Along with security strategies such as passwords, updates, firewalls, and spyware and virus protection, your computing habits can play a very important role when it comes to securing data. One of the best computing habits to develop is storing sensitive university data on your personal H:\ drive (also known as the users drive on the Mac). By storing files on your H:\ drive, you ensure that only you have access to these files. To read more about the many other computing habits you should be aware of to help ensure data security, check out the five areas below.
1.1 - Overview of Privacy and Protected Information
Wright State University is responsible for collecting, storing, and distributing very large amounts of information. Some of this information is federally legislated as private and must be protected in accordance with laws such as the Family Education Rights and Privacy Act (FERPA) of 1974 (for student records), the Gramm-Leach-Bliley Act (GLBA) of 1999 (for personal financial information), and the Health Insurance Portability and Accountability Act (HIPAA) of 1996 for personally identifiable health information). All of us-faculty members, custodians, administrative assistants, computer support staff-have a responsibility to protect information about our students from public disclosure. It doesn't matter whether this information is on the network computer, on a printout, a computer screen, a diskette, a CD-ROM, etc. Information that is classified as “protected” cannot be disclosed or disseminated to the public (people who are not employees of the university). Much of the information about our students is considered protected.
Examples of protected information include:
- Social security number
- Birth date
- Home phone number
- Home address
- Health information
- Student grades
- Citizen visa code
- Veteran and disability status
- Courses taken
- Test scores
- Advising records
- Educational services received
- Disciplinary actions
1.2 - General Privacy Guidelines
All employees and users of network computing resources at WSU have a role in protecting the University's information assets because their machines provide potential gateways to protected information stored on the network. Therefore, whether or not you deal directly with protected or confidential University information, you should take the following steps to reduce risk to WSU’s information assets.
- When in doubt don't give it out!
- Identify information as "PROTECTED" on the print-out pages, diskette, screen, etc.
- Use special care when posting grades (assign random numbers, do not use part of Social Security numbers).
- Do not leave paper documents containing protected information unattended; protect them from the view of passers-by or office visitors.
- Store paper documents containing protected information in locked files.
- Do not leave the keys to file drawers containing confidential information in unlocked desk drawers or other areas accessible to unauthorized personnel. Shred confidential paper documents that are no longer needed, and secure such documents until shredding occurs. If a shredding service is employed, ensure that the service provider has clearly defined procedures in the contractual agreement that protects discarded information, and that the provider is legally accountable for those procedures, with penalties in place for breach of contract.
- Make arrangements to immediately retrieve or secure protected documents that are printed on copy machines, fax machines, and printers.
- Restrict access of information and systems to people who need it to perform their jobs.
- Regularly review list of users who have access to systems that contain protected information.
- Test internal processes to ensure data integrity and security.
2.1 - Overview of Physical Security and General Guidelines
The physical security of computing resources (computers, equipment, files, etc.) is actually the first principle of good security, because as long as someone can obtain physical access to your computer he/she can gain control over it. By instituting a few simple safeguards, you can greatly limit security breaches and other unauthorized access to computing resources. Here are a few helpful hints to safeguard the physical security of items that are your responsibility:
- Never allow another person to use your computer account.
- Log out when you leave your computer for long periods of time and “lock” your computer every time you step away. View the following PDFs for directions on how to lock your screen: Locking Your Computer Screen in Windows (PDF) or Locking Your Computer Screen on a Macintosh (PDF).
- Close and lock your office door every time you leave.
- Use security devices to lock down computers that are in public or otherwise unsecured spaces. Restrict the number of keys to your office.
- Know who accesses your office. It may be necessary to maintain an attendance log for high security areas.
- Use a screensaver that requires a password to get back into your computer after the screen saver activates. View directions on Setting Up a Screen Saver Password for Your Windows Computer (PDF).
- Workstation screens should not be visible to anyone but the authorized user of secure documents.
- Keep your passwords and computer ID's a secret.
- Report suspicious looking persons or activity to the WSU Police department.
- Express any concerns about physical security to your supervisor.
2.2 - Security of Surplus Equipment
When university owned computer systems reach the end of their usefulness in your department, you have the option to surplus that equipment through ESPM. However, this presents its own share of security risks that need to be addressed. Due to the significant risk of sensitive information leaving the university on hard drives that have not been properly erased, all computers (desktops and laptops) that are being sold through ESPM must have their hard drive removed by CaTS before sending to ESPM. CaTS will ensure proper disposal of the drive. To arrange a removal, contact the CaTS Help Desk at (937) 775-4827.
2.3 - Security of Physical Media
Ensuring the confidentiality of information requires that all physical media (CDs, floppy disks, hard drives, etc) be disposed of properly. This means that, in addition to being properly erased before being discarded, hard drives must also be erased before being returned for any type of warranty work. Additionally, other media such as floppy disks, CDs, DVDs, and paper must also be carefully destroyed if they contain confidential information. Floppy disks should be destroyed by breaking the disk in half, and cutting the center ring with scissors. CDs and DVDs should be broken into multiple pieces, and paper documents should be shredded. If assistance is needed in properly disposing of any physical media, contact the CaTS Help Desk at (937) 775-4827.
2.4 - Security of Laptop Computers
Laptops are easy targets for theft because they are so portable. They can be stolen from almost anywhere, including your office. Keeping your laptop secure, especially when traveling, is of utmost importance in order to safeguard University information. Follow the guidelines below to prevent your laptop from being stolen:
- Never leave your laptop unattended in a public place.
- During off hours, place your laptop in your office or work area and lock the door.
- Place your laptop in a locked drawer or cabinet if you are unable to lock your office or work area.
- When traveling, lock your laptop in the trunk of your car, and watch out for potential thieves as you do this.
- Do not use your business card as a luggage tag since it discloses your place of work.
3.1 - Social Engineering
Social engineering is a term that describes a non-technical kind of intrusion that relies on human interaction and involves tricking people to break normal security procedures. Social engineering relies on the fact the people are unaware of the value of the information they possess and are careless about protecting that information.
Social engineering can occur in many forms:
- A phone call asking for certain information such as a username and password, or other confidential information.
- Someone looking through trash to find printed documents with confidential information about students, faculty, and staff.
- A phone call from someone pretending to be an outside consultant or internal system support personnel.
- Emails asking for personal information
If you receive a phone call or visit from someone asking you for personal or confidential information, ask questions. Here are a few to ask that may help you stop a potential intruder:
- Ask for their name and correct spelling.
- Ask for identification to verify who they are.
- Ask for their phone number so you can return their call.
- Ask why they need the information.
- Ask who authorized the request and let the person know that you will need to verify this information with that authority.
3.2 - Phishing
Phishing is a new type of social engineering used to gather personal information about someone. Phishing refers to email messages that are sent to fool the recipient into providing personal or financial information. These messages are often disguised as an email from a financial institution, such as a credit card company, bank, or e-commerce sites such as eBay and PayPal.
The recipient will receive an "official looking email" asking them to verify account information in order to update their account profile. The email will then ask the recipient to click on an email address or website link, which will take them to the "official" website of that company. The website then asks the recipient to enter personal information. What's not known by the recipient is that this is not a legitimate page, and by entering personal information into the website, the creators of the website have stolen the information.
If you receive a phishing email, simply delete. Do not click the links or fill in personal information. Remember, financial institutions will never ask for your personal or account information via email. They have this information already in their records. If you have any doubts or questions about a particular email, contact the organization or company listed in the email to verify the message's authenticity.
3.3 - Infected Websites
Another type of data theft technique is the use of infected websites to obtain a user's personal information. The largest number of computer infections (nearly 70%) are now coming from exploits that are embedded in websites. These websites are most often delivered through email links, where a user clicks on a link in their email program that opens a browser window. Once the website is open, a script on the site automatically installs unwanted software on the user's computer, without interaction from the user. Often times this happens in the background and the user doesn't know about the software. The end result is that the installed software tracks the user's web usage, and can collect information such as bank account and credit card numbers, addresses, and Social Security Numbers. These type of infections are similar to phishing, except that these websites do not require user interaction, whereas phishing does. To prevent this type of attack, do not click on links from unsolicited emails or from untrusted sources.
4.1 - Email Usage
Email has become one of the quickest and most efficient ways to contact individuals and groups of people. However, using email presents its own set of security risks and challenges that you need to be aware of. Viruses, worms, and spyware are often spread as attachments through email. Here are a few tips to guide you down the path of using email appropriately and avoiding security pitfalls:
- Keep in mind that email is not secure; it can be forged very easily. Never put sensitive information, such as Social Security Numbers or bank account numbers into any part of your email or email attachments.
- Faculty and staff: Please note that any attachments containing ePI (electronic personal information) must be encrypted before being sent via email.
- Do not open unexpected attachments, and do not open or download attachments from unknown parties.
- Immediately delete messages from parties you don't recognize.
- Clear your email inbox of old messages on a regular basis.
- Password protect your local email folder file, such as Outlook's Personal Folder (.pst file).
- Make it a habit not to send any information via email that you wouldn't want disclosed to a third party.
- Be careful when forwarding email to others, as many of the emails you receive as forwards are actually hoaxes, and may contain viruses.
- When sending an encrypted message through email, never place the password to unlock the file in the same email.
4.2 - Spam
Spam is unsolicited email. It is a form of advertisement that is sent in mass quantities to email addresses. There's not much that can be done to stop spammers from creating and sending out these messages. The best that we can do is create filters that will block most spam. Spammers are constantly working to find ways around spam filters, so even if filters are turned on and set to their highest setting, some spam email can still get through. If you receive any spam messages, simply delete the email. There are a few things that you can do to minimize the amount of spam you receive:
- Modify your settings on the WSU anti-spam service. You can read more about the service, including how to set it up, by going to the CaTS Anti-spam Service webpage.
- Do not click the "unsubscribe" or "remove" link within spam messages; this simply confirms to the spammer that your email address is valid.
- Do not give your email address to a person or online website or newsletter without knowing how it will be used. It could end up on a marketing list that is sold to spammers
5.1 - Encryption
Encryption is the process of transforming information from clear or plain text into a non-readable format so that only the intended reader can understand or change the message content. Encryption ensures privacy. It is a way to keep prying eyes from reading confidential information that is sent across the public Internet. Certain software applications have encryption methods embedded in them for sending and receiving secure information and for the storage of information. There is also third party software available that can be used to encrypt information. For information using encryption in various scenarios, check out the following links:
5.2 - Virtual Private Network (VPN)
A virtual private network (VPN) is a secure and private connection between two points across a public network such as the Internet. A VPN allows users to access their organization's network securely from their home, hotels, or off-campus public locations.
Any student, staff, or faculty member may use the Wright State's VPN service. You must fill out a form located at the CaTS VPN webpage and follow the directions. Contact the CaTS Help Desk at (937) 775-4827 for more information on WSU's VPN service.
5.3 - Backups
One of the most important steps you can take to ensure that the integrity of your data is protected is to backup your files on a regular basis. Data loss can come at any time, and for a number of reasons:
- Theft of computer
- File corruption
- Hard drive failure
- Accidental deletion of a file or files
- Natural disasters
You should perform a backup of your files at least once a week, and backup critical files more often if they change. If you need assistance in backing up your files, contact the CaTS Help Desk at (937) 775-4827 and they will be glad to assist you.
5.4 - Mobile and Cellular Devices
Information stored on laptop computers, personal organizers (e.g., Blackberry, Palms), cellular phones, thumb drives, and other similar mobile devices are susceptible to equipment failure, damage, or theft. Information transmitted via wireless connections is not always secure - even networks using encryption are vulnerable to intruders. Here are some tips to keep your information secure on a mobile device:
- Protect and secure mobile devices from theft at all times.
- Use internal firewalls and strong authentication when transmitting information via wireless technologies.
- Use personal firewalls on laptops that will access the WSU Network from a remote location.
- Back up the data on your mobile devices on a regular basis.
- Password protect mobile devices when not in use.
- Encrypt documents containing sensitive information before they are placed on portable devices.
- Charge batteries on mobile devices as soon as the "low battery" prompt appears to avoid losing information, configurations, and settings.