Information Security

Does OWU have Information Security Policies? Where are they?
What is information security?

Information security is the set of business processes that protect information assets regardless of their format and status (processed, transmitted, or stored). Information security is not a single technology, but a comprehensive strategy of policies, processes, and tools to avoid, prevent, detect, and report threats to both digital and non-digital information.


What is computer security?

Computer security is the component of information security concerning the risks related to computer use. This includes techniques (tools, processes, policies, etc.) for ensuring that the data stored in a computer cannot be read or compromised by unauthorized individuals.


What are the recommendations for creating strong passwords?
  1. Minimum Requirements
    1. Be at least six characters in length,
    2. Contain only alphanumeric characters and the underscore, and
    3. Not contain any other punctuation or spaces.
  2. Recommendations for additional security
    1. Be at least 8 characters in length (additional characters produce even stronger passwords).
    2. Not contain your username, real name, or company name (OWU, Bishops, etc.).
    3. Not contain a complete word.
    4. Be significantly different from previous passwords.
    5. Contain characters from each of the following: uppercase, lowercase, numbers.
    6. Avoid using your OWU password on non-OWU sites. For example, your OWU password should be different from your social media, financial, shopping, or other external account passwords.
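
The rules above expressed as a checker, as an added example (not OWU's own code). The function name, the small word list, and the 0.6 similarity threshold for "significantly different" are assumptions made for illustration.

```python
import re
from difflib import SequenceMatcher

# Constructed sample word list; a real check would load a full dictionary.
SAMPLE_WORDS = {"password", "welcome", "bishop", "summer", "dragon"}
ORG_NAMES = ("owu", "bishops")  # the examples the page itself names


def check_password(pw, username, real_name, previous=()):
    """Return (meets_minimum, warnings) for the rules listed above."""
    # Minimum requirements: >= 6 chars, only letters, digits and underscore.
    meets_minimum = re.fullmatch(r"[A-Za-z0-9_]{6,}", pw) is not None

    warnings = []
    low = pw.lower()
    if len(pw) < 8:
        warnings.append("shorter than 8 characters")
    personal = [username] + real_name.split() + list(ORG_NAMES)
    if any(p and p.lower() in low for p in personal):
        warnings.append("contains username, real name, or organization name")
    if any(w in low for w in SAMPLE_WORDS):
        warnings.append("contains a complete word")
    if not (re.search(r"[A-Z]", pw) and re.search(r"[a-z]", pw)
            and re.search(r"[0-9]", pw)):
        warnings.append("missing uppercase, lowercase, or number")
    # "Significantly different" is not quantified on the page; a similarity
    # ratio above 0.6 is an assumed threshold. Old passwords are assumed to
    # be supplied at change time, not read from storage.
    if any(SequenceMatcher(None, low, old.lower()).ratio() > 0.6
           for old in previous):
        warnings.append("too similar to a previous password")
    return meets_minimum, warnings
```
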


How often should I change my password?

Many security policies recommend changing your password to a new unique password every 90 days. It is also recommended that you not reuse old passwords for at least 1 year. If you are handling data covered under PCI, HIPAA, or GLBA, you must follow the recommendation to be in compliance.


What is two-step verification?

Two-step verification is a security control in which a user is required to provide two forms of identification in order to access a secure resource. It is much more secure than single-factor authentication (username and password only) because stealing a victim’s password would not be enough for an attacker to access their information. Not all sites require or allow two-step verification, but users are encouraged to enable it whenever the information requires additional protection. OWU email supports two-step verification; see https://www.google.com/landing/2step/ for more information. Information Services strongly recommends enabling this feature on email to better protect your account from phishing scams and other malicious activity.


What are phishing attempts and how can I detect and avoid them?

Phishing scams are fraudulent email, phone, or text messages that appear to come from legitimate institutions or a person you know. Phishing scams often include links to a spoofed website or otherwise entice you to divulge private information (user credentials, account information, security codes, SSN, etc.). They are sometimes designed to create a sense of urgency or panic in the victim, such as strong warnings that your account is over quota or at risk of being closed if you do not act quickly. Phishing scams vary widely in their objective, quality, and complexity.

To avoid phishing:

  1. Be wary of unsolicited emails, calls, or text messages, even if the message appears to be from a legitimate source.
  2. Never email or text personal or financial information.
  3. Remain skeptical of hyperlinks found in emails. While the link may look legitimate, it may direct you to a fraudulent or insecure page. If you are unsure about a link, you may right-click the link and choose “Copy Link Address”, then paste the link into a text editor to view the full URL. Whenever possible, avoid hyperlinks in emails and go to the site by manually typing the correct provider’s website address in a new browser session.
  4. Sophisticated phishing attempts often include a hacked clone or copy of a legitimate site with what appears to be the correct layout, fonts, colors, and graphics. The key signal to watch is the address bar in the web browser. While the site content can be replicated to look the same, the domain name in the URL cannot.
  5. If you have any doubt, avoid the link and report the email to Information Services (helpdesk@owu.edu) for review.
  6. Phishing scam emails often utilize a forged sender address (email spoofing). Do not trust messages simply because you recognize the sender in the “from:” address.
  7. Enable two-factor authentication on your OWU email account.

 

 


What is a virus?

Computer viruses are software programs that are designed to spread from one computer to another and to interfere with computer operation. Computer viruses are often spread by email attachments and hidden in illicit software or other files or programs downloaded from the internet.


Do I have a virus?

Common symptoms include a slowly running computer, unexpected messages or programs starting automatically, and an unexplained increase in hard disk or network activity. To check for viruses, scan your computer with Sophos using current virus signatures.


What anti-virus software does OWU require or recommend?

Campus-owned systems utilize Sophos Endpoint Security and Control deployed through the Sophos Cloud – Enterprise Management Console. Home users and personal devices can take advantage of Sophos’s free anti-virus for Windows, PC, and Mac systems: https://www.sophos.com/en-us/products/free-tools.aspx


Do I need to install system updates?

Yes. Regardless of your operating system (Windows, Mac, Linux, etc.), regular functional enhancements and security patches are published by the developer to provide new features and close known security vulnerabilities. If you do not apply system updates, your system will remain at risk from vulnerabilities that are publicly known to the user community as well as to hackers and malware that use those known vulnerabilities to attack or infect your computer.


What are the differences between the “wares” (spyware, malware, adware, freeware, shareware)?
  • Spyware – Software that is installed surreptitiously and collects and reports information about an internet user’s browsing habits or intercepts the transmission of personal data or other information to a third party.
  • Malware – Software that is intended to damage a computer or take control of its operation.
  • Adware – Software that displays advertisements and is integrated into another program offered as a free service or very low cost.
  • Freeware – Software distributed without charge and for which source code is not available. Freeware may have restrictions on redistribution or commercial use. Examples include Adobe Reader and Google’s Chrome Browser.
  • Shareware – Software distributed without initial charge. Shareware is intended to generate revenue after being installed through support, commercial licenses, or expanded features.
  • Open-source – Software distributed without a charge, including source code, made available with a license entitling the community of users to study, change and distribute the software. Some open-source software is monetized through support and professional services. Red Hat Enterprise Linux is one such example.


What is HIPAA?

HIPAA is the federal Health Insurance Portability and Accountability Act passed by Congress in 1996. The law provides protection of individually identifiable health information and sets national standards for the security of electronic protected health information. For more information about HIPAA privacy, security, and breach notification rules, visit www.hhs.gov and search HIPAA.


What is FERPA?

FERPA is the Family Educational Rights and Privacy Act passed by Congress in 1974. The law aims to protect the privacy of student education records. FERPA applies to all schools that receive funds under applicable U.S. Department of Education programs. For more information about FERPA requirements, visit the Family Policy Compliance Office website familypolicy.ed.gov or the U.S. Department of Education website www.ed.gov.


What should I do with my old computer or Hard Drive(s)?

If your computer hard disk contains personal information, it is important that the disk be permanently destroyed and the information actively destroyed, not just deleted. OWU Information Services recommends Disk Wipe (www.diskwipe.org), which first formats the disk and then overwrites the volume with useless random binary data multiple times. OWU Information Services can perform this service on your behalf (at no cost) if you open a support ticket with helpdesk@owu.edu.


What should I do if my computer, tablet, or smartphone is lost or stolen?

If you suspect your computer was stolen, first contact OWU Public Safety or local law enforcement to report the theft. Second, if your computer was lost or stolen, notify your immediate supervisor and OWU Information Services. An investigation will be necessary to determine if a data security breach occurred and whether any applicable notification processes are required.


What should I do if I suspect confidential information has been exposed or breached?

Notify your immediate supervisor and OWU Information Services. An investigation will be necessary to determine if a data security breach occurred and whether any applicable notification processes are required.


What is a VPN?

A Virtual Private Network extends a private network (OWU Network) across a public network (the internet). It allows remote users on insecure or public networks to send and receive data on the private network using a secure connection. Shared drives, Intranet sites and other resources only available on the private network are extended to the public network when securely connected through the VPN.
