per se, but the storage and
     transmission of such data using BCC technology is a primary security
     concern.
   o Caution always needs to be used to ensure that protected data is not
     intentionally disclosed through e-mail, instant messaging, the Web, blogs
     or podcasts. The physical security of protected data stored on any storage
     media (tape, disk, thumb drive or hard drive), especially including data
     stored on BCC laptop computers, is of the highest concern at all times.
These points do not cover
all aspects of IT security on campus, but they are perhaps the five areas most
misunderstood by employees. If everyone on campus understands these issues
and follows the guidelines and procedures related to them, technology security
on campus will be significantly increased.
Copyright (c) 2008 - Bellevue Community College