Information security is the responsibility of every member of the Worcester State University community. The safeguarding of information falls to all in some way, even those at the University whose position does not require handling sensitive information on a daily basis. Information security involves not just electronic data—it applies to any sensitive material in both electronic and paper form.
Data is one of the University’s most important assets, and its loss or theft could lead to serious financial and security consequences, as well as significant damage to the institution’s reputation. In order to protect both the university’s and our own personal information, we all need to be aware of what good data handling practices look like and where our potential vulnerabilities may lie.
The university’s IT Services department provides a curated list of hardware and software options made available to students, faculty, and staff. However, it is always prudent to:
Keep virus protection up to date.
The university provides and installs antivirus on all college-owned computers and servers. It also provides free antivirus for student laptops.
Keep your system up to date.
Information Technologies performs regular patching of college-owned systems. Personal machines should have updates applied automatically – ask the HelpDesk if you don’t know how to set this up.
Use spyware and spam blocking.
Only install known products.
Many free software programs contain malicious code – avoid installing “free” software or software add-ons from unknown vendors. “Helpful” free browser toolbars often cause computer problems and security issues.
Setting passwords, best practice and what to avoid:
Have a password and do not share it with others.
A password serves as a means to authenticate the identity of the person using an account. Only the authorized user is meant to have access to the account and a password helps prevent misuse by unauthorized users. Remember, the authorized user will be held responsible for misuse of the account if the password is shared.
Make passwords hard to guess.
It is a safe bet that a hacker knows all the tricks. Avoid using anything that is easily attainable online. Things such as your first or last name, or a combination of them, can be easily cracked. Account names are another example of something to avoid. Silly tricks such as making your password “password” are also easily cracked.
…use a password made up of a mix of upper and lower case letters, numbers and symbols, no fewer than 8 characters in length – preferably 12 or 16. These constraints combine to increase the complexity of your password, making it much more difficult to crack.
Change your password on a regular basis.
You would be surprised how often you may accidentally expose your password to others. Changing it regularly will cut down on the possibility of misuse by others.
Store your password in a safe place.
While it’s understandable that users often need to record their passwords, it really isn’t a good practice to write them down. Password lists should be stored in a safe place, such as a strongly encrypted file with a good encryption key. In any case, great care must be taken to safeguard the password when it is used and to return it to safe storage immediately after use.
And so it follows…
Don’t leave passwords where others can find them.
Don’t leave your password on a post-it on your desk or written down in any other place where someone could easily find it. Certainly do not write down, “This is the password for ….”. If you absolutely must write down your passwords, keep them in a secure, locked place. Also, don’t leave your passwords where others can find them electronically. Never send them in email, post them to a site, leave them online in a file, etc.
Never open email, a file, or any other form of data that comes to you from an unfamiliar source.
Never click on a link in an email. Instead, copy and paste the link into your browser or use the hover technique.
Be wary of emails containing links that claim to give away merchandise for free.
Worcester State’s Information Technology Services department will never send an email asking for your username, password or any other sensitive information, nor would any other reputable organization.
The following video (from Cabrillo College) covers the topics of phishing and internet security:
Higher education and data security
In general, our institutional systems are designed on the principles of free information exchange to accommodate diverse user populations. The free exchange of information, ideas and research does, however, create unique security challenges. Compliance with various regulations including FERPA, HIPAA, PCI DSS as well as other state and federal privacy regulations often puts the burden of protection on all our shoulders. The following are beginning steps we as a community can take to share the security responsibility.
What is at risk?
- Personally identifiable information (PII)
- Credit card
- Bank account numbers
- Health records
- Financial records of students and possibly their parents
- Registrar’s office information
- Financial aid information
- Research databases
What steps can you take to better secure your information?
Use strong passwords and change your passwords often.
- Remember, a strong password is one that is not obvious or easy to guess. A strong password should be a mix of upper and lower case letters, numbers and symbols, no fewer than 8 characters in length – preferably 12 or 16.
- Do not share your password or username with others.
- Do not email your password to others.
- Always change the default password when you receive a new account that requires a password and assigns a default.
- Make it a practice to change your password every 90 days, especially when using public computers. This practice will better prevent people from knowing and utilizing your password.
- When setting up multiple accounts, use unique passwords for each account.
- Try not to write your passwords down; choose passwords that are easy to remember. If you must write them down, keep them in a secure place. Consider using a password keeper utility like 1Password or LastPass.
- Do not log others into a computer with your password, as you are responsible for your account.
Use the standard campus-wide anti-virus program and be aware of steps to take to minimize computer virus risks. New viruses appear constantly, and daily virus definition updating decreases the risk of computers becoming infected. IT provides the anti-virus software and maintains the update schedule; you should never attempt to turn it off. If you believe it is necessary, contact the IT Helpdesk for assistance. All computers joining the WSC domain are mandated to be virus protected.
Email and attachments
Remember, if you receive an unexpected email attachment, even if you know the sender, do not open the attachment unless you can answer “YES” to all three of the following conditions:
- I know exactly what this file is.
- I have scanned this file with my virus scan AND I have ensured that my virus scan was recently updated.
- I have verified the identity of the sender and their intentions via email or phone call.
What else can you do?
Do not save sensitive data to unsecured devices.
- Laptops, memory sticks, memory cards should be encrypted whenever sensitive data is involved.
- You can also encrypt data when sent via an email.
Encryption of laptops, desktops, and removable media
Since 2010, all university-owned laptops have been encrypted. All university-owned desktop computers in key areas have been encrypted and any future new or reimaged desktop computers will be encrypted.
What is Encryption?
Encryption is the conversion of data into a form, called a ciphertext, that cannot be easily understood without decryption. Decryption is the process of converting encrypted data back into its original form, so it can be understood.
Don’t give away the key!
Remember: your Worcester State Network username and password are the key.
The use of encryption/decryption is as old as the art of communication. In wartime, a cipher, often incorrectly called a code, can be employed to keep the enemy from obtaining the contents of transmissions. (Technically, a code is a means of representing a signal without the intent of keeping it secret; examples are Morse code and ASCII.) Simple ciphers include the substitution of letters for numbers, the rotation of letters in the alphabet, and the “scrambling” of voice signals by inverting the sideband frequencies. More complex ciphers work according to sophisticated computer algorithms that rearrange the data bits in digital signals. In order to easily recover the contents of an encrypted signal, the correct decryption key is required. The key is an algorithm that undoes the work of the encryption algorithm. Alternatively, a computer can be used in an attempt to break the cipher. The more complex the encryption algorithm, the more difficult it becomes to eavesdrop on the communications without access to the key.
Report lost or stolen items immediately.
The university is prepared to handle lost or stolen computer hardware, but we must be made aware. It is imperative that you contact University Police or the ITS Help Desk if your computer or laptop has been lost or stolen. When you report the issue you will be asked specific questions about the incident. Please know that we are only trying to help recover the items, protect lost data, and inform as needed. We understand things happen beyond our control; the sooner we know, the faster we can protect you and the university.
Leave nothing unattended
We are all responsible for Information Security Awareness. Be sure that you lock your door if you leave your office, even if it’s just for a short time. If you are in an open office be sure that there are other members of the staff who know that you are going to be away and secure your laptop in a locked drawer of your desk whenever possible.
Use the Windows+L keyboard keys to secure your Windows computer, which will require someone to log in to view the open applications/documents. Other devices should have a similar lock sequence. If this does not seem feasible, please contact the Information Technologies Help Desk so that we can discuss your situation and provide assistance.