IT Security FAQ

General security FAQs

1. What is information security?

Information security is the practice of protecting information and information systems from unauthorized disclosure, modification, and destruction. It encompasses the security of all IT resources, including both University information and the IT devices that access, process, store, or transmit it.

2. What is Secure UD?

Secure UD is the University's comprehensive, community-oriented information security initiative. It empowers and equips the University community to make sound security and risk decisions in their personal and professional lives.

3. What is University information?

University information is the set of information that the University owns or for which the University is accountable. Included in this definition are all data relevant to or that supports the administration and missions (teaching, research, and service) of the University.

4. What is an IT device?

An IT device is any device that is used to access, process, store, or transmit University information and that uses the University's IT infrastructure, including the University network. Examples of IT devices include desktop computers, laptop computers, smartphones, tablets, network devices, and printers.

5. What are IT resources?

IT resources are the full set of University-owned or -controlled IT devices and data involved in the accessing, processing, storage, and transmisison of information. IT resources include both University information and IT devices.

6. What is confidentiality?

Confidentiality is the preservation of authorized restrictions on University information access and disclosure, including means for protecting personal privacy and proprietary information.

Confidentiality has to do with the privacy of information, including authorizations to view, share, and use it. Information with low confidentiality concerns may be considered "public" or otherwise not threatening if exposed beyond its intended audience. Information with high confidentiality concerns is considered secret and must be kept confidential to prevent identity theft, compromise of accounts and systems, legal or reputational damage, and other severe consequences.

7. What is integrity?

Integrity is the protection against improper modification or destruction of University information. It includes non-repudiation and authenticity.

Integrity has to do with the accuracy of information, including its authenticity and trustworthiness. Information with low integrity concerns may be considered unimportant to precise University activities or not necessary to vigorously check for errors. Information with high integrity concerns is considered critical and must be accurate in order to prevent negative impact on University activities.

Integrity concerns—along with availability concerns—contribute to data's criticality.

8. What is availability?

Availability is the timeliness and reliability of access to and use of University information.

Availability has to do with the accessibility and continuity of information. Information with low availability concerns may be considered supplementary rather than necessary. Information with high availability concerns is considered critical and must be accessible in order to prevent negative impact on University activities.

Availability concerns—along with integrity concerns—contribute to data's criticality.

9. What is criticality?

Criticality is the importance of data availability and integrity to the business continuity and operational effectiveness of the University.

Criticality is a reflection of data's integrity and availability concerns. Data's criticality is the higher of its integrity and availability concerns. For example, data with high integrity concerns but moderate availability concerns would have a high criticality.

There are three levels of criticality:

1. Non-critical
2. Critical
3. Mission critical

10. Isn't information security an IT issue?

Information security is an organizational issue, not exclusively an IT issue. IT provides security to central systems and the University network. However, much of the risk to IT resources can only be managed within units' day-to-day operations. We all share responsibility for properly managing the University's IT resources, including University information and IT devices.

Units have significant autonomy to fulfill their operational missions. Each unit has a responsibility to manage its own security posture just like each individual has a responsibility for his or her own actions. Security is a balance between the need for information security and the need for information use.

Device security FAQs

1. How do I secure my computer?

Even if you aren't a security expert, there are a few basic steps you can take to secure your computer. Read the Secure UD Essentials for computers for more information.

• Install and run anti-virus software on your computer to detect and remove malware.
• Back up your computer's data to protect yourself and the University from data loss or corruption.
• Enable your computer's firewall to block potentially harmful traffic.
• Encrypt sensitive information to protect it from being read or misused if it's lost or stolen.
• Password-protect your computer to prevent others from logging in and using your system and files.
• Regularly patch your computer's software and firmware to protect against the newest vulnerabilities.
• Physically secure your computer in a locked office when possible. Never leave laptop computers unattended in public locations.
• Configure your computer to automatically lock after fifteen minutes of inactivity.

If you're a faculty or staff member, talk to your local support provider or contact IT for more information about the University's computer management tool, which automates security tasks like patching, anti-virus scanning, and more. It can be administered by either your unit or IT, and it's never used to spy on you or your files.

2. How do I secure my mobile device?

Mobile devices like smartphones and tablets present unique security challenges because of their portability and simplicity. Read the Secure UD Essentials for mobile devices for more information.

• Back up your mobile device's data to protect yourself and the University from data loss or corruption.
• Encrypt your mobile device with whole-disk encryption to protect its data from being read or misused if the device is lost or stolen.
• Password-protect your mobile device to prevent others from accessing its data and apps.
• Regularly patch your mobile device's software and firmware to protect it against the newest vulnerabilities.
• Physically secure your mobile device in locked offices or cabinets when possible. Never leave mobile devices unattended in public locations.
• Configure your mobile device for remote management. Enable it to automatically erase data after ten failed password entries in a row and to be remotely locked, located, or erased at your request.
• Configure your mobile device to automatically lock after five minutes of inactivity.

3. Can IT help me manage my computer's security?

Yes; both IT and your unit's IT staff can help you manage your computer. If you're a faculty or staff member, talk to your local support provider or contact IT for more information about the University's computer management tool, which automates security tasks like patching, anti-virus scanning, and more. It can be administered by either your unit or IT, but your unit may also offer its own computer management solution that is more suited to your particular data needs.

The computer management tool is used only to help secure your computer. It is not used to read or record your personal files or spy on your computing activity.

4. What is malware and how do I get rid of it?

Malware is short for malicious software—software used by hackers to impair your device's function, steal your device's data, or even gain control of your device itself.

Typically, malware is downloaded unknowingly when an unsuspecting user opens an infected file or visits an infected website. Once it's on your computer, it launches a specific kind of attack based on its design. For example, keyloggers record each keystroke and report it to hackers, who look for usernames, passwords, and other sensitive credentials. Trojans masquerade as useful or benign software—often as fake anti-virus software or games—to trick users into opening them and granting them access to system files or the ability to download more malware.

You can protect your computer against malware by installing anti-virus software and running routine scans. IT provides a University-licensed copy of McAfee VirusScan free of charge to all students, faculty, and staff. Any faculty or staff member whose computer processes sensitive University information should contact the IT Support Center to get a copy of Cylance advanced anti-virus software.

If your computer is running slowly or taking unusual actions (such as "reminding" you to download strange software), it may be infected with malware. Run an anti-virus scan to check for, identify, and remove malware from your device.

5. What should I do if I want to dispose of a device that was used for University activities?

If the device in question is a University-owned IT device, then check with your unit's IT staff first. Your unit may have its own procedures for securely disposing of IT devices. If your unit doesn't have its own procedures, then you should use central IT's secure device disposal service.

If the device in question is your personally-owned device and was used to conduct University-related work, then you should follow this basic process:

1. Back up any files that you need to retain.
2. Securely erase the device's memory. If you don't plan to sell or donate the device, you can physically destroy its storage media.
3. Dispose of the device by using an electronics recycling center or by selling or donating it.

Data security FAQs

1. What is data management?

Data management is the responsible stewardship of data throughout its lifecycle.

There are five components to data management:

• Acquisition—What data is acquired, how, and why?
• Utilization—How is the data used? Does the use support an institutional need or University activity?
• Maintenance—For how long is data retained? What are the data management rules?
• Access—Who is authorized to access, under what requirements, and under whose approval?
• Protection—How are the confidentiality, integrity, and availability of data maintained?

Effective data management requires appropriate acquisition, utilization, maintenance, access, and protection of data. Data management depends on information confidentiality and criticality.

2. How does proper data management help me?

Proper data management is a responsibility of every University employee; you are responsible for any University information to which you have access. Properly managing the data in your care will help protect you, the University, and the community from data-related harm.

Improper data management can lead to IT security incidents, which are a cause of identity theft, reputational harm, lawsuits, and extremely expensive damages. The goal of data management is to appropriately manage these risks without impairing University operations.

3. How can I manage data safely?

The best way to manage data safely is to recognize that it's an integral part of your job responsibilities and to incorporate it into your workplace routine. Turn safe computing and information behavior into new habits, and be mindful of how your actions affect the security of your data and devices.

Knowing what kinds of data you use, as well as how and where you use them, is the first step. This knowledge will help you maintain a cleaner system and respond more quickly to possible IT security incidents.

Review the Secure UD Essentials and best practices for information security and take note of opportunities for you to improve the way you manage the data in your care. Be aware of and understand your responsibility to support unit security efforts. Your unit will have an information security plan that describes the requirements and processes for protecting IT resources.

IT provides tools and services to help you manage the data in your care and meet information security standards. Some of these tools and services may also be offered locally through your unit.

4. How do I know whether I have sensitive data?

In many cases, sensitive data is hidden in larger data sets or files. To find sensitive data on your computer, download a program to detect sensitive data and use it to scan your computer. Upon completing a scan, it will generate a report that will assist you in finding and protecting any unencrypted sensitive information, including Social Security numbers, on your computer or drives.

5. How do I protect the data I have?

Once you determine what data you have and where it's stored, you can protect it by archiving, encrypting, or erasing it as appropriate.

For sensitive University information:

• If you still need the information, but don't need to store it on your device, archive it on a network drive or by contacting University Archives and Records Management.
• If you need the information and it must be stored locally on your device, encrypt it.
• If you no longer need the information to fulfill an operational requirement, securely erase it from your device.

You can apply the same principles to your personal information. If you don't need to store records like old tax returns, bank statements, or other records on your computer or other device, you can store them on an encrypted flash drive or external hard drive and then securely delete them from your device. You should also encrypt any files that you choose to keep on your device (and encrypt the device itself with whole disk encryption).

6. What is a backup?

A backup is a copy of the data stored on a device. It's useful for restoring data if your device crashes or continuing work if your device is lost or stolen.

When you back up your data, you create a copy of some or all of the files on your device and store them in a separate location (which is usually either on a flash drive, removable hard drive, or in the cloud). Some kinds of backups even store your device configurations. Backup and recovery software can automate the backup process by performing backups based on a set schedule.

To restore data from a backup, you use either recovery software (to restore full backups of a device's data and configurations) or manually replace files with copies from the backup (usually to restore lost or corrupted files).

7. How often should I back up my data?

It depends on how critical that data is. If it's important that your data be accurate and available (to you or others), you should consider backing it up often. For example, you may want to back up critical project data at the end of each day or week.

You can use backup and recovery software to automate the backup process and remove much of the effort involved in performing backups.

8. What is encryption?

Encryption is a means of protecting files and devices. When you encrypt a file, you "lock" it with an encryption key or password. The file itself is scrambled and becomes unreadable without the appropriate key or password.

Faculty and staff are required to encrypt portable devices (laptops, tablets, smartphones, and removable storage media) and sensitive University information.

IT recommends that all members of the University community also encrypt their personal devices and sensitive files to protect them from misuse. Don't leave your data defenseless against thieves and hackers!

9. Can I just erase sensitive data?

No. Sensitive data needs to be securely erased to ensure that it can't be recovered.

When you delete a file using your computer's Recycling Bin (Windows) or Trash (Mac) feature, what you're actually doing is telling your computer to forget where that file is located. The file itself—and all the data it contains—is still on your computer, and hackers can still find it if they search your device's memory. In order to prevent a file from being recovered, you must securely erase it. When you securely erase a file, your computer overwrites it with randomly generated data to destroy its original contents, ensuring they can't be recovered.

Always securely erase sensitive files to prevent them from being recovered and compromised.

10. Can I use email to send sensitive data?

You shouldn't use email to send or receive sensitive data. If an email account is hacked or if the email is forwarded, that sensitive information could easily be exposed to someone other than the original, intended recipient. Instead, use a secure file transfer service like UD Dropbox or a secure Web form.

If, for some reason, alternatives are not available and you must use email to transmit sensitive information, that information must be encrypted. Encrypt the file first, then send the encrypted file as an attachment. Contact the recipient separately to provide the encryption password. Never send sensitive information in clear text.

Security awareness FAQs

1. What are my information security responsibilities?

All members of the University community—students, faculty, and staff alike—are responsible for protecting the IT resources they use or manage. Access to the University's information, devices, and systems is a privilege, and everyone who has access has a duty to use it responsibly and in accordance with information security procedures and requirements.

Bottom line: You are responsible for protecting the IT resources you use.

2. I have other job responsibilities. Will my security responsibilities prevent me from fulfilling them?

Not at all. Security requirements aren't meant to distract you from your other responsibilities; they're meant to equip you to keep yourself, the University, and the community safe from cyber threats.

Information security is already a part of your workday. Each time you sign in to your computer or UDelNet account, you're practicing security. Many security requirements are exactly these kinds of small tasks; if they aren't already part of your daily routine, they will take you only moments to complete and will soon become second nature.

3. How do I learn more? Is there training I can take?

Faculty and staff can take Secure UD Training to improve their awareness of information security issues. Secure UD Training is a modular, self-paced, online training program that helps employees identify and address threats and concerns regarding computing and information security. If you aren't already enrolled in training, contact the IT Support Center to request your enrollment.

All members of the University community can also use the resources available on this website to learn more about the University's new information security efforts, best practices for computer and information security, and the tools and services available to help protect you and the University.

4. Why are strong passwords important and how do I create one?

The strength of your password directly affects how easy it is to guess that password or how long it takes a hacker to crack it. In many cases, hackers gain access to an account because the account's owner set a weak password.

To set a strong password, follow University password guidelines:

• Create a longer password. The more characters you use, the harder the password will be to guess and the longer it would take to crack. UDelNet passwords must be between 12 and 30 characters long.
• Never use a single dictionary word or name as your password.
• Use a variety of characters, including uppercase letters, lowercase letters, numerals, and special characters like punctuation marks.
• Never choose an obvious password like "password," "password1," "12345," or "00000."

If you have a hard time remembering passwords containing random characters, try using a passphrase, which is a string of words used as a single password. For example, "ClevelandChapelLovettAcademy," or "CorrectHorseBatteryStaple" are both passphrases with 25 or more characters, but they can be easier to remember than randomly generated passwords even 15 characters long!

5. What is two-factor authentication (2FA)?

Two-factor authentication (2FA) is a means of protecting your digital accounts from unauthorized access and use.

Typically, you log in to an account by providing your username and password. This is a quick way to log in, but hackers can easily access your account if they steal or crack your password. However, if your account is protected by 2FA, then you will need to provide the standard username and password combination and then a second authentication factor (such as a temporary security code or the answer to a security question) to log in. Even if hackers steal or crack the password to a 2FA-protected account, they still can't log in to it without the second factor.

2FA is available for your UDelNet account, and you're strongly urged to sign up for 2FA to help protect your account from theft and misuse. You're also urged to enable 2FA protection for your other sensitive accounts, such as your banking, credit card, tax filing, and investment accounts.

6. What is phishing and how do I avoid it?

Phishing is a cyber attack in which scammers send fake emails with intent to steal your personal information or get you to download malware. Common examples of phishing emails include unexpected "special offers," notifications that your email account is reaching its quota or may be suspended, or classic scams like the Nigerian advance fee fraud.

Most phishing emails use common tactics:

• A fake or spoofed sender to create a sense of legitimacy. For example, "IT Help Desk" or a name from your contact list.
• A sense of urgency. For example, "Your account will be deactivated in 24 hours."
• Typos, poor grammar, unusual wording, or other obvious errors.
• Links that don't go to real or legitimate websites. For example, "udel.com" or "udel.edu.biz."
• Suspicious attachments. For example, an unexpected "court summons" or "the files you asked for."

Spear phishing is particularly dangerous. In a spear phishing attack, scammers use a company's real logos, names, and terminology and may even spoof real email addresses in order to create convincing phishing emails to trick that company's employees. For example, previous spear phishing attacks on the University community have used terms like "UDelNet" and logos like the interlocking UD in official-looking fake emails.

Avoid falling victim to phishing scams. Always verify that the sender is legitimate and that the links go to trustworthy domains. Look for mistakes in the information or wording of the email. If you have questions about the email's content, contact the alleged sender through a separate channel. You can also check the Secure UD Threat Alerts blog to see if the email has been identified as a known scam.

If you receive a phishing scam, forward it to reportaphish@udel.edu and then erase it.

7. How can I protect myself from identity theft?

Protecting yourself from identity theft is largely a matter of following best practices (and requirements) for information security. If you learn to identify and avoid phishing scams and install and run anti-virus software, you'll protect yourself from the most common means by which hackers and scammers steal your personal information. Exercise caution when providing personal information, including your name and date of birth, Social Security number, and bank account or credit card numbers, to anybody. If you're providing this information online, make sure that you're using a secure form and connection and that you're on the legitimate website of the company or group you mean to contact.

You can also request credit monitoring to watch for suspicious activity on your credit files.

8. What kinds of information are safe to share on social networking sites?

When you use a personal account on a social networking site, you are in control of the information you share, including what you share and who can see it.

Limit the amount of personal information you share through your social networking sites. For example, consider whether you need to share your date of birth, hometown, birth town, the names of pets, etc. While this information may sometimes be interesting to friends, it's also the kind of information most often asked for by security questions, and attackers can potentially use the information you post on your social media accounts to impersonate you or bypass some kinds of authentication procedures.

Remember, too, that any information you share on the internet can be shared by others. Once you post something, you can't necessarily delete it; sharing and archiving features make it so that your information persists online, sometimes in unsafe locations. Personal photos in particular are often propagated, so think twice before posting a picture of yourself that you wouldn't want friends, family, or employers to see.

Check your account's privacy and sharing settings and limit who can see your posts and personal information. For example, you may choose to censor certain personal information such as your birthday so that only people on your friends list can see it. Think about whether you need location services turned on or whether you want other people to be able to tag you in photos.

9. How should I use University social networking accounts?

When you use a University account of any type, including an official social media account, you are both expected and obligated to use it according to the conditions under which it was provided to you. Don't use official University accounts for personal purposes. Share only the information that you are authorized to share through that account, and do not use the account to post your personal opinions or endorse ideas outside of the University's official capacity. For example, don't use your unit's social networking account to like a band or share a political opinion.

If you're unsure of whether something is acceptable, ask your supervisor or refrain from doing it. Remember, official University accounts represent official University views. Don't take actions that will reflect poorly on the University; save your personal use for your personal accounts.

10. Am I allowed to use my personal device for University activities?

The University does not prohibit the use of personal devices for University activities. If you're considering using your own computer or mobile device for work, consult your unit head or local support provider to discuss the potential risks to both University and personal information and whether a personal device is appropriate for the task.

Be aware that all devices—personal or University-owned—used to conduct University activities are held to the University's information security standards.

11. Am I allowed to download music, movies, and other media?

Only if you're doing it legally.

There are lots of artists and companies producing music, games, television shows, movies, software, and other media. This media is protected by copyright laws such as the Digital Millennium Copyright Act. Anybody who violates copyright laws by illegally downloading copyrighted material is subject to fines and other legal action.

To facilitate the exchange of scholarly information, the University does not restrict or filter network traffic. Your access to the University network does not, however, give you license to violate copyright laws. The University will cooperate with copyright holders to identify individuals who illegally share copyrighted materials.

Do not illegally download copyrighted material. Remove peer-to-peer (P2P) file-sharing programs from your computer prior to coming to campus, and do not facilitate illegal file sharing or torrenting.

12. Am I allowed to used my University-owned device to play games, listen to music, or browse the internet?

Employees are given access to University-owned devices for work purposes. If you have a question about a non-work or otherwise unusual use for your University-owned device, consult your unit head or local support provider to discuss the potential risks to both University and personal information and whether the proposed use is acceptable.

For example, you may not use a tablet in a healthcare clinic to play games or listen to music between appointments.

As a general rule, you shouldn't install apps or enable functions on a University-owned or -operated device unless they're essential to the work-related tasks you're performing.