UMass Boston

Security Guidelines

Desktop Security

Basic Security

  • Keep your operating system up to date. Updates from the vendor patch common security vulnerabilities. IT uses KACE to manage updates and keep University owned computers up to date.
  • Install anti-malware software and keep it up to date. IT Installs Sophos on all University owned computers.
  • Install only the software you need. Each program you add is an additional item that may cause instability, require updates, or create a vulnerability.
  • Pay close attention to alerts and beware of granting permission to an unknown program, such as a rogue installer from the Internet that you did not realize was there.

Passwords

  • Create a strong password (i.e., a non-obvious, difficult-to-guess password of at least 10 characters containing at least three of the following four parameters: at least one upper-case character; at least one lower-case character; at least one special character; at least one numeric character)
  • Never write your password down or share it, and beware of online scams. The most common way a hacker breaks into an account is by simply asking the user for the password! Learn more at our phishing page. Remember, sharing your password exposes you to identity theft and might make you liable for anything that another user does while using your password.
  • Avoid using the same password on multiple sites. You don't want someone able to log in to your bank account just because they found the password to your social media account.
  • Reset your password at any time, even if you have forgotten it, using the Self-Service Password Management portal.
  • Avoid saving your password online. For example, if a website or an application offers to save a password, declining keeps your computer more secure.
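The password rule above (at least 10 characters, using at least three of the four character classes) can be checked mechanically. The following is an added illustration written for this page, not UMass ITS code. It also adds a small constructed common-password list, because a password can satisfy the complexity rule and still be "obvious"; the set of five entries and the decision to count any non-letter, non-digit character as "special" are this example's assumptions, not part of the guideline.

```python
"""Checker for the password rule stated above: at least 10 characters,
using at least three of the four character classes (upper-case, lower-case,
numeric, special). Added illustration for this page, not UMass ITS code."""

MIN_LENGTH = 10   # "at least 10 characters"
MIN_CLASSES = 3   # "at least three of the following four parameters"

# Constructed stand-in for a real breached/common-password list; a production
# check would consult a much larger list (or a lookup service) instead of these five.
COMMON_PASSWORDS = {"password", "password1", "password123", "welcome1", "qwerty123"}


def character_classes(password: str) -> set:
    """Return which of the four character classes appear in the password.
    Assumption: any character that is not a letter or digit (spaces included)
    counts as 'special', since the guideline does not define the term."""
    classes = set()
    for ch in password:
        if ch.isupper():
            classes.add("upper")
        elif ch.islower():
            classes.add("lower")
        elif ch.isdigit():
            classes.add("digit")
        else:
            classes.add("special")
    return classes


def check_password(password: str) -> list:
    """Return a list of violations; an empty list means the password is acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = character_classes(password)
    if len(classes) < MIN_CLASSES:
        problems.append(f"only {len(classes)} of 4 character classes used (need {MIN_CLASSES})")
    # Complexity alone does not make a password "non-obvious": a well-known
    # password that happens to satisfy the rule must still be rejected.
    if password.lower() in COMMON_PASSWORDS:
        problems.append("appears on the common-password list")
    return problems


def meets_policy(password: str) -> bool:
    """True when the password satisfies every rule above."""
    return not check_password(password)


if __name__ == "__main__":
    # Constructed sample candidates, one per outcome the checker can produce.
    for candidate in ["abcdefghijkl", "short1A!", "Password123", "Tr0ub4dor&3x"]:
        verdict = check_password(candidate)
        print(f"{candidate!r}: {'OK' if not verdict else '; '.join(verdict)}")
```

Note that "Password123" passes the length and class counts yet is rejected by the list check; that is the case the guideline's "non-obvious" wording is about, and a rule-only checker would miss it.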

Confidential Information

  • If someone wants to use your computer while you are logged in, politely let them know that they need to use their own login to access the network because of liability consequences. Either log out of your computer or use fast user switching to allow the person to use your computer.
  • Please keep PII (Personally Identifiable Information) off your local drive. PII is information about a person that would allow fraud or identity theft. PII includes a person's name plus an identifier such as birth date or Social Security number and requires special handling by law. See our PII page for more information.
  • If you must share or transfer PII or other confidential information, use appropriate encryption tools and other security measures. For example, use a secure application such as OneDrive rather than sending files through email.
  • Share information only with those who have a legitimate business need for the information.
  • Dispose of confidential information in a secure manner. Check your stored files periodically to make sure you do not have unneeded/outdated information stored on your desktop or in a shared file. Be mindful of retention schedules as some information may need to be saved as a legal requirement.

Laptop Security

In addition to the tips above, follow these additional tips for mobile computing.

  • Avoid using computer bags - Computer bags can make it obvious that you're carrying a laptop. Instead, try toting your laptop in something more common like a padded briefcase or suitcase.
  • Safeguard your password - Keeping your password with your laptop is like keeping the keys in the car. Without your password or important access numbers it will be more difficult for a thief to access your personal and corporate information.
  • Carry your laptop with you - Always take your laptop on the plane or train rather than checking it with your luggage. It's easy to lose luggage and it's just as easy to lose your laptop. If you're traveling by car, keep your laptop out of sight. For example, lock it in the trunk when you're not using it.
  • Encrypt your data - If someone should get your laptop and gain access to your files, encryption can give you another layer of protection. Both Windows and Mac OS allow you to encrypt files and folders. Then, even if someone gains access to an important file, they can't decrypt it and see your information. Learn more on our data encryption page.
  • Keep your eye on your laptop throughout your travels and lock it (require a password to wake) when you're not using it. When you go through airport security don't lose sight of your bag. Hold your bag until the person in front of you has gone through the metal detector. Many bags look alike and yours can easily be lost in the shuffle.
  • Avoid setting your laptop on the floor - Putting your laptop on the floor is an easy way to forget or lose track of it. If you have to set it down, try to place it between your feet or against your leg (so you're always aware it's there).
  • Buy a laptop security device - If you need to leave your laptop in a room or at your desk, use a laptop security cable to securely attach it to a heavy chair, table, or desk. The cable makes it more difficult for someone to take your laptop. There are also programs that will report the location of a stolen laptop. They work when the laptop connects to the Internet and can report the laptop's exact physical location. Two such tracing programs are ComputracePlus and LocatePC.
  • Use a screen guard - These guards help prevent people from peeking over your shoulder as you work on sensitive information in a public place. This is especially helpful when you're traveling or need to work in a crowded area. This screen guard from Secure-It is just one example of a screen guard you could use.
  • Try not to leave your laptop in your hotel room or with the front desk - Too many things have been lost in hotel rooms, which may not be completely secure. If you must leave your laptop in your room, put the "do not disturb" sign on the door, or use a laptop cable to secure your laptop to something stationary, which will deter but not prevent theft.

What to do if your laptop is stolen

  • Change your network password to help secure access to corporate servers.
  • Report the theft to local authorities (police, etc.) and to your university's IT department as well as Public Safety.
  • If customer data was on the laptop, contact your account representative, legal representative, or appropriate person at your company so they can take the appropriate actions.

Windows Server Security Guidelines

Securing Your Data

The UMass Internal Audit Team recommends the article "Disposing of Records Containing Personal Information" from Privacy Rights Clearinghouse.

1.  Don't toss documents.  Shred or incinerate them.  The saying "one person's trash is another person's treasure" rings especially true for identity thieves.  Fraudsters look for any documents containing Social Security numbers, financial account numbers, your driver's license number and health insurance account information.  Savvy criminals will dig through your trash, hunting for data that can be used to steal your identity.  Always use a cross-cut, diamond-cut or confetti-cut shredder.  Unlike strip-cut models in which the pieces can potentially be put back together, these shredders will produce much smaller pieces.

2.  Consider a shredding facility.  If you have a large amount of shredding and are not able to handle it at home, consider taking it to a shredding facility that guarantees and certifies that your documents are fully destroyed.  If you have a large amount of papers to destroy (this can occur, for example, when an elderly family member passes and the family must dispose of decades of documents), there are services that will send a shredding truck to your home.  Fees are charged for both types of services.

3.  Keep sensitive documents under lock and key.  "Old fashioned" physical security still has a place by discouraging opportunistic thieves.  Centralize sensitive paperwork and invest in a locked filing cabinet.  Or you can simply take advantage of a locking desk drawer.  Another option is to scan documents and save them securely.

4.  Physically destroy old flash drives.  Flash drives are different from hard drives.  A 2010 study by the University of California, San Diego found that applying hard drive data sanitization methods to flash drives was unreliable.  Open the drive and smash the circuit board and chips.  Read the Campus Technology article How and Why to Destroy Old Flash Drives for detailed instructions.

5.  Wipe old computer hard drives.  Often, computer files continue to exist on the hard drive, even after you've deleted them using keyboard and mouse commands.  Use specialized software such as Eraser to remove specific files.  To delete an entire hard drive's data, use software like Darik's Boot and Nuke.

Before recycling or selling your old computer, make sure you've successfully destroyed all personal data.  You may be better off physically destroying the hard drive and taking the computer and destroyed drive to an electronics recycling center.  For more details, read Popular Mechanics: How to Absolutely, Positively Destroy Your Data.

Do not toss any digital devices into your trash bin and don't take them to the municipal waste center.  By taking both intact and destroyed digital devices to an electronics recycling center, you are ensuring proper disposal regarding both your privacy and environmental protection.

6.  Wipe data from cell phones.  Cell phones are like computers in that deleting data using the user menus may not truly delete it from the hardware.  Always wipe your phone by deleting the data using menu settings and then performing a factory reset.  Every phone has a different process, so check the phone's manual to restore the phone to its factory setting or search YouTube for an instructional video.  According to PCWorld, no wipe solution is perfect.  The only way to guarantee old cell phone data is gone for good is to take the phone apart and physically destroy the memory chip.

If you're wondering what to do with your wiped phone, we recommend donating it to a nonprofit that provides used cell phones to soldiers, domestic violence victims and others.  Unless the phone is truly a relic, there are many who would appreciate the donation.

7.  Erase the hard drive on unwanted digital copiers.  Nearly every digital photocopier since 2002 contains a hard drive.  The hard drive stores an image of each document processed by the machine.  Check your machine's manual for instructions on how to clear the data from the hard drive before getting rid of the copier.

8.  CDs and DVDs should be physically destroyed by breaking them into many pieces.  A pair of Wiss Tin Snips (scissors that can cut through tougher materials) will help you easily cut your CDs and DVDs into four or more pieces.  Some shredders can do this too.  If you are destroying older media such as floppy disks and tapes, remove the film and cut it into small pieces.

9.  Know the law when disposing of business documents.  If you work from home or operate a small business out of your home, data destruction should be especially rigorous.  There may even be industry standards and federal and state laws that you must comply with regarding proper disposal of business-related documents.  As a small business you certainly don't want the negative publicity that comes with having to notify individuals of a data breach, the law in 46 states.

Keeping your personal data safe at home is important and keeping University records and data safe is every employee's responsibility.

Please refer to the following UMass Policies, Guidelines and Standards for more information about the safeguarding and proper disposal of University devices and records, including paper and electronic data.

Information Technology Services
Healey Library, 3rd Floor
617.287.5220
ITServiceDesk@umb.edu