University Technology Services recognizes the need to protect the confidentiality, integrity, and availability of institutional information technology resources and works to comply with obligations from a number of sources, including federal and state laws and regulations, contractual obligations, and the ethical commitment to protect privacy of data entrusted to the university.
Quick steps to protect your accounts, desktop, laptop and other mobile devices:
- Enable a firewall on your computer to prevent other computers or devices from accessing services running on your computer without your knowledge.
- Enable a password protected screen saver after a period of inactivity or when you leave your work area.
- Set up secure file sharing or use known secured methods for sharing files and data.
- Use the VPN to access university resources from off-campus locations.
- Do not click on links in email from unknown sources.
- Make backup copies of your critical data, and encrypt your backup.
- Use a hard-to-guess password, do not share the password and change it periodically. Oakland University and University Technology Services will never send you an email asking you for your password; do not respond to emails that ask for passwords.
- Enable two-step authentication on your NetID account.
- Make sure your software is up-to-date: install patches, firewall protection and anti-virus updates.
- Log out of all services and keep unattended devices (desktop computers, laptop computers, smart phones and other equipment) in locked drawers and in locked offices.
- Securely delete outdated sensitive files.
- Protect yOUrself! from phishing scams! Take a moment to review the materials prepared in partnership with University Human Resources: Protect yOUrself!
Mobility, Security, and Personal Information
Your mobile computer and portable device may contain information such as location tracking, personal contact data, tax returns, social security information, bank accounts and other important files that are convenient for you. The mobility, technology, and information that make smart phones, tablets, netbooks, laptops, and other mobile computing devices so useful to employees and organizations also make them valuable prizes for thieves.
Four reasons to secure your mobile device are to protect:
- Your information
- Your identity
- Your privacy
- University data and resources
There are options, both free and paid, that can keep your information safe even if someone walks off with your laptop or breaks into your device. If possible, device encryption should be deployed. The use of encryption requires key management and must be managed by either yourself or your department. If possible, password protect or otherwise protect the entry to the device. Consider enabling location tracking and remote wiping, but also consider your privacy and tracking when you make the decision to enable location-based services. If you are using a device funded by Oakland University, login password protection, passcode locks, auto-lock, and location services should be enabled. If you lose a device that is connecting to the university Google Apps for Education environment, contact UTS to evaluate possibilities for remote wiping.
It is your responsibility to understand the risks and be proactive in keeping your mobile device secure. The questions you need to consider are what types of data you are storing on your mobile device, what types of services have automatic login access, and why data or services are on the device. There is no foolproof way to prevent a mobile device from being stolen, lost, or otherwise compromised by an intruder.
Contact UTS at firstname.lastname@example.org if you have questions or comments about how we can help you learn more about how to secure your mobile computer.
Are there guidelines for securing my mobile device?
We recommend following guidelines from Educause. Review the FCC Smartphone Security Checker posted on the fcc.gov website.
Are there travel guidelines for securing mobile devices?
Research, beware of the risks, and prepare your technology before you travel. Academic travelers should review material posted by the Office of Research Administration under Export Controls. Download and check the International Travel Checklist. Please note the shared document from the FBI: Best Practices for Academics Traveling Overseas. We recommend following guidelines from Educause. Review the FCC Smartphone Security Checker posted on the fcc.gov website.
Also, review the FBI Business Travel Brochure.
What are the risks for a lost or stolen laptop, smartphone or other computing device?
Only you can determine what is actually at risk. Here are some common risks:
- The risk that confidential or sensitive information is lost, stolen, or shared inappropriately in violation of privacy, laws, regulations, or contracts.
- The risk of identity theft.
- The risk that someone gains unauthorized access to private networks.
- The associated costs and business interruptions of laptop and data loss.
- The threat of litigation and public embarrassment if confidential information from a third party is lost or stolen.
- The cost of compliance with privacy breach notification laws.
What types of mobile devices need security?
Mobile devices include laptop computers, smartphones (Android, iPhones, etc.), tablets (iPads), PDAs (personal digital assistants), or any handheld computing device. Mobile devices that may store data include USB flash drives, external hard drives, CDs (compact discs), and DVDs (digital video discs).
The available technology for devices other than laptops is often insufficient to assure security, which is a good reason not to store confidential data on these types of devices.
Do I have to secure my personal computer if I use it for University business?
Yes, you are responsible for implementing security measures to protect the data on any device (university owned or personally owned) that is used to access and/or store confidential university data. We recommend that university data not be stored on any device not owned by the University. Please review the Information Security Policy #860 before storing any university data on a device not owned by the University.
What is encryption?
Encryption is the process of enhancing security by converting data into a format that is unreadable so it is protected against everyone except those with a special key. There are two options:
- Encrypting individual files and/or directories
- Encrypting an entire disk
University Technology Services recommends full disk encryption.
What types of data need to be encrypted?
Data that are specifically restricted from open disclosure to the public by law are classified as “Confidential Data” and require a high level of protection against unauthorized disclosure, modification, destruction, and usage.
Examples of confidential data include, but are not limited to:
- Social security numbers
- Credit card numbers
- Official student grades
- Financial aid data
- Research data
- Driver's license numbers
- Individuals’ health information
Some data are federally protected under laws like the Family Educational Rights and Privacy Act (FERPA) and the Health Insurance Portability and Accountability Act (HIPAA). For more information, read the Information Security Policy #860.
What type of encryption solutions are available?
Encryption software is available as either paid or free software. The use of encryption requires key management and must be managed by either yourself or your department. Encryption key management is not the responsibility of University Technology Services.
- FileVault is the built-in file/folder encryption solution available for Macs.
- iOS: Understanding data protection describes protections for Apple devices.
- Apple Security Overview: more ways to keep your Mac safe (including OS X Yosemite).
- BitLocker - Windows 7 is the built-in full disk encryption available for Windows.
- BitLocker - Windows 8 is the built-in full disk encryption available for Windows.
- Chromebook is locked by default, but pass phrases should still be used.
- TrueCrypt is no longer recommended as it is no longer supported. Instead, we suggest investigating use of BitLocker.
- PGP is a third party paid encryption solution for Macs and Windows. PGP also offers mobile encryption solutions.
How do I protect my activities on a wireless network?
You can protect your wireless network by enabling WEP (Wired Equivalent Privacy) or WPA (Wi-Fi Protected Access) encryption. WPA2 is the newest and highest level of encryption available. The encryption scrambles data on your wireless network so that only computers that have the encryption key can read your communications.
Refer to the owner's manual for your wireless router or access point to determine how to enable and configure encryption for your device. Once you enable encryption on your router or access point, you will need to configure your wireless network devices with the proper information to access the network.
Is fingerprint recognition software a recommended security measure?
There are many vendors who promote fingerprint recognition as a security measure. Fingerprint identity protection software does provide an additional layer of security.
Microsoft does not promote their built-in fingerprint reader as a security device, but rather as a convenient tool for those who want a fast way to log on without having to remember user names and passwords. The Microsoft website warns that the fingerprint reader should not be used to protect sensitive data but used to alleviate password memorization.
What are some best practices for securing a mobile device?
The following best practices are easy to implement and inexpensive ways to secure your mobile device:
- Keep patches up-to-date on operating systems — Whenever a security issue comes to light, the software maker issues an update or a patch. This reduces the possibility that a system can be compromised. If the computer is on the University domain environment then these patches are maintained through group policy.
- Remove files — Clear temporary Internet files (cache), cookies, and browsing history after Internet usage. Each Internet browser is different; see Help in the menu bar for how to remove these files.
- Do not store passwords — There is security risk in letting your Internet browser save your passwords. The AutoComplete feature can save Web addresses, form data, and access credentials such as usernames and passwords. Learn how to turn off this feature within the browser help menu.
- Use password protection — Enable the password locking feature and change the password regularly. Choose a strong password - one that is at least eight characters, including a mix of numbers and letters. A long idle time allows someone to walk away with a laptop and still have access to all its contents. To minimize this risk, enable a password request after five minutes of inactivity.
- Set-up a personal firewall — Configure your device to enable firewall protection. Firewall software blocks unwanted network communication with your computer. Both Microsoft and Apple provide firewall protection on their operating systems.
- Adjust the wireless security settings — When using wireless connections adjust the security settings on your device to the strongest settings.
- Lock the device — Avoid leaving unsecured laptops or mobile computing devices unattended. Purchase locking cables and lock the device to a heavy non-movable object or store the device in a secure location. If they must be left in a vehicle, they should be covered up or locked in the trunk. If you must occasionally leave a laptop or other mobile device in a car or other location, you must have full encryption enabled on the device.
- Alarm the device — If the laptop is moved or handled without authorization, the system will give a warning signal. There are many different kinds of alarm systems. The simplest ones are integrated into the cable lock, which, if broken, will start the alarm. These alarms can be purchased at office supply stores.
- Encrypt your data — Assess and evaluate the data stored on your device and use the appropriate encryption method or invest in advanced data protection. Leverage advanced data protection technology to remotely wipe sensitive information in the event that your computer is lost or stolen.
- Do not root or jail-break the device, as this may leave the device vulnerable to unauthorized access.
University employees should contact their designated information technology support staff members if they are using an Oakland University owned computer that is not currently running Symantec Endpoint Protection (SEP). Symantec Endpoint Protection installs are available for free for campus computers. Please go to your Start menu > Programs > Symantec Endpoint Protection. If you have the program, please open it and look at your Virus Definition File Date (located in the lower right-hand corner). The date should be within this month; if not, please contact your designated information technology support area.
Students and faculty using campus network resources with personal laptops are strongly encouraged to install and maintain security protections such as personal firewalls and anti-virus software.
Some viruses are not viruses at all — they are merely hoaxes, usually circulated by e-mail. Before you report a virus or warn friends about it, you should make sure it is not a hoax; otherwise you are only serving to perpetuate the hoax! McAfee and Symantec both keep comprehensive lists of virus hoaxes at the following sites:
Other Useful Resources