Security Recommendations for Users of Financial, Student, and Employee Data

Overview

This page outlines security measures users of financial, student, and employee data should take in order to meet the recommendations as specified by the Information Services Security Group at the University of Oregon.

Desktops and Laptops

  1. Current versions of popular operating systems are significantly more secure than earlier versions. Hardware that cannot run the most recent version of Microsoft Windows or macOS must be replaced.
  2. Operating systems must be patched for known vulnerabilities. As soon as vendors release new patches, malicious individuals race to develop exploits for the vulnerabilities those patches fix so they can take advantage of systems that have not yet been patched. It is therefore critical that you install new patches as soon as they are available.
    • For systems that are actively administered, the administrator responsible for those systems shall ensure that all available patches are installed within 48 hours of their general availability. Systems that are administered by individual users shall have automatic updates enabled, and all available patches shall be installed within 48 hours of their general availability. When a reboot is required to complete the installation, reboot your computer immediately after applying updates rather than waiting until a later time.
    • You will never be sent patches by email. Any "patches" you receive by email are likely to be malware.
  3. Use Google Chrome, Firefox, Safari, or Edge for web browsing.
    • Ensure that the browser is set to automatically download and install any available updates.
    • Use AdBlock Plus to block web advertisements.
    • Use NoScript to help avoid dangerous JavaScript.
    • Use Certificate Patrol to watch for fake certificates.
  4. Keep third-party helper applications up to date. These applications (e.g., Java, Adobe Flash, and Adobe Reader) are a prime attack vector.
  5. All users of financial, student, and employee data must install antivirus software, per university policy. This includes keeping it up to date, enabling on-access scanning, and scheduling a recurring weekly scan. Information Services provides the McAfee VirusScan product for this purpose at no charge.
    • Malware writers produce new versions of malware faster than antivirus vendors can keep up. However, many attackers still rely on older malware that antivirus software can identify and block.
  6. Any user who may have personally identifiable information (PII) of any sort on their system must enable full-disk (or at least home directory) encryption.
    • Loss of a system with unencrypted PII on it may result in material costs to the university.
    • Because it will generally be impossible to access the contents of a system that's been secured using whole disk encryption without the password, be careful not to lose or forget that password. Password escrow for whole disk encryption should also be considered.
  7. Enable and configure the operating system firewall. After doing so, check your system by visiting the GRC ShieldsUP! site.
    • When it is time to select what to check, request to check all service ports.
    • For a typical administrative workstation, all such ports should show green.
    • Any ports that are red or blue need to be investigated and resolved with your computer support person within the Information Services Systems team.
    • Consider using a hardware firewall to complement the operating system firewall.
  8. Require a username and password to log in to or unlock the computer. Set the computer to auto-lock the screen after ten minutes of inactivity (or less).
  9. Passwords:
    • Whenever possible, systems with financial, student, or employee data should use a two-factor (or two-step) authentication solution to supplement passwords. This could include hardware one-time password generators or cryptographic fobs (e.g., Duo token, YubiKey), a smartphone-based second-channel solution (such as Duo Mobile), client certificates stored on hardware tokens, or biometric solutions.
    • Any passwords must be transmitted over an encrypted connection. If you are logging in to a website, that login page MUST be an HTTPS web page.
    • Choose long passwords or use a passphrase consisting of several words. Your password or passphrase must be at least ten characters long, and should include a combination of upper and lowercase letters, numbers, and/or special symbols.
    • Do not use the same password on multiple accounts or websites.
    • Never share your password with anyone. This includes your supervisor, co-workers, and IT staff. No university-affiliated person will ever ask you to disclose your password. If someone claims otherwise, do not disclose it; treat the request as a phishing attempt.
  10. Do not send or save passwords in e-mail, within the web browser, or in an unencrypted file on the computer. Use a secure password saver instead.
  11. You may not use peer-to-peer (P2P) file sharing applications and/or other non-essential/recreational applications on a system used for financial, student, or employee data.
  12. Be sure your system is backed up. Because backups may contain sensitive information, protect your backups as you protect the computer itself. Backups should be encrypted.
  13. Physically secure your system, backup media, and other portable media against theft. This includes USB thumb drives, data CD/DVDs, etc.
    • Do not leave your computer or related media unattended in places where they (or the data on them) could be stolen.
    • It is not safe to leave your laptop in your car, even if it is locked in the passenger compartment or trunk. Keep your office door locked when you're not present.
    • Travelers need to take special care—many hotel rooms (and even hotel room safes) are not secure. Your best bet will normally be to keep your computer and other media with you wherever you go.
    • There may be some destinations (such as China, Russia, and other areas overseas) where it may be difficult or impossible to prevent your computer from being attacked and electronically compromised. Some nations such as China and Russia may also forbid you from using whole disk encryption. If you anticipate traveling to destinations of that sort, consult with the Information Services Security Group.
  14. Never insert any flash drive, CD or DVD you find lying around into your system. It may be intentionally infected, and planted in an effort to infect you or others.
  15. Promptly report any suspicious issues or activity with your computer to your IT support staff. If you believe that your computer has been infected with a computer virus or has been compromised, inform the Information Services Security Group and your Banner security officer immediately.
  16. Physically secure your device against theft. Do not leave the device or related media unattended in places where it could be stolen (vehicle, airport lounge, etc.). Keep your office door locked when you're not present.
  17. Promptly report stolen computers or any evidence of network tampering to your IT support staff and the Information Services Security group.
  18. Do not use a personally-owned computer to store or access financial, student or employee data. Only use university-provided systems.
  19. Do not let someone take advantage of you!
    • YOU are a critical part of keeping university computers, networks, and sensitive information safe.
    • Be skeptical, and if you're in doubt, ask others for help rather than being pressured into doing something you think might be unsafe online!

Note: These recommendations should not be viewed as covering every possible scenario; they are general guidelines designed to improve your overall security, but your particular circumstances may require additional steps. If you have any additional questions or concerns, please contact your IT support staff or the Information Services Security group for assistance.

Mobile Devices (Smartphones and Tablets)

The following steps can be used to reduce the common risks associated with accessing or storing sensitive data on a mobile device:

  1. Apply operating system updates in a timely fashion.
  2. Keep any third-party applications up to date.
  3. Install antivirus software, keep it up to date, enable on-access scanning, and schedule a recurring weekly scan, if antivirus software is available for your device.
  4. You may not jailbreak or root university-provided mobile devices, as this may disable built-in security mechanisms or introduce additional security risks.
  5. Only install software from trusted sources, such as the vendor's app store. Avoid brand new applications that do not have an established reputation.
  6. Physically secure your device against theft. Do not leave the device or related media unattended in places where they could be stolen (vehicle, airport lounge, etc.). Keep your office door locked when you're not present.
  7. Promptly report stolen or lost devices to your IT support staff and the Information Services Security group. In some situations it is possible to remotely disable or wipe the device to prevent unauthorized access to e-mail and sensitive data. You should separately record pertinent information about your mobile device (including your phone number, device serial number, and any other identifiers, as well as the contact number for your carrier, should you need to report it lost or stolen).
    1. For non-managed devices:
      • Configure the device to require a strong PIN or password to unlock it.
      • Configure the device to auto-lock after ten minutes.
      • Enable native data encryption, if available.
      • Install or enable anti-theft/data protection software, if available natively.
    2. For centrally managed devices:
      • Require a strong personal identification number (PIN) or password to unlock the device.
      • Enforce a screen lock timeout (after ten minutes).
      • Enable remote wipe.
      • Enforce remote wipe after a specified number of failed authentication attempts.
      • Enforce data encryption for users accessing or storing sensitive data.
    3. Portable Media (e.g., portable hard drive, USB thumb drive):
      • Encrypt sensitive data being transferred or stored on portable media. Devices that have native support for strong encryption, such as the IronKey flash drive, should be used rather than devices that do not support encryption.
      • Promptly report the theft or loss of any device that is storing sensitive information. You must notify both your local IT support staff and the Information Services Security group.

Remote Banner Users

Hardware

  1. You must use an institutionally-owned computer that is checked out to the user on loan.
    • The department is responsible for tracking security patches and updates, and ensuring that they are applied to the computer in a timely manner. A laptop is recommended for portability—the user is more likely to bring a laptop back to the department to have security patches and updates applied.
  2. This computer must not be used by any other individuals.
    • Note: This includes spouse or significant other, children, friends, and visiting relatives.
  3. The computer should be for work-related use only, and it must be password protected.
    • There should be no personal/recreational use.
    • Note: This includes P2P/distributed file sharing, games, personal/recreational web browsing, and personal/recreational messaging.
  4. Use the Cisco VPN client to encrypt connections to and from campus.

More information about connecting remotely can be found in the Remote access to Banner and other business applications article.

Network Connectivity

  • Connections should be via a DSL/cable broadband connection only (NOT a dial-up modem).
  • Configure your home wireless router to use a strong wireless password and WPA2/AES encryption. WEP encryption is not secure and is NEVER acceptable.

Note: Modem access is not recommended due to the high bandwidth commonly required to download critical updates.

Hardware Reuse

Prior to any computer being re-issued for use by other staff:

  1. Critical data should be backed up.
  2. The hard disk drive should be securely reformatted.
  3. The operating system and applications should be reinstalled from the original media or from a clean image.
  4. The computer should then be updated and secured prior to issuing it to another user.

Reusable portable media should be securely reformatted prior to reuse. This includes USB flash drives and portable hard drives.

Details

Article ID: 32989
Created: Fri 7/7/17 1:06 PM
Modified: Tue 10/26/21 1:55 PM