Information Security
InfoSec Overview
How to Recognize "Phishing" Scams
Phishing is a type of social engineering attack often used to steal sensitive information by pretending to be a trustworthy source. Phishing can be done through email, phone or even in person with the intention of tricking an individual into giving up confidential information such as login credentials (passwords), Social Security numbers, credit card data, protected health information, etc. Please see this video for more information:
How to Avoid Social Engineering Scams
Most phishing emails are designed to obtain your user credentials by linking you to a landing page asking for a username and password. Phishing emails can also load malware onto your computer in the form of an "attachment".
Important!
You should never give out your account info, passwords, credit card numbers, bank account numbers, birthdate, social security number, or other sensitive information to a site you were directed to by an email message, nor should you ever send this information via email. Always be suspicious if you receive an email requesting that you do so. When in doubt you should contact Help Desk or InfoSec for advice.
Here are a few points to consider when trying to recognize a phishing attempt:
Tone
– Does the message use a threatening tone, such as "account deletion" if you do not respond immediately? Malicious actors often play on our emotions by stressing a sense of urgency for a response.
Structure
– Does the greeting of the message identify you by name, or is it a general greeting such as "Dear Customer"? Is it awkwardly worded? Be especially cautious if your name is not used in the email.
Odd Request
– Does the sender appear to be a colleague or someone in authority asking for an urgent response or a favor that doesn't quite make sense? Be on the lookout for unexpected requests that appear to come from someone you know. Often, on closer review of the sender's name, you will see a fake email address instead. It's always good practice to contact the sender directly by phone or email (never reply to the suspicious message) to verify whether the message is legitimate.
Suspicious Attachment
– Be skeptical of any email with an attachment that you weren't expecting, especially if the message requests your login credentials or asks you to click a link to proceed.
Think Before You Click
– Hover your mouse over the link (without clicking it) to see where it would take you. You may discover that the actual web address (URL) is different from the one shown in the message.
Please don’t underestimate your instincts. If something feels suspicious, it probably is. When in doubt, throw it out!
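The "hover before you click" check compares the address shown in a message with where the link really goes. As an added example (not part of this page), the script below automates that comparison over the HTML body of a message: it extracts each link, and flags any whose visible text shows one host while the href points at another. The sample message body is constructed for the demonstration, and the lookalike host in it is a made-up placeholder.

```javascript
// Extract a comparable hostname from a URL or a bare "www.site.tld/path" string.
// Returns null when the text cannot be parsed as a URL at all.
function hostOf(urlText) {
  try {
    const hasScheme = /^[a-z][a-z0-9+.-]*:\/\//i.test(urlText);
    const u = new URL(hasScheme ? urlText : "https://" + urlText);
    // Normalise case and drop a leading "www." so www.artic.edu == artic.edu
    return u.hostname.toLowerCase().replace(/^www\./, "");
  } catch (e) {
    return null;
  }
}

// Scan an HTML message body for anchors whose displayed text looks like a URL
// but whose href actually leads to a different host (the classic phishing trick).
function findMismatchedLinks(html) {
  const anchorRe = /<a\b[^>]*\bhref\s*=\s*["']([^"']+)["'][^>]*>([\s\S]*?)<\/a>/gi;
  const looksLikeUrl = /^(https?:\/\/)?[\w.-]+\.[a-z]{2,}(\/|$)/i;
  const findings = [];
  let m;
  while ((m = anchorRe.exec(html)) !== null) {
    const href = m[1].trim();
    const shown = m[2].replace(/<[^>]+>/g, "").trim(); // strip inner tags
    const actualHost = hostOf(href);
    const shownHost = looksLikeUrl.test(shown) ? hostOf(shown) : null;
    if (actualHost && shownHost && actualHost !== shownHost) {
      findings.push({ shown, actual: href, shownHost, actualHost });
    }
  }
  return findings;
}

// Constructed sample message: one deceptive link, one honest link.
// "login-verify.example.net" is a placeholder, not a real indicator.
const SAMPLE_EMAIL = `
<p>Your account will be deleted unless you verify it immediately.</p>
<p>Verify here: <a href="http://login-verify.example.net/reset">https://www.artic.edu/account</a></p>
<p>Need help? Visit <a href="https://www.artic.edu/help">www.artic.edu/help</a></p>
`;

console.log(JSON.stringify(findMismatchedLinks(SAMPLE_EMAIL), null, 2));
```

Only the first link is reported, because its visible text names artic.edu while the href resolves to a different host; links whose text is plain words ("click here") are not URL-shaped and are left for the reader's own hover check.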
Forward any suspicious emails to infosec@artic.edu, or contact Chris Johnson, Director of Information Security, at cjohnson@artic.edu / 312-499-4031 with any questions.
Security Tip:
When purchasing and banking online, always go to the site on your own by typing in the URL, e.g. www.amazon.com, and make sure that the site is "secure" before you provide any sensitive information. This is easy to tell by the "lock" icon in your browser window and by "https" in the address bar (the "s" added to the end of http). Keep in mind that the lock only means the connection is encrypted; a phishing site can use https too, so it is no substitute for checking that the address is the one you typed.
Google Workspace Protection
The most significant thing to know about our email protection is that all incoming and outgoing artic.edu messages are checked for viruses and for certain types of files that are prohibited from being sent or received. This service provides added protection against email-borne computer viruses passing through the Art Institute's email system, but it does not replace the virus protection programs already installed on your computer.
This does NOT mean that it is now impossible for your computer to be affected by a computer virus. Malicious people who write computer viruses are constantly trying to circumvent the technologies that protect you. You should be careful about opening documents or following links sent from people you don't know, or that you weren't expecting from people you do know. Act wisely.
Email - Prohibited Files
For improved protection from malicious programs, certain file types are not permitted to pass through the AIC email system, regardless of whether they are attached directly to email messages or packaged inside an archive (zip, tar, etc.).
Remember, always use caution when opening attachments that you receive via email. If you don't recognize the sender, you shouldn't open any attached files. If you weren't expecting an attached file from a sender you do know, verify that the sender did in fact intend to send you the file.
Credit Card Handling (PCI)
PCI Compliance
The Art Institute must comply with the Payment Card Industry Data Security Standard (PCI DSS). This is a set of technical and operational standards required by credit card issuers for any business that accepts, stores, processes, or transmits credit card information, in order to protect sensitive cardholder data.
Procedures, training requirements, and additional information are below, and the complete policy can be found in the Credit Card Processing and Handling Policy.
Responsibilities
Procedures
All credit card payments received must be directed into the Art Institute’s approved bank accounts.
Departments or individuals may not sign a contract with a third party to process credit cards under any circumstances.
Only the Controller's Office may authorize banking or third-party credit card processor relationships; departments may not set up these relationships themselves.
Training Requirements
Any person at the Art Institute who handles Cardholder Data in any manner, from the initial entry to the final reconciliation, or has access to a system that processes credit card payments is required to:
Sign the Responsibilities for Staff that Handle Cardholder Data form. Supervisors must provide these forms to their staff during onboarding and return the signed form to pci@artic.edu.
Annually complete the PCI-101: PCI Essentials for Account Data Handlers and Supervisors course in Bridge. Managers in departments which handle Cardholder Data must also complete the training annually.
Additional Documents
Point of Sale Device Inspection Log - to be maintained by departments with Point of Sale (POS) or PIN pad devices to check for possible tampering
Quick Reference Guide for Handling Cardholder Data - a quick reference guide with reminders on how to handle credit cards provided in person or via phone or mail
POS Device Tampering Training Document - a reference document detailing the inspections and awareness needed from persons with direct contact with POS devices in order to detect potential tampering