Information security can be defined as identifying, controlling and protecting data and information resources from unauthorized access or harm. Before we can do this, however, we must be made aware of the need for information security, the steps necessary to ensure this security, and how to handle a known or suspected security breach. This manual will address these issues and provide a reasonable approach for reducing information security risks.
The following are key elements of information security:
Confidentiality must be maintained on all sensitive information and data.
Integrity, or accuracy, of data is crucial since, unless our information is accurate and complete, it is either useless or possibly even dangerous.
Availability of resources and/or data is necessary for making decisions and performing job/classroom requirements.
Why is information security necessary?
Information security is necessary in order to prevent the following:
Loss of information
John was very busy and felt he didn’t have the time to back up his PC. He had been working on a project for months. One day, his hard drive crashed and his information was deemed irretrievable. He wasn’t able to submit the information on time and lost an important grant.
Always make a backup of your important data and keep it in a safe place.
Loss of University assets
All the information that John had on his failed hard drive was extremely valuable and considered an asset belonging to the University.
Always consider that the information that you’re working with belongs to, and is considered an asset of, the state and its people.
Misuse of information
Sue was upset that she didn’t get a pay raise. She had access to Payroll data and obtained salary information for her entire department. She showed this information to various people throughout the organization.
Information to which you have access should always be kept on a “need to know” basis. Never share confidential information with anyone who is not established as having permission to access that data.
Loss of confidentiality
Judy likes to know what’s going on. During lunch, she often reads other people’s correspondence by finding PCs that are not locked or logged off.
Always lock your PC or log off a workstation when you leave the area.
Loss of credibility
Jane didn’t protect her PC from viruses and got one that sent pornographic images to everyone on the company’s distribution list, including outside clients.
Always use anti-virus tools to protect yourself from viruses. Scan your machine regularly with the latest versions of anti-virus software and beware of any files loaded onto your machine from unknown sources. Again, make backups of all important data.
Financial loss
Bob accidentally deleted some very important files from his PC, didn’t have a viable backup and had no way to recreate the data. This was research data and was considered very valuable.
It takes time and costs money to gather and produce information. Loss of valuable information can be very costly to the organization.
Legal liability
Zelda, who worked in Human Resources, forgot to properly dispose of some information regarding an employee who was fired. This information somehow was released to local news media that broadcast it to the public. The former employee sued the organization and won, costing the company a great deal of money and embarrassment.
Always dispose of discarded confidential information properly, including data generated on computers. Adhere to the organizational policy for disposing of confidential information on hard drives, backup media, and/or hard copy printouts.
Security Tips
What steps can you take to ensure that your data is secure?
Make your password at least 6 characters in length. The longer it is, the more difficult it is to guess by the ‘brute-force’ method of trying every possible combination.
Use as many different characters as possible. Use a combination of letters, numbers, punctuation, and special characters.
Don’t use personal information in your password, as this is too easily guessed by others.
Don’t use words or geographical names listed in a standard dictionary.
Don’t write your password down so that someone else might find and use it.
Change your password on a regular basis, at least every 60 days, or if you have reason to believe that your password has been compromised, change it immediately.
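The password rules above, checked in code. This is an added example and not part of the original manual; the dictionary and personal-information lists are constructed stand-ins, and the requirement of at least three of the four character classes is an assumed concrete reading of "use a combination of letters, numbers, punctuation, and special characters". The keyspace function also shows why length and character variety make brute-force guessing harder.

```python
import string

# Constructed stand-in for a "standard dictionary"; a real checker would load
# a full word list such as /usr/share/dict/words.
DICTIONARY = {"password", "detroit", "michigan", "wayne", "summer"}

# Constructed sample of personal details the checker must reject (name, birth year).
PERSONAL_INFO = {"john", "smith", "1975"}

MIN_LENGTH = 6
MIN_CLASSES = 3  # assumed reading of "use a combination" of the four classes below


def character_classes(password: str) -> list:
    """Return the character sets actually used in the password."""
    classes = [string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation]
    return [cls for cls in classes if any(c in cls for c in password)]


def keyspace(password: str) -> int:
    """Number of candidates an exhaustive search must cover, assuming the attacker
    knows the length and which character classes were used. Larger is better."""
    alphabet = sum(len(cls) for cls in character_classes(password))
    return alphabet ** len(password)


def check_password(password: str) -> list:
    """Return the list of manual rules the password violates; empty means it passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(character_classes(password)) < MIN_CLASSES:
        problems.append(f"uses fewer than {MIN_CLASSES} character classes")
    lowered = password.lower()
    if any(word in lowered for word in DICTIONARY):
        problems.append("contains a dictionary word")
    if any(item in lowered for item in PERSONAL_INFO):
        problems.append("contains personal information")
    return problems


if __name__ == "__main__":
    for candidate in ["john75", "Detroit99!", "Qx7#pLm2!v"]:
        print(candidate, check_password(candidate) or "OK", "keyspace:", keyspace(candidate))
```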
Your computer might be infected for some time before you are even aware of it. That’s why it’s important to run the latest version of anti-virus software on your computer on a regular basis.
Anti-virus software is a powerful tool that can help you keep your computer safe. It can scan the files you download to determine if they contain any known viruses or other dangerous intruders.
Nasty software programs include worms, which can “burrow” into your computer and duplicate themselves so often that they cause your computer to crash, and Trojan horses, which are seemingly useful programs (like games or utilities) that do something destructive to your computer when activated.
Your files (data, documents, e-mail correspondence) - especially critical files - should always be backed up and placed in a secure location.
Don’t leave your backup data in the same location as your original data. If something happens at your computer site, your backup data may also be lost.
Properly label and store all backup media so that someone else working with you would be able to use the data if needed in your absence.
You also need to know how to restore that backup data to your computer if need be.
Consider keeping data on the MSIS provided fileservers where files are backed up to media regularly.
Be certain someone isn’t looking over your shoulder when you type in your password or while you’re viewing or entering confidential data.
Control who has access to the data that you manage. Control the type of access they have. Can they update some or all records? Can they update only parts of a record or the entire record?
If departmental policy allows, lock your office when you are not present.
If your workstation is in an open area, be certain to power down your computer, lock your workstation, or utilize your computer’s screensaver password function before you leave.
Do not give office keys/cardkeys to any unauthorized individuals.
Note and report any unauthorized visitors in your work area, especially when you’re processing confidential or mission-critical data.
Don’t drink or eat in the immediate vicinity of your computer, as spilled drinks or food may damage your machine.
Know where the emergency exit, fire alarm, and fire suppression equipment are and how to use them.
Install a personal firewall, which is like a valve that lets you access the Internet but prevents the Internet from accessing you (this is especially important if you access the Internet using a cable modem or DSL). It masks from the Internet all the information and activity that is on your side of the firewall and can even alert you if someone is trying to access your system. The following are some firewall software tools:
Faculty, staff, and students are encouraged to use electronic mail to conduct business for the university and to communicate ideas and information for that purpose. However, this must be done in a responsible and professional manner.
Electronic mail communications are not private, despite the use of passwords, and despite any such designation by either the sender or the recipient. Employees' electronic messages are subject to authorized access and monitoring for bona fide University purposes following appropriate due process procedures. The University does not routinely intercept messages, and other than through policy does not control the content of messages. MSIS and C&IT follow generally accepted security measures, but cannot guarantee that electronic mail is completely protected from unauthorized access by individuals who possess the skill and desire to breach these security measures.
Employees should be aware that when sending an e-mail message of a personal nature, there is always the danger of the employees’ words being interpreted as official University policy or opinion. Employees are responsible for clearly expressing in their personal correspondence that their statements and opinions do not represent official University policy.
Personal e-mail should not impede the conduct of University business.
Racist, sexist, threatening, or otherwise objectionable language is strictly prohibited.
E-mail should not be used for personal monetary interests or gain.
Employees should not subscribe to mailing lists or mail services strictly for personal use.
Personal e- mail should not cause the University to incur a direct cost in addition to the general overhead of e-mail.
Tips for proper e-mail etiquette:
Don’t forward chain letters, jokes, virus alerts, or hoax or scam warnings.
Never use all capital letters, as this is perceived as “SHOUTING.”
Do not attach unnecessary files.
Use proper spelling and grammar.
Don’t overuse the ‘high priority’ option.
Review the e-mail before you send it.
Use a meaningful subject title.
Don’t send or forward e-mail containing libelous, defamatory, offensive, racist or obscene remarks.
Don’t reply to ‘spam’ (unsolicited junk e-mail) as this gives the spammer confirmation of your e-mail address.
Never e-mail anything you wouldn’t want posted on a public bulletin board.
The Internet is an awesome and wonderful resource. It can, however, be extremely hazardous to the ‘health’ of your computer, or perhaps even your privacy and finances. You must be aware of several factors when using resources on the Internet:
Be careful when downloading software applications or other files. Be certain that the software/files you’re opening are safe and from a reputable source.
Web pages often include forms. Be aware that data sent from a web browser to a web server is not necessarily secure.
Be certain when sending information to a server that the connection is secure. This will be indicated by a ‘lock’ or ‘key’ icon in the browser. View the ‘certificate’ associated with the web site you have accessed. Each web browser has a different way of doing this. The certificate will list the certificate’s owner and who issued it. If these look trustworthy, you are probably ok.
Read the site’s privacy policy to determine just what the site is going to do with your personal information. Some Web sites treat certain bits of customer information - name, address, e-mail address, and purchasing history - as an asset that they can sell to other merchandisers. If you don’t want your information sold in this way, make sure the site has a policy against doing so.
If you’re using the Internet, particularly with an “always-on” connection such as DSL or cable, be sure you have turned off the feature in the Network Control Panel that allows you to share files and printers over the network unless you are behind a properly configured firewall.
Be aware that people in chat rooms are not always as they may try to represent themselves. Be careful how much personal information you divulge. Don’t post anything that you wouldn’t want everyone to know.
Follow all guidelines established by SOM and WSU Executive Orders.
Use of information resources should always be conducted with respect, integrity, and courtesy.
Never use any University resource to do something illegal, threatening, or deliberately destructive.
You may not profit personally from use of any university resource.
Respect the privacy of others.
Be careful of copyright infringement. It is a violation of policy to copy, display, or distribute copyrighted material such as software, MP3 files, or MPEG files illegally.
Be certain to abide by software licensing agreements. Don’t load any software on your machine if you aren’t licensed to do so.
Never try to circumvent login procedures on any University computer or attempt to gain access to any computer or files which you are not authorized to use.
How do I report a security breach or abuse of information resources?
Report these to your supervisor, professor, or MSIS. Be certain to have details of the occurrences, i.e., date, time, people and resources involved, etc.
Frequently Asked Questions
What if I forget my password?
If you cannot remember your password but had the forethought to set a Challenge Question/Pass-phrase on your directory entry, then you can go to the SoM Directory page, do a search for your entry, and select the Reset Password link at the bottom of the page. You can then select the Question that you previously set and enter the answer to that question. Then set what you want the password to be. The system will then check to see if that was the question you requested that it ask and if you've provided the correct answer.
If you cannot remember your password and didn't set a Challenge Question/Pass-phrase on your directory entry, then you must come to 1313 Scott Hall with your WSU ID in order to have MSIS reset the password. No passwords are to be issued over the phone.
What if my supervisor requests my password? Should I give it to her or him?
In general, passwords should never be shared. Exceptions to this practice should be rare and only be permitted in order to perform business operations in the event of an unplanned employee absence. These exceptional requests should only come from your supervisor or departmental management.
What if someone calls me on the phone and tells me that they are going to work on my computer or the network and need my password? Should I give it to him or her?
No, never divulge your password to anyone other than your supervisor, and, even then, only under certain circumstances.
What if I suspect someone has my password?
Immediately change your password.
How do I get an e-mail account?
Students receive an electronic mail account when they enroll. Employees receive an account after their department sends a service request form to MSIS via the Account Request Page requesting an account.
How do I protect my computer from viruses?
To stop the spread of computer viruses, Wayne State University has a site license with Symantec Inc., maker of the Norton Antivirus applications. The agreement allows you to use the specified Norton Antivirus Corporate version for free. This software and the contract expiration details can be found at the C&IT Norton Software Download page.
How do I know if my computer has been infected with a virus?
It may suddenly become very sluggish and slow or ‘behave’ strangely in other ways. However, sudden adverse activity is not always indicative of computer virus infection, and some infections have no obvious symptoms. Work with MSIS to diagnose your system. And remember, it is always best to use prevention rather than trying to “cure” a computer virus. Always run the latest version of anti-virus software on your PC.
A coworker has a software program that I’d like to have on my PC. It is only licensed for one user, but no one will ever be the wiser. Should I load it on my PC?
No, it is against state and university policy, as well as federal copyright laws, to run unauthorized or unlicensed software on University PCs.
I frequently leave my office. Do I have to keep password locking my PC or logging off? It’s such a pain to keep signing back on.
Yes, it’s very important to protect your PC from unauthorized use while you are away. Someone could do a lot of damage to important files or perform illegal operations in your name.
I’ve heard that the Internet can be dangerous, but I’ve never had any problems. Do I really need to be concerned?
The Internet can be as wild as the old West, so it’s best to be mindful of where you go and what you do. You may give away personal information without realizing it, or you may end up on a site that’s not appropriate for you, your workplace, or your family. Always be careful when conducting business transactions on the Internet. Be certain that you’re dealing with a reputable site that uses Secure Sockets Layer (SSL) technology. SSL encrypts the information moving from your browser to the electronic merchant to shield it from the eyes of unscrupulous people.
What is a cookie?
A cookie is a small text file created by the Web sites you visit and is stored on your computer so that next time you visit, the site can automatically access information about you, such as your browsing preferences, or in some cases, your name, address, and phone number. Most browsers allow you to select whether to accept cookies or not.