Information Security

Site: learnonline
Course: Information Security Management
Book: Information Security
Date: Thursday, 9 May 2024, 11:24 PM


Introduction to Information Security

What is Information Security?

The protection of information and information systems from unauthorised access, use, disclosure, disruption, modification or destruction, so that information stays confidential, accurate and available to the people who need it.

Employees and all other stakeholders need to understand the University's information security policies and guidelines, and to follow work practices that comply with them, so that the impact of any breach that does occur is kept as small as possible.

 

Why is it important to keep the University network secure?

  • Data theft: Hackers accessing student or employee personal or confidential details;

  • Data loss: Unauthorised entities manipulating or deleting important data;

  • Lawsuits against the University;

  • Loss of Reputation; and

  • Financial loss including recovery expenses.

Ensuring Security

The key areas to consider when safeguarding the University's information and assets are listed below:

1.  Update your software.

  • Vendors release new versions and patches to fix security problems that have been found. Updating promptly means those fixes are actually in place on your computer.
  • Once a vulnerability is public, attackers write malware that targets it. Software that is not updated, or that the vendor no longer supports, leaves that hole open to viruses and other attacks.
UniSA applies updates to your University devices automatically, so you only need to accept the updates and restart your computer when asked.
See: Viruses & Malware

 

2.  Use anti-virus software.

  • Anti-virus vendors keep their detection signatures current for known viruses and other malware. With a current, up-to-date version installed, known threats are detected and blocked as they arrive; it will not catch everything, so the other measures on this page still matter.
UniSA regularly scans your University devices with Symantec Endpoint Protection.  You can also run a manual scan at any time, and you should make sure that any portable or personal devices used for work purposes are scanned regularly as well.
See: How do I use Symantec Endpoint Protection to scan my hard drive?

 

3.  Be suspicious of unsolicited phone calls or emails.

  • Unsolicited emails and phone calls are trying to get you to do something that benefits someone else. It might be spam trying to sell you something, or an attempt to get you to open an attachment or link that installs malware on your computer or gives others access to your information.
UniSA uses a number of methods to reduce the spam and phishing emails and calls that reach the University, but some still get through.
See: Spam and Phishing

4.  Back up your data.

  • If you have a problem with your computer and it needs to be reset or even replaced, you will still have access to your information if you have backed it up.
UniSA automatically backs up data held in a number of systems, such as Outlook, and also backs up shared drives and SharePoint sites.  Files saved on your computer's local C:\ drive are not backed up automatically, so move them to a shared area or back them up by other means.
See: How do I back up my files?

5.  Use legitimate software.

You should always use legitimate software that you have purchased from a vendor or downloaded from the company’s website. Why?

  • Using pirated copies of software on University devices could lead to the University being prosecuted if it is discovered.
  • Pirated copies put your computer at risk from malware you may not know about: the software itself may carry a virus, and because the vendor will not support it you will not receive security updates, so any vulnerabilities in it stay open.
UniSA provides access to many programs as a default on all University devices (Standard Operating Environment).  If specific software is required for work purposes it can easily be purchased.
See: UniSA Standard Operating Environment (SoE)
See: Software Licensing

6.  Set strong passwords and use different passwords for different accounts.

  • A strong password, changed regularly and immediately if you suspect it has been exposed, makes it much harder for anyone else to get into your accounts.
  • If you use the same password for all your accounts and one account is compromised, the attacker simply tries that password against your other accounts and gets into those too.
  • If you keep an unencrypted list of your passwords on your computer and someone gains access to the computer, they have all your passwords at once.
UniSA recommends that you set a strong password for University systems.  Strong passwords reduce the chance of someone breaking into your account.  Use different passwords for work and personal accounts wherever possible.
See: How do I choose a secure password?

7.  Do not lose your device.

  • If someone gets your device, they may have access to all your information and plenty of time to access it.
UniSA recommends that you know where your tablet, phone or laptop is at all times and that you avoid leaving them unattended unless they are locked away in a drawer or cupboard.  Protect each device with a password or passcode and make sure its storage is encrypted, so that a lost device does not hand over the data on it.
See: Mobile & Portable Storage Devices

 

Adapted from: Department of Defence - Defence Signals Directorate

www.dsd.gov.au/publications/csocprotect/home_computer_security.htm

Friday, 18 January 2013

Clear Desk / Clear Screen

As well as keeping the University's data secure on its systems, staff should be aware that security can also be breached when data is displayed on a screen or printed out.

Because of this, there are some basic guidelines to help keep your workstations secure.


1.   Be aware of the classification of the information you hold.

University information has been classified into three high level categories and detailed in the University's Information Security policy:
  • Public data can generally be made available or distributed to the general public;
  • Proprietary data is for internal University use and not for external distribution; and
  • Restricted (moderately to highly sensitive) data is to be used only by individuals who require it in the course of performing their University responsibilities, or data which is protected by Federal and/or State legislation.


2.   Ensure that your desk and surrounding workspace is clear of papers and clutter.

  • A clear desk assists clear thinking, enables you or your colleagues to find items quickly and promotes a more professional image to visitors.

  • Maintaining a clutter-free workspace can also help to reduce workplace accidents and falls.

How?

  • Papers containing restricted information should be locked away whenever you are working on them but are temporarily away from your desk.  A locked drawer is suitable; if you have your own office, locking the door will also do.
  • Post-it notes should never be used to record restricted information such as passwords.
  • If large numbers of files are required, obtain a lockable filing cabinet, and put each file away as soon as you have finished with it.
  • Don't print out emails or papers just to read them once and throw them away.  Print only what you genuinely need on paper.
  • Always clear your desk before you leave for the day; that way nothing is left unsecured overnight and you are ready to work when you arrive the next morning.
  • All waste paper containing restricted information must be shredded or placed in 'confidential waste' bins.  Under no circumstances should it go in normal waste bins.


3.   Ensure that restricted information is not kept on your screen when not needed.

  • A clear screen works in a similar way to a clear desk and allows you to think more clearly.

How?

  • Close any applications or windows that are not required.  Those needed on an ongoing basis, such as Outlook, can be minimised to reduce clutter on the desktop.
  • Lock your screen every time you leave your desk, even if only for a few minutes (press the Windows key and L at the same time).  A quick chat or coffee break can turn into an extended time away from your desk.  University computers are set up to require a password to unlock; this setting should not be disabled.


4.   Know where your mobile and portable storage devices are at all times.

  • Theft or misuse of devices leaves the University susceptible to exploitation of any data they may hold.

How?

  • Every time you leave your desk, ensure any mobile devices are locked away or taken with you.

5.   Keep your copies safe.

  • Restricted information left lying around in printer trays or fax machines may be picked up and/or used maliciously by someone who shouldn't have access to that information.

How?

  • All printers and fax machines should be cleared of papers as soon as they are printed; this helps ensure that sensitive documents are not left in printer trays for the wrong person to pick up.

Password Management

Ensuring that University passwords are strong, safe and protected will help to prevent breaches of the network.

UniSA has provided some Frequently Asked Questions (FAQs) on passwords and logging on.  These FAQs are available here.

The University's Information Security Policy and its Appendix also provide more information about how passwords are used at UniSA.

 

Compromised passwords

How can your password get compromised?

  1. Disclosing your password to friends or colleagues.

  2. Writing your password down and then losing the note.

  3. Entering it on a fake login page, or reading it out over the phone, in response to a phishing email or call.

  4. An attacker guessing it, or cracking it from a stolen password database; short, common and predictable passwords fall first.

  5. Spy software such as key loggers capturing your password as you type it.


Password protection

  • Use a strong password: long, with a mix of upper- and lower-case letters, numbers and symbols
    Examples of weak passwords: hello, peter01, password1

  • Never use personal details like your last name, your child's name or your date of birth in your password

  • Use a password which you can remember but which others cannot predict

  • Use different passwords for your work account and your personal accounts/email

  • Never write your password down or store it unencrypted

  • Change your password regularly, and immediately if you suspect it has been compromised.


See How do I choose a secure password?
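The rules in the Password protection list above, and in item 6 of Ensuring Security, can be checked mechanically. The Python script below is an added example, not code from the UniSA page or a UniSA tool: it tests a candidate password for length, character mix, common words (including leet-speak spellings such as P4$$w0rd), personal details drawn from a user profile, and reuse across accounts, and it estimates how long a brute-force attacker would need to exhaust the search space. MIN_LENGTH, the tiny COMMON_PASSWORDS list, the PROFILE and the 1e10 guesses-per-second attacker are illustrative assumptions, not UniSA figures.

```python
"""Password weakness checker: an added example, not code from the UniSA page.
It applies the advice above (length and character mix, no personal details,
no common words, no reuse between accounts) to the weak examples the page
gives and to constructed inputs. MIN_LENGTH, COMMON_PASSWORDS, PROFILE and
the attacker's guess rate are illustrative assumptions, not UniSA figures."""
import re
from datetime import date

MIN_LENGTH = 12                                   # assumption, not a UniSA figure
COMMON_PASSWORDS = {"password", "123456", "qwerty", "hello", "letmein",
                    "welcome", "iloveyou", "abc123", "admin"}   # tiny stand-in list
LEET = str.maketrans("4301$@!", "aeolsai")        # undo p4$$w0rd-style substitutions
CLASSES = ((r"[a-z]", 26), (r"[A-Z]", 26), (r"\d", 10), (r"[^A-Za-z0-9]", 33))

# Constructed user profile used for the personal-details check.
PROFILE = {"first_name": "Peter", "last_name": "Nguyen", "child_name": "Mia",
           "username": "pnguyen", "date_of_birth": date(1985, 3, 14)}


def personal_tokens(profile):
    """Names and date formats that must not appear anywhere in the password."""
    tokens = {profile[k].lower() for k in ("first_name", "last_name", "child_name", "username")
              if profile.get(k)}
    if profile.get("date_of_birth"):
        tokens |= {profile["date_of_birth"].strftime(f)
                   for f in ("%d%m%Y", "%d%m%y", "%Y%m%d", "%d/%m/%Y", "%Y")}
    return sorted(tokens)


def estimated_guesses(pw):
    """Size of the search space for an attacker who knows which classes are used."""
    alphabet = sum(n for pattern, n in CLASSES if re.search(pattern, pw))
    return alphabet ** len(pw)


def crack_time_seconds(pw, guesses_per_second=1e10):
    """Worst case for brute force; 1e10/s assumes an offline attack on a fast hash."""
    return estimated_guesses(pw) / guesses_per_second


def weaknesses(pw, profile=None, other_passwords=()):
    """Return the rules `pw` breaks; an empty list means nothing was found."""
    lower, found = pw.lower(), []
    if len(pw) < MIN_LENGTH:
        found.append(f"too short ({len(pw)} characters; use {MIN_LENGTH} or more)")
    if sum(bool(re.search(p, pw)) for p, _ in CLASSES) < 2:
        found.append("uses only one character class (mix letters, numbers and symbols)")
    if any(w in lower or w in lower.translate(LEET) for w in COMMON_PASSWORDS):
        found.append("contains a common password or dictionary word")
    for token in personal_tokens(profile or {}):
        if len(token) >= 3 and token in lower:
            found.append(f"contains personal detail '{token}'")
    if pw in other_passwords:
        found.append("reused on another account")
    return found


if __name__ == "__main__":
    # The page's weak examples, a leet-speak variant, a name+year password and a passphrase.
    for candidate in ("hello", "peter01", "password1", "P4$$w0rd2024!", "Nguyen1985!",
                      "Teal7-Harbour-Lantern-Quiet"):
        problems = weaknesses(candidate, PROFILE) or ["no weakness found"]
        print(f"{candidate:30} {crack_time_seconds(candidate):12.3g} s  {'; '.join(problems)}")
```

The brute-force figure is an upper bound and only for a naive attacker; the three page examples fail long before that because they are on every common-password list, and "P4$$w0rd2024!" is caught because the leet-speak translation is applied before the dictionary check. A real deployment would replace COMMON_PASSWORDS with a full breached-password list and would compare stored hashes, never plaintext, for the reuse check.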

Viruses and Malware

What is a computer virus?

A virus is a computer program that can replicate itself and spread from one computer to another.  It is one type of malware (malicious software).


What is malware?

Malware (malicious software) is the general term for any software that can:

  • impede the normal operation of your computer,
  • collect sensitive information, or
  • gain access to private networks and systems.

Viruses, worms and Trojan horses are all well-known kinds of malware.  A virus attaches itself to other programs or files and spreads when they are run or shared; a worm spreads by itself across a network without needing a host file; a Trojan horse disguises itself as legitimate software so that you run it yourself.

 

What happens when your computer is infected by malware?

  • Installed programs can become corrupted or stop working altogether.

  • Computer performance slows down.

  • Some malware creates multiple copies of files, taking up disk space and leaving less room for your own files.

  • Some malware also spies on your computer activity and steals data.

Protect your computer

What is the difference between antivirus software and firewalls?

  • Antivirus software detects and quarantines viruses and other malware already on your computer or arriving in files you open.
  • Firewalls (hardware or software) control which network connections are allowed into, and often out of, your computer, so unsolicited traffic from the internet is blocked before it reaches your programs.


How can you protect yourself and the computers you use from viruses and malware?

UniSA has produced some guidelines to help you protect the University network:

  • The University has a firewall which is set up on all UniSA computers, this should never be turned off.

  • Antivirus software is installed on all UniSA computers, this should never be disabled.

  • You should never run a program unless you know it has been authored by a person or company that you trust.

  • An automatic update for the operating systems of University computers is in place, this should never be disabled.

Working from home

If you use a personal laptop on campus, or connect to the UniSA network from home over VPN, dial-up or wireless, failing to protect that computer may result in your access being removed.

So make sure that any computer you use to connect to the UniSA network has antivirus software installed and is configured to update automatically.

 

See Staff- Basic security for your personal computer

Spam and Phishing

What is Spam?

Unsolicited e-mail that advertises products, goods or services can be considered spam.  A run of similar-looking emails from unknown senders is also likely to be spam.


What is Phishing?

Phishing or vishing (voice phishing) scams come in a variety of forms so be vigilant when asked by anyone to provide your personal information over the phone or via the Internet.

Emails which try to retrieve your user name, password, account number, credit card details or other personal information are usually phishing emails, especially if they are unsolicited.

You may also receive a phone call that requests you to provide sensitive information over the phone, or asks you to visit a specific website.

Microsoft also publish some information on phishing which can be found here.

 

Identifying Spam & Phishing

You can identify spam and phishing emails in a variety of ways:

  • Poor spelling and odd grammar.

  • An email asks you to visit external links embedded in the email.

  • An email says it's from an organisation/company you've never heard of.

  • An email asks for a password or other personal information.

  • A URL is misspelled but looks like a familiar website, for example one letter changed, look-alike characters, or the familiar name used as part of a longer, different domain.

  • An email asks you to forward the email to friends to earn points or win gifts!
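Several of the indicators above can be checked automatically before a message reaches a person. The Python script below is an added example, not code from the UniSA page or from UniSA's mail filtering: it parses a raw e-mail, pulls out the links, and flags a sender display name that claims a trusted organisation while the address belongs elsewhere, a link host that imitates a familiar domain (a one-character typo, look-alike letters such as "rn" for "m", or the brand buried inside a different domain), link text that names one site while pointing at another, links to external sites, requests for passwords or personal details, and chain-letter requests. TRUSTED_DOMAINS, the phrase lists, the two-indicator threshold and both sample messages are constructed assumptions.

```python
"""Phishing-indicator checker for raw e-mail text: an added example, not code
from the UniSA page. It applies the indicators listed above to two constructed
messages; TRUSTED_DOMAINS, the phrase lists and the two-indicator threshold are
illustrative assumptions, not UniSA settings."""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

TRUSTED_DOMAINS = ("unisa.edu.au", "microsoft.com")  # assumption: familiar sites
CREDENTIAL_PHRASES = ("password", "username", "credit card", "account number",
                      "date of birth", "verify your account", "log in to confirm")
CHAIN_PHRASES = ("forward this", "send this to", "forward to your friends")
ANCHOR = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def is_trusted(host):
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def imitated_domain(host):
    """Trusted domain that `host` imitates (one-character typo, look-alike
    letters, or the brand buried in another domain); None if trusted/unrelated."""
    host = host.lower()
    if is_trusted(host):
        return None
    plain = host.replace("rn", "m").replace("vv", "w").replace("0", "o").replace("1", "l")
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0]                       # "unisa", "microsoft"
        tail = ".".join(plain.split(".")[-(trusted.count(".") + 1):])
        typo = len(tail) == len(trusted) and sum(a != b for a, b in zip(tail, trusted)) == 1
        if tail == trusted or typo or brand in plain.replace("-", ""):
            return trusted
    return None


def assess(raw_message):
    """Return the phishing indicators found in one raw e-mail (headers + body)."""
    msg, found = message_from_string(raw_message), []
    # Display name claims a trusted organisation, but the address is elsewhere.
    name, addr = parseaddr(msg.get("From", ""))
    if not is_trusted(addr.rsplit("@", 1)[-1]):
        found += [f"sender claims to be {t} but address is {addr}"
                  for t in TRUSTED_DOMAINS if t.split(".")[0] in name.lower()]
    body = msg.get_payload()
    # Links as (href, anchor text); a regex is enough for a mail body of this size.
    links = [(h, re.sub(r"<[^>]+>", "", a)) for h, a in ANCHOR.findall(body)]
    text = re.sub(r"<[^>]+>", " ", body)
    links += [(u, "") for u in re.findall(r"https?://\S+", text)]
    for href, anchor in links:
        host = urlparse(href).hostname
        if not host:
            continue
        shown = re.search(r"[\w-]+(?:\.[\w-]+)+", anchor)   # anchor text naming a site
        if shown and shown.group(0).lower() != host.lower():
            found.append(f"link text shows {shown.group(0)} but points to {host}")
        imitated = imitated_domain(host)
        if imitated:
            found.append(f"link host {host} imitates {imitated}")
        elif not is_trusted(host):
            found.append(f"link to external site {host}")
    haystack = (msg.get("Subject", "") + " " + text).lower()
    if any(p in haystack for p in CREDENTIAL_PHRASES):
        found.append("asks for a password or other personal information")
    if any(p in haystack for p in CHAIN_PHRASES):
        found.append("asks you to forward the message on")
    return list(dict.fromkeys(found))                       # de-duplicate, keep order


def verdict(raw_message):
    n = len(assess(raw_message))
    return "likely phishing" if n >= 2 else "suspicious" if n else "no indicators found"


# Constructed sample messages; neither is real mail.
PHISHING_SAMPLE = """\
From: "UniSA IT Helpdesk" <helpdesk@unisa-support.com>
Subject: Urgent: your mailbox will be closed
Content-Type: text/html

<p>Your mailbox is allmost full. Please <a href="http://unisa-edu-au.login-check.ru/verify">
log in to confirm</a> your username and password within 24 hours.</p>
"""
LEGITIMATE_SAMPLE = """\
From: "UniSA Library" <library@unisa.edu.au>
Subject: New database trial
Content-Type: text/html

<p>A trial of a new research database is available from
<a href="https://www.library.unisa.edu.au/trials">the library website</a>.</p>
"""

if __name__ == "__main__":
    for sample in (PHISHING_SAMPLE, LEGITIMATE_SAMPLE):
        print(verdict(sample), assess(sample))
```

These are heuristics, not proof: a legitimate newsletter with a link to an external site scores one indicator, and a well-crafted phish that links to a freshly registered domain with no resemblance to a familiar one can score zero. The checks that matter most are the ones that compare what the message claims (display name, link text) with where it actually leads (address domain, link host); the Handling Phishing advice below, to verify through a contact number you look up yourself, is the same comparison done by hand.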

Handling Spam

What should you do when you see spam email in your UniSA account?

  • Never click on links in unsolicited email.

  • Never download files from suspicious email.

  • Never give out your password to anyone.

  • Never forward spam emails to your friends.

  • Notify UniSA ISTS about the email address and subject.  You can do this by forwarding the email to ITHelpdesk_spam@unisa.edu.au

 

See What can I do about SPAM email?

 

Reducing SPAM

  • Install email filters (or set rules) to reduce the amount of spam.

  • Check the terms and conditions before you subscribe to any email service or social networking website.

  • Do not use your UniSA email address for social networking or online shopping (use a separate email address for personal matters).

  • If you subscribed to a legitimate mailing list by mistake, use the unsubscribe option on the website or in its emails.  Do not click 'unsubscribe' in unsolicited spam: that only confirms to the sender that your address is live.

Handling Phishing

The best thing to do when you receive an email or you receive a call you believe is phishing for information is to:

  • Be careful and do not provide your details.
  • Locate a contact number for the institution that supposedly sent the email or placed the call (do not use a contact number provided by the sender of the email or the caller/caller ID).
  • Directly call the institution to check whether this was a legitimate request.

Mobile & Portable Storage Devices

Mobile Devices

Mobile computing devices, such as those in the list below, can hold a large amount of data and can be easily lost or stolen:

  • smart phones,
  • tablets, and
  • laptops

 

Portable Storage Devices

On occasion, staff may use portable storage devices such as CDROMs, USB sticks, or external hard drives to store their work.

 

1.   What can happen if a mobile or portable storage device is lost?

Anyone who finds your device can read all the confidential data stored on it.  Unauthorised access to information and data theft are the main threats from a lost mobile or portable storage device.

  • If you have a UniSA laptop or tablet PC in your office, always lock the room, even if you only leave for a few minutes.
  • Avoid storing confidential data or personal details on portable storage devices.
  • Set a strong password or access code on every device.
  • The UniSA Information Security Policy requires staff to use encryption on sensitive data stored in mobile or portable computing devices.

See: Information Security Policy


2.   Other threats from portable storage devices:

If your device is infected with malware and you plug it in to any UniSA computer (or personal computer), malware can spread to the computer it is plugged into, and then subsequently on to other computers on the same network and devices plugged into them.

See: Viruses and Malware


3.   Using portable storage devices when connected to UniSA network:

Scan for viruses, worms and other threats before you access the files in storage devices.  Protect files from unauthorised access by using passwords or encryption.

See: How do I use Symantec Endpoint Protection to scan my hard drive?