MSUTexas

Information Security

Policy and Procedure

Policy and Procedure Resources:


Contact Information:
Jim Hall, Chief Information Security Officer
Memorial Building 207A, 8:00 a.m. - 5:00 p.m. Monday-Friday
Phone: (940)397-4680 Fax: (940)397-4509
jim.hall@mwsu.edu

Security Awareness Training

As you already know, Midwestern State University and the State of Texas place a great deal of importance on information security, and Texas Administrative Code section 202 specifies a requirement for all state agencies to engage in ongoing security awareness training for all people who have an @mwsu.edu email address.

The annual, mandatory training for the 2018-2019 academic year will be available from Wednesday, August 1st until 5:00 pm on April 30th; complete the training within that window.


To begin training, go to https://training.knowbe4.com/login and enter your @msutexas.edu email address.  The login page will appear like the example shown below.

[Illustration: KnowBe4 login page]

If you cannot remember the password you created when you first trained in the KnowBe4 system you can go to https://training.knowbe4.com/users/password/new and enter your @msutexas.edu email address to have password reset instructions sent to you by email.  The “Forgot Your Password?” page will appear like the example shown below.


[Picture: KnowBe4 password reset page]


Once you are logged in, click on the "My Training" tab to see the courses you are required to take, then click the "Start Course" button next to each course. These courses launch in a separate window, so be sure to turn off your popup blocker for www.knowbe4.com. The courses will take approximately 43 minutes to complete in total.

Our Information Resources Use and Security Policy can be found on a separate page here.

IMPORTANT NOTE: Close your course browser window when you finish a course so that completion is recorded, and also if you need to pause the training for an extended period of time. When you log back in, you will be able to resume your training. Upon completion, you do not need to print your certificates, as we track completion electronically.

An added benefit of this program is that home training is made available to us that can be shared with students and family members as you see fit. This is a different training than the modules for campus employees so please do not take this training instead of the official training mentioned above. To provide access to the home training you can share the information below:

Home Internet Security Awareness Training: https://www.knowbe4.com/homecourse
Password: homecourse



Resources

Report an Incident
Suspicious emails should be sent to phishingreports@mwsu.edu.
If you may have clicked on a suspicious link, or if you get a popup warning you about Malware or Windows Security, please call the Information Technology Helpdesk at (940) 397-4278.


Forms

Here you will find several forms pertaining to Information Security and Technology.

Tools

Various tools to help you with information security.

Stop.Think.Connect.

Below you will find links to some signage to help spread awareness about information security best practices.

"Careful" full size

"Cybercrime" full size

"Careful" full size

Protected Health Information (PHI)

PHI, as defined by HIPAA (US & Puerto Rico only). List of 18 identifiers:

  1. Names
  2. All geographical subdivisions smaller than a State, including street address, city, county, precinct, zip code, and their equivalent geocodes, except for the initial three digits of a zip code, if according to the current publicly available data from the Bureau of the Census: (1) The geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people; and (2) The initial three digits of a zip code for all such geographic units containing 20,000 or fewer people is changed to 000.
  3. All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death; and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older;
  4. Phone numbers;
  5. Fax numbers;
  6. Electronic mail addresses;
  7. Social Security numbers;
  8. Medical record numbers;
  9. Health plan beneficiary numbers;
  10. Account numbers;
  11. Certificate/license numbers;
  12. Vehicle identifiers and serial numbers, including license plate numbers;
  13. Device identifiers and serial numbers;
  14. Web Universal Resource Locators (URLs);
  15. Internet Protocol (IP) address numbers;
  16. Biometric identifiers, including finger and voice prints;
  17. Full face photographic images and any comparable images; and
  18. Any other unique identifying number, characteristic, or code (note this does not mean the unique code assigned by the investigator to code the data)

There are also additional standards and criteria to protect individuals' privacy from re-identification. Any code used to replace the identifiers in datasets cannot be derived from any information related to the individual and the master codes, nor can the method to derive the codes be disclosed. For example, the unique code cannot include the last four digits (in sequence) of the Social Security number. Additionally, the researcher must not have actual knowledge that the research subject could be re-identified from the remaining identifiers in the PHI used in the research study. In other words, the information would still be considered identifiable if there was a way to identify the individual even though all of the 18 identifiers were removed.

Personally Identifiable Information (PII)

For purposes of data governance, personally identifiable information (PII) is defined as follows:

Any instance of an individual’s first name (or first initial) plus the last name and any one or more of the following:

  • Social Security number
  • Driver license or state-issued ID number
  • Military ID number
  • Passport number
  • Credit card (or debit card) number, CVV2, and expiration date
  • Financial account numbers (with or without access codes or passwords)
  • Customer account numbers
  • Unlisted telephone numbers
  • Date or place of birth
  • Mother's maiden name
  • PINs or passwords
  • Password challenge question responses
  • Account balances or histories
  • Wage & salary information
  • Tax filing status
  • Biometric data that can be used to identify an individual, including finger or voice prints, and digital or physical copies of a handwritten signature
  • E-mail addresses
  • Medical record numbers
  • Vehicle identifiers and serial numbers, including license plate numbers
  • Medical histories
  • National or ethnic origin
  • Religious affiliations
  • Physical characteristics (height, weight, hair color, eye color, etc)
  • Insurance policy numbers
  • Credit or payment history data
  • Full face photographic images and any comparable images
  • Certificate/license numbers
  • Internet Protocol (IP) address numbers

**In general, personally identifiable information does not include information that is lawfully obtained from publicly available records, or from federal, state or local government records lawfully made available to the general public.**

Handling PII

Phishing Examples

This is a collection of phishing emails that will help you practice spotting phishes in action.

Can you spot the red flags in the example below?
Example One: Urgent Messages

[Image: phish1.png, the Example One phishing email]
Red Flags:

  • IT@mwsu.net is not a valid campus email address. You can check by:
    • Looking in the MSU Directory (use the "Directory" link at the top of the home page)
    • Looking in your Outlook address book
    • Knowing that the university should be using a .edu address
    • Checking the MSU IT webpage for contact information to verify
  • Spelling and Grammatical Errors
    • security "breech"
    • "there" password
  • "Change Password" link
    • It would be highly unusual to receive a link with a label rather than the URL address. (We would say go to webmail.mwsu.edu to change your password, not hide the link behind "Change Password".)
    • If you hover over the link in the actual email, you will see that the URL does not match anything belonging to mwsu.edu
  • Urgency
    • Any urgent calls to action should always be viewed with suspicion. If ever in doubt, you may call the IT Helpdesk at (940) 397-4278 to confirm.
  • Signature
    • Not signed by a particular person in our Information Technology department
    • No official signature logo
    • No contact information


Example Two: Social Media
[Image: phish2.png, the Example Two phishing email]
Red Flags:

  • Facebook-notification@facebookuploads.com is not a valid email address. You can check by:
    • Facebook would not be likely to pay for a separate domain. (facebook.com is believable, but they would not have a separate domain of facebookuploads.com)
    • Companies that buy up multiple domains are often suspect
    • Going to the Facebook webpage in another window so you can verify contact information
    • Google the email address if all else fails
  • "Upload" and "unsubscribe" links
    • It would be highly unusual to receive a link with a label rather than the URL address.
    • If you hover over the links in the actual email, you will see that the URL does not match anything belonging to facebook.com
  • Location and Situation
    • Why would Facebook reach out to your mwsu.edu email address? Personal accounts should never be linked to work information.
    • Facebook does not normally email users about uploads. If you are unsure about your notification settings, log in to facebook in another window and check your account settings.
  • Contact Information
    • The company name is not "Fbook,LLC"
    • There would be no reason for a department to be called "Department 415"
    • The zip code is repeated twice


Example Three: Too Good to be True

[Image: phish4.png, the Example Three phishing email]

Red Flags:

  • promotions@sbuxcoffee.com is not a valid email address. You can check by:
    • It is unlikely that their email address would end in @sbuxcoffee.com as opposed to @starbucks.com, since none of their official branding and signage include the term "sbux."
    • Google the email address if all else fails
  • Links in the Email
    • The address sbux.co is suspicious because ".co" is the country code for Colombia.
  • Location and Situation
    • Why would Starbucks reach out to your mwsu.edu email address? Personal accounts should never be linked to work information.
    • Starbucks does not normally email people about deals unless they have a Starbucks account.


Use this example as practice for spotting the red flags.
[Image: phish6.png, practice phishing email]


If you think your account has been compromised:

  • If you receive an email saying your account has been compromised, do not click a link in the email to reset your password. Instead, log in to your account and reset the password using normal means.
  • Contact your network administrator. For MSU accounts, contact the IT Help Desk Analyst at (940)397-4278 or by sending an email to helpdesk@mwsu.edu
  • If the compromised account is tied to any other personal information (especially payment methods), you should be sure to monitor your statements for any unauthorized activity.


How-To

How to Spot a Suspicious Email


Much like a front door to a house, your email is the first line of online defense to this institution.
An email should raise suspicion if:
  • You do not know the sender or you are not expecting the email.
  • The email contains misspelled words and grammatical errors.
  • The email has an attachment you were not expecting. Do not open suspicious attachments.
  • It references an account that you do not have.
  • It references an account that you have, but one that is not connected to that email address. If you aren't sure, log into your account from a separate window without using links from the email.
  • It contains a call to action: click this link or your data will be compromised, click here to get this great deal.
  • It makes nosy requests: asking for personal information, passwords, or confirmation of an account you did not create.
  • It sounds too good to be true; it probably is. It is unlikely that you have an inheritance from a relative you never knew, for example.
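The sender-domain, hidden-link and urgency red flags from the phishing examples and the list above can be checked mechanically. The following is an added example, not code from the MSU page or from KnowBe4; the trusted campus domains and the sample message are assumptions constructed for it.

```python
import re
from urllib.parse import urlparse

# Campus domains the checker trusts (assumption for this example).
TRUSTED_DOMAINS = ("mwsu.edu", "msutexas.edu")
# Wording typical of urgent calls to action.
URGENCY = re.compile(r"\b(immediately|urgent|within \d+ hours|suspended|will be (locked|closed))\b", re.I)

def host_belongs_to(host, domain):
    """True if host equals domain or is a subdomain of it; mwsu.net is not mwsu.edu."""
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)

def is_campus_host(host):
    return any(host_belongs_to(host, d) for d in TRUSTED_DOMAINS)

def is_lookalike(host):
    """Same leading label as a campus domain but a different suffix, e.g. mwsu.net."""
    label = host.split(".")[0]
    return not is_campus_host(host) and any(label == d.split(".")[0] for d in TRUSTED_DOMAINS)

def find_red_flags(sender, links, body):
    """Return red flags for a message claiming to come from campus.
    sender: address string; links: list of (visible label, real href); body: plain text."""
    flags = []
    sender_host = sender.rsplit("@", 1)[-1].lower()
    if not is_campus_host(sender_host):
        note = " (look-alike of a campus domain)" if is_lookalike(sender_host) else ""
        flags.append(f"sender domain {sender_host} is not a campus address{note}")
    for label, href in links:
        host = (urlparse(href).hostname or "").lower()
        if not is_campus_host(host):
            flags.append(f'link "{label}" really points to {host}')
        # A label that shows one address while the href goes elsewhere is a hidden link.
        shown = re.search(r"[\w.-]+\.[a-z]{2,}", label.lower())
        if shown and not host_belongs_to(host, shown.group(0)):
            flags.append(f"link text says {shown.group(0)} but target is {host}")
    if URGENCY.search(body):
        flags.append("urgent call to action")
    return flags

# Constructed message modelled on Example One above (not a real campus email).
SAMPLE = dict(
    sender="IT@mwsu.net",
    links=[("Change Password", "http://account-reset.example.net/login")],
    body="Due to a security breech you must update there password immediately or access will be suspended.",
)

if __name__ == "__main__":
    for flag in find_red_flags(**SAMPLE):
        print("-", flag)
```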


All suspicious emails should be forwarded to phishingreports@mwsu.edu
Examples of suspicious emails can be found in our Phishing Archive on the Resources page.
Good password creation and protection practices will keep your account secure.

How to create a strong password:

  • Use a combination of upper-case letters, lower-case letters, numbers, and special characters (for example: !, @, &, %, +) in all passwords.
  • Use passwords of at least six (6) characters (longer is better).
  • Avoid using people's or pets' names, or words found in the dictionary; it's also best to avoid using key dates (birthdays, anniversaries, etc.).
  • Substituting look-alike characters for letters or numbers is no longer sufficient (for example, "Password" and "P@ssw0rd").
  • A strong password should look like a series of random characters.
  • On the web, if you think your password may have been compromised, change it at once and then check your accounts on that website for misuse.
  • If you think your MSU network credentials may have been compromised, you should change your password at once and then call the help desk at 4278 on campus or (940) 397-4278 off campus.
  • Protect your password:
    • Keep your passwords private: never give your password to anyone.
    • Do not write down your passwords.
    • Report suspected incidents immediately.
    • Do not recycle your password or use it for multiple accounts.


Example: How to Create a Password

Possible steps to follow, with a worked example:

1. Think of a phrase or sentence with at least eight words. It should be something easy for you to remember but hard for someone who knows you to guess: a line from a favorite poem, story, movie or book, a song lyric, or a quotation you like. Example: It was the best of times, it was the worst of times.
2. Remove all but the first letter of each word in your phrase. Remove spaces and punctuation. Example: iwtbotiwtwot
3. Replace several of the lowercase letters with uppercase ones, at random. Example: iwtBotiWtwoT
4. Now substitute a number for at least one of the letters (1 for i, 0 for o, etc.). Example: iwtBot1Wtw0T
5. Finally, use special characters ($, &, +, !, @) to replace a letter or two, preferably a letter that is repeated in the phrase. You can also add an extra character to the mix (! for i, @ for o, etc.). Example: !wtB@t1Wtw0T
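A checker for the rules listed above (length, character classes, no dictionary words or names even behind look-alike substitutions, no key dates), run against "P@ssw0rd" and the passphrase-derived "!wtB@t1Wtw0T". This is an added example, not code from the MSU page; the dictionary and name lists are small constructed stand-ins for real word lists.

```python
import re
from datetime import date

# Constructed word and name lists standing in for a real dictionary (assumption).
DICTIONARY = {"password", "welcome", "football", "mustang", "summer", "letmein"}
NAMES = {"hall", "fluffy", "rover", "maverick"}

# Common look-alike substitutions, reversed: '@'->'a', '0'->'o', '1' and '!'->'i', '$'->'s' ...
LOOKALIKES = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                            "0": "o", "$": "s", "5": "s", "7": "t", "+": "t"})

def normalize(pw: str) -> str:
    """Undo look-alike substitutions so 'P@ssw0rd' becomes 'password'."""
    return pw.translate(LOOKALIKES).lower()

def check_password(pw: str) -> list:
    """Return the list of rules the password breaks; an empty list means it passes."""
    problems = []
    if len(pw) < 6:
        problems.append("shorter than 6 characters")
    classes = [r"[A-Z]", r"[a-z]", r"[0-9]", r"[^A-Za-z0-9]"]
    if not all(re.search(c, pw) for c in classes):
        problems.append("missing an upper-case, lower-case, digit or special character")
    base = normalize(pw)
    letters_only = re.sub(r"[^a-z]", "", base)
    if base in DICTIONARY or letters_only in DICTIONARY:
        problems.append("dictionary word, even after undoing look-alike substitutions")
    if any(name in base for name in NAMES):
        problems.append("contains a person's or pet's name")
    # Key dates: any 4-digit year from 1900 up to the current year.
    for year in re.findall(r"(?:19|20)\d{2}", pw):
        if 1900 <= int(year) <= date.today().year:
            problems.append("contains a year (birthdays and anniversaries are guessable)")
            break
    return problems

if __name__ == "__main__":
    for candidate in ["P@ssw0rd", "Sum2019!", "!wtB@t1Wtw0T"]:
        print(candidate, "->", check_password(candidate) or "OK")
```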



How to handle a compromised account:

  • If you suspect your account has been compromised, you should start with changing your password to that account.
  • If you receive an email saying your account has been compromised, do not click a link in the email to reset your password. Instead, log in to your account and reset the password using normal means.
  • Contact the administrator. For MSU accounts, contact the IT Help Desk Analyst at (940)397-4278 or by sending an email to helpdesk@mwsu.edu
  • If the compromised account is tied to any other personal information (especially payment methods), you should be sure to monitor your statements for any unauthorized activity.

How to Encrypt Emails to Offsite Users
Much of the data handled by the university is confidential and must be handled with care. Please use the document linked below for guidance.
How to Encrypt Emails


How to Encrypt Shared Files and Folders
Much of the data handled by the university is confidential and must be handled with care. Please use the document linked below for guidance.
How to Encrypt with 7zip

