Desktops, laptops and servers are encrypted where privacy data is stored; removable media such as thumb drives, CDs and DVDs are strictly limited to approved personnel, and all data written to those devices is encrypted; and backup tapes containing privacy data are encrypted.
Employees wear radio frequency identification (RFID) security badges to access buildings and interior secured areas on the main campus; and internal and external video cameras are monitored 24/7.
Passwords are changed at regular intervals, and “strong” passwords are required; we review accounts regularly for appropriate access; access is immediately revoked on all employee terminations or separations; and two-factor authentication is in place for all privileged users.
We perform background checks on all employees and contractors before they are granted access to systems.
Anti-virus is installed and updated on all desktops, laptops and servers; internal and external firewalls segregate Internet-facing traffic from internal, and they segregate internal users from direct access to servers; Intrusion Prevention Systems (IPS) are installed at critical “choke points” on the network; egress filtering reduces the threat of command and control malware infections; and email gateways identify and encrypt messages that contain privacy information.
We regularly try to penetrate and exploit our systems to make sure everything is functioning as it should and no weaknesses exist.
These safeguards and more comply with the guidelines in National Institute of Standards and Technology (NIST) Special Publication 800-53, Recommended Security Controls for Federal Information Systems and Organizations; the Center for Internet Security (CIS) Benchmarks; and the Department of Defense (DoD) Security Technical Implementation Guides (STIG).