Information security is the responsibility of every member of the Worcester State University community. The safeguarding of information falls to all in some way, even those at the University whose position does not require handling sensitive information on a daily basis. Information security involves not just electronic data—it applies to any sensitive material in both electronic and paper form.
Data is one of the University’s most important assets, and its loss or theft could lead to serious financial and security consequences, and a big impact to the institution’s reputation. In order to protect both the university’s and our own personal information, we all need to be aware of what good data handling practices look like and where our potential vulnerabilities may lie.
The university’s IT Services department provides a curated list of hardware and software options made available to students, faculty, and staff. However it is always prudent to:
The university provides and installs antivirus on all college owned computers and servers. It also provides free antivirus for student laptops as well.
Information Technologies performs regular patching of college owned systems. Personal machines should have updates applied automatically – ask the HelpDesk if you do not know how to set this up.
Many free software programs contain malicious code – avoid installing “free” software or software add-ons from unknown vendors. “Helpful” free browser toolbars often cause computer problems and security issues.
Setting passwords, best practice and what to avoid:
A password serves as a means to authenticate the identity of the person using an account. Only the authorized user is meant to have access to the account and a password helps prevent misuse by unauthorized users. Remember, the authorized user will be held responsible for misuse of the account if the password is shared.
It is a safe bet a hacker knows all the tricks. Avoid using anything that is easily attainable online. Things such as your first or last name or a combination of them can be easily cracked. Account names are another example of something to avoid. Silly tricks such as making your password, “password” are also easily cracked.
…use password made up of a mix of upper and lower case letters, numbers and symbols, no less than 8 characters in length – preferably 12 or 16. These constraints combine to increase the complexity of your password making it much more difficult to crack.
You would be surprised how often you may accidentally expose your password to others. This will cut down on the possibility of misuse by others.
While it is understandable that users often need to record their passwords, it really is not a good practice to write them down. Password lists should be stored in a safe place, such as a strongly encrypted file with a good encryption key. In any case, great care must be taken to safeguard the password when it is used and to be sure to return it to a safe storage immediately after use.
And so it follows…
Do not leave your password on a post-it on your desk or written down in any other places where someone could easily find it. Certainly do not write down, “This is the password for ….”. If you absolutely must write down your passwords, keep them in a secure, locked place. Also, do not leave your passwords where others can find them electronically. Never send them in email, post them to a site, leave them online in a file, etc.
Preferably, use a password keeper utility like 1password or LastPass.
Never open email, a file, or any other form of data that comes to you from an unfamiliar source.
Never click on a link in an email. Instead, copy and paste the link into your browser or use the hover technique.
Be wary of emails containing links that claim to give away merchandise for free.
Worcester State’s Information Technology Services department will never send an email asking for your username, password or any other sensitive information, nor would any other reputable organization.
The following video (from Cabrillo College) covers the topics of phishing and internet security:
In General, our institutional systems are designed on the principles of free information exchange to accommodate diverse user populations. The concept of free exchange of information, ideas and research do however create unique security challenges. Compliance with various regulations including FERPA, HIPAA, PCI DSS as well as other state and federal privacy regulations often puts the burden of protection on all our shoulders. The following are beginning steps, we as a community can take, to share the security responsibility.
Use strong passwords and change your passwords often.
Use the standard campus-wide anti-virus program and be aware of steps to take to minimize computer virus risks. New viruses appear constantly and daily virus definition updating decreases the risk of computers becoming infected. While IT provides anti-virus software and maintains the update schedule you should never attempt to turn it off. If you believe it is necessary, contact the IT Helpdesk for assistance. All computers joining the Worcester State domain are mandated to be virus protected.
Remember, If you receive an unexpected email attachment, even if you know the sender, do not open the attachment unless you can answer “YES” to all three of the following conditions:
Do not save sensitive date to unsecured devices.
Since 2010, all university owned laptops have been encrypted. All university owned desktop computers in key areas have been encrypted and any future new or reimaged desktop computers will be encrypted.
Encryption is the conversion of data into a form, called a ciphertext, that cannot be easily understood without decryption. Decryption is the process of converting encrypted data back into its original form, so it can be understood.
Remember: your Worcester State Network username and password are the key.
The use of encryption/decryption is as old as the art of communication. In wartime, a cipher, often incorrectly called a code, can be employed to keep the enemy from obtaining the contents of transmissions. (Technically, a code is a means of representing a signal without the intent of keeping it secret; examples are Morse code and ASCII.) Simple ciphers include the substitution of letters for numbers, the rotation of letters in the alphabet, and the “scrambling” of voice signals by inverting the sideband frequencies. More complex ciphers work according to sophisticated computer algorithms that rearrange the data bits in digital signals. In order to easily recover the contents of an encrypted signal, the correct decryption key is required. The key is an algorithm that undoes the work of the encryption algorithm. Alternatively, a computer can be used in an attempt to break the cipher. The more complex the encryption algorithm, the more difficult it becomes to eavesdrop on the communications without access to the key.
The university is prepared to handle lost or stolen computer hardware but we must be made aware. It is imperative that you contact University Police or ITS Help Desk if your computer or laptop has been lost or stolen. When you report the issue you will be asked specific questions about the incident, please know that we are only trying to help recover the items, protect lost data, and inform as needed. We understand things happen beyond our control; the sooner we know the faster we can protect you and the university.
We are all responsible for Information Security Awareness. Be sure that you lock your door if you leave your office, even if it is just for a short time. If you are in an open office be sure that there are other members of the staff who know that you are going to be away and secure your laptop in a locked drawer of your desk whenever possible.
Use the Windows+L keyboard keys to secure your Windows computer, which will require someone to log in to view the open applications/documents. Other devices should have a similar lock sequence. If this does not seem feasible, please contact the Information Technologies Help Desk so that we can discuss your situation and provide assistance.
