Abuse Counseling and Treatment, Inc.

Circle of Support

WELCOME!

Welcome to the Abuse Counseling and Treatment, Inc. This course is meant to remind employees about the departmental policies and procedures regarding computer security and to introduce new topics that may have arisen since our last installment. If you have any questions about the material presented, please contact the Chief Executive Officer.

Security Awareness!Why is security so important?• Our security program is only as strong as its weakest link. We

increasingly use the Internet to share information, conduct business, and communicate globally and we raise concerns on safety. As our use of the Internet increases so do our vulnerabilities. Consequently, security and security awareness is critical in our day to day operations and must heighten our concern on safety, privacy, legality, and security.

• Readily-available hacking tools have increased the risk of hostile hackers breaking into networks and computer systems. Intrusion attempts are growing in number and complexity.

• We can implement great security technologies but if people do not use them, the Agency will be vulnerable.

You are the Key!

• You are the key to IT security.

• The following are ten rules or good habits of IT security.

• Your User ID is how the systems tracks what you do. You will be

held accountable for its use.

• Your password identifies that you are who you are.

• Use screen saver passwords on your PC; always keep your

password a secret.

• Lock your workstation when you step away from your office. Use the Ctrl-Alt-Delete command followed by “K” to lock your workstation.

• Log off of your PC at the end of the day.

• Be sure to lock up your portable media CDs, thumb drives, diskettes, confidential files, and other similar items.

• Always make back-up copies and store them in a separate place also under lock and key.

• Shred sensitive data.

You are the Key!

• Password protect all sensitive files and/or encrypt them.

• Always keep your password a “secret” except from authorized personnel.

Those personnel are:

Jennifer L. Benton

Jill Shaffer

• Never download any software to your desktop.

• Change your settings to never download software to desktop or server without prior Supervisor authorization.

You are the Key!

• There are several key Federal and State IT security laws that the ACT must follow. These include the Computer Related Crimes Act, Chapter 815, Florida Statutes; the Internal Revenue Code, Sections 6103, 7213, 7213A, and 7431; the Health Insurance Portability and Accountability Act, or HIPAA; and the National Institute of Standards and Technology, or NIST.

Key Laws!

• The provisions of the Computer Related Crimes Act shall be known and may be cited as the “Florida Computer Crimes Act.”

• The legislature has determined:

1) Computer-related crime is a growing problem in government as well as in the private sector.

2) Computer-related crime occurs at great cost to the public since losses for each incident of computer crime tend to be far greater than the losses associated with each incident of other white collar crime.

3) The opportunities for computer-related crimes in financial institutions, government records, and other business enterprises through the introduction of fraudulent records into a computer system, the unauthorized use of computer facilities, the alteration or destruction of computerized information or files, and the stealing of financial instruments, data, and other assets are great.

Offenses against intellectual property, against computer equipment or supplies; and against computer users may result in fines and imprisonment.

Computer Related Crimes Act!

The following are the important sections of the Internal Revenue Code that relate to computer security:

• Section 6103 – Confidentiality and Disclosure of Returns and Return Information.

• Section 7213 – Unauthorized Disclosure of Information of Returns and Return Information.

• Section 7213A – Unauthorized Inspection of Returns or Return Information.

• Section 7431 – Civil Damages for Unauthorized Disclosure of Returns and Return Information.

• Certain ACT computer systems use Federal tax information to verify income and Social Security information. Employees that use this information need to be aware of the Federal restrictions on the use and disclosure of any information obtained through these systems.

Internal Revenue Code!

HIPPA!

The Health Insurance Portability and Accountability Act of 1996, often referred to as simply HIPAA, was created to protect the privacy and security of Protected Health Information, or PHI, and promote efficiency through the use of standardized electronic transactions.

• All covered entities have been required to fully comply with the HIPAA Security provisions since April 20, 2005. These provisions apply to electronic protected health information, or EPHI.

• EPHI is accessible only by authorized people and processes and is not altered or destroyed in an unauthorized manner.

• It is the policy of Abuse Counseling and Treatment, Inc. to maintain the confidentiality of all personal information collected from employees, volunteers and clients. This is achieved by the following:

• Only authorized personnel, paid and unpaid, are allowed access to ACT computer workstations. It is also the policy of ACT to provide to all team members with a copy of CFOP 50-6. and to have all employees sign ACT’s Security Agreement.

•  All data reports sent to outside agencies (e.g.: funders) shall not use program participant names or other specific identifying information.

 

ACT Policies

ACT Policy

• Programs, such as our Client Services Network, have built in encryption methods to protect program participants’ names and identity.

• The Chief Executive Officer, Director of Operations and/or the agency Financial Director shall secure all memory system back-up tapes.

• Certain team members are given access to data or information systems. These team members will be provided passwords to access such information and are required to sign confidentiality agreements. Failure of team members to maintain the confidentiality of such information will result in the team member being subject to the disciplinary process up to and including termination. Upon termination for any reason, team members must return copies of all confidential information to ACT. All terminated employees will have user access removed immediately.

Electronic Monitoring

• ACT has provided most team members with personal computers, e-mail and Internet access. All such equipment is provided to permit team members to fully perform their jobs and to meet the demands of the people we serve. While team members have passwords, which are needed to access these devices, ACT maintains these passwords and may monitor any of these electronic devices and messages at any time. Passwords are not to be posted on computers or to be left in plain sight for others to read and are not to be communicated to others within or without the organization .

• Passwords for the Client Services Network and each team members computer are unique to each individually approved team member and it is strictly forbidden to share this password with anyone.

ACT Policy

• Team members should use the ACT equipment for business purposes. Team members should have no expectation of privacy in the use of any such equipment. Further, team members should understand that they have no expectation of privacy in any communication, which is located on ACT equipment and/or storage mechanisms and those communications which may be deleted but restored.

• Team members should understand that while they may delete electronic mail messages or correspondence, this does not necessarily mean that the messages or text are forever deleted. There may be means to electronically recreate or resurrect such documents. Moreover, messages or documents should not be created that, in ACT’s sole discretion, may violate or implicate its Equal Employment Opportunity Policy or No Harassment Policy. There will also be times when computer and/or Internet use will be monitored. Team members have no expectation of privacy in the use of their computer and/or Internet travel.

ACT Policy!

ACT Policy!

Internet Sites• ACT forbids team members to use the Internet to visit explicit X-rated or adult

entertainment sites or any sites that result in a charge to ACT for visiting the site. Should such a site be accidentally visited, a team member should report this information immediately to the Chief Executive Officer. In no case should information be downloaded and sent to other team members, that another team member could reasonably claim was offensive or in violation of ACT’s No Harassment Policy.

•  Internet use should be used for business purposes only. While ACT understands that personal use of the Internet will occur, team members should not abuse this privilege. Such personal use of the Internet should not occur during work time. Team members found spending too much time on the Internet on non-work related matters, either during or after work time, may be disciplined up to and including termination. Such time on the Internet may result in costs to ACT’s Internet account and also clogs its network for productive work.

•  

ACT Policy!

Adding Programs•ACT has multiple information systems that are essential to the successful operations of ACT and into which ACT has invested many resources. Due to the fact that adding personal programs to computers can result in violation of copyright and leasing laws, can slow down the system, import viruses into the system which can cause serious damage and loss of production time, as well as distract team members from their primary focus, no team member may add any computer program to her/his system without first obtaining the permission from the Chief Executive Officer. At no time should any team member download AOL or other internet service. The agency data security officer is the Chief Executive Officer. The Chief Executive Officer may designate responsibilities to assist in the security of all agency data.

• In the event a team member utilizes the computer’s recycle bin when deleting material containing information about a client or client’s children, the team member is required to delete the information from the recycle bin as a final step in the process of deleting confidential files or information.

ACT Policy!

Vital Information!• Information owners are required to remove all sensitive data from IT devices, network

components, operating system or application software, and storage media before it is disposed of. Furthermore, information owners are specifically forbidden to store confidential information on removable media, such as USB drives or Compact Disks.

• Individual users of portable and wireless networking technology should understand the security risks associated with these technologies.

• Additionally, new employees are required to review all applicable State and Federal rules and regulations that pertain to data confidentiality and information security as part of their initial training.

• ACT recognizes and supports the legitimate interests of copyright holders, and prohibits its employees from violating the rights of the copyright holders. All users of commercial software products licensed to ACT are responsible for upholding the terms of the license agreements.

• All users of computers owned, purchased or leased by ACT are expected to adhere to this policy and any related security safeguards. Each supervisor or contract manager must provide a copy of this policy to their staff or contractors who have access to computers owned, purchased, or leased by ACT.

Vital Information!• Violations of this policy will be handled as determined by the

Employee Handbook in accordance with other appropriate recourses.

• Copyright statutes do not preclude the imposition of liability for copyright infringements on governmental agencies and/or their staff.

• As a productivity enhancement tool, ACT encourages the business use of e-mail. Unless third parties have clearly noted copyrights or some other rights on the messages handled by ACT e-mail systems, all messages generated on or handled by these systems are considered to be the property of ACT. Electronic mail shall be considered PUBLIC RECORD unless specifically exempted by Florida Statutes.

• Every department and contract provider employee is responsible for information security, especially involving sensitive and confidential information.

More Vital Information!

• All employees, including provider employees with access to data through computer-related media, must read and sign the ACT Security Agreement/Policy A-23.

• This policy regulates the assignment and use of computer system user IDs and associated passwords and employee responsibilities when granted system access.

Vital Information!

• Electronic mail may contain confidential or sensitive information and at those times proper security should be maintained when using this tool.

• Access to the Internet from an ACT owned/leased facility must only be through a connection approved by ACT information Systems Network Control section and filtered through firewalls at ACT. Remote, out-posted users can use a commercial internet connection provided that they follow all ACT policies for PC remote connection security.

• Any suspicious or unexplained system behavior detected should be reported to the Chief Executive Officer immediately.

• Reporting, tracking, handling, and resolving incidents that result in damage, release of confidential information, and/or electronic denial of data processing services or security violations that could potentially lead to a breach of security.

.

Vital Information!•System managers and owners are responsible for ensuring that their application has documented security guidelines and rules included in a user guide or application manual and that all users of their systems have access to this documentation.•An employee or contracted employee who knows or suspects that a security incident or violation has occurred is responsible for informing their supervisor immediately of the potential problem. Failure to do so may result in disciplinary actions as prescribed in the Employee Handbook.•Supervisors are required to immediately notify the Chief Executive Officer of any security incidents or violations, whether suspected or confirmed. Through coordination with Information Systems personnel at the direction of the Inspector General, Supervisors will immediately ensure the equipment is secured and placed in a locked location. Information Systems personnel will be allowed to examine the equipment, if necessary, with consent from the Chief Executive Officer. Failure to do so may result in disciplinary actions as prescribed in the Employee Handbook.

Security Agreement!• Department security policies and procedures require that personal

passwords are not to be disclosed.

• Each new user of ACT’s computer systems is required to complete the ACT’s Security Awareness training, read the Security Agreement and provide his or her signature on the Security Agreement. This signed document will be placed in the user’s personnel file in Human Resources and it becomes part of the file.

How Can Security be Infected?

• A Logic bomb is a form of sabotage that causes the program to perform a destructive action when some triggering event occurs.

• A Trojan horse usually masquerades as a program that a user would wish to execute. However, the program conceals harmful code.

• ACT encourages the business use of e-mail as a productivity enhancement tool. Only ACT e-mail accounts are to communicate departmental business.

• Unless third parties have clearly noted copyrights or other rights on the messages handled by ACT e-mail systems, all messages generated or handled by these systems are considered to be the property of ACT.

• In addition, all electronic mail shall be considered public record unless specifically exempted by Florida Statutes.

ACT Email Systems

• Appropriate use of ACT’s e-mail system includes sending and receiving well-written, content-appropriate messages for ACT business purposes.

• The following are questions you should ask before sending an e-mail:• Should I encrypt the message?• Is the language and content appropriate?• Should I send the e-mail?• If you are unsure of an email or do not know the sender, do not open it.

• Inappropriate use…

• If you receive an email from an unknown sender or you are unsure about unsolicited attachments – delete it!

• Spam is the mass mailing of information via unwanted e-mail, generally of a bulk or commercial nature. Listserv mailing lists are a popular method of disseminating spam. Chain letters are messages that tell recipients to forward multiple copies of the e-mail, which leads to an exponentially increasing circulation of the message. Chain letters are many times hoaxes and can contain types of viruses.

Use of Email!

.

Proper Use of the Equipment!When using ACT’s equipment,

• Never download or use unauthorized copies of copyrighted material or software. •Never consider installing or running security programs that reveal weaknesses in the Agency’s systems. • Never try to go around the Agency’s security controls to allow unauthorized access to ACT’s systems. •And lastly, never use the Agency’s IT resources for unauthorized personal gain or illegal activities.

Safeguards!• If an employee’s job is to enter client medical information into a medical

database, there are several safeguards he or she can use, such as the following:

• He/She can have a privacy screen on his monitor to keep others from viewing sensitive data;

• He/She should always use strong passwords, keep them secret, and change them often;

• He/She should have a password-protected screen saver;

• When he/she leaves his office, he/she should remember to lock his workstation or log off of his computer.

Sensitive InformationPrinted Information!

• Some employees fail to realize the security risks associated with sensitive documents left at printers, copying machines, and fax machines. Failure to follow these simple rules could result in the unintentional release of confidential information:

• Always verify printer locations before sending documents;

• Pick up sensitive information documents immediately;

• Label sensitive documents and keep them in a secure location;

• Shred or dispose of sensitive documents in appropriate trash receptacles when they are no longer needed.

Wireless Security Precautions!In recent years, wireless access for computers has greatly improved the mobility

of today’s workforce. However, with this improved access, there comes greater risk of security threats being introduced to the ACT Network. Readily available hacker tools, such as packet sniffers make it easy for people to intercept sensitive data from your wireless device as well as introduce intrusion programs to the networks on which that device communicates. If you use a wireless connection to access the Internet or network resources, be aware of the precautions necessary to protect the data and network integrity of the ACT System.

While ACT has taken the necessary precautions to protect wireless communication on its network, it cannot protect your computer from outside attacks when you connect it to foreign wireless networks such as hotel rooms and conference centers while you are traveling on state authorized business. In order to protect ACT equipment, please follow these simple steps:

•Make sure you're connected to a legitimate access point.

•Encrypt files before transferring or emailing them.

•Use a virtual private network (VPN).

•Use a personal firewall.

•Use anti-virus software.

•Update your operating system regularly.

•Be aware of the people around you.

•Use Web-based email that employs secure http (https).

•If you do not know how to implement these precautions, please contact the Chief Executive Officer or Finance Director in order to ensure you are prepared to access outside wireless networks.

Wireless Security Precautions!

Responsibilities of Reporting!•An employee or contracted employee who knows or suspects that a security

violation has occurred is responsible for informing their supervisor immediately of the potential problem. Failure to do so may result in disciplinary actions.

•Users of mobile devices are required to immediately notify their supervisor if the device is lost or stolen.

•Supervisors are required to immediately notify the Chief Executive Officer of any security incidents or violations, whether suspected or confirmed. Through coordination with Information Systems personnel at the direction of the CEO, supervisors will immediately ensure the equipment is secured and placed in a locked location. Information Systems personnel will be allowed to examine the equipment, if necessary, with consent from CEO using the proper Chain of Custody.. Failure to do so may result in disciplinary actions as prescribed in the Employee Handbook.

The following are several of the most common security violations:

•Inappropriate handling of user IDs, passwords, or computer equipment. This includes leaving a terminal turned on and unattended or unsecured; sharing a user ID and/or password with another individual; inappropriate requests to reset a password; requesting others to provide their password; and posting of a password.

•Personal use of system-generated data. This would include information obtained for personal gain and/or not related to state business.

•Revealing of client confidential information. This would be the unauthorized disclosure of confidential information.

•Misuse of Telecommunication Resources. This would include the use of internet or e-mail systems to send data to individuals without a need or right to know; the use of these resources for personal gain; or the use of these resources to access inappropriate sites.

Most Commom Security Violations!

All of these security violations have disciplinary actions associated with them.

Security Resources!

When looking for answers to your security questions, there are several resources on the Intranet and Internet that can help you.

The first place to look is always the ACT Intranet. You can also contact you’re the CEO or Finance Director for assistance with your security questions.

This concludes the Security Awareness Training.

Please sign the training paperwork and forward to the Chief Executive Officer! Thank you.