Why Secure Computing Is Your Responsibility
While your department may have staff who provide computer setup and assistance, ultimately you are responsible for taking care of your computer and guarding the information it holds. Following security guidelines and good business practices is part of doing your job. The vast majority of computer breaches that we have investigated over the past few years have been the result of poor personal choices, weak computer practices, and less-than-satisfactory data-handling procedures.
It is the responsibility of everyone who uses a computer at work to protect NYMC data. The data on your computer is university property that has been placed in your care.
Much of the data we work with is sensitive, such as Social Security numbers, payroll information, grades, and more. However, all university data needs to be protected. For more examples of sensitive data see Different Types of Information.
Consequences of Not Practicing Secure Computing
Keeping your computer secure takes vastly less time than recovering from a security problem. If your computer is compromised, you will likely lose access to it for at least a few hours, possibly days. You may also lose any work you did since your computer was last backed up.
If the security problem put sensitive data at risk, or if your computer is lost or stolen, the effects can be far-reaching:
- You may be held accountable for any negligent action, or inaction, that led to the incident.
- The university may suffer financial loss as well as loss of reputation.
- The individuals whose data is compromised could potentially also suffer financial loss, identity theft, and unwanted public exposure of private information.
Recovering from a computer compromise or loss of sensitive data, large or small, can take people many hours and, as a result, is an expensive activity. For details on the steps taken and the people involved in investigating an incident, see Protecting University Data, Consequences of Mishandling Sensitive Data.
Consequences of Mishandling Sensitive Data
Mishandling sensitive data can lead to NYMC suffering financial loss or loss of reputation. The possible loss of certain types of data requires NYMC to report the event to government agencies and inform possibly affected individuals.
If there is even a possibility of data loss, responding can easily consume hundreds of hours and is, as a result, an expensive activity. It can also involve many people from both within your department and elsewhere around campus and, consequently, can significantly disrupt college business.
Many universities, even NYMC, have experienced the repercussions of losing sensitive data, including:
- Regulatory fines
- Loss of funding from government agencies
- Loss of donations and gifts
- Loss of reputation
What Happens When NYMC Data May Have Been Exposed to an Intruder or Malicious Software
If an intruder has gained access to a computer used at NYMC that contains sensitive data, the IT Security Office will lead an investigation of the incident.
- The computer's hard drive will be copied for analysis.
- Information on the computer's hard drive and other data, such as network traffic history, are analyzed to determine whether sensitive data may have been exposed.
- The College's response to the incident is determined by a team whose members include:
  - Vice President for Information Technologies (chairs the group)
  - IT Policy Office
  - IT Security Office
  - Audit Office
  - College Counsel
  - NYMC Security
  - College Communications
  - Risk Management
The team will also bring in the unit head, IT staff, and other staff from the department where the incident occurred, as well as the college data steward (for example, the Vice President for Student and Academic Services for incidents involving student data, or the Vice President for Human Resources for incidents involving employee data). See College Policy IS-102 for a complete list of data stewards.
- The officers meet to review the incident and determine how the university should respond to it. If there is a reasonable likelihood that sensitive data could have been accessed in an unauthorized fashion, the officers determine which potentially affected parties need to be notified. The officers also consider what needs to be done to avoid similar incidents in the future.