- Use a unique password for each site. Hackers often use previously compromised information to access other sites. Choosing unique passwords keeps that risk to a minimum.
- Use a password manager. Using an encrypted password manager to store your passwords makes it easy to access and use a unique password for each site.
- Know what you are sharing. Check the privacy settings on all of your social media accounts; some even include a wizard to walk you through the settings. Always be cautious about what you post publicly.
- Guard your date of birth and telephone number. These are key pieces of information used for verification, and you should not share them publicly. If an online service or site asks you to share this critical information, consider whether it is important enough to warrant it.
- Keep your work and personal presences separate. Your employer has the right to access your e-mail account, so you should use an outside service for private e-mails. This also helps you ensure uninterrupted access to your private e-mail and other services if you switch employers.
- There are no true secrets online. Use the postcard or billboard test: Would you be comfortable with everyone reading a message or post? If not, don't share it.
- Read your credit card, bank, and pay statements carefully each month. Look for unusual or unexpected transactions. Remember also to review recurring bill charges and other important personal account information.
- Review your health insurance plan statements and claims. Look for unusual or unexpected transactions.
- Shred it! Shred any documents with personal, financial, or medical information before you throw them away.
- Take advantage of free annual credit reports. In the US, the three major credit reporting agencies provide a free credit report once a year upon request.
- If a request for your personal info doesn’t feel right, do not feel obligated to respond! Legitimate companies won’t ask for personal information such as your social security number, password, or account number in a pop-up ad, e-mail, text, or unsolicited phone call.
- Limit the personal information you share on social media. Also, check your privacy settings every time you update an application or operating system (or at least every few months).
- Put a password on it. Protect your online accounts and mobile devices with strong, unique passwords or passphrases.
- Limit use of public Wi-Fi. Be careful when using free Wi-Fi, which may not be secure. Consider waiting to access online banking information or other sensitive accounts until you are at home.
- Secure your devices. Encrypt your hard drive, use a VPN, and ensure that your systems, apps, antivirus software, and plug-ins are up-to-date.
- Secure your devices with a strong password, pattern, or biometric authentication. Check the settings for each device to enable a screen-lock option. For home routers, reset the default password with a strong one.
- Install anti-malware. Some software includes features that let you do automatic backups and track your device.
- Check your Bluetooth and GPS access. Disable these settings on all devices when not needed and avoid using them in public areas.
- Update your devices often. Install operating system and application updates when they become available.
- Review phone apps regularly. Remove any apps you don’t use. Be selective when buying or installing new apps. Install only those from trusted sources and avoid any that ask for unnecessary access to your personal information.
- Treat devices like cash! Don’t let your devices out of your sight or grasp. Maintain physical control of your device in public areas. Get a lock (alarmed is best) for your laptop and use it.
- Keep it sunny in the cloud. Whether using Google Drive, Dropbox, OneDrive, iCloud, Amazon Drive, or any of the many cloud options, set privacy restrictions on your files to share them only with those you intend. Protect access to your cloud drive with two-factor authentication.
- Create a secure wireless network. Configure your wireless router to protect your bandwidth, identifiable information, and personal computer. Secure it with proper setup and placement, router configuration, and a unique password, using the strongest encryption option. See http://www.wi-fi.org/ for more tips.
- Protect your Internet of Things (IoT) devices. Are you sharing your livestreaming nanny cam with the world? Review privacy settings for all Internet-ready devices before connecting them to the web.
- Always: Use a unique password for each account so one compromised password does not put all of your accounts at risk of takeover.
- Good: A good password is 10 or more characters in length, with a combination of uppercase and lowercase letters, plus numbers and/or symbols — such as pAMPh$3let. Complex passwords can be challenging to remember for even one site, let alone using multiple passwords for multiple sites; strong passwords are also difficult to type on a smartphone keyboard (for an easy password management option, see “best” below).
- Better: A passphrase uses a combination of words to achieve a length of 20 or more characters. That additional length makes it exponentially harder for hackers to crack, yet a passphrase is easier for you to remember and more natural to type. To create a passphrase, generate four or more random words from a dictionary, mix in uppercase letters, and add a number or symbol to make it even stronger — such as rubbishconsiderGREENSwim$3. You’ll still find it challenging to remember multiple passphrases, though, so read on.
- Best: The strongest passwords are created by password managers — software that generates and keeps track of complex and unique passwords for all of your accounts. All you need to remember is one complex password or passphrase to access your password manager. With a password manager, you can look up passwords when you need them, copy and paste from the vault, or use functionality within the software to log you in automatically. Best practice is to add two-step verification to your password manager account. Keep reading!
- Step it up! When you use two-step verification (a.k.a., two-factor authentication or login approval), a stolen password doesn’t result in a stolen account. Anytime your account is logged into from a new device, you receive an authorization check on your smartphone or other registered device. Without that second piece, a password thief can’t get into your account. It’s the single best way to protect your account from cybercriminals.
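As an added example, not part of the original page: a small Python script that follows the passphrase recipe above (four or more random words, one upper-cased, a symbol and a digit appended) and estimates the search space of the page's two sample passwords from two viewpoints, an attacker guessing character by character and one who knows the word-list recipe. The 7,776-word dictionary size, the 94-character printable alphabet and the short word list are assumptions made for the example.

```python
import math
import secrets
import string

# Constructed word list so the example runs offline; a real passphrase should
# draw from a dictionary of thousands of words (assumption: a 7,776-word list,
# the size commonly used for dice-based word lists).
SAMPLE_WORDS = ["rubbish", "consider", "green", "swim", "planet", "ladder",
                "copper", "window", "basket", "violet"]
ASSUMED_DICTIONARY_SIZE = 7776
# Letters, digits and punctuation: the alphabet a character-level guesser
# must cover for a password like pAMPh$3let (assumption: no spaces).
PRINTABLE_ALPHABET = len(string.ascii_letters + string.digits + string.punctuation)


def build_passphrase(words, upper_index, symbol, digit):
    """Join the chosen words, upper-case one of them, and append a symbol and a
    digit. Deterministic so it can be checked; the random choices are made in
    generate_passphrase()."""
    parts = [w.upper() if i == upper_index else w for i, w in enumerate(words)]
    return "".join(parts) + symbol + str(digit)


def generate_passphrase(word_list, count=4, rng=None):
    """Page recipe: four or more random words, mixed case, plus a number and a
    symbol. secrets.SystemRandom is used so the result is fit for a real
    secret; pass another rng only for reproducible demonstrations."""
    rng = rng or secrets.SystemRandom()
    chosen = [rng.choice(word_list) for _ in range(count)]
    return build_passphrase(chosen, rng.randrange(count),
                            rng.choice(string.punctuation), rng.randrange(10))


def brute_force_bits(length, alphabet_size):
    """Search space (bits) for an attacker guessing character by character with
    no knowledge of how the secret was built: it grows with length."""
    return length * math.log2(alphabet_size)


def dictionary_bits(word_count, dictionary_size, case_choices=1, suffix_choices=1):
    """Search space (bits) for an attacker who knows the recipe and guesses whole
    words: it grows with the number of words, not with their spelling."""
    return (word_count * math.log2(dictionary_size)
            + math.log2(case_choices) + math.log2(suffix_choices))


def compare_page_examples():
    """Both views for the page's 'Good' password (10 characters) and 'Better'
    passphrase (4 words, 26 characters)."""
    suffix_choices = len(string.punctuation) * 10   # one symbol, one digit
    return {
        # pAMPh$3let, treated as if it were 10 random printable characters
        "good_10_chars_brute_force": brute_force_bits(10, PRINTABLE_ALPHABET),
        # rubbishconsiderGREENSwim$3 is 26 characters long
        "better_26_chars_brute_force": brute_force_bits(26, PRINTABLE_ALPHABET),
        # the same passphrase against a recipe-aware attacker: 4 words from the
        # assumed list, one of the 4 words upper-cased, symbol+digit suffix
        "better_4_words_recipe_aware": dictionary_bits(
            4, ASSUMED_DICTIONARY_SIZE, case_choices=4,
            suffix_choices=suffix_choices),
        # every extra word adds log2(dictionary size) bits against that attacker
        "bits_per_extra_word": math.log2(ASSUMED_DICTIONARY_SIZE),
    }
```

Against a character-level guesser the 26-character passphrase is far out of reach while the 10-character password is not; against an attacker who knows the recipe, what raises the bar is the word count, which is why the recipe says "four or more".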
- If possible, do not take your work or personal devices with you on international trips. If you do, remove or encrypt any confidential data.
- For international travel, consider using temporary devices, such as an inexpensive laptop and a prepaid cell phone purchased specifically for travel. (For business travel, your employer may have specific policies about device use and traveling abroad.)
- Install a device finder or manager on your mobile device in case it is lost or stolen. Make sure it has remote wipe capabilities and that you know how to do a remote wipe.
- Ensure that any device with an operating system and software is fully patched and up-to-date with security software.
- Make copies of your travel documents and any credit cards you’re taking with you. Leave the copies with a trusted friend, in case the items are lost or stolen.
- Keep prying eyes out! Use strong passwords, passcodes, or smart-phone touch ID to lock and protect your devices.
- Avoid posting social media announcements about your travel plans; such announcements make you an easy target for thieves. Wait until you’re home to post your photos or share details about your trip.
- Fortify each online account or device. Enable the strongest authentication tools available. This might include biometrics, security keys, or unique one-time codes sent to your mobile device. Usernames and passwords are not enough to protect key accounts such as e-mail, banking, and social media.
- Keep a clean machine. Make sure all software on Internet-connected devices — including PCs, laptops, smartphones, and tablets — is updated regularly to reduce the risk of malware infection.
- Personal information is like money. Value it. Protect it. Information about you, such as purchase history or location, has value — just like money. Be thoughtful about who receives that information and how it’s collected by apps or websites.
- When in doubt, throw it out. Cybercriminals often use links to try to steal your personal information. Even if you know the source, if something looks suspicious, delete it.
- Share with care. Think before posting about yourself and others online. Consider what a post reveals, who might see it, and how it could be perceived now and in the future.
- Own your online presence. Set the privacy and security settings on websites to your comfort level for information sharing. It’s okay to limit how and with whom you share information.
- Identity thieves. Cybercriminals need only a few pieces of information to gain access to your financial resources. Phone numbers, addresses, names, and other personal information can be harvested easily from social networking sites and used for identity theft. Cybercrime attacks have moved to social media, because that’s where cybercriminals get their greatest return on investment.
- Online predators. Are your friends interested in seeing your class schedule online? Well, sex offenders or other criminals could be as well. Knowing your schedule and your whereabouts can make it very easy for someone to victimize you, whether it’s breaking in while you’re gone or attacking you while you’re out.
- Employers. Most employers investigate applicants and current employees through social networking sites and/or search engines. What you post online could put you in a negative light to prospective or current employers, especially if your profile picture features you doing something questionable or “less than clever.” Think before you post a compromising picture or inflammatory status. (And stay out of online political and religious discussions!)
University of Alabama at Birmingham
DATA PROTECTION AND SECURITY POLICY
UAB electronic information assets (data) must be protected and maintained in accordance with all applicable federal and state laws and university policies. The intent of this policy is to provide a framework to ensure that electronic data, in all forms, are adequately protected. This policy specifically outlines:
- The roles and responsibilities of the UAB community for data protection and security;
- Additional requirements associated with the use and maintenance of systems containing sensitive information.
2.0 Scope and Applicability of Policy
Managing and protecting data are responsibilities shared by all members of the UAB community [i.e., all individuals (faculty/staff/students/visitors), schools, departments, affiliates, and/or other similar entities within the UAB, including employees of contracted or outsourced non-UAB entities]. This policy applies to all UAB data and systems including, but not limited to, centralized institutional systems, departmental/unit systems, systems created or operated by third party vendors under the direction of UAB, and UAB data in any system.
3.0 Policy Statement
All members of the UAB community should protect their data and data under their control and periodically review all applicable data security, confidentiality, and acceptable use policies. The following rules and policies apply to data classification and protection:
- Institutional Data must be classified according to the UAB Data Classification Rule.
- University Data must be protected according to the UAB Data Protection Rule.
- Health System data must be protected according to the UAB HIPAA Policies.
Any information system that stores, processes or transmits institutional data must be secured in a manner that is considered reasonable, appropriate and compliant with University Policies and Federal and State Laws. The required level of security depends on the nature of the data, as defined in the UAB Data Classification Rule.
3.1 Risk Assessment
Deans and administrative unit heads (in conjunction with UAB Information Technology) are responsible for ensuring the assessment and periodic review of the business processes and technical risks associated with implementing any planned, proposed, or existing electronic information system or data collection system. Risk assessments must identify specific procedures to minimize risks and the impact of potential breach/compromise of data.
3.2 Other Data Security Policies at UAB
Other data security policies implemented at UAB (campus-wide or locally by/for a specific department, school, or system) may be more restrictive than this UAB-wide policy but may not be less restrictive. Each University department/unit is responsible for implementing, reviewing and monitoring internal policies, practices, etc. to assure compliance with this policy.
3.3 Incident Reporting and Management
Any suspected breach or compromise of Sensitive or Restricted Data must be reported immediately to the Information Security Office in the Office of the Vice President for Information Technology and to the dean or administrative unit head. Specific procedures for reporting a suspected or actual breach/compromise of data are located on the Information Security web site. Upon receiving the report, the Information Security Office will be responsible for conducting or coordinating the investigation, making or assessing recommendations for corrective action, reporting the incident to the Executive Computer Incident Response Team (ECIRT) and other administrative units as needed, and maintaining documentation of the incident.
Exceptions may be granted in cases where security risks are mitigated by alternative methods, or in cases where security risks are at a low, acceptable level and compliance with minimum security requirements would interfere with legitimate academic or business needs. To request a security exception, complete the Information Security Exception Request Form.
Confirmed violations of this policy will result in consequences commensurate with the offense. Intentional release of Restricted Data or egregious violations of this policy may result in termination of employment, appointment, student status or other relationships with UAB.
This policy will be reviewed by the UAB’s Information Security Office periodically or as deemed appropriate.
The Vice President for Information Technology is responsible for the oversight and implementation of this policy, including the overall procedures related to its implementation and management.
The event will be held from 1 to 2:30 p.m. in Ballroom C at the Hill Student Center.
UAB IT Research Computing aims to conduct two user forums through the year (spring and fall) to update the HPC user community on the status of the HPC system, the organization, planned upgrades, policy changes, and to receive feedback from users in order to improve delivery of HPC services and support to the community.
With UAB's last HPC upgrade in fall 2016, UAB IT now has more than 2,300 additional compute cores and 6 petabytes of storage available to help researchers analyze and manage data. UAB aims to grow the compute, storage, and network fabrics to support research needs on campus.
Please register to attend the HPC user forum here.
The Data Classification Requirement is a standard effort to identify and classify UAB’s data as restricted/PHI, sensitive or public.
There are three classes of data as defined in the standard:
- Public Data is available to the general public and if disclosed will not cause harm to UAB.
- Sensitive data is not readily accessible or available to the general public and may require authentication for access.
- Restricted/PHI data is only available to authorized users with permission of the Data Owner for a specific purpose. Such data is usually regulated by law or contractual obligation.
There are three primary reasons to classify data:
- Security - It is much more difficult to secure data when you don’t know the appropriate level of security to apply. Classifying data goes a long way toward simplifying the effort to secure UAB's assets.
- Simplicity - A myriad of compliance requirements, rules, and laws apply to various types of data. Data Classification allows us to simplify protection requirements and reduce the complexity of security rules.
- Cost - Knowing what types of data we have helps determine how they should be protected. This allows UAB to avoid applying overly constrictive security controls to data that doesn’t need them.
UAB data users are responsible for following use and handling policies for the UAB data and UAB systems as well as applicable rules and laws. Data users should not store or process sensitive data on their desktop or laptop computers without approval and appropriate security safeguards in place. Report breaches to the information security office and complete annual security awareness training.
UAB data stewards are responsible for the policy and practice decisions regarding their data and for classifying the sensitivity of that data. They define protection requirements for the data based on its sensitivity, any legal or regulatory requirements, and business needs. They communicate data protection requirements to the Data Custodians and/or System Administrators and define requirements for access to the data. Data owners are also to complete annual role-based training.
In most cases, yes. UAB must have a contract with the cloud provider to ensure the data is protected appropriately. Personal services do not provide the appropriate level of protection for Institutional data. Do not store sensitive information on cloud storage services for which UAB does not have an approved institutional-level contract covering sensitive or restricted data.
- Public – UAB Box or UAB Microsoft OneDrive
- Sensitive – UAB Box
- Restricted - UAB Box, subject to any applicable laws. PHI and credit card information are prohibited.
The classification of research data depends on several factors, such as the type of data and/or contractual elements, and thus may fall into any of the classifications defined herein. Likewise, time of release and collaboration affect the classification of research data. As such, certain unpublished research data may be classified as private or sensitive until such time as the research is published. Likewise, intellectual property that has not been disclosed to or protected by the IIE may need to be classified as sensitive. Additionally, federal laws, rules, and regulations (including but not limited to FISMA, HIPAA, FERPA, and Export Controls), sponsor requirements, and UAB policies and guidelines will necessitate a certain classification. It is incumbent upon the Researcher to know the type of data and the circumstances governing the data, and to classify it accordingly. Once classified, the Researcher will need to maintain the data using the appropriate UAB system of record or database with the appropriate access and security controls aligning to the classification standard. For example, not all UAB data storage options are recommended for sensitive data. Research data shall also be maintained in accordance with UAB’s Record Retention Policy and record retention schedule. For more information about protected research data, please refer to the UAB OVPRED or the UAB IT Data Officer.
First, an exception must be requested and granted. Restricted data must be encrypted if stored on a mobile or remote device.
- Reading and complying with UAB IT policies.
- Reporting breaches of IT security, actual or suspected, to the Information Security Office.
- Taking reasonable and prudent steps to protect the security of IT systems and data to which they have access.
- Completing annual IT Security Awareness Training.
- Implementing, managing, and/or operating a system or systems at the direction of the System Owner, Data Owner, and/or Data Custodian.
- Administering IT systems day to day, and implementing security controls and other requirements of the University’s information security program.
- Completing annual, role-based training.
- Each system should have at least two System Administrators (one primary, one secondary).
- Protecting the data in their possession from unauthorized access, alteration, destruction, or usage.
- Establishing, monitoring, and operating IT systems in a manner consistent with Radford University Information Security policies and standards.
- Providing Data Owners with reports, when necessary and applicable.
- Completing annual role-based training.
- Responsible for the policy and practice decisions regarding data.
- Evaluate and classify sensitivity of the data.
- Define protection requirements for the data based on the sensitivity of the data, any legal or regulatory requirements, and business needs.
- Communicate data protection requirements to the Data Custodians and/or System Administrators.
- Define requirements for approving access to the data.
- Define requirements for regular auditing and removal of access to the data.
- Complete annual role-based training.
The UAB Data Classification scheme and protection requirements only apply to UAB institutional data. Use due care when handling your own personal data.