Maria Hishikawa MSIX Technical Lead Sarah Storms MSIX Contractor Security

Similar documents
Webinar will start soon

How to Build a Culture of Security

How To Complete Your Own GSA Schedule GovernmentContractingTips.com

Employee Security Awareness Training

Integrated Access Management Solutions. Access Televentures

SHS Annual Information Privacy and Security Training

Hong Kong Access Federation (HKAF) Identity Management Practice Statement (IMPS)

Cyber Security. February 13, 2018 (webinar) February 15, 2018 (in-person)

Protecting Personally Identifiable Information (PII) Privacy Act Training for Housing Counselors

Access Control Policy

EBOOK 4 TIPS FOR STRENGTHENING THE SECURITY OF YOUR VPN ACCESS

Leveraging the LincPass in USDA

Cyber security tips and self-assessment for business

Frequently Asked Questions (FAQ)

Password Standard Version 2.0 October 2006

Employee Security Awareness Training Program

Cyber Security Guide. For Politicians and Political Parties

Virtual Product Fair. Protect your agency data protect your business

ANNUAL SECURITY AWARENESS TRAINING 2012

Cybersecurity in Higher Ed

UT HEALTH SAN ANTONIO HANDBOOK OF OPERATING PROCEDURES

Cyber Hygiene Guide. Politicians and Political Parties

BEST PRACTICES FOR PERSONAL Security

What is Authentication? All requests for resources have to be monitored. Every request must be authenticated and authorized to use the resource.

Secure Web Fingerprint Transaction (SWFT) Access, Registration, and Testing Procedures

Cyber Security Guide for NHSmail

How NOT To Get Hacked

No More Excuses: Feds Need to Lead with Strong Authentication!

IS-906: Workplace Security Awareness. Visual 1 IS-906: Workplace Security Awareness

UTAH VALLEY UNIVERSITY Policies and Procedures

The State of Privacy in Washington State. August 16, 2016 Alex Alben Chief Privacy Officer Washington

Security Awareness & Best Practices Best Practices for Maintaining Data Security in Your Business Environment

Table of Contents. PCI Information Security Policy

Breaches and Remediation

Information Technology Standards

Modern two-factor authentication: Easy. Affordable. Secure.

2 Creating New CCQAS 2.8 User Accounts

2 User Guide. Contents

University of Pittsburgh Security Assessment Questionnaire (v1.7)

FFIEC CONSUMER GUIDANCE

Remote Access Policy

ADOPTED STANDARDS/POLICIES. Information Technology Security Policy

Restech. User Security AVOIDING LOSS GAINING CONFIDENCE IN THE FACE OF TODAY S THREATS

HMIS (HOMELESS MANAGEMENT INFORMATION SYSTEM) SECURITY AWARENESS TRAINING. Created By:

2016 SC REGIONAL HOUSING AUTHORITY NO. 3 S EIV SECURITY POLICY

DIRECTIVE ON INFORMATION TECHNOLOGY SECURITY FOR BANK PERSONNEL. June 14, 2018

Security Awareness. Presented by OSU Institute of Technology

Secure access to your enterprise. Enforce risk-based conditional access in real time

Cyber Security Updates and Trends Affecting the Real Estate Industry

Data Security and Privacy : Compliance to Stewardship. Jignesh Patel Solution Consultant,Oracle

FERPA & Student Data Communication Systems

Paystar Remittance Suite Tokenless Two-Factor Authentication

MODULE NO.28: Password Cracking

Cyber Security Program

CYBERSECURITY IN THE POST ACUTE ARENA AGENDA

State of Colorado Cyber Security Policies

Protecting Your Gear, Your Work & Cal Poly

Security Specification

WHAT IS CORPORATE ACCOUNT TAKEOVER? HOW DOES IT HAPPEN?

INFORMATION TECHNOLOGY COMMITTEE ESCB-PKI PROJECT

Keep the Door Open for Users and Closed to Hackers

PII Policies and Procedures

Criminal Justice Information Security (CJIS) Guide for ShareBase in the Hyland Cloud

MU2a Authentication, Authorization & Accounting Questions and Answers with Explainations

Information Security Policy

InterCall Virtual Environments and Webcasting

USER MANUAL ID PROOFING AND TWO-FACTOR AUTHENTICATION THROUGH FALCON PHYSICIAN TABLE OF CONTENTS

TABLE OF CONTENTS. Lakehead University Password Maintenance Standard Operating Procedure

FFIEC CONSUMER GUIDANCE

Auditing Bring Your Own Devices (BYOD) Risks. Shannon Buckley

NMHC HIPAA Security Training Version

GLOBAL PAYMENTS AND CASH MANAGEMENT. Security

NETWORK AND CERTIFICATE SYSTEM SECURITY REQUIREMENTS

North Carolina Health Information Exchange Authority. User Access Policy for NC HealthConnex

Train employees to avoid inadvertent cyber security breaches

Signing up for My Lahey Chart

Manual: Create a Staff Posting Initiator

Best Practices Guide to Electronic Banking

LifeWays Operating Procedures

Authentication Methods

Handbook Webinar

10 KEY WAYS THE FINANCIAL SERVICES INDUSTRY CAN COMBAT CYBER THREATS

Document Title: Electronic Data Protection and Encryption Policy. Revision Date Authors Description of Changes

How Cyber-Criminals Steal and Profit from your Data

Mobile Device Policy. Augusta University Medical Center Policy Library. Policy Owner: Information Technology Support and Services

Red Flags/Identity Theft Prevention Policy: Purpose

QuickBooks Online Security White Paper July 2017

NYSED Teacher Student Roster Verification (TSRV) system

Enviro Technology Services Ltd Data Protection Policy

Table of Contents. Blog and Personal Web Site Policy

Securing Network Devices with the IEC Standard What You Should Know. Vance Chen Product Manager

IMPORTANT INFORMATION

Data Privacy Breach Policy and Procedure

Table of Contents. Overview of the TEA Login Application Features Roles in Obtaining Application Access Approval Process...

Quick recap on ing Security Recap on where to find things on Belvidere website & a look at the Belvidere Facebook page

Who We Are! Natalie Timpone

NORTH AMERICAN SECURITIES ADMINISTRATORS ASSOCIATION Cybersecurity Checklist for Investment Advisers

BISHOP GROSSETESTE UNIVERSITY. Document Administration. This policy applies to staff, students, and relevant data subjects

PASSWORD SECURITY GUIDELINE

ISSUE N 1 MAJOR MODIFICATIONS. Version Changes Related Release No. PREVIOUS VERSIONS HISTORY. Version Date History Related Release No.

Transcription:

Migrant Student Information Exchange (MSIX) Security, Privacy and Account Management Webinar Deloitte Consulting LLP. February 22, 2018 Maria Hishikawa MSIX Technical Lead Sarah Storms MSIX Contractor Security 0

Introductions Agenda: This Webinar is being recorded. MSIX Account Management Improvements/Changes Part 1: Security and Privacy Awareness Training for All MSIX Users Part 2: User Administration Role-Based Training for User Administrators and State Migrant Education Program (MEP) Directors 1 You are invited to attend the Part(s) that pertains to your role within MSIX.

Account Management Improvements/Changes Shorter-Term Updated Account Application with Intended Use section Automatic disabling of unused accounts Longer-Term Streamlined new user application and registration Self-service account/password management Enhanced user login experience Enhanced security for privileged users 2

Part 1: 2018 Security and Privacy Awareness Training Objectives: MSIX Users will: Understand laws, policies and procedures that govern MSIX Accounts Management Understand current cyber security threats Understand accounts management terminology Understand Do s and Don ts of accounts management Identify suspicious email messages Understand proper handling of Privacy information and Personal Identifiable Information (PII) while using MSIX 3

Federal and ED Cybersecurity References 4 Federal Government Wide Federal Information System Modernization Act of 2014 (FISMA) National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53A Revision 4 US Department of Education US Department of Education (ED) Office of Chief Information Officer (OCIO) OCIO-01 Information Assurance / Cybersecurity Policy (Jan. 2017) MSIX Specific MSIX System Security Plan MSIX Privacy Impact Assessment

Cyber Security Threats in the News EQUIFAX Breach OPM Hacked YAHOO Accounts Stolen ANTHEM PII Stolen In 2016: Real Threats to MSIX 81% of breaches leveraged stolen or weak passwords 43% were social engineering attacks Key Logger Email Phishing 75% perpetrated by outsiders 25% involved internal actors 27% of breaches were discovered by third parties 5

Cybersecurity Terminology Identification - a user claims or professes an identity with a username, a process ID, a smart card, or anything else that can uniquely identify a subject Authentication a user provides appropriate credentials to prove an identity Something you have: smartcard or RSA key Something you know: password Something you are: biometric (fingerprint) Authorization a user is granted access to a system Role-Based Access Control a user is granted access to resources based on his role Separation of Duties more than one person is responsible for a task Least Privilege user s role matches assigned job functions 6

Account Management Do s and Don ts DON T share your user ID and password with anyone else. DON T write your password down or keep it in an area where it can be easily discovered. DON T use the remember password feature. DO remember that user accounts are disabled after three (3) consecutive invalid attempts. DO register with official work email; not unofficial/free email accounts. DO follow the MSIX Password Policy A password must: 7 Be changed upon initial login to MSIX; Contain at least eight (8) characters; Contain a mix of letters (upper and lower case), numbers, and special characters (#, @, etc.); Be changed at least every ninety (90) days; Not be one of user s previous six (6) passwords.

POP-Quiz #1: Password Rules Q&A Beth is trying to log into MSIX but isn t sure of her password. Q1: Should she try to guess the password to sign-in? Q2: She is embarrassed to ask her user administrator to reset the password. Should she ask her teammate to share their password with her? Q3: Who should Beth contact to have her password reset? Q4: Should Beth be embarrassed? 8

POP-Quiz #1: Password Rules Q&A Beth is trying to log into MSIX but isn t sure of her password. Q1: Should she try to guess the password to sign-in? A1: Yes, she can make up to 3 attempts before her account gets locked. Q2: She is embarrassed to ask her user administrator to reset the password. Should she ask her teammate to share their password with her? A2: No, never log in with another person s password. Q3: Who should Beth contact to have her password reset? A3: Beth should contact her User Administrator. They can be contacted through the MSIX login page. The MSIX Help Desk cannot assist with password resets. Q4: Should Beth be embarrassed? A3: No. Resetting passwords frequently is a very good practice. 9

Email Best Practices Do not open unexpected attachments Do not click on suspicious links within emails Install and update anti-virus software on all devices Learn how to recognize phishing Messages that contain threats to shutdown accounts or devices Requests for personal information (passwords or Social Security Numbers) Words like Urgent Forged email addresses Poor writing or bad grammar 10 Don t give your email address to sites you don t trust Suspicious emails must be reported as an incident to your IT office and to MSIX Help Desk

POP-Quiz #2: Email Phishing David receives the email message below. Is this legitimate? From: IT Support Help Desk mvivisel@xcvb.com To: David.Smith@ed.state.gov Subject: Password Security Check Attachment: passwordhack.exe URGENT! REQUIRED! You re IT support desk is providing a service to all users so you have good passwrods. click on attachment to check your passsword. OR you can click on this link: http://passwordcollector.hax.com Your account will be locked if you do not act now. 11 Password Team

POP-Quiz #2: Email Phishing David receives the email message below. Is this legitimate? From: IT Support Help Desk mvivisel@xcvb.com To: David.Smith@ed.state.gov Subject: Password Security Check Attachment: passwordhack.exe URGENT! REQUIRED! Answer 1: Address doesn t match name Answer 2: Suspicious attachment Answer 3: False sense of urgency Answer 4: Poor grammar and misspellings You re IT support desk is providing a service to all users so you have good passwrods. click on attachment to check your passsword. 12 OR you can click on this link: http://passwordcollector.hax.com Your account will be locked if you do not act now. Password Team Answer 6: Threat of account lock-out encourages action Answer 5: Suspicious hyperlink

MSIX Privacy Protections Lock your computer when leaving computer unattended Media (including reports) containing MSIX information should be stored in locked container during non-business hours Do not leave paper media with MSIX information in public areas Store digital information in an encrypted format where technically possible Media containing MSIX information should be properly cleansed or destroyed If the access which you have been granted within MSIX is more than required to fulfill your job duties, it should be reported to your MSIX User Administrator Do not disclose MSIX information to individuals without a need-toknow of the information in the course of their business 13

POP-Quiz #3: TRUE or FALSE - Privacy and PII 1. Comment fields in MSIX can be used to share information that we collect through MDEs, like address or phone number. 2. MSIX IDs can be shared through email since only MSIX users can get more personal information on that student. 3. Comment fields are inside MSIX so it s safe to write-in SSN, medical conditions and disciplinary records. 4. Screenshots from MSIX can be emailed to MSIX Help Desk since they already have access to the data. 14

POP-Quiz #3: TRUE or FALSE - Privacy and PII 15 1. Comment fields in MSIX can be used to share information that we collect through MDEs, like address or phone number. TRUE: MDE lists are approved list of data collected within MSIX. 2. MSIX IDs can be shared through email since only MSIX users can get more personal information on that student. TRUE: MSIX IDs are only accessible by authorized MSIX users. 3. Comment fields are inside MSIX so it s safe to write-in SSN, medical conditions and disciplinary records. FALSE: Only MDE lists are approved. If it s not an approved data element, MSIX is not authorized to collect the data anywhere. 4. Screenshots from MSIX can be emailed to MSIX Help Desk since they already have access to data. FALSE: Emails can be intercepted by hackers.

Certificate of Completion 2018 MSIX Security and Privacy Awareness Training (0.5 hour) Completed on (date) I certify attendance and completion for this training. Attendee Name Printed Attendee Signature I have verified completion of the training by the attendee. Supervisor Name Printed Supervisor Signature 16 Certificate is valid only when completed by both the attendee and their supervisor.

BREAK Part 2: User Administrator Role-Based Training Non-User Administrators may drop off at this time. 17

Part 2: User Administrator Role-Based Training Objectives: MSIX User Administrators will: Understand each stage of the Account Management Cycle Identify their role in the Account Management Process Understand the difference between Privileged vs. Non- Privileged User Roles Understand important principles of User Administration Identify MSIX Report(s) available for periodic Account Reviews 18

Account Management Cycle 19

Initial Account Management Process 1. Account creation, modification and disablement are all handled by State or Regional User Administrator(s). 2. All request forms are maintained by the State. 3. Password resets are handled by State or Regional User Administrator(s). 20

Privileged vs. Non-Privileged Accounts Privileged User Roles able to perform user account management functions including creating, modifying and disabling or deactivating State User Administrators Regional User Administrators State Batch Submitters can upload files to MSIX Non-privileged User Roles unable to perform user account management functions or upload files MSIX Primary MSIX Secondary State Data Administrator Regional Data Administrator District Data Administrator State Region Administrator 21

User Administration Principles Separation of Duties Having more than one person complete a task Principle of Least Privilege Granting roles to perform only assigned job functions Access Need to know information only Examples Verifying authority and final approving authority should not be same person A user should not have both MSIX primary and MSIX secondary role A user should not be both a User Administrator and Data Administrator Remember Goldilocks? 22

Account Reviews Account Disablement account may be re-enabled Seasonal program employees Employee taking leave of absence Account Deactivation permanent action in MSIX Employee who has left job Ensure that email address is changed upon deactivation All accounts should be reviewed at a minimum annually Is user still employed in your State? Is user still in same position? Do assigned roles still make sense? 23

User Administration Using Reports - Are there accounts created but never logged on? - Are seasonal workers Disabled when not in use? - Are separated users accounts Deactivated? - Are assigned roles appropriate, without unnecessary access? 24

POP-Quiz: TRUE or FALSE User Administration 1. MSIX User Administrators are privileged users because they can change other users passwords, permissions and profile. 2. MSIX user accounts need periodic review. 3. MSIX User Administrators should encourage frequent password resets. 25

POP-Quiz: TRUE or FALSE User Administration 26 1. MSIX User Administrators are privileged users because they can change other users passwords, permissions and profile. TRUE: User Administrators must take extra care when changing user accounts at all times. 2. MSIX user accounts need periodic review. TRUE: User accounts should be reviewed according to your State s MEP program cycles. MSIX Support team doesn t receive notice of changes in users employment status. 3. MSIX User Administrators should encourage frequent password resets. TRUE: Users are often embarrassed to request password resets when they are locked out. Users should be praised for frequent password changes, not shamed or blamed for forgetting it.

Certificate of Completion 2018 MSIX User Administrator Role-Based Training (0.5 hour) I certify attendance and completion for this training. Attendee Name Printed Attendee Signature Completed on (date) I have verified completion of the training by the attendee. Supervisor Name Printed Supervisor Signature 27 Certificate is valid only when completed by both the attendee and their supervisor.

Wrap-Up 28

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback