Policy 8060 Users – Data Security Guidelines
Updated February 2016
Being familiar with and adhering to university IT policies
Users are expected to adhere to all university IT policies and exercise good judgment in the protection of information resources. They should be familiar with this policy and other information-related policies, including but not limited to the university’s policies regarding acceptable use, access and privacy.
Users must provide physical security for their information technology devices. Doors must be locked to protect equipment when areas housing them are unattended. Special care should be exercised with portable devices which are vulnerable to loss or theft.
Confidential information must be kept in a place that provides a high level of protection against unauthorized access and should not be removed from the university. Encryption consistent with university standards and Encryption Guidelines is required for confidential information stored electronically on all computers, and special care should be taken when electing to store confidential information on laptops or other devices that are vulnerable to theft or loss.
Distribution and transmission of information
Confidential information that is transmitted electronically, transported physically, or spoken in conversation must be appropriately protected from unauthorized interception. For electronic information, appropriate encryption is required for all restricted information, especially if that information is transmitted over public networks. Information Services Providers are responsible for employing appropriate encryption when transmitting electronic information; users must avail themselves of these services. (Reference Encryption Guidelines.)
Destruction and disposal of information and devices
Confidential information must be disposed of in such manner as to ensure it cannot be retrieved and recovered by unauthorized persons. Physical documents containing confidential information must be shredded prior to disposal.
When donating, selling, transferring, or disposing of computers or removable media such as jump drives, or CDs, care must be taken to ensure that confidential data is rendered unreadable. For example, if used computers are donated or sold, all information stored on machines must be thoroughly erased. It is insufficient to “delete” the information, as it may remain on the medium. Software that rewrites random data on the medium (preferably several times) must be used. Alternatively, the medium may be physically or electromagnetically destroyed. Contact Help Desk at 426-4357 for assistance.
Access to computers, software applications and electronic information is frequently password controlled. Users are responsible for creating and protecting passwords that grant them access to resources. Passwords cannot be shared, displayed in plain view, or stored in computers.
Although different applications may have unique password requirements, passwords should generally be at least 8 characters long and include a combination of letters, numbers, and symbols. Passwords should not contain names, words, or permutations of personal data such as social security numbers, dates of birth, etc. Passwords must be changed at least every 90 days, and default passwords must be changed on a user’s first login.
Users must take steps to protect their desktop, laptop, and mobile devices from compromise either by external individuals or members of the university community. Users must utilize secure operating systems and software and modify default installation passwords and configurations to minimize vulnerabilities. It is the user’s responsibility to ensure that security patches are promptly installed on their laptop, desktop and mobile devices, or to ensure that an Information Service Provider has installed these patches. Users must cooperate with and avail themselves of any central services providing support for and/or review of these activities.
Many personal computer operating systems can be configured to allow access across the Internet and other networks. Users must ensure their systems are configured to prevent unauthorized access.
Users must log off of applications, computers and networks when finished. If computers are located in secure locations, users may not leave without locking office doors, regardless of the time they anticipate being away. Public terminal users must also log off when completing their session. The use of boot or start-up passwords is required where unauthorized users may have physical access to computers. When leaving the computer unattended for any period of time, users should utilize the computer lock function (i.e. Ctrl+Alt+Delete for Windows, Ctrl+Shift+Power for Macs) which requires a password to unlock the computer prior to continuing usage.
Virus and malicious code protection
Users must ensure that their personal computers employ mechanisms that protect against viruses and other forms of malicious code which may be distributed through email or the web. Users must have anti-viral software loaded on any device used to access the university’s network from off-site. To ensure that virus protection remains effective, individuals must install new versions as they become available.
Because no anti-viral software is effective against all viruses, users must exercise caution when opening email or downloading files from the Internet. Users should not open unexpected or suspicious attachments and should configure word processing, spreadsheet, and other applications to require user confirmation before macros, scripts, or other executable enclosures are opened. Confirmation should be granted only if the source of the file is known or trusted.
If a virus is detected, it must be immediately and completely eradicated before email or files of any sort are sent to other users. After contamination is eliminated, individuals who may have been sent infected files must be informed by telephone or other non-electronic means. All potentially infected files, including those stored on network servers and backup media must also be examined for infestation and treated accordingly.
Backups and record retention must comply with the university’s records retention policy. Information stored on personal computers and not easily replaced must be copied to removable media to protect from loss. Backup copies should be made regularly and maintained in a different physical location to protect against loss from flood, fire or theft. Care should be taken to store media under environmentally appropriate, secure conditions and should be periodically refreshed.
Incident handling and reporting
Users must report suspected compromises of information resources, including contamination by computer viruses, to their managers and per the university’s Incident Response Procedure on the same business day that they become aware of the compromise.