Information security controls are not effective unless they’re combined with users who know their responsibility to protect information privacy and confidentiality, take the recommended precautions seriously, and don’t attempt to “get around” the rules of good security practices.  Here are some examples of good and bad practices:

Accounts and Passwords

| Do | Don't |
| --- | --- |
| Choose a password that can’t be guessed – e.g., an acronym for a simple phrase with numbers randomly inserted works well | Let anyone else log in with your account and password |
| Change your password 2-4 times per year | Share your password with anyone (NEVER give out your password over the phone, not even to the Help Desk!) |
| Log off when you leave for the day | Write your password down & stick it under your keyboard or mouse-pad, on your monitor, or in your pencil drawer |
| Use desktop locking during the day, e.g., a screen saver with password, or a lock workstation function. See Best Practices web page (url below) for instructions. | “Save this Password” in your browser (Anyone with access to your workstation could impersonate you.) |
| Change your password if you think someone may have learned (seen, heard) it | Look up sensitive information for others who are not authorized |


E-mail Security

| Do | Don't |
| --- | --- |
| Install and use anti-virus software, and keep it updated (daily or weekly) | Open (click on) attachments or links sent to you from unknown sources |
| Make sure the text of a note references the attachment and its purpose before opening it, and you know or have verified the sender | Keep old e-mail messages forever |
| Consider e-mail a “postcard”… it is NOT private unless encrypted (scrambled) | Send ids & passwords or other sensitive data in an email message |
| Report obscene e-mail messages, and any messages that ask you for personal information | Send harassing, threatening, abusive, insulting or offensive messages |
| Delete all unsolicited advertising e-mail without replying to it. (Instructions to “remove you” will often backfire!) | Send personal information, e.g., your name, account numbers, address, phone, or pictures of yourself to anyone you do not know personally |


Physical Security

| Do | Don't |
| --- | --- |
| Question or report strangers in your area to your supervisor or to building security (…Can I help you?) | Leave confidential documents out on your desk, or on a shared printer |
| Lock your workstation, keyboard when you leave work for the day | Store backups in an unlocked place |
| Make backup copies of important documents and files on your workstation | Let others borrow your keys or University ID card to get into a secured area, or follow you into a secured area without ID |


Handling Sensitive Information

| Do | Don't |
| --- | --- |
| Share files with authorized personnel only | Gossip or share with others sensitive information you have access to |
| Obtain permission for secondary use of data (Uses other than originally approved) | Look up confidential information for co-workers who do not have the access without supervisor approval |
| Remove all confidential or sensitive data from your workstation before it leaves your control (To go to surplus or as a dept hand-me-down) | Store your confidential files on public or unsecured network file servers |
| Protect saved or printed reports that represent sensitive or confidential data | Throw confidential reports in the trash without shredding them first |


Copyright, Fair Use and Piracy

| Do | Don't |
| --- | --- |
| Use excerpts with appropriate attribution (“fair use”) | Use your co-worker’s computer disks to install software programs unless you have a license |
| Install and use the software licensed for everyone at the University (“site-licensed”) | Copy or share “free” music or video files that you would reasonably expect to pay for (e.g., feature films, music CD’s, e-books) |
| Install and use software purchased by your department for your use | Copy software to take home with you |


For more information:
Information Technology Security Best Practices http:/  
University IT Policy and Procedure
ITS Help Desk