Human Firewall Training for Employees
The Cyber Security Training, Education, & Awareness (CSX TEA) program engages all users to focus attention on security and help build relevant cyber security skills. OUIT CSX TEA aims to educate the University community about security best practices and to help end users understand security risks, policies and compliance, mitigation strategies, and data protection.
Employee Human Firewall Training
HSC Employees - Additional Required Standards
In addition to Human Firewall training, HSC employees must follow the required standards listed below.
All portable computing devices (PCDs) used for University Business must be encrypted per the Portable Computing Device Security Policy. New purchases of USB/Flash/Thumb drives and external hard drives must be hardware-based FIPS 140-2 Level 2 Validated AND 256-bit Advanced Encryption Standard (AES). Military-Grade FIPS PUB 197 Validated does NOT meet the minimum requirement. The drives listed below have been approved by IT Security to be used for University Business.
Encrypted USB/Flash/Thumb Drives
- Aegis Secure Key 2.0
- Aegis Secure Key 3.0
- Aegis Secure Key 3z
- IronKey D300 (Standard Model Only)
- IronKey S1000 (Basic Model Only)
Encrypted External Hard Drives
Aegis offers several varieties of 256-bit AES external hard drives. (Not all are FIPS 140-2 Level 2 Validated.) Models listed below meet both requirements.
- Aegis Fortress 3.0
- Part # A25-3PL256-xxxxF (xxxx = drive size in GB)
- Aegis Padlock DT FIPS 3.0
- Part # ADT-3PL256F-xxxx (xxxx = drive size in GB)
Previously purchased USB drives must meet the following requirements:
- Hardware-based FIPS 140-2 Level 2 Validated AND 256-bit Advanced Encryption Standard (AES)
- Drives should be compatible with Dell Data Protection (DDP) or McAfee File and Folder encryption software
- Drives must be 3TB or less
- Drives must encrypt 100 percent of all stored data
- Drives must not allow removal of encryption software
- Drive password rules should comply with Password Complexity requirements per the Password Management Policy
All suspected information security incidents must be reported promptly to the appropriate university office or party.
- Any event in which access to University data might have been gained by an unauthorized person
- Any event in which a device containing University information has (or might have been) lost, stolen or infected with malicious software (viruses, Trojans, etc.)
- Any event in which an account belonging to a person who has access to the data might have been compromised or the password shared with an unauthorized person (responding to phishing emails, someone shoulder surfing and writing down your password, etc.)
- Any attempt to physically enter or break into a secure area where University data is or might be stored
- Any other event in which University data has been or might have been lost or stolen
- Any event in which University information system policies, standards, or practices are violated
- Should attempt to stop any IT security incident as it occurs.
- First, DO NOT TURN OFF OR UNPLUG POWER TO THE COMPUTER.
- Second, unplug the network cable from the back of the computer and turn off any wireless internet connection.
- Report IT security incidents to the appropriate OUHSC campus IT Service Desk or Tier 1. The Service Desk will help you assess the problem and determine how to proceed.
- Oklahoma City campus IT Service desk: firstname.lastname@example.org, (405) 271-2203 or Toll Free (888) 435-7486
- Tulsa campus IT Service desk: ou.edu/tulsa/it/help (918) 660-3550
- Following the report, individuals must comply with directions provided by IT Support staff or IT Security to repair the system, restore service, and preserve evidence of the incident.
The Information Security Risk Assessment Process is intended to assist Business Units with understanding the technology risks associated with technology-related products and services. Requesting an Information Security Risk Assessment early in the process will help avoid delays later.
Information Security Risk Assessment Policy
All information system resources receiving, storing and/or transmitting University data must have a Product Review completed by OUHSC IT to identify risks and necessary regulatory controls. See the Information Security Risk Assessment Policy.
This policy applies to:
- Implementation of a new or upgraded multi-user Information System
- Solutions requiring an interface to an existing Information System
- Contracting with a third party service for software or technology service
- Implementing a solution interacting with regulated data (ePHI, PCI, FERPA, PII)
- Software not covered by OUHSC Site or Volume licenses
- Multi-function or Network Printers
- Purchase of servers and network equipment
- Purchase of digital signage and classroom audio/visual equipment not maintained by Academic Technology
- Purchase of cloud, networked or removable storage
- Medical/Research Devices
This policy does not apply to:
- Desktops and laptops
- Computer accessories, peripherals, and supplies
- DVDs, CDs and videotapes
- Software covered by OUHSC Site or Volume licenses
- Desktop (non-networked) printers and toner cartridges
- Backup tapes
- Camcorders, digital cameras, DVD players
- Non-networked Smart TVs
- Smart Phones
- Wired or Wireless Mouse
- Power Cords/Adapters
- Presenter pointer/clicker
- Projector accessories
- UPS Power Supply, battery backup
The Information Security Risk Assessment process does NOT constitute an approval or authorization to purchase a reviewed product. State of Oklahoma and University purchasing rules still apply.
- All OUHSC Information Security Risk Assessments (Product Reviews) must supply pertinent information regarding the security capabilities of the requested product. This information is captured in the OUHSC Information Security Risk Assessment questionnaire.
- ROWS 1-24 will automatically determine the classification of the request and determine what security questions must be answered. Please pay careful attention and respond accurately to these questions.
- Open the OUHSC Information Security Risk Assessment Questionnaire.
The review begins in and is controlled by the automated system used by HSC Information Technology to manage requests.
1. The first step in the process is to log in to ServiceNow. You will be redirected to the HSC Information Technology self-service system, where you can sign in using your normal OUHSC UserID and Password.
2. After logging in, go to the Service Catalog form.
3. When prompted to select a campus, select Oklahoma City.
4. Select Information Services Risk Assessment in the Professional Services section.
5. Read the information in the top portion if you are unfamiliar with the process. Some of the data will already be filled in for you, such as your UserID, Department, and Campus phone number. Complete the Risk Assessment request form with as much detail as possible. Providing as much information as possible when the item is first submitted for review will expedite the request.
6. When the form is complete, click the ORDER NOW button in the top-right portion of the webpage to submit the item for review.
7. After you have chosen the Order Now button you may log out of the IT self-service system.
- You will receive an email from email@example.com for each item you have requested for review. Please use the request numbers provided in this email if you have to ask for further assistance from IT.
- When the Review process is complete, you will receive another email informing you of the completion of the review and providing you with a link to the complete review, including both the information you submitted and any Information Technology feedback or recommendations. It is this information that may be requested by Purchasing prior to any order being placed.
- After submitting your request, IT Security will contact you via email with further questions regarding the nature of your request. Upon completion of our analysis, IT Security will schedule a conference call to provide any Information Security recommendations identified as part of the assessment.
- Revised on 10/28/2014 to update the ServiceNow URL and provide updated screenshots of the request process.
- Revised on 12/11/2014 to remove the link to the MS Word request form since the form has moved to ServiceNow.
- Revised on 05/16/2017 to add links to OUHSC Risk Assessment Questionnaires.
- Revised on 07/17/2017 to update Review Criteria.
Alerts & Recommendations
- CISA - Cybersecurity & Infrastructure Security Agency (Partners with FBI)
- FBI - Federal Bureau of Investigation Cybersecurity
- National Cybersecurity Alliance
- InfoSecurity Magazine