Secure and Safe Computing for Administrative Offices

Added by Criss Laidlaw, last edited by Criss Laidlaw on Feb 11, 2008

Overview

The purpose of this document is to lay out guidelines for secure and safe computing for people in the College’s administrative offices who use computers. In the world of computing, it seems that anything that stays the same for more than six months is obsolete. This document is not immune. Please check back for updates.

Confidentiality of Information

As someone who works in an administrative office, you very likely work with information of a confidential nature on a regular basis. There is an ever-increasing number of laws intended to protect people from identity theft and other types of misuse of their information. Some of the laws you may be familiar with include:

  • FERPA - protects student information
  • Gramm-Leach-Bliley - protects personal financial information
  • HIPAA - protects personal health information
  • Massachusetts Identity Theft Law

Though this document focuses on electronic information, these laws address protection of personal information in any form, including paper files. Each office will have to decide on what level of protection is appropriate. In general, keep confidential information in paper files secure with the use of lockable file cabinets or filing rooms. Shred documents containing confidential information – do not recycle them until they've been shredded.

Usernames and Passwords

The computer accounts you use which are protected by username & password security include:

  • logon access to your personal computer
  • email & calendaring services
  • network file storage
  • access to various administrative systems

Using computers and networks, someone can attempt to break into your accounts and, in rare circumstances, can try out thousands of potential passwords in a matter of minutes.

Use different passwords for your work systems and your personal systems. The password for your Amazon or EBay account should never be the same as for your online banking, which in turn should never be the same as what you use for Williams College accounts.

Never write down usernames and passwords and leave them where others can find them. Never divulge passwords to anyone. This includes Williams OIT staff and family members. If you forget a password, a new one can be generated for you without having to tell anyone what your password was.

The likelihood of your password being guessed by someone trying to break into your accounts goes down as the password gets longer and the mix of characters gets more complex.

At Williams, we generally require a minimum password length of 8 characters and require that there be at least 1 non-alphabetic character. We strongly encourage you to use passwords that contain a mix of characters (upper and lower case), numeric digits, and special characters (e.g. +, #, @, ~).
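To make the two preceding paragraphs concrete, here is an added Python example (not part of the original page or of any Williams OIT tool) that checks a password against the stated policy (at least 8 characters, at least one non-alphabetic character) and then estimates the worst-case number of guesses an attacker would need if they tried every candidate. The character-class sizes are an assumption (printable ASCII), and the sample passwords are constructed, not real credentials.

```python
import string

# Policy as stated on the page: at least 8 characters and at least one
# non-alphabetic character. Class sizes are an assumption (printable ASCII).
MIN_LENGTH = 8
CLASS_SIZES = {
    "lower": len(string.ascii_lowercase),   # 26
    "upper": len(string.ascii_uppercase),   # 26
    "digit": len(string.digits),            # 10
    "special": len(string.punctuation),     # 32
}


def check_policy(password):
    """Return the list of policy rules the password breaks (empty list = passes)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if all(c.isalpha() for c in password):
        problems.append("contains only letters")
    return problems


def character_classes(password):
    """Which of the four character classes the password draws on."""
    classes = set()
    for c in password:
        if c in string.ascii_lowercase:
            classes.add("lower")
        elif c in string.ascii_uppercase:
            classes.add("upper")
        elif c in string.digits:
            classes.add("digit")
        else:
            classes.add("special")
    return classes


def search_space(password):
    """Worst-case number of candidates for an attacker who knows only the
    length and the character classes in use: alphabet_size ** length."""
    alphabet = sum(CLASS_SIZES[c] for c in character_classes(password))
    return alphabet ** len(password)


def minutes_to_exhaust(password, guesses_per_minute=1000):
    """Minutes needed to try every candidate at the page's
    'thousands of passwords per minute' rate (1000/minute assumed)."""
    return search_space(password) / guesses_per_minute


if __name__ == "__main__":
    # Constructed sample passwords; none of these is a real credential.
    for pw in ["password", "pass1", "Summer08", "Ab1!Ab1!Ab1!"]:
        verdict = check_policy(pw) or ["passes policy"]
        print("%-14s %-32s classes=%-32s candidates=%.2e  minutes=%.2e"
              % (pw, ", ".join(verdict), sorted(character_classes(pw)),
                 search_space(pw), minutes_to_exhaust(pw)))
```

Running the block shows why length matters more than any single special character: adding one character to an all-lowercase password multiplies the candidate count by 26, while adding a class to an 8-character password raises the base of the exponent, and the two effects compound.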

Physical PC security at work

Your personal computer itself should be reasonably secure. If you work behind a locked door, the physical security of your computer is probably good. If you work in a space accessible to others, you should consider using a locking screen saver, so that after a 3-5 minute delay someone must enter a password to unlock your PC. This capability is built into common personal computer operating systems like Windows XP.

Traveling with a Computer

Traveling with a computer containing information of a confidential nature can expose the College to lawsuits and to unfavorable news reports. Following these guidelines will help minimize the risk.

  • Keep your laptop with you – This may seem obvious, but never check your laptop as baggage or leave it unattended.
  • Know what’s on your hard drive – If your laptop is stolen (yes, this is a common occurrence) it will be important that you know what information was stored on your hard drive, including username/password information and spreadsheets, databases, documents, and e-mail messages. Although you must log in to your laptop, it’s fairly easy for a thief to bypass this security given time.
  • If you are traveling with confidential documents, password-protect them. Excel spreadsheets have built-in password protection. Other documents can be secured using a Windows XP add-on such as Power Archiver or WinZip.
  • Keep your hard drive clean – Periodically (perhaps before you leave on a trip) review the files on your hard drive and delete those you don’t need any more.

E-Mail Security

In general, you should assume that e-mail messages are not secure and can be read by others. E-mail messages that leave campus can be stored and forwarded on many mail servers on the way to their destination and there’s no guarantee of confidentiality.

If you must send information of a confidential nature, it’s best to send the information as an attachment that’s been password-protected. Give the password to the recipient by phone or in person – not via e-mail.

Web Security

As with e-mail, you can assume information you enter onto a web page isn’t confidential. Unlike e-mail, the World Wide Web does have a built-in, commonly-used security mechanism called SSL (Secure Sockets Layer). In short, any web address or URL that’s prefixed by https:// (as opposed to http://) supports SSL and information traveling between your web browser and the web site will be encrypted in transit. So as long as you trust the web site owner to treat your information responsibly, sending information to a web site using SSL should be reasonably safe.

Preventing Virus Infections

  • Don't download and run software from the Internet unless you trust the source.
  • Do not open any e-mail attachments you weren't expecting to receive. If you don't want to delete it immediately, contact the sender to verify that the attachment is safe. Viruses routinely fake their return e-mail addresses. Even emails that appear to come from trusted colleagues and family members could contain viruses.
  • Keep your computer patched with Critical Updates (especially for Windows computers). Set your computer to download and install patches automatically. Viruses and worms can travel over the network and infect vulnerable computers without you having to do anything!
  • Keep your PC’s built-in firewall on. This will generally prevent unauthorized access to your computer and prevent network viruses from reaching your computer.
  • One common way computer viruses spread is through file sharing programs (BitTorrent, Gnutella, KaZaa, eMule, etc.) and instant messenger programs with file transfer capabilities (AIM, etc). The email virus scanner will not protect you from viruses obtained through those programs. Do not use these programs on College-owned computers.
  • Do not trust email messages from "administrator" or "admin." All official messages from the College’s Office for Information Technology will have the subject line "OIT Eph Notice mm/dd/yy."
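The last bullet above gives two checkable facts: mail from "administrator" or "admin" is not to be trusted, and official OIT messages carry the subject line "OIT Eph Notice mm/dd/yy". The following Python triage function is an added example, not part of the original page or of any OIT system; it applies both rules to a few constructed messages (the addresses and subjects are made up, and the domain example.edu is a placeholder).

```python
import re
from datetime import datetime

# Facts from the page: official OIT notices use the subject
# "OIT Eph Notice mm/dd/yy"; mail from "administrator"/"admin" is untrusted.
OFFICIAL_SUBJECT = re.compile(r"^OIT Eph Notice (\d{2}/\d{2}/\d{2})$")
UNTRUSTED_LOCAL_PARTS = {"administrator", "admin"}


def is_official_subject(subject):
    """True only if the subject matches the announced format and the date is real."""
    m = OFFICIAL_SUBJECT.match(subject.strip())
    if not m:
        return False
    try:
        datetime.strptime(m.group(1), "%m/%d/%y")
    except ValueError:          # e.g. month 13 or day 45
        return False
    return True


def sender_local_part(from_header):
    """Return the part before '@', from 'Name <user@host>' or a bare 'user@host'."""
    addr = from_header.strip()
    if "<" in addr and addr.endswith(">"):
        addr = addr[addr.rindex("<") + 1:-1]
    return addr.split("@", 1)[0].strip().lower()


def classify(message):
    """Triage one message (a dict with 'From' and 'Subject' headers).

    A sender named administrator/admin is flagged regardless of subject,
    because the page says never to trust such senders. A matching subject
    is necessary for an official notice but is not proof of one: anyone
    can copy the subject line, so unusual requests still warrant a call to OIT.
    """
    local = sender_local_part(message.get("From", ""))
    if local in UNTRUSTED_LOCAL_PARTS:
        return "untrusted-admin-sender"
    if is_official_subject(message.get("Subject", "")):
        return "official-format"
    return "other"


if __name__ == "__main__":
    # Constructed sample messages (not real mail; example.edu is a placeholder).
    samples = [
        {"From": "administrator@example.edu", "Subject": "Mailbox quota exceeded"},
        {"From": "OIT Help <Admin@example.edu>", "Subject": "OIT Eph Notice 02/11/08"},
        {"From": "oit@example.edu", "Subject": "OIT Eph Notice 02/11/08"},
        {"From": "oit@example.edu", "Subject": "OIT Eph Notice 13/45/08"},
        {"From": "colleague@example.edu", "Subject": "lunch?"},
    ]
    for msg in samples:
        print("%-32s %-28s -> %s" % (msg["From"], msg["Subject"], classify(msg)))
```

The date check matters because a forged subject that merely resembles the format ("13/45/08") should not pass, and the sender check runs first so that an "admin" sender copying the official subject is still flagged.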

Preventing Spyware

The term spyware covers a wide range of situations from the benign (browser cookies) to the malicious - applications which are indistinguishable from viruses. In fact the worst spyware applications are like viruses designed to make money, which means the people responsible for the spyware are highly motivated. The authors are not 18-year-old hackers looking to have fun; they are professionals hoping to steal passwords, account numbers, credit card information and personal data, or to sell you something. Infecting a computer with spyware has become a business model.

Spyware is often bundled as a hidden component in freeware or shareware applications downloaded from the Internet. You may think you are getting something useful. At first glance Weatherbug and Bonzi Buddy seem like things that are cool, but there are dangerous strings attached.

Spyware applications can monitor keystrokes to record credit card numbers, scan files on the hard drive, open up backdoors so your computer can be remotely controlled or simply monitor your web browsing. Spyware can also be downloaded by Internet Explorer without your knowledge as you browse untrustworthy sites. Some spyware modules include auto-update functions that can download and install more spyware. This is one reason spyware tends to snowball quickly on an infected computer.

Follow these steps to minimize the risk of spyware infection:

  • Do not download "free" software from the Internet unless you have done some research and are confident the software contains no spyware. A simple search on Google or Yahoo on the name of the software package can turn up all kinds of information about the potential risks of using it.
  • Keep anti-spyware programs installed on your PC and up to date - The Office for Information Technology currently recommends four products: Windows Defender, Spybot Search and Destroy, AdAware and Ewido. The easiest to use is Windows Defender, which can be downloaded from http://www.microsoft.com. It is not necessary to run more than one anti-spyware program unless your computer is already highly infected.