WWU Security Best Practices and Policies

Security/Privacy Breach Reporting

All Western employees have a responsibility to protect the security of our data and the privacy of our customer's data which they have entrusted to Western. As such all employees have a responsibility to report any possible breach of security or privacy. Immediately report any possible breaches to the Director of Administrative Computing, x3502, or the CIO.


Index:
- Confidential Information
- Passwords
- Workstation Security

- Security Zones
- Email
- Backup of Data
- Code of Responsiblity
- Release of information
- Ethical Conduct
- Servers and Server Applications
- Data Transmissions
- Remote Access Services
- Work@ home - Disaster and Pandemic Preparation
- Employee Security Training

Confidential Information
To be safe consider all information related to individuals as confidential information (SSN, Birthdate, medical information, account information, etc.). Do not release any confidential information unless specifically approved by the custodian of the data; i.e., Registrar is the custodian of student data. Confidential information should not be loaded on local workstations or laptops unless the data is encrypted. Transmissions of confidential information over the Internet must be encrypted. All printed materials containing confidential information needs to be secured. Once printed material containing confidential information is no longer needed it should be shredded.
Passwords
Passwords are possibly the most important component of user security - safeguard them.
Don’t post where others can see it. Consider using encryption software such as KEYPASS see Perdue University wesite: http://www.purdue.edu/securepurdue/pswdManager.cfm
Choose a password that is hard for someone or a hacker to figure out.
  -  Should be at least 8 characters.
-  Include at least one number or special character
-
  Use only the following special characters (%  _   ,  .)
-
  Do not include words.
Change regularly.
Never give a password to anyone; not even computer services technicians.
Banner Password Changing
Workstation Security
Always use a password protected screen saver if workstation contains protected data or has access to protected data.  Set the idle time to 15 minutes or less. Whenever leaving one's workstation lock the systems by holding down the Windows "START" key  and pressing the letter "L" key. 

Do not store personal or confidential information on workstations. If you need to, you must encrypt that data. See the ATUS Web information on encryption relating to security and securing documents.

Insure any connected devices are "clean". Have virus protection software installed on smartphones. Connect only flash drives, DVDs and CDs that you know are safe.

Never reduce the User Control Settings in the Windows Control Panel.

Disable the Flash program if you don’t need it. If you do make sure it is up-to-date.

Have virus protection installed and set for auto updates. Have Windows set up for auto updates. Regularly check if the virus protection software is active and up-to-date. There will be a green icon in the Windows task tray. For assistance contact the ATUS Help DHsk at x.3333.

E-mail
Have virus protection software (Forefront) installed and set for auto updates. Have Windows set up for auto updates. Regularly check if the virus protection software is active and up-to-date. There will be a green icon in the Windows task tray. For assistance contact the ATUS Help Desk at x.3333

WWU E-mail is university business communication. This is public information. At Western Email is not encrypted so no PII (Personally Identifial Information: SSN, credit card, birthdate, major, etc.) should be sent via email, and certainly not passwords. PII data can be sent via email if the data is encrypted by an encryption program first and attached to the email. One program to consider is TrueCrypt Contact ATUS Help Desk, X.3333.
Backup of Data
If important data is stored on a workstation it must be backed up regularly.  Hard disks do fail – it is just a matter of time.   Central hard disks are mirrored and backed up every night.  Critical university and departmental data should be stored on central file servers (U: or P: drive).
Code of Responsibility
Defines users' responsibility in regards to protecting and releasing ... information.  Users that get access to Banner & other centralized data agree to abide by the Code of Responsibility.
Release of Information
See Confidential Information above; See Code of Responsibility
Ethical Conduct
University standards for appropriate ethical conduct in the information technology area. Refer to the following
Use of University Resources
-  Responsible Computing
-  User Agreement
-  File Sharing
Servers and Server Applications
Servers or workstations causing problems with the campus network will be disconnected from the network to insure the campus services are maintained. Users should not install their own servers or server applications. 

If server based applications are needed the user should consult ITS Technical Services or their local technical support organization to insure appropriate security protections are installed and configured properly. 

All servers must have the latest patches and virus protections installed and maintained.  All servers must also have all ITS required security features enabled.
Data Transmissions
Internet transmissions of confidential information must be encrypted. Communications with Central systems transmitting confidential information are encrypted.
Remote Access Services
WWU has central facilities to provide users with high speed network access.  Users should not install their own auto answer modems, network hubs or WiFi Access devices  to provide network access services.  If remote access services are needed, the user must consult with ITS.  To get personal remote access via the internet complete the Remote Access Request E-sign form.    Also, do not store WA SCAN codes or WWU long distance access codes in dialing software, unless high security mechanisms are used.  
Work @ home - Disaster and Pandemic Preparation
Supervisors should make sure employees are prepared to work from home in the event of an emergency like a natural disaster or a pandemic occurrence. Employees with home computers must submit an Esign form to get VPN access. They need to install WWU's VPN client software available from the ATUS web site.
Employee Security Training
Supervisors should insure employees get proper training and refreshers on security best practices. Supervisors need to periodically remind employees of these best practices.
Employee Termination
Contact ATUS  at x.4444, or e-mail the ATUSHelpDesk@wwu.edu  to immediately have access to computer systems disabled.
   

 

Page Updated 06.26.2013