Information Technology

Security Guidelines

Desktop Security


  • Create a strong login password (i.e., 8-character minimum length and containing three of the following four parameters: at least one upper-case character; at least one lower-case character; at least one special character; at least one numeric character)
  • Create a memorable password so that you will not need to write it down for others to see.  For example, use the title of a book or movie or song to create a password, substituting numbers or special characters in a few places.  Following the rules above, Lord of the Rings would become L0rdofth3R!ngs.  This method gives you a strong password because it is long and contains various types of characters, but it is also fairly easy to remember, so you won’t need to write it down. Never write your password down!
  • You must change your UMass Boston email password every six months. Our Self-Service Password Management makes this easy and lets you set up a profile that allows you to reset your password if you have forgotten it. You can access this service at
  • Keep your password (s) to yourself. Sharing your password makes you liable for anything that another user might do while using your password.
  • Avoid saving your password online. For example: if a website or an application asks to save a password, saying no will keep a computer more secure. 

Confidential Information

  • If someone wants to use your computer while you are logged in, politely let them know that they need to use their own login to access the network because of liability consequences. Either log out of your computer or use fast user switching to allow the person to use your computer.
  • Please keep PII (Personally Identifiable Information) off your local drive. PII is information about  a person that would allow fraud or identity theft. PII includes a person’s name plus  an identifier such as birth date or Social Security number.
  • If you must share or transfer PII or other confidential information, use appropriate encryption tools and other security measures.  For example, use a secure application such as Xythos rather than sending files through email.
  • Share information only with those who have a legitimate business need for the information.
  • Dispose of confidential information in a secure manner. Check your stored files periodically to make sure you do not have unneeded/outdated information stored on your desktop or in a shared file. Be mindful of retention schedules as some information may need to be saved as a legal requirement. 

Laptop Security

In addition to the following, harden your laptop by using the desktop guidelines above to help make your operating system more secure. 

  • Avoid using computer bags - Computer bags can make it obvious that you're carrying a laptop. Instead, try toting your laptop in something more common like a padded briefcase or suitcase.
  • Safeguard your password - Keeping your password with your laptop is like keeping the keys in the car. Without your password or important access numbers it will be more difficult for a thief to access your personal and corporate information.
  • Carry your laptop with you - Always take your laptop on the plane or train rather than checking it with your luggage. It's easy to lose luggage and it's just as easy to lose your laptop. If you're traveling by car, keep your laptop out of sight. For example, lock it in the trunk when you're not using it.
  • Encrypt your data - If someone should get your laptop and gain access to your files, encryption can give you another layer of protection. With Windows XP, Windows Vista, and Windows 7 you can choose to encrypt files and folders. Then, even if someone gains access to an important file, they can't decrypt it and see your information. Learn more about how to encrypt your data with Windows XP, encrypt your data with Windows Vista, or encrypt your data with Windows 7.
  • Keep your eye on your laptop - When you go through airport security don't lose sight of your bag. Hold your bag until the person in front of you has gone through the metal detector. Many bags look alike and yours can easily be lost in the shuffle.
  • Avoid setting your laptop on the floor - Putting your laptop on the floor is an easy way to forget or lose track of it. If you have to set it down, try to place it between your feet or against your leg (so you're always aware it's there).
  • Buy a laptop security device - If you need to leave your laptop in a room or at your desk, use a laptop security cable to securely attach it to a heavy chair, table, or desk. The cable makes it more difficult for someone to take your laptop. There are also programs that will report the location of a stolen laptop. They work when the laptop connects to the Internet and can report the laptop's exact physical location. Two such tracing programs are ComputracePlus or LocatePC.
  • Use a screen guard - These guards help prevent people from peeking over your shoulder as you work on sensitive information in a public place. This is especially helpful when you're traveling or need to work in a crowded area. This screen guard from Secure-It is just one example of a screen guard you could use.
  • Try not to leave your laptop in your hotel room or with the front desk - Too many things have been lost in hotel rooms and may not be completely secure. If you must leave your laptop in your room, put the "do not disturb" sign on the door. Or get a laptop cable that you can secure your laptop to something stationary which will deter but not prevent theft.

What to do if your laptop is stolen

  • Change your network password to help secure access to corporate servers.
  • Report the theft to local authorities (police, etc.) and to your university's IT department as well as Public Safety.
  • If customer data was on the laptop, contact your account representative, legal representative, or appropriate person at your company so they can take the appropriate actions.

Windows Server Security Guidelines



Securing Your Data

The UMass Internal Audit Team recommends the article "Cleaning Tips to Keep Personal Data Safe" from the Privacy Rights Clearinghouse website.

1.  Don't toss documents.  Shred or incinerate them.  The saying "one person's trash is another person's treasure" rings especially true for identity thieves.  Fraudsters look for any documents containing Social Security numbers, financial account numbers, your driver's license number and health insurance account information.  Savvy criminals will dig through your trash, hunting for data that can be used to steal your identity.  Always use a cross-cut, diamond-cut or confetti-cut shredder.  Unlike strip-cut models in which the pieces can potentially be put back together, these shredders will produce much smaller pieces.

2.  Consider a shredding facility.  If you have a large amount of shredding and are not able to handle it at home, consider taking it to a shredding facility that guarantees and certifies that your documents are fully destroyed.  If you have a large amount of papers to destroy (this can occur, for example, when an elderly family member passes and the family must dispose of decades of documents), there are services that will send a shredding truck to your home.  Fees are charged for both types of services.

3.  Keep sensitive documents under lock and key.  "Old fashioned" physical security still has a place by discouraging opportunistic thieves.  Centralize sensitive paperwork and invest in a locked filing cabinet.  Or you can simply take advantage of a locking desk drawer.  Another option is to scan documents and save them securely.

4.  Physically destroy old flash drives.  Flash drives are different from hard drives.  A 2010 study by the University of California, San Diego found that applying hard drive data sanitization methods to flash drives was unreliable.  Open the drive and smash the circuit board and chips.  Read the Campus Technology article How and Why to Destroy Old Flash Drives for detailed instructions.

5.  Wipe old computer hard drives.  Often, computer files continue to exist on the hard drive, even after you've deleted them using keyboard and mouse commands.  Use specialized software such as Eraser to remove specific files.  To delete an entire hard drive's data, use software like Darik's Boot and Nuke.

Before recycling or selling your old computer, make sure you've successfully destroyed all personal data.  You may be better off physically destroying the hard drive and taking the computer and destroyed drive to an electronics recycling center.  For more details, read Popular Mechanics: How to Absolutely, Positively Destroy Your Data.

Do not toss any digital devices into your trash bin and don't take them to the municipal waste center.  By taking both intact and destroyed digital devices to an electronics recycling center, you are ensuring proper disposal regarding both your privacy and environmental protection.

6.  Wipe data from cell phones.  Cell phones are like computers in that deleting data using the user menus may not truly delete it from the hardware.  Always wipe your phone by deleting the data using menu settings and then performing a factory reset.  Every phone has a different process, so check the phone's manual to restore the phone to its factory setting or search YouTube for an instructional video.  According to PCWorld, no wipe solution is perfect.  The only way to guarantee old cell phone data is gone for good is to take the phone apart and physically destroy the memory chip.

If you're wondering what to do with your wiped phone, we recommend donating it to a nonprofit that provides used cell phones to soldiers, domestic violence victims and others.  Unless the phone is truly a relic, there are many who would appreciate the donation.

7.  Erase the hard drive on unwanted digital copiers.  Nearly every digital photocopier since 2002 contains a hard drive.  The hard drive stores an image of each document processed by the machine.  Check your machine's manual for instructions on how to clear the data from the hard drive before getting rid of the copier.

8.  CDs and DVDs should be physically destroyed by breaking them into many pieces.  A pair of Wiss Tin Snips (scissors that can cut through tougher materials) will help you easily cut your CDs and DVDs into four or more pieces.  Some shredders can do this too.  If you are destroying older media such as floppy disks and tapes, remove the film and cut it into small pieces.

9.  Know the law when disposing of business documents.  If you work from home or operate a small business out of your home, data destruction should be especially rigorous.  There may even be industry standards and federal and state laws that you must comply with regarding proper disposal of business-related documents.  As a small business you certainly don't want the negative publicity that comes with having to notify individuals of a data breach, the law in 46 states.

Keeping your personal data safe at home is important and keeping University records and data safe is every employee's responsibility.

Please refer to the following UMass Policies, Guidelines and Standards for more information about the safeguarding and proper disposal of University devices and records, including paper and electronic data.

Please visit the Privacy Rights Clearinghouse website for a full copy of the article.