End User Self-Managed Campus Computers: Your Responsibilities


This “Check List” is intended primarily for UI-owned, self-managed workstations or devices, but also applies to personal devices used at the university. Use it to assess your information security and to identify areas you can improve. The more items you complete, the lower the institutional and personal risk.

***Work with your local IT support person if you need any clarification or assistance.***
 

Sensitive/Protected Data

  • I know what restricted (Level III) and protected (Level II) data are.
  • I store high sensitivity/restricted (University Level III) information on a secure department file server (or within university web applications), instead of locally on my workstation, laptop, tablet, or other mobile device.
  • If I use a laptop, tablet, or other mobile device, I work with my local IT support staff to implement full disk encryption on the device.
  • I always use secure end-to-end network encryption (e.g., “https” for web sites, “sftp” for file transfers) when communicating any sensitive information.
  • I know which files contain restricted (University Level III) information, and where those files are stored.
  • I regularly run the Identity Finder software program on my desktop/laptop to ensure it doesn’t locally store any Social Security numbers, credit card numbers, or passwords.
  • If Identity Finder flags files with Level III data, I promptly delete, edit, or move them to a secure file server location.
  • I do not share restricted or protected institutional data without appropriate authorization from the business owner for that data.
     

Computer/System Security Requirements

  • I keep my operating system and application software patches up-to-date.
  • I regularly (at least monthly) check my programs for out-of-date software and update them accordingly.
  • I have anti-virus software installed, set to automatically update and scan my system regularly.
  • I use complex passwords (University Password Policy) to protect my computer(s), devices, & applications and never share them with anyone.
  • I use central IT services (SCCM/Casper) to manage and protect my encryption keys (key escrow).
  • All of my important information is stored on my home (H:) or on my department shared (L:, S: etc.) drive space, which is backed up.
  • I have discussed with my supervisor and completed the training requirements related to my position. Examples of training include FERPA, HIPAA, or Security Awareness.
  • I have my firewall configured and activated on my device(s).
  • I do not use an account with elevated access (i.e., an Administrator account) for my day-to-day work.
  • I consult with my IT Support staff or HelpDesk before purchasing or using any cloud based application.
  • I ensure that I have appropriate licenses for all software and applications installed and running on my machine(s).
     

Work Area Security

  • I make sure my computer’s screen is password locked while I am away from the device.
  • I physically secure restricted information on all media (e.g., paper, electronic, including external storage drives and DVDs), storing them in a locked desk drawer or file cabinet.
  • I never reply with personal information requested in an e-mail, and I never click on suspicious links in an e-mail.
  • I know to check with my local IT Support or call the Help Desk (4-HELP) if I have doubts about the legitimacy of any requests for information.
  • I question anyone who requests my personal information, and verify that they have the authority to make the request.
     

Responding to Incidents

  • If I suspect I have a security issue with my computer, I contact the Information Security and Policy Office (5-6332) immediately, before I do anything else on my computer.
  • If I have a problem with my HawkID, I contact my local IT support or the Help Desk (4-HELP).
     

If you interact with a computer, computer security is important to you.

  1. Ensure that the integrity, confidentiality, and availability of data are maintained at an appropriate level at all times. Computer security is an ongoing process, not a one-time effort.
  2. Don’t reinvent the wheel or stress over how to implement security controls. Capitalize on services provided to you by the University that will save you time, and that will very likely provide you with a higher level of security.
  3. Where possible, engage your local IT support staff about services, software, and resources that are available to you.
  4. Take the time to review and follow IT policy, which governs all personal and self-managed devices, in addition to university-owned devices, connecting to the campus network. Policy is developed to protect you and the University community from harm (such as loss, damage, or exposure of data), as well as to achieve compliance with federal and state regulations.
  5. See http://itsecurity.uiowa.edu/university-it-policy for a complete list of University IT policies.

 

Resources for more information
Enterprise Services

  1. Identity Finder - Identity Finder helps you find restricted information stored on your computer. Identity theft can occur when personal information, such as Social Security numbers and credit card numbers, falls into the wrong hands. For more information on the application and how to install and run it, visit: http://its.uiowa.edu/identity/
  2. UI Anywhere - If you are working from home accessing and using institutional data on campus systems, do so via the University’s VPN service (UI Anywhere). Instructions on how to install and use the application to securely access UI campus resources can be found here: http://its.uiowa.edu/vpn

Sensitive/Protected Data:

Institutional Data Access Policy
Data Classification Guidelines
Encryption Resources
Cloud Computing Resources
Procedures for handling a computer system compromise incident
Work Place Best Practices