September 10, 2015

Encryption guidance

Data that are supported by federal funding must be protected by encryption that meets the federal encryption standard: FIPS 140-2.

If users are unsure about the sharing of UAB data, they can contact UAB IT's Enterprise Information Security unit for help determining the right protection to use.

7-Zip is open source software used to compress (zip) files and secure them with encryption. When you send or transfer files that contain Personally Identifiable Information (PII) or other confidential and sensitive data, the files must be encrypted to ensure they are protected from unauthorized disclosure.

7-Zip, like WinZip, creates a container called an archive that holds the files to be protected. That archive can be encrypted and protected with a password. 7-Zip is free software that can create Zip files that can be opened with WinZip or other similar programs.

To obtain a copy of 7-Zip please see http://www.7-zip.org/ and select the Download link.

Once the software is installed please follow these steps to encrypt a file or folder.

Step 1: Right click on the file / folder to be encrypted.

Step 2: Select “7-Zip” then “Add to archive…”

Step 3: In the Add to Archive window change the name of the archive you wish to create.

Step 4: Change the Archive format to “Zip.”

Step 5: Change the Encryption Method to “AES-256.”

There is a trade-off between using AES-256 and ZipCrypto. AES-256 is proven to be much more secure than ZipCrypto, but if you select AES-256 the recipient of the zip file may have to install 7-Zip or another zip program to read the file contents. Selecting ZipCrypto may allow users to open the zip file in Windows without a zip program, but it does not provide adequate protection against attackers with modern cracking tools.

It is strongly recommended to use AES-256 to protect sensitive and confidential data.

Step 6: Enter a Password. Use a strong password with at least 8 characters, containing uppercase and lowercase letters and a minimum of one number.

Step 7: Select “OK” to create the encrypted archive file. The new archive file will be located in the same folder as the original.

Best security practices recommend that you do not email the password with the Zip file as it could be intercepted in transit. It is better to call the recipient of the Zip file and convey the password over the phone.




The UAB Enterprise Information Security Department (EISD) is sponsoring a National CyberSecurity Awareness Month Video Contest for currently enrolled undergraduate students.

The top three winning submissions will be announced via email and signage.

There is no entry fee. The deadline for submission is noon, Friday, Oct. 23, 2015.


ELIGIBILITY: Prizes in this contest will be awarded to the best video submitted by an individual or group of currently enrolled undergraduate students. Participating students must be at least 19 years of age by September 5, 2015.

TO ENTER: During the contest period, sign up for a free YouTube account and follow the online instructions for registration.  The video’s format and size must follow YouTube’s video upload guidelines.

YouTube is not a sponsor of this contest.  Lastly the Contest Entry form must be read, completely filled out and submitted before the submission deadline.  Uploaded entries without a submitted entry form will be disqualified.  Groups cannot have more than four total members.

Your submission must:

  • Creatively demonstrate your perceived understanding of one of the following topic areas
    • Keep a Clean Machine
    • Protect Your Personal Information
    • Connect with Care
    • Be Web Wise
    • Be a Good Online Citizen
  • Be 1 minute or less in duration without credits
  • Be an original and unique recording created by the submitters entered on the submitter form
  • Be recorded during the submission period (September 5 – October 9)
  • Comply with all of these submission guidelines and rules as stated in this document

SUBMISSION GUIDELINES: Submissions cannot misrepresent, defame, or have disparaging remarks about the University of Alabama at Birmingham, its administration, staff, employees, faculty, students, services or products.  The EISD reserves the right to and will monitor or screen submissions prior to posting them.  By providing a submission, the submitter grants EISD an exclusive, perpetual, transferable license to copy, publish, broadcast, display, distribute, use, edit, translate, alter, combine with other material, reuse and adapt any or all portions of the submissions in any way and for any purpose whatsoever, at any time now or in the future.  Submissions that are not in accordance with the guidelines as stated herein or are not received by the contest submission deadline will be disqualified.  Submissions cannot (1) be sexually explicit or suggestive, violent or derogatory of any ethnic, racial, gender, religious, professional or age group, profane or pornographic, contain nudity or any materially dangerous activity; (2) promote alcohol, illegal drugs, tobacco, firearms/weapons (or the use of any of the foregoing), any activities that may appear unsafe or dangerous, or any particular political agenda or message; (3) promote illegal behavior; (4) promote violence; (5) contain trademarks, logos or trade dress owned by others or advertise or promote any brand or product of any kind (other than the UAB trademarks, logos, trade dress, brands or products); (6) contain any personal identification, such as license plate numbers, personal names, email addresses or street addresses without permission; (7) be in violation of any of the local and national laws in the country of origin.

By submitting a submission you warrant and represent that it: (a) is your or your team's original work, (b) has not been previously published, (c) has not received previous awards, (d) does not infringe upon the copyrights, trademarks, rights of privacy, publicity or other intellectual property or other rights of any person or entity; (e) that you/your team have obtained permission from any person whose name, likeness or voice is used in the submission.

CONTEST JUDGING: During the contest judging period, submissions will be judged on the following criteria: (1) 60 percent – delivery of topic; (2) 40 percent – originality & creativity.  The top three finalists will be determined by the highest cumulative scores awarded by the judges.  Ties will be broken by the highest score awarded in the first criterion.  If the tie continues, then it will be broken by the highest score awarded in the second criterion.

PRIZE DETAILS: The first place prize of $250 will be awarded to the individual entry that receives the most votes.  Additional prizes may be awarded to the second and third place entries.

Protecting UAB's digital assets is one of our core responsibilities. As part of an initiative to protect UAB's assets and inventory servers and workstations, UAB IT is making Microsoft SCCM available at no cost to all areas of campus. 

Having all of the asset information in and managed by a single system is critical to maintaining a secure computing environment.
















The Microsoft Outlook mobile app will be blocked from accessing UAB mailboxes as of noon Thursday, Feb. 26, 2015, because of security concerns. Individual users of the app will be notified.




UAB IT’s Enterprise Information Security team has determined that the Microsoft Outlook mobile app violates UAB’s Password/Passphrase Standard because it caches BlazerID passwords in a cloud service — posing a serious security risk.





UAB IT will be blocking the Microsoft Outlook mobile app from accessing UAB mailboxes, so you won’t be able to receive email through the app. The Outlook mobile app is essentially a rebranded app from a company called Acompli, which Microsoft purchased recently. Many universities and other entities are also taking the step to block the Outlook mobile app.




Native mail applications on iOS and Android are still safe for use.




  • Discontinue using the Outlook Mobile App and uninstall it from your device.
  • Change your BlazerID Password
  • Configure the standard mobile app for use with Exchange (employees) or Office 365 (students). 




What does "caching in the cloud" mean?

The Outlook mobile app captures each user’s BlazerID and password and stores them in a cloud service. UAB has no contract with — nor a security assessment from — the service, so UAB IT has no way of guaranteeing the safety of those BlazerIDs and passwords.





UAB’s password/passphrase standard states that applications should not cache BlazerID passwords/passphrases without an approved exception. An official copy of this standard can be found in the UAB Policies and Procedures Library and on the UAB IT Information Security website in the IT Related Policies and Guidelines page.





If you need help setting up a new mail app on your phone or mobile device, please contact AskIT@uab.edu or phone 205-996-5555.



October 28, 2014

IT Risk Bulletins

Each month, the chief information security officers for UA, UAB, UAB Medicine and UAHuntsville publish an electronic newsletter to help users avoid IT errors.

October 2015 | Issue No. 10

September 2015 | Issue No. 9

Summer 2015 | Issue No. 8

March 2015 | Issue No. 6


February 2015 | Issue No. 5


January 2015 | Issue No. 4

December 2014 | Issue No. 3


November 2014 | Issue No. 2

October 2014 | Issue No. 1

UAB has contracted with DriveSavers to provide data recovery services for the UAB
community. DriveSavers is the only data recovery company in the industry that undergoes
annual SAS 70 Type II Audit Reports and is HIPAA compliant, offering the highest level of data
security available. DriveSavers is also compliant with FAR 52.224-2 (Privacy Act), ISO 17799,
Sarbanes-Oxley Act of 2002 (SOX), the US government Data-At-Rest (DAR) mandate, the
Gramm-Leach-Bliley Act (GLBA) and the new regulation by National Institute of Standards and
Technology, NIST SP 800.34 (Rev. 1).


To view DriveSavers certifications, and learn more about Data Recovery Industry standards,
visit: http://www.drivesaversdatarecovery.com/proof


Order Data Recovery Services click & follow instructions.

January 01, 2012

SpinRite - Windows

Run SpinRite to analyze your hard disk in order to identify and attempt to correct any disk errors prior to encryption.

Order/Download Now


*While Windows XP is shown in the following video, the steps can be used on both Windows XP and Windows Vista platforms.

Flaws are found in application software on a regular basis and the manufacturer often corrects these issues by releasing patches or new versions. To determine whether your system is using old versions of software, use Microsoft Baseline Security Analyzer.


*While Windows Vista is shown in the following video, the steps can be used on both Windows XP and Windows Vista platforms.

Do you use your laptop for UAB business?

Do you provide your own tech support?

Has your laptop been encrypted?

If you answered yes to the first two questions but have not encrypted your laptop, you are encouraged to take advantage of the options listed below to protect UAB data by encrypting your laptop.

HSIS Customers: Please contact the Health System Information Services (HSIS) Help Desk at helpdesk@uabmc.edu or 205-934-8888 for assistance with laptop encryption.

AskIT Customers: Please choose from the options listed below or contact the AskIT help desk at 205-996-5555 for assistance with laptop encryption.

Laptop Encryption Options:

Option 1 - Let Us Do It For You!
This option requires that the laptop is dropped off at one of our locations for at least 1-2 business days.  The following procedures will be performed on your machine:

  • Backing up your data
  • Verifying or installing antivirus software
  • Updating antivirus definitions and scanning for viruses
  • Scanning with hardware diagnostic software
  • Installing operating system updates
  • Defragmenting the hard drive
  • Encrypting your laptop

Option 2 - Do It Yourself: "How-To" Documentation & Training Videos
This is a do-it-yourself option. Please refer to the documentation and training videos on the following topics for information on how to configure and encrypt laptop computers.

  • How to create a strong password
  • How to configure your laptop
  • How to scan for missing patches
  • How to update applications
  • How to install OS updates
  • How to install antivirus
  • How to backup your machine
  • How to defragment your hard drive
  • How to run SpinRite hardware diagnostic software
  • How to encrypt your laptop

Please feel free to contact us with any questions through our help desk, AskIT, by email or phone at 205-996-5555.

 

January 01, 2012

Encryption

PGP Whole Disk Encryption software (or FileVault for Macs) is designed to provide an additional layer of security for your data. Encryption is required for laptops used for UAB Business, and it is highly recommended for desktops in theft-prone areas. PGP software essentially "locks down" your hard drive, making the data accessible only to you and those you authorize. The disk encryption, in conjunction with logon and screensaver passwords, protects UAB data if the computer is lost or stolen.

Encryption Methods:

 

Additional PGP Documentation: