CITI - Collaborative Institutional Training Initiative
This module is for educational purposes only. It is not designed to provide legal advice
or legal guidance. You should consult with your organization's attorneys if you have
questions or concerns about the relevant laws and regulations discussed in this
module.
1 of 15 16-10-2023, 16:41
CITI - Collaborative Institutional Training Initiative https://www.citiprogram.org/members/index.cfm?pageID=125#view
Most individuals probably already have a great deal of personal knowledge and intuition for information security from the routine security practices of their everyday lives. Much of good security comes from simply applying common sense. Unfortunately, not all information security practices are simple or commonsensical, so there is a need for training. Deliberate, malicious activity causes its share of security difficulties, but nothing presents a greater risk than simple human error.

Moreover, it is easy to forget common sense when busy and trying to get work done. Smart people still sometimes make mistakes when under pressure; and
It may help to know that most organizations have resources to assist with information security questions and provide guidance. This module, coupled with the Basics of Information Security, Part 2 module, provides a foundation. Additional modules in the CITI Program’s Information Privacy and Security (IPS) course address in more depth the requirements for particular types of information, devices, or settings.
However, information security is not limited to that. It also includes practices for
safely using old-fashioned paper-based data, personal email and messaging, faxes
(yes, they still exist), pagers (yes, those too are still around), telephones, web
browsers, and even just talking aloud. Misuse of any of these can create a security
Information security’s goals and the measures to achieve those goals are often
described in threes.
In order to fulfill privacy requirements, security measures first and foremost aim to assure confidentiality. That is, that sensitive information is accessed only by appropriate persons for appropriate reasons.

The availability principle is compromised if data are not available when needed for use.
These PTA safeguard types (physical, technical, and administrative) can be seen as complementing each other, but there are also trade-offs; if one kind of safeguard is weak, one or both of the other types must be strengthened to compensate.

A security system must also have measures to detect what was not prevented. It should also identify potential and actual security issues, and respond with appropriate speed to limit the damage. It is common for perpetrators of security breaches to spend months or years secretly harvesting data before using that information in a way that reveals the problem.

The PDR measures (prevention, detection, and response) are likewise complementary, with an inherent trade-off: unless preventive measures can be perfect (which they almost never can be), some attention to detection and response is essential.
The greater the sensitivity and quantity of the data at issue, the more carefully we should address the balance among the goals and measures. Applicable laws and regulations, as well as what has become standard practice in an industry, may set minimum requirements for security practice. However, organizations generally have some discretion in how far above “the minimums” they will go, based on their own assessments of risk.
Most people just want to do the right thing, and this module aims to provide the knowledge to do that. However, it needs to be mentioned that federal and state laws protecting personal information (such as HIPAA) include severe penalties for misuse. Such penalties are generally only applied for serious, deliberate misuse, where someone intentionally accesses data in order to do harm or for personal gain (such as identity theft). Substantial fines are also possible for negligent behavior, even if violations were unintentional; and such fines are now more commonly applied to an individual than in the past.

Beyond the fines, and the possible jail time, information security negligence can (and usually will) also lead to suspension or termination of employment or enrollment status.
The following section presents the basic rules of information security, structured
by the type of system or environment. Topics include:
Do not be discouraged by the amount of material. With time and practice, most of
these rules will become second nature if they are not already.
In their out-of-work lives, individuals may rely on locks for the security of their homes, cars, and other property. Maybe they also have an alarm system. At work, most organizations use a combination of door locks, alarms, surveillance cameras, and security officers on patrol to keep persons out of places they are not supposed to be in. Many organizations also provide ID badges, uniforms, or other visible identifiers, so it is easier to spot intruders.

• Door locks, alarms, and other physical security devices are used to keep areas secure when not open for business.
• Unattended areas are kept secure with door locks and other devices whenever possible, even during business hours.
• Access to sensitive equipment and data is controlled -- that includes access to printers, fax machines, computers, and paper files.
• Visitors are appropriately monitored and escorted (as necessary). Persons in restricted areas are politely challenged for ID.
• Keys, ID badges, and anything else that controls physical access are kept secure. Theft or loss of such items is reported to appropriate organizational authorities immediately.
It is not required that people take a vow of silence or change their whole work communication routines. It is only required that they make reasonable efforts to be discreet if conversations include sensitive information -- the way someone would want others to talk if their conversation was about their personal situation or that of a loved one, say in a matter related to personal health.
• Sensitive documents are kept in secure places, like a locked filing cabinet, and never left in unsecured areas (such as unattended computer printers, photocopiers, fax machines, or persons' desktops).
• Documents that are no longer needed are shredded immediately or placed in a secure container for disposal in the near future.
• Sensitive documents are never left in plain view in areas where visitors could be present. If such materials must be kept in public areas, they should be face down or otherwise concealed.
• In healthcare or other sensitive settings, sign-in sheets should ask for only limited information -- ideally, only last names. In healthcare settings, patient schedules should not be left in public areas or where non-staff can easily view them.
(talking), some of the biggest security problems come from familiar, everyday things.

As with telephones, it is precisely because fax machines are easy, convenient, and (still) common that they cause so many security problems. That includes faxes sent to the wrong number and faxes sent to the right number but without a cover sheet to hide sensitive information.
• Whenever possible, faxes are sent only to machines at known locations, where the security of the receiving machine can be assured.
• All faxes containing sensitive information include a cover sheet identifying the recipient and including a confidentiality notice. That notice should request that faxes sent to an incorrect destination be destroyed, and also request notification to the sender of such errors. It is not clear these notices have any legal effect, but they are a standard practice.
• Sensitive faxes -- inbound or outbound -- are not left sitting in or around the machine. When possible, digital fax to email should be used with confirmed email addresses.
• Whenever possible, postal mail is used for written transmissions. It is generally more secure and there are clear legal protections for it.

The expectation was probably that a module on information security would focus on computers and the “electronic world.” That higher-stakes territory is covered in the second module of this two-part set.

Even in an electronic world, the stakes are also high with old-fashioned office equipment like photocopiers, fax machines, and telephones. Failure to use these things securely may only put a limited amount of data at risk on an average day, but day in and day out, that adds up. Furthermore, if it happens to be personally sensitive information, or about someone else, a risk to even a single data record is a big deal.
Content for the CITI Program’s Information Privacy and Security (IPS) series was originally developed with support from the University of Miami Ethics Programs. Many CITI Program staff and external reviewers have contributed to its improvement.
July 2006
December 2021