Information Security

SWTX Information Security

SWTX is committed to the security of all the information resources under our control. To that end, we incorporate best practices and are constantly monitoring the technology infrastructure to make sure it is protected from unauthorized use. You are a critical part of that protection. A common misconception about cyber-attacks is that they involve sophisticated tools and techniques, and sometimes they do. However, typically the most effective techniques involve simple mistakes. The resources on this page are intended to help you protect the privacy and security of SWTX's information.

SWTX has implemented Multi-Factor Authentication (MFA) for certain cloud services. MFA provides a secondary source of identification for access to SWTX resources and helps prevent the misuse of those resources. Any information or updates concerning system access will be provided here.

Access to the SWTX Information Security Standards and Policies is now available. Faculty and Staff can review the policies and controls SWTX uses to ensure a secure infrastructure.

Information Security Standards and Policies

TX-RAMP

The Texas Risk and Authorization Management Program (TX-RAMP) was created to provide a "standardized approach for security assessment, authorization, and continuous monitoring of cloud computing services that process the data of a state agency." TX-RAMP requirements apply to state agencies, institutions of higher education, and public community colleges (Texas Government Code 2054.003 (13)). As of January 1, 2024, this requirement applies to all data regardless of classification. SWTX complies with the statutory requirements of contracting for cloud services, Level 1 for non-confidential data or low-impact systems and Level 2 for confidential data or high impact systems.

SWTX must only enter into contractual agreements with cloud services that are certified through TX-RAMP and must require the service provider to maintain TX-RAMP compliance and certification throughout the contract period. In addition, the service provider must notify SWTX of data breaches.

Data Classification

SWTX follows the convention of assigning one of three levels to data - Confidential, Sensitive or Public. The following guidelines apply to each level:

Confidential - Information protected specifically by federal or state law, college or system rules or regulations which, if exposed, would likely result in substantial harm to the college, but for which there are no proscribed administrative, punitive or monetary penalties. Data in this category is generally not subject to release under open records laws. Examples include: social security numbers, driver license numbers, passport information or criminal investigation information.
Sensitive - Information related directly to or proceeding from the operation and administration of the college and normally restricted to college employees, but which is releasable in accordance with the Texas Public Information Act. Examples include: IT Policies and Procedures, non-disclosure agreements, contractual data or unpublished research as well as employee appraisals or salary information.
Public - Information which is generally available publicly or appropriately and intentionally made public by the college. Information in this category has no requirement for confidentiality.

MFA

Multi-Factor Authentication (MFA) is the process of protecting resources by adding another factor to identify the user. By combining something you know (a password) with something you have (Microsoft Authenticator on your smart phone) access to those resources are better protected. This will require that users download and install the MS Authenticator app. The app does not store any record of the access, it just confirms your identity. What this helps prevent is the use of compromised credentials, especially while using your email account.

MFA is now required for all accounts, see MFA Configuration for instructions on installing and configuring MS Authenticator. The first time you log into a resource requiring MFA you will be told your organization requires more information, and then be taken through the process of verifying your phone connection.

Report an Incident

Please contact the Service Desk at (830) 591-7323 if you have a current threat, they will evaluate and isolate the threat as well as contacting the appropriate staff members to assist.

Contact the Information Security Officer at (830) 591-7299 if you have a question about suspected threats or anything you think is suspicious.

Contact the Service Desk about email scams or spam email.

Items of Interest

On December 7, 2022, the Governor of the State of Texas issued a Directive banning the use of TikTok and it's apps on any state owned device, that includes cell phones, tablets, desktop and laptop computers, and other Internet capable devices. SWTX defined a policy that states we will abide by the Prohibited Technologies list. Other applications and sites affected include Tencent Holdings, WeChat and Kaspersky among others. Please see Prohibited Software and Applications for the full list.

What this means is that Faculty and Staff are banned from using this technology on college owned devices, and the college is preventing the installation of the technology on our networks.

We have also blocked access to any banned technology from our network, wired or wireless. There will be no access to a banned application on any device, college owned or personal while using SWTX's network.

Please call the Information Security Officer at (830) 591-7299 with any concerns or questions.

An annual report from the Security Information Exchange says ransomware has surpassed data breach attacks as the largest category of cyber attacks on schools.

Often, these attacks target K-12 districts, but attacks are up across the board, and often, the threat actors reach out and contact parents directly looking for a pay out.

In 2023, Ransomware attacks were up 84% from 2022. The United States accounted for 60% of the global attacks, up from 43% in 2022.

The most common attack vector are phishing emails and zero-day vulnerabilities.

PayPal has a feature which can be used to send invoices from within PayPal to anyone. This feature has been used to send fake invoices in an attempt to get the target to call the phone number provided in order to secure your account, there is no reason to call. In SWTX's case, there would be no reason for PayPal to be sending anyone an invoice, and if you receive such an email at your personal account, verify with PayPal before calling the provided contact.

There has been a significant increase in the number of phishing emails, and there are a good number of compromised credentials as well. SWTX is investigating, but the most likely reason is malware or simple passwords being used. We implemented MFA for certain cloud resources. This won't prevent compromised credentials, but it will reduce the number of what appear to be internal users abusing the system.

Also, with the use of AI to produce these phishing emails, threat actors are getting better at avoiding detection and convincing users to provide sensitive information. They still use the same techniques, requiring urgent attention, threatening the loss of access or needing you to access a Google doc for a colleague. Even though the grammar is more refined the intent is the same, and you are the last defense against an AI email phishing scheme.

Information Security

SWTX Information Security

Resources

Items of Interest

TikTok

Ransomware

PayPal Invoice

Phishing scams