Last Updated By:  Information Security Team, October 2019


An Introduction to Information Security and User Awareness Training


The following is an introduction to the fundamentals of Information Security and TMU’s training requirements for its employees. This material is presented in a question-and-answer format to help you understand the need to protect student and institutional data from breaches and to maintain compliance with FERPA, GLBA, GDPR, and other privacy laws.

 

Q1: What is Information Security?

A: Information Security is the process of:

  •  Maintaining the privacy of sensitive student, organizational and personal data
  •  Protecting this data from unauthorized modification
  •  Ensuring data accessibility when needed

Q2: What are the consequences of an Information Security breach?

A: There are several potential consequences.

  •  Loss of student or employee data is a breach of privacy and could lead to identity theft for individuals and fines for the University. The average cost of a data breach in the U.S. education field is $245 per lost record. When Social Security Numbers are involved, the cost jumps to $355 per record lost.
  •  Data compromises, including hacked user accounts such as email, require TMU to immediately report such incidents to the U.S. Department of Education for review. Fines of up to $54,789 per incident can be levied for not reporting incidents. Patterns of data handling negligence can ultimately result in loss of federal funding for the University.
  •  Breaches that involve more than 500 California residents require reporting to the State Attorney General’s Office.
  •  Information security breaches can also lead to a loss of reputation for the University and significantly impact current and future business operations.

Q3: What are some threats to TMU’s data?

A: Recent threats include but are not limited to:

  •  Malware (viruses, ransomware, worms, etc.)
  •  Ransomware, where an attacker locks your data and demands a ransom to unlock it
  •  Outdated software with security vulnerabilities
  •  Lost, unencrypted computers/devices containing sensitive data
  •  Human error (accidentally emailing sensitive information, lost USB drives, sharing passwords with others, etc.)
  •  Social engineering

Q4: What is social engineering?

A: Social Engineering is the art of manipulating people into giving up confidential information such as financial account details, passwords, etc.

  •  Criminals may trick you into giving up sensitive information or installing malware to gain access to your computer.
  •  They may accomplish this through fraudulent emails, phone calls, SMS, or other means.
  •  Phishing emails are one of TMU’s greatest threats.

Q5: Doesn’t IT utilize email filters that will block all phishing emails?

A: While TMU has several layers of email filtering that will block a majority of malicious emails, a portion still gets through due to constantly evolving tactics and new content used by cyber criminals. Consequently, it’s still very important for all TMU users to carefully process their emails. There have been several incidents where employees have given up their access credentials for important systems by responding to a phishing email.


Q6: What security training is available to TMU employees?

A: The University has partnered with a leading security vendor to provide weekly phishing simulation emails to educate faculty, staff, and student interns on the latest phishing threats impacting universities and companies.

  •  Some simulation emails will appear to be legitimate emails at first glance. Our intention is not to trick you, but to help you become familiar with what actual threats may look like when they arrive in your TMU inbox and how to respond.
  •  Per TMU’s Information Security and Acceptable Use policies, employees will be assigned periodic online interactive training covering various current information security topics and potential threats. These videos will vary in length from 5-15 minutes. Training will vary with different job functions.

Q7: How do I access TMU’s user awareness training portal?

A: Please navigate to www.masters.edu/training.

  •  At TMU’s Microsoft login page, enter your faculty/staff credentials.
  •  You will then be redirected to our training site and you will see the training that has been assigned to you.

Q8: Is this training required?

A: Yes.

  •  Per TMU's Information Security and Acceptable Use policies, this is required training.
  •  Please do not neglect this valuable training. Many TMU employees, quite possibly including yourself, will be handling sensitive data. A single careless act in handling data can result in significant damage to the University.