COMPUTING HABITS & GUIDELINES FOR PROTECTED INFORMATION

Along with security strategies such as passwords, updates, firewalls, and spyware and virus protection, your computing habits can play a very important role when it comes to securing data. One of the best computing habits to develop is storing sensitive university data on your personal H:\ drive (also known as the users drive on the Mac). By storing files on your H:\ drive, you ensure that only you have access to these files. By following this method, you also have access to the files from any other Internet-enabled computer by using the MyFiles website, located at http://myfiles.wright.edu. To read more about the many other computing habits you should be aware of to help ensure data security, check out the five areas below.

 
 

1.0 - Privacy


1.1 - Overview of Privacy and Protected Information

Wright State University is responsible for collecting, storing, and distributing very large amounts of information. Some of this information is federally legislated as private and must be protected in accordance with laws such as the Family Educational Rights and Privacy Act (FERPA) of 1974 (for student records), the Gramm-Leach-Bliley Act (GLBA) of 1999 (for personal financial information), and the Health Insurance Portability and Accountability Act (HIPAA) of 1996 (for personally identifiable health information). All of us (faculty members, custodians, administrative assistants, computer support staff) have a responsibility to protect information about our students from public disclosure. It doesn't matter whether this information is on the network computer, on a printout, a computer screen, a diskette, a CD-ROM, etc. Information that is classified as “protected” cannot be disclosed or disseminated to the public (people who are not employees of the university). Much of the information about our students is considered protected.

Examples of protected information include:


1.2 - General Privacy Guidelines

All employees and users of network computing resources at WSU have a role in protecting the University's information assets because their machines provide potential gateways to protected information stored on the network. Therefore, whether or not you deal directly with protected or confidential University information, you should take the following steps to reduce risk to WSU’s information assets.


 

2.0 - Physical Security


2.1 - Overview of Physical Security and General Guidelines

The physical security of computing resources (computers, equipment, files, etc.) is actually the first principle of good security, because as long as someone can obtain physical access to your computer he/she can gain control over it. By instituting a few simple safeguards, you can greatly limit security breaches and other unauthorized access to computing resources. Here are a few helpful hints to safeguard the physical security of items that are your responsibility:


2.2 - Security of Surplus Equipment

When university-owned computer systems reach the end of their usefulness in your department, you have the option to surplus that equipment through ESPM. However, this presents its own share of security risks that need to be addressed. Due to the significant risk of sensitive information leaving the university on hard drives that have not been properly erased, all computers (desktops and laptops) that are being sold through ESPM must have their hard drive removed by CaTS before being sent to ESPM. CaTS will ensure proper disposal of the drive. To arrange a removal, contact the CaTS Help Desk at 775-4827.


2.3 - Security of Physical Media

Ensuring the confidentiality of information requires that all physical media (CDs, floppy disks, hard drives, etc.) be disposed of properly. This means that, in addition to being properly erased before being discarded, hard drives must also be erased before being returned for any type of warranty work. Additionally, other media such as floppy disks, CDs, DVDs, and paper must also be carefully destroyed if they contain confidential information. Floppy disks should be destroyed by breaking the disk in half and cutting the center ring with scissors. CDs and DVDs should be broken into multiple pieces, and paper documents should be shredded. If assistance is needed in properly disposing of any physical media, contact the CaTS Help Desk at 775-4827.


2.4 - Security of Laptop Computers

Laptops are easy targets for theft because they are so portable. They can be stolen from almost anywhere, including your office. Keeping your laptop secure, especially when traveling, is of utmost importance in order to safeguard University information. Follow the guidelines below to prevent your laptop from being stolen:


 

3.0 - Data Theft Techniques


3.1 - Social Engineering

Social engineering is a term that describes a non-technical kind of intrusion that relies on human interaction and involves tricking people into breaking normal security procedures. Social engineering relies on the fact that people are unaware of the value of the information they possess and are careless about protecting that information.

Social engineering can occur in many forms:


If you receive a phone call or visit from someone asking you for personal or confidential information, ask questions. Here are a few to ask that may help you stop a potential intruder:


3.2 - Phishing

Phishing is a new type of social engineering used to gather personal information about someone. Phishing refers to email messages that are sent to fool the recipient into providing personal or financial information. These messages are often disguised as an email from a financial institution, such as a credit card company or bank, or from an e-commerce site such as eBay or PayPal.

The recipient will receive an "official looking email" asking them to verify account information in order to update their account profile. The email will then ask the recipient to click on an email address or website link, which will take them to the "official" website of that company. The website then asks the recipient to enter personal information. What's not known by the recipient is that this is not a legitimate page, and by entering personal information into the website, the creators of the website have stolen the information.

If you receive a phishing email, simply delete it. Do not click the links or fill in personal information. Remember, financial institutions will never ask for your personal or account information via email. They have this information already in their records. If you have any doubts or questions about a particular email, contact the organization or company listed in the email to verify the message's authenticity.


3.3 - Infected Websites

Another type of data theft technique is the use of infected websites to obtain a user's personal information. The largest number of computer infections (nearly 70%) are now coming from exploits that are embedded in websites. These websites are most often delivered through email links, where a user clicks on a link in their email program that opens a browser window. Once the website is open, a script on the site automatically installs unwanted software on the user's computer, without interaction from the user. Oftentimes this happens in the background and the user doesn't know about the software. The end result is that the installed software tracks the user's web usage, and can collect information such as bank account and credit card numbers, addresses, and Social Security Numbers. These types of infections are similar to phishing, except that these websites do not require user interaction, whereas phishing does. To prevent this type of attack, do not click on links from unsolicited emails or from untrusted sources.


 

4.0 - Email Information


4.1 - Email Usage

Email has become one of the quickest and most efficient ways to contact individuals and groups of people. However, using email presents its own set of security risks and challenges that you need to be aware of. Viruses, worms, and spyware are often spread as attachments through email. Here are a few tips to guide you down the path of using email appropriately and avoiding security pitfalls:


4.2 - Spam

Spam is unsolicited email. It is a form of advertisement that is sent in mass quantities to email addresses. There's not much that can be done to stop spammers from creating and sending out these messages. The best that we can do is create filters that will block most spam. Spammers are constantly working to find ways around spam filters, so even if filters are turned on and set to their highest setting, some spam email can still get through. If you receive any spam messages, simply delete the email. There are a few things that you can do to minimize the amount of spam you receive:


 

5.0 - Protecting Data Integrity


5.1 - Encryption

Encryption is the process of transforming information from clear or plain text into a non-readable format so that only the intended reader can understand or change the message content. Encryption ensures privacy. It is a way to keep prying eyes from reading confidential information that is sent across the public Internet. Certain software applications have encryption methods embedded in them for sending and receiving secure information and for the storage of information. There is also third-party software available that can be used to encrypt information. For information on using encryption in various scenarios, check out the following links:


5.2 - Virtual Private Network (VPN)

A virtual private network (VPN) is a secure and private connection between two points across a public network such as the Internet. A VPN allows users to access their organization's network securely from their home, hotels, or off-campus public locations.

Any student, staff, or faculty member may use Wright State's VPN service. You must fill out a form located at the CaTS VPN website and follow the directions. Contact the CaTS Help Desk at (937) 775-4827 for more information on WSU's VPN service.


5.3 - Backups

One of the most important steps you can take to ensure that the integrity of your data is protected is to back up your files on a regular basis. Data loss can come at any time, and for a number of reasons:


You should perform a backup of your files at least once a week, and back up critical files more often if they change. If you need assistance in backing up your files, contact the CaTS Help Desk at (937) 775-4827 and they will be glad to assist you.



5.4 - Mobile and Cellular Devices

Information stored on laptop computers, personal organizers (e.g., Blackberry, Palms), cellular phones, thumb drives, and other similar mobile devices is susceptible to equipment failure, damage, or theft. Information transmitted via wireless connections is not always secure; even networks using encryption are vulnerable to intruders. Here are some tips to keep your information secure on a mobile device:


 

 

3640 Colonel Glenn Highway - Dayton, Ohio - 45435