CITI - Collaborative Institutional Training Initiative https://www.citiprogram.org/members/index.cfm?

pageID=125#view

ID 12745604

Basics of Information Security,

Part 1
Centre College - Information Privacy & Security (IPS)

Switch View

Basics of Information Security,

Part 1

•
Liggett Consulting

This module is based on the original module by Reid Cushman, PhD.

This module is for educational purposes only. It is not designed to provide legal advice
or legal guidance. You should consult with your organization's attorneys if you have
questions or concerns about the relevant laws and regulations discussed in this
module.

1 of 15 16-10-2023, 16:41
CITI - Collaborative Institutional Training Initiative https://www.citiprogram.org/members/index.cfm?pageID=125#view

Privacy protections for sensitive personal

information have many sources in the
United States.

• Federal laws (such as the Family

Educational Rights and Privacy Act
[ ], Gramm-Leach-Bliley Act
[ ], and Health Insurance
Portability and Accountability Act [ ])
• State laws
• Private organizations' certi�cation requirements (such as those of the
)
• Professional codes of ethics (such as the American Medical Association [AMA])

However, those privacy protections are empty promises without e�ective

information security.

Most individuals probably already have a great deal of personal knowledge and
intuition for information security from the routine security practices of their
everyday lives. Much of good security comes from simply applying common sense.
Unfortunately, not all information security practices are simple or
commonsensical, so there is a need for training. Deliberate, malicious activity
causes its share of security di�culties, but nothing presents a greater risk than
simple human error.

Moreover, it is easy to forget common sense when busy and trying to get work
done. Smart people still sometimes make mistakes when under pressure; and

2 of 15 16-10-2023, 16:41
CITI - Collaborative Institutional Training Initiative https://www.citiprogram.org/members/index.cfm?pageID=125#view

workplace (and educational) settings are commonly pressure-�lled.

It may help to know that most organizations have resources to assist with
information security questions and provide guidance. This module, coupled with
the Basics of Information Security, Part 2 module, provide a foundation. Additional
modules in the CITI Program’s Information Privacy and Security (IPS) course address
in more depth the requirements for particular types of information, devices, or
settings.

By the end of this module, you should be able to:

• Describe the basic security issues with various types of non-electronic

information, information use, and information “devices.”
• Implement a set of “best practices” for safer information use at work and in
your personal life.

Information security typically focuses on computer-based data systems; and within

that category, the shared systems that may be networked together to access large,
sensitive data collections, because those are generally the most important
information assets to protect.

However, information security is not limited to that. It also includes practices for
safely using old-fashioned paper-based data, personal email and messaging, faxes
(yes, they still exist), pagers (yes, those too are still around), telephones, web
browsers, and even just talking aloud. Misuse of any of these can create a security

3 of 15 16-10-2023, 16:41
CITI - Collaborative Institutional Training Initiative https://www.citiprogram.org/members/index.cfm?pageID=125#view

problem, even if not on the scale of a major computer system breach.

Information security’s goals and the measures to achieve those goals are often
described in threes.

4 of 15 16-10-2023, 16:41
CITI - Collaborative Institutional Training Initiative https://www.citiprogram.org/members/index.cfm?pageID=125#view

In order to ful�ll privacy requirements, security measures �rst and foremost aim to
assure . That is, that sensitive information is accessed only by
appropriate persons for appropriate reasons.

It is also important to take steps to assure the (which refers to the

accuracy of the data for its intended use) and of data for its legitimate
users. Integrity is the security equivalent of terms like data validity and reliability. It
includes concerns with verifying data’s sources and subsequent non-corruption on
the way to the user. Data integrity principles are lost if the data are corrupted (so
no longer valid or reliable for their intended uses) or cannot be relied upon as
accurately sourced.

Data availability principle is compromised if data are not available when needed
for use.

Without the CIA triad, an information system is e�ectively useless.

Security measures to incorporate CIA are sometimes described as a combination

of physical, technical, and administrative (PTA) safeguards.

include everything from locks to proper lighting. Simple

material barriers are critical, and too often forgotten to protect everything from
USB �ash drives to corporate datacenters. They are the �rst “line of defense.”

include a broad spectrum of measures, such as device data

encryption (which is unlocked with strong passwords / biometrics), anti-malware
software, and encrypted communications.

5 of 15 16-10-2023, 16:41
CITI - Collaborative Institutional Training Initiative https://www.citiprogram.org/members/index.cfm?pageID=125#view

can be summarized as “the rules,” such as policies

about who is granted access to what types of data. It also includes rules like “use a
strong password” and “do not share it.”

These PTA safeguard types can be seen as complementing each other, but there
are also trade-o�s; if one kind of safeguard is weak, one or both of the other types
must be strengthened to compensate.

It is generally best to prevent bad things from occurring, including information

security violations. Exposure or loss of data can be catastrophic for both the
organization and the individuals who work for it. Moreover, such exposures are
potentially even more damaging for the persons whose data are exposed.

A security system must also have measures to detect what was not prevented. It
should also identify potential and actual security issues, and respond with
appropriate speed to limit the damage. It is common for perpetrators of security
breaches violations to spend months or years secretly harvesting data before
using that information in a way that reveals the problem.

There is both a complimentary and an inherent trade-o�. For example, with PDR,
unless preventive measures can be perfect (which they almost never can be) some
attention to detection and response is essential.

The greater the sensitivity and quantity of the data at issue, the more carefully we
should address the balance among the goals and measures. Applicable laws and
regulations, as well as what has become standard practice in an industry, may set
minimum requirements for security practice. However, organizations generally

6 of 15 16-10-2023, 16:41
CITI - Collaborative Institutional Training Initiative https://www.citiprogram.org/members/index.cfm?pageID=125#view

have some discretion in how far above “the minimums” they will go, based on their
own assessments of risk.

Like most things in life, information security

requires trade-o�s -- whether it be time,
inconvenience, or expense (or sometimes all
three). Learning how to be secure takes time too.

In the era of cloud computing and “big data,” as

information systems become more e�ciently
networked together, the privacy of each person's information depends on the
security practices of more people every day (and that includes you). Someone you
care about may have records stored in your organization's data systems. Your own
records may be there. The time-honored Golden Rule applies here: treat the
information under your control with the same respect and care that you would like
for your own.

Being knowledgeable about information security practices and putting knowledge

into practice is the only way to do that. As an added bene�t, what you learn here
about security will also help you protect the personal information you keep

7 of 15 16-10-2023, 16:41
CITI - Collaborative Institutional Training Initiative https://www.citiprogram.org/members/index.cfm?pageID=125#view

outside of work, whether on a personal computer or old-fashioned media like

paper.

Most people just want to do the right thing and this module aims to provide the
knowledge to do that. However, it needs to be mentioned that federal and state
laws protecting personal information (such as HIPAA) include severe penalties for
misuse. Such penalties are generally only applied for serious, deliberate misuse,
where someone intentionally accesses data in order to do harm or for personal
gain (such as identity theft). Substantial �nes are also possible for negligent
behavior, even if violations were unintentional; and such �nes are now more
commonly applied to an individual than in the past.

Beyond the �nes, and the possible jail time, information security negligence can
(and usually will) also lead to suspension or termination of employment or
enrollment status.

The following section presents the basic rules of information security, structured
by the type of system or environment. Topics include:

8 of 15 16-10-2023, 16:41
CITI - Collaborative Institutional Training Initiative https://www.citiprogram.org/members/index.cfm?pageID=125#view

Do not be discouraged by the amount of material. With time and practice, most of
these rules will become second nature if they are not already.

Virtually every organization relies on

sophisticated technical and administrative
measures to protect its information systems,
and so do individuals for their personal

9 of 15 16-10-2023, 16:41
CITI - Collaborative Institutional Training Initiative https://www.citiprogram.org/members/index.cfm?pageID=125#view

information. However, simple physical

protections are the �rst and most important
line of defense, whether at work or outside
work.

In their out-of-work lives, individuals may rely on locks for the security of their
homes, cars, and other property. Maybe they also have an alarm system. At work,
most organizations use a combination of door locks, alarms, surveillance cameras,
and security o�cers on patrol to keep persons out of places they are not
supposed to be in. Many organizations also provide ID badges, uniforms, or other
visible identi�ers, so it is easier to spot intruders.

• Door locks, alarms, and other physical security devices are used to keep areas
secure when not open for business.
• Unattended areas are kept secure with door locks and other devices whenever
possible, even during business hours.
• Access to sensitive equipment and data is controlled -- that includes access to
printers, fax machines, computers, and paper �les.
• Visitors are appropriately monitored and escorted (as necessary). Persons in
restricted areas are politely challenged for ID.
• Keys, ID badges, and anything else that controls physical access are kept secure.
Theft or loss of such items is reported to appropriate organizational authorities
immediately.

Most people have been talking for many years

10 of 15 16-10-2023, 16:41
CITI - Collaborative Institutional Training Initiative https://www.citiprogram.org/members/index.cfm?pageID=125#view

now, and are probably quite good at it. However,

take a walk around the average workplace, and it
becomes evident that many people do not know
how to talk securely. Sometimes the most
familiar things are the most dangerous for
security, because individuals grow casual about their behavior. That is certainly
true with talking.

It is not required that people take a vow of silence or change their whole work
communication routines. It is only required that they make reasonable e�orts to
be discreet if conversations include sensitive information -- the way someone
would want others to talk if their conversation was about their personal situation
or that of a loved one, say in a matter related to personal health.

• Whenever possible, conversations involving sensitive information should take

place in non-public areas where they cannot be easily overheard.
• Sensitive conversations that must take place in public areas are conducted
discreetly and as quietly as the environment allows.
• Names or other information that could identify individuals are avoided
whenever possible, in case a conversation is overheard.
• If these considerations cannot be done, attempt to not have the conversation.
• Only last names are used in public areas or on intercom/paging systems
(although avoid when possible).

Handling of paper documents remains a big security problem, even in

11 of 15 16-10-2023, 16:41
CITI - Collaborative Institutional Training Initiative https://www.citiprogram.org/members/index.cfm?pageID=125#view

environments that aim to be paperless. It is di�cult to ensure information is not

printed, when some individuals have preferences and access to printers. Paper
documents containing sensitive information need to be kept secure, from the
moment they are created to the moment they are destroyed.

• Sensitive documents are kept in secure places, like a locked �ling cabinet, and
never left in unsecured areas (such as unattended computer printers,
photocopiers, fax machines, or persons' desktops).
• Documents that are no longer needed are shredded immediately or placed in a
secure container for disposal in the near future.
• Sensitive documents are never left in plain view in areas where visitors could be
present. If such materials must be kept in public areas, they should be face
down or otherwise concealed.
• In healthcare or other sensitive settings, sign-in sheets should ask for only
limited information -- ideally, only last names. In healthcare settings, patient
schedules should not be left in public areas or where non-sta� can easily view
them

Most people have also probably been talking on

the telephone for many years, and have
mastered that skill. However, because phones
are so familiar and with individuals everywhere
they go, it is easy to forget that the device may
contain sensitive information and should be
treated securely. As with oral communications

12 of 15 16-10-2023, 16:41
CITI - Collaborative Institutional Training Initiative https://www.citiprogram.org/members/index.cfm?pageID=125#view

(talking), some of the biggest security problems come from familiar, everyday
things.

• Whenever possible, telephone conversations involving sensitive information are

conducted in non-public areas, where they cannot be overheard.
• When discussing con�dential information on the phone, the other person's
identity is con�rmed before proceeding with the conversation.
• Only names and callback numbers are left on voicemail or answering machines
-- or with the person that takes the message -- if someone cannot be reached
directly.
• The speaker volume is turned down on answering machines and voicemail
systems so that incoming messages cannot be overheard when left or played
back. If a voicemail system uses a password or PIN, protect it and change it
periodically. Use of headphones can help with playing back voicemail without
using a speakerphone.

As with telephones, it is precisely because fax machines are easy, convenient, and
(still) common that they cause so many security problems. That includes faxes sent
to the wrong number and faxes sent to the right number but without a cover sheet
to hide sensitive information.

• Tested, pre-programmed fax numbers are used whenever possible, to reduce

dialing errors when sending. All new fax numbers are con�rmed by voice call
before �rst use.

13 of 15 16-10-2023, 16:41
CITI - Collaborative Institutional Training Initiative https://www.citiprogram.org/members/index.cfm?pageID=125#view

• Whenever possible, faxes are sent only to machines at known locations, where
the security of the receiving machine can be assured.
• All faxes containing sensitive information include a cover sheet identifying the
recipient and including a con�dentiality notice. That notice should request that
faxes sent to an incorrect destination be destroyed, and also request
noti�cation to the sender of such errors. It is not clear these notices have any
legal e�ect, but they are a standard practice.
• Sensitive faxes -- inbound or outbound -- are not left sitting in or around the
machine. When possible, digital fax to email should be used with con�rmed
email addresses.
• Whenever possible, postal mail is used for written transmissions. It is generally
more secure and there are clear legal protections for it.

The expectation was probably that a module on information security would focus
on computers and the “electronic world.” That higher-stakes territory is covered in
the second module of this two-part set.

Even in an electronic world, the stakes are also high with old-fashioned o�ce
equipment like photocopiers, fax machines, and telephones. Failure to use these
things securely may only put a limited amount of data at risk on an average day,
but day in and day out, that adds up. Furthermore, if it happens to be personally
sensitive information, or about someone else, a risk to even a single data record is
a big deal.

14 of 15 16-10-2023, 16:41
CITI - Collaborative Institutional Training Initiative https://www.citiprogram.org/members/index.cfm?pageID=125#view

Content for the CITI Program’s Information Privacy and Security (IPS) series was
originally developed with support from the University of Miami Ethics Programs.
Many CITI Program sta� and external reviewers have contributed to its
improvement.

July 2006
December 2021
888.529.5929 Accessibility

9:00 a.m. – 7:00 p.m. ET Copyright

Monday – Friday Privacy and Cookie Policy

Contact Us Statement of Security Practices

Status Page Anti-Discrimination Policy

Terms of Service

15 of 15 16-10-2023, 16:41