Secure and Safe Computing for Administrative Offices

Overview

The purpose of this document is to lay out guidelines for secure and safe computing for College faculty and staff. In the world of computing, it seems that anything that stays the same for more than six months is obsolete. This document is not immune. Please check back for updates.

Confidentiality of Information

The College’s Confidentiality Policy can be found at http://wiki.williams.edu/display/handbooks/Confidentiality

If you work in an administrative office, you very likely work with information of a confidential nature on a regular basis. Even if you don’t, you should be aware that there are an ever-increasing number of laws intended to protect people from identity theft and other types of misuse of their information. These laws include:

  • FERPA – protects student information
  • Gramm-Leach-Bliley – protects personal financial information
  • HIPAA – protects personal health information
  • Massachusetts Identity Theft Law (and similar laws in other states and countries)

Though this document focuses on electronic information, these laws address protection of personal information in any form, including paper files. Each office will have to decide on what level of protection is appropriate. In general, keep confidential information in paper files secure with the use of lockable file cabinets or filing rooms. Shred documents containing confidential information – do not recycle them until they’ve been shredded.

Usernames and Passwords

The computer accounts you use that are protected by username and password security include:

  • logon access to your personal computer
  • email & calendaring services
  • network file storage
  • access to various administrative systems

Using computers and networks, someone can attempt to break into your accounts, and in rare circumstances can try out thousands of potential passwords in a matter of minutes.

Use different passwords for your work systems and your personal systems. The password for your Amazon or EBay account should never be the same as for your online banking, which in turn should never be the same as what you use for Williams College accounts.

Never write down usernames and passwords and leave them where others can find them. Never divulge passwords to anyone. This includes Williams OIT staff and family members. If you forget a password, a new one can be generated for you without having to tell anyone what your password was.

The likelihood of your password being guessed by someone trying to break into your accounts goes down as the password gets longer and the mix of characters gets more complex.

At Williams, we generally require a minimum password length of 8-12 characters and require that there be at least 1 non-alphabetic character. We strongly encourage you to use passwords that contain a mix of letters (upper and lower case), numeric digits, and special characters (e.g. +, #, @, ~).
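The following is an added example, not part of the College’s guidelines or any OIT tool: a small Python checker that tests a candidate password against the two stated requirements (minimum length and at least one non-alphabetic character) and estimates how much the search space grows with length and character mix. It assumes 8 as the minimum length (the low end of the 8-12 range above).

```python
import math
import string

# Character classes the guidelines mention: letters (upper and lower),
# digits, and special characters such as + # @ ~.
CLASSES = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "special": set(string.punctuation),
}

# Assumption: use the low end of the "8-12 characters" range as the minimum.
MIN_LENGTH = 8


def classes_used(password):
    """Return the names of the character classes present in the password."""
    return {name for name, chars in CLASSES.items()
            if any(c in chars for c in password)}


def check_policy(password):
    """Return a list of policy violations; an empty list means it passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if all(c.isalpha() for c in password):
        problems.append("contains no non-alphabetic character")
    return problems


def guess_bits(password):
    """Estimate the brute-force search space for the password, in bits.

    Every character is treated as drawn from the union of the classes the
    password actually uses, so a longer password or a richer mix of classes
    raises the figure. This is an upper bound: dictionary words and
    predictable patterns make real passwords much weaker than this number.
    """
    alphabet = sum(len(CLASSES[name]) for name in classes_used(password))
    if alphabet == 0:
        return 0.0
    return len(password) * math.log2(alphabet)


if __name__ == "__main__":
    for candidate in ["abcdefgh", "abc1", "Tr0ub4d@r!x"]:  # constructed samples
        print(candidate, check_policy(candidate), round(guess_bits(candidate), 1))
```

Adding one digit to an eight-letter password already raises the estimate by roughly four bits, and each extra character adds more than a class change does, which is why length is stressed first.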

Physical PC security at work

Your personal computer itself should be reasonably secure. If you work behind a locked door, the physical security of your computer is probably good. If you work in a space accessible to others, you should consider using a locking screen saver, so that after a 3-5 minute delay someone must enter a password to unlock your PC. This capability is built into common personal computer operating systems like Windows and Mac OS, and into mobile devices.

Traveling with a Computer

Traveling with a computer containing information of a confidential nature can expose the College to lawsuits and to unfavorable news reports. Following these guidelines will help minimize the risk.

  • Keep your laptop with you – This may seem obvious, but never check your laptop as baggage or leave it unattended.
  • Know what’s on your hard drive – If your laptop is stolen (yes, this is a common occurrence) it will be important that you know what information was stored on your hard drive, including username/password information and spreadsheets, databases, documents, and e-mail messages. Although you must log in to your laptop, it’s fairly easy for a thief to bypass this security given time.
  • If you are traveling with confidential documents, password-protect them. Excel spreadsheets and Word documents have built-in password protection. Other documents can be secured using encryption software such as 7-Zip or WinZip.
  • Keep your hard drive clean – Periodically (perhaps before you leave on a trip) review the files on your hard drive and delete those you don’t need any more.
  • Consider leaving your laptop at home and borrowing a clean computer for your trip.

E-Mail Security

In general, you should assume that e-mail messages are not secure and can be read by others. E-mail messages that leave campus can be stored and forwarded on many mail servers on the way to their destination and there’s no guarantee of confidentiality.

If you must send information of a confidential nature, it’s best to send the information as an attachment that’s been password-protected. Give the password to the recipient by phone or in person – not via e-mail.

Information protected by the Massachusetts Identity Theft Law, such as SSNs, credit card numbers and bank account numbers, may not be sent over public networks unless it has been encrypted.

Web Security

As with e-mail, you can assume information you enter onto a web page isn’t confidential. Unlike e-mail, the World Wide Web does have a built-in, commonly-used security mechanism called SSL (Secure Sockets Layer). In short, any web address or URL that’s prefixed by https:// (as opposed to http://) supports SSL and information traveling between your web browser and the web site will be encrypted in transit. So as long as you trust the web site owner to treat your information responsibly, sending information to a web site using SSL should be reasonably safe.

Preventing Virus Infections

  • Don’t download software from the Internet from any source and run it unless you trust the source.
  • Do not open any e-mail attachments you weren’t expecting to receive. If you don’t want to delete it immediately, contact the sender to verify that the attachment is safe. Viruses routinely fake their return e-mail addresses. Even emails that appear to come from trusted colleagues and family members can contain viruses.
  • Keep your computer patched with Critical Updates (especially for Windows computers). Set your computer to download and install patches automatically. Viruses and worms can travel over the network and infect vulnerable computers without you having to do anything.
  • Keep your PC’s built-in firewall on. This will generally prevent unauthorized access to your computer and prevent network viruses from reaching your computer.
  • One common way computer viruses spread is through file sharing programs (BitTorrent, Gnutella, KaZaa, eMule, etc.) and instant messenger programs with file transfer capabilities (AIM, etc). The email virus scanner will not protect you from viruses obtained through those programs. Do not use these programs on College-owned computers.
  • Do not trust email messages from “administrator” or “admin.” Verify any suspicious messages by contacting OIT Help Desk.

Preventing Spyware

The term spyware covers a wide range of situations, from the benign (browser cookies) to the malicious – applications which are indistinguishable from viruses. In fact the worst spyware applications are like viruses designed to make money, which means the people responsible for the spyware are highly motivated. The authors are not 18-year-old hackers looking to have fun; they are professionals hoping to steal passwords, account numbers, credit card information and personal data, or to sell you something. Infecting a computer with spyware has become a business model.

Spyware is often bundled as a hidden component in freeware or shareware applications downloaded from the Internet. You may think you are getting something useful. At first glance Weatherbug and Bonzi Buddy seem like things that are cool, but there are dangerous strings attached.

Spyware applications can monitor keystrokes to record credit card numbers, scan files on the hard drive, open up backdoors so your computer can be remotely controlled or simply monitor your web browsing. Spyware can also be downloaded by Internet Explorer without your knowledge as you browse untrustworthy sites. Some spyware modules include auto-update functions that can download and install more spyware. This is one reason spyware tends to snowball quickly on an infected computer.

Follow these steps to minimize the risk of spyware infection:

  • Do not download “free” software from the Internet unless you have done some research and are confident the software contains no spyware. A simple search on Google or Yahoo on the name of the software package can turn up all kinds of information about the potential risks of using it.
  • Keep anti-spyware programs installed on your PC and up-to-date – The Office for Information Technology currently recommends four products: Windows Defender, Spybot Search and Destroy, AdAware and Ewido. The easiest to use is Windows Defender and it can be downloaded from http://www.microsoft.com – it is not necessary to run more than one anti-spyware program unless your computer is already highly infected.
  • Keep up to date on both anti-spyware and anti-virus recommendations by checking the OIT web site for updates.