1. Information Communicated Orally
- Make it a practice not to discuss confidential information outside of the workplace or with anyone who does not have a specific need to know it.
- Be aware of the potential for others to overhear communications about sensitive information in offices, on telephones, and in public places like elevators, restaurants, and sidewalks.
Documents that include confidential information need to be secured during printing, transmission (including by fax), storage, and disposal.
- Do not leave paper documents containing sensitive information unattended; protect them from the view of passers-by or office visitors.
- Store paper documents containing sensitive information in locked files.
- Do not leave the keys to file drawers containing confidential information in unlocked desk drawers or other areas accessible to unauthorized personnel.
- Store paper documents that contain information that is critical to the conduct of University business in fireproof file cabinets. Keep copies in an alternate location.
- Shred confidential paper documents that are no longer needed, and secure such documents until shredding occurs. If a shredding service is employed, ensure that the service provider has clearly defined procedures in the contractual agreement that protects discarded information, and that the provider is legally accountable for those procedures, with penalties in place for breach of contract.
- Make arrangements to immediately retrieve or secure sensitive documents that are printed on copy machines, fax machines, and printers.
- Double-check fax messages containing confidential information:
- Recheck the recipient’s number before you hit ‘start.’
- Verify the security arrangements for a fax’s receipt prior to sending.
- Verify that you are the intended recipient of faxes received on your machine.
3. Information Stored Electronically
All employees and users of networked computing devices on UConn’s network have a role in protecting the University’s information assets because their machines provide potential gateways to private information stored elsewhere on the network. Therefore, whether or not you deal directly with sensitive or confidential University information, you should take the following steps to reduce risk to UConn’s information assets.
3.1 Educating Yourself
- Read UConn’s IT Security Policies, and understand their implications for the information for which you are responsible.
- Know who your Department Technical Administrator is and what s/he can do for you.
- Immediately advise your Technical Administrator of any suspicious activity on your computer or a suspected information system security compromise. They will report the event to the Help Desk or to the Information Security Office for follow-up action.
- Be mindful of how you are sharing or transmitting sensitive information across the network.
3.2 Protecting E-Mail
- Understand that e-mail is not secure; it can be forged, and it does not afford privacy.
- Do not open unexpected e-mail attachments, and do not download documents or software from unknown parties.
- Clear e-mail boxes of old messages on a regular basis by deleting unnecessary messages or archiving needed ones. Be sure to back up important email on a regular basis and secure the back-ups with encryption, passwords, or if in a physical form, in a locked desk or area.
- Take precautions not to send anything by e-mail that you wouldn’t want disclosed to unknown parties. Recipients have been known to distribute information to unauthorized recipients or store it on unsecured machines, and viruses have been known to distribute archived e-mail messages to unintended recipients.
3.3 Restricting Access to Information on Your Desktop
- Orient your computer screen away from the view of people passing by.
- Turn off your desktop computer at the end of the workday, unless automatic updates, backup processing, and/or various other maintenance operations are scheduled during off-hours.
- Use a password-protected screen saver on your desktop computer and configure it to display after a reasonable period of non-use (10 minutes is recommended).
- Use security devices to lock down computers that are in public or otherwise unsecured spaces.
- Sanitize the hard drives of computers that you declare surplus and of those that are going out of service for other reasons to ensure that data is removed and not recoverable (see Procedures for Removing (Wiping) Data from a Computer Prior to Re-Deployment, Surplus or Disposal. Deleting files, moving files to “trash,” and emptying the “trash” file is insufficient because the files can still be recovered.
- Ensure that functions that enable data sharing on an individual workstation are either turned off or set to allow access only to authorized personnel.
3.4 Protecting Passwords
- Adhere to UConn’s Password Policy.
- Employ passwords that are easy for you to remember but impossible for someone else to guess
- Secure your passwords, and restrict access to them. Passwords written on a post-it in a work area, placed under a keyboard, or stored in an unlocked desk drawer are not safe from unauthorized access.
- Never share your passwords or accounts.
- Change your passwords at least every 6 months. The more sensitive the information being protected, the more frequently you should change your passwords.
3.5 Safeguarding the Integrity of Information
- Apply system updates for your desktop systems and department servers’ operating systems and their integrated network services (e.g., e-mail and web browsers) in a timely manner.
- Keep local applications updated and patched. Ensure that your computer is configured to automatically download and install the latest patches.
- Install a personal firewall and keep it set to automatically or regularly download and install updates.
- Store all confidential data on a centrally managed server and not on individual workstations or laptops whenever possible.
- Do not place any sensitive information in an unsecured online location.
- Secure local servers in a locked room and limit the access to the room to system administrators only.
- Ensure that remote access (from off campus) connections are done securely using SSH or VPN.