Standards & Guidelines - Information Security in the Workplace
Information security controls are not effective unless they're combined with users who know their responsibility to protect information privacy and confidentiality, take the recommended precautions seriously, and don't attempt to "get around" the rules of good security practices. Here are some examples of good and bad practices:
Accounts and Passwords
| DO |
DO NOT |
| Choose a password that can't be guessed - e.g., an acronym for a simple phrase with numbers randomly inserted works well |
Let anyone else login with your account and password |
| Change your password 2-4 times per year |
Share your password with anyone (NEVER give out your password over the phone, not even to the Help Desk!) |
| Logoff when you leave for the day |
Write your password down & stick it under your keyboard or mouse-pad, on your monitor, or in your pencil drawer |
| Use desktop locking during the day, e.g., a screen saver with password, or a lock workstation function. See Best Practices web page (url below) for instructions. |
"Save this Password" in your browser (Anyone with access to your workstation could impersonate you.) |
| Change your password if you think someone may have learned (seen, heard) it |
Look up sensitive information for others who are not authorized |
E-Mail Security
| DO |
DO NOT |
| Install and use anti-virus software, and keep it updated (daily or weekly) |
Open (click on) attachments or links sent to you from unknown sources |
| Make sure the text of a note references the attachment and its purpose before opening it, and you know or have verified the sender |
Keep old e-mail messages forever |
| Consider e-mail a "postcard" - it is NOT private unless encrypted (scrambled) |
Send ids & passwords or other sensitive data in an email message |
| Report obscene e-mail messages, and any messages that ask you for personal information |
Send harassing, threatening, abusive, insulting or offensive messages |
| Delete all unsolicited advertising e-mail without replying to it. (Instructions to "remove you" will often backfire!) |
Send personal information, e.g., your name, account numbers, address, phone, or pictures of yourself to anyone you do not know personally |
Physical Security
| DO |
DO NOT |
| Question or report strangers in your area to your supervisor or to building security (...Can I help you?) |
Leave confidential documents out on your desk, or on a shared printer |
| Lock your workstation, keyboard when you leave work for the day |
Store backups in an unlocked place |
| Make backup copies of important documents and files on your workstation |
Let others borrow your keys or University ID card to get into a secured area, or follow you into a secured area without ID |
Handling Sensitive Information
| DO |
DO NOT |
| Share files with authorized personnel only |
Gossip or share with others sensitive information you have access to |
| Obtain permission for secondary use of data (Uses other than originally approved) |
Look up confidential information for co-workers who do not have the access without supervisor approval |
| Remove all confidential or sensitive data from your workstation before it leaves your control (To go to surplus or as a dept hand-me-down) |
Store your confidential files on public or unsecured network file servers |
| Protect saved or printed reports that represent sensitive or confidential data |
Throw confidential reports in the trash without shredding them first |
Copyright, Fair Use and Piracy
| DO |
DO NOT |
| Use excerpts with appropriate attribution ( "fair use") |
Use your co-worker's computer disks to install software programs unless you have a license |
| Install and use the software licensed for everyone at the University ( "site-licensed") |
Copy or share "free" music or video files that you would reasonably expect to pay for (e.g., feature films, music CD's, e-books) |
| Install and use software purchased by your department for your use |
Copy software to take home with you |
|
|
|
