
Basic Security Information for students at Halmstad University

Halmstad University www.hh.se


Contents

• Basic Security Information
• Definition: Information Security and IT Security
• Responsibilities within Halmstad University
• Obligations
• General advice
• Computers
• Borrowed computers
• USB flash drives, etc.
• Telephones etc.
• Public Wireless Networks
• Passwords
• E-mail
• Internet
• Fraud via websites or e-mail
• Publishing on the Internet
• Report suspected information security incidents
• Actions and Monitoring
• Link tips


Basic Security Information

Information security is required for all forms of information: not only information held in IT systems and in contracts but also, for example, information that is exchanged in telephone calls or when speaking face-to-face. Information is important in different ways, and therefore needs to be handled differently. For example, we do not normally discuss something we have read in the newspaper in the same way as something a friend has told us in confidence.

As a public authority, the University is subject to certain requirements. For example, the University must:

• Process information in a clear, accurate, safe and appropriate manner.
• Be able to deliver and obtain the correct information at the right time.
• Achieve and maintain good information security.

Therefore, the University takes the view that staff and students should only have access to the information and IT systems they require to accomplish their work.

Definition: Information Security and IT Security

Information Security: The security of information to help maintain the required confidentiality, integrity and availability of the content. The concept includes both IT security and security within administrative procedures.

IT security: The safety of computer systems to prevent unauthorised access and unauthorised or unintentional/accidental alteration or disturbance in data processing or in computer and telecommunications. IT security at Halmstad University also aims to protect and safeguard the privacy of both students and employees.

Responsibilities within Halmstad University

The University’s IT department is responsible for maintaining reliable basic IT security. Responsibility for IT security within an IT system lies with the system owner, and IT security is handled by the service provider. All IT users connected to the University’s network are themselves responsible for the information security of the matters they work with. According to the Information Security Policy for Halmstad University (reg. 10-2010-2654), it is the IT manager who has the overall information security responsibility at Halmstad University.



Obligations

All those dealing with information within the University shall:

• Have basic knowledge regarding information security.
• Make sure that information is handled properly.
• Report errors and deficiencies concerning the University’s information security work to the information security manager (see also section: report suspected information security incidents below).
• Express needs for information and education to the system administrator/information security manager.

General advice

Do not open locked doors for unauthorized persons. Ask them the purpose of their visit. Think about what you say when speaking on the telephone. People may ask you for information they are not entitled to.

Computers

Remember to save your work during the day. The standard setting in Word is that the document is saved automatically every 10 minutes. Always save on H: when at the University. If you are at home and want to save your document on the University server, use myfiles.hh.se. The IT department does a back-up every night, so documents can be recovered if deleted accidentally, or if files are damaged in any way. If you save a document directly on your desktop or on C:, the document is only to be found on that particular computer. If problems arise with computers in the computer rooms, they can be reinstalled without warning (when no one is using them). You should always log out of a Halmstad University computer when leaving a computer room. Always keep your own personal computer up-to-date concerning security and software.

Wireless network at home

If you have a wireless network at home, the risk of intrusion into your computer is greater than when using a wired network. For example, it is possible for someone to obtain the information you send and receive or gain access to information saved on your computer. Your computer can also be taken over and used for e.g. storing illegal material or distributing mass e-mails (spam). It is, therefore, important to set up the network correctly, making sure you have as much security as possible. Turn on your wireless router’s encryption feature, change the username and password to the router and turn off the possibility to change settings remotely. You should also rename the network and turn off the broadcast of the network’s name.



Borrowed computers

If you borrow equipment (e.g. use a computer at an internet café or in a hotel lobby), you do not know what programmes are installed on the computer. There may be software (with or without the computer owner's knowledge) that stores all work you do, login information, payment information (if you buy something) or a record of all pages you visit. Therefore, you should always be careful when using such computers.

USB flash drives, etc.

USB flash drives, CD/DVDs, etc. are easy to use to store and make extra copies of documents. However, they are easy to lose and sometimes become worn, making documents unreadable. Therefore, you should never have just the one copy. You should also delete obsolete versions of files stored on your USB drive, partly so as not to confuse yourself and partly to reduce the risk of somebody else reading a half-finished version of the document.

USB sticks can easily be used for spreading viruses and other unwanted programmes. Therefore, do not use USB flash drives that you have received from unknown sources, e.g. for promotional purposes. You also need to be cautious about using your USB stick in shared computers outside the University.

Telephones etc.

Smartphones, such as iPhone and Android phones, are more than just telephones – they are small computers. Therefore, they need to be treated as computers. Make sure you keep your phone software up-to-date, make back-ups on a regular basis, preferably use encrypted wireless networks (see also sections on public wireless networks and wireless communications below) and activate password protection on the phone. This is especially important if you log in to a wireless network and/or websites automatically. This also applies to tablet computers such as the iPad.

Public Wireless Networks

Public wireless networks are found in many public places and are used to connect, for example, a computer to the Internet. However, there are risks in using such networks, e.g. unauthorised interception or alteration of the information being transmitted. You may also experience a nearby network that interferes with the traffic in the network you are using. Reduce risks by keeping the wireless network connection off when not in use. Disable automatic connections to networks you seldom use. Only use a wireless network that is provided by someone you know and trust. If you are unsure which network to use, ask somebody who knows.



General advice when using wireless communications

This advice applies when communicating via mobile broadband, a public or private wireless local network or Bluetooth. Be aware. Make an assessment of how sensitive your information is. Assess the risks involved and how serious the consequences are if your information is lost, distorted or intercepted. Consider just how you can protect yourself. Reduce the risk of interception by using a connection that is encrypted. This is especially important when dealing with information that is, or may be perceived as, sensitive, such as personal data, credit card numbers, log-in details and suchlike. The link to the website is encrypted if https:// is at the beginning of the address.

Passwords

Passwords are personal and should be kept secret. Never give out your password, either to friends, family or other “trusted sources”. You should change your password every 3 months. This reduces the chances of someone gaining access to your work material, data or e-mail account for malicious activity. A password should consist of at least eight characters, with a combination of upper-case and lower-case letters, special characters and numbers. It should not be the same as your user name or contain simple combinations such as qwerty or abc 123. Do not use the same user name and password in different places. Change your password if you suspect someone else is aware of it. University network passwords are changed in the Help-Desk System (www.hh.se/helpdesk). Do not write down your password where it can easily be seen by others. A password ought to be easy to remember but difficult to guess and should not be traceable back to the user.
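The composition rules in this section, written as a check that lists which rules a candidate password breaks. This is an added example, not part of the University's brochure or its Help-Desk System; the function name and the extra entries in the simple-combination list are assumptions.

```python
import string

# "qwerty" and "abc 123" come from the text above; the other entries are
# assumptions added for illustration.
SIMPLE_COMBINATIONS = ("qwerty", "abc123", "123456", "password")


def password_problems(password, username):
    """Return the rules from this section that `password` breaks (empty = none)."""
    problems = []
    if len(password) < 8:
        problems.append("shorter than eight characters")
    classes = {
        "an upper-case letter": any(c.isupper() for c in password),
        "a lower-case letter": any(c.islower() for c in password),
        "a number": any(c.isdigit() for c in password),
        "a special character": any(c in string.punctuation for c in password),
    }
    problems += ["missing " + name for name, present in classes.items() if not present]
    # Compare in lower case and without spaces, so "Abc 123" and "QWERTY"
    # are caught as well as the exact spellings in the list.
    folded = "".join(password.lower().split())
    if folded == username.lower():
        problems.append("same as the user name")
    if any(simple in folded for simple in SIMPLE_COMBINATIONS):
        problems.append("contains a simple combination")
    return problems


if __name__ == "__main__":
    # Constructed sample passwords and user name.
    for candidate in ("anna", "Qwerty 1!", "Blue-Tram-42-heron"):
        print(repr(candidate), "->", password_problems(candidate, "Anna") or "ok")
```

A password that passes these checks can still be a poor one if it is reused elsewhere or can be traced back to you, which the rules above also warn against.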

E-mail

E-mail is a simple tool for spreading information, both by you and by others. Some tips that will help the recipient of your e-mail:

• Always state clearly the subject of the message, allowing the recipient to see what he/she can expect the mail to contain.
• Do not write sensitive information in the subject line.
• Write short letters.
• Be selective when using large groups of addresses (bulk) and when sending/forwarding messages containing large files.
• Do not send or forward chain letters.



When sending e-mails to many recipients, always type your name in the To line and enter the recipients in the Bcc line. This is especially important when sending messages to groups where not everyone is prepared to let others see their e-mail address or who the other recipients of the message are.

The content of regular e-mail is as easy to access as the content of a normal postcard, for someone who has the right equipment. E-mail is also a simple and inexpensive method for spreading harmful software or attempting to obtain sensitive information such as bank account numbers. Sender addresses are easy to fake, so just because you recognise the sender’s name, it does not imply that the content of the message is safe. This also applies to reply messages, which might not be sent to where you think. Offers that appear to be too good to be true normally are. Never open or reply to spam. You might get more than you bargained for.

Internet

Everything you do online is logged, both in your computer and on the sites you visit. If you use a computer from Halmstad University, the website's logs show where the visit was made from. Therefore, use your judgement when surfing so as not to harm the University’s reputation. Surfing on websites with illegal, unethical or inappropriate content is not permitted from the University’s computers, unless work, research or studies specifically require visits to such sites.

Fraud via websites or e-mail

There are various forms of fraud that are prevalent on the Internet. However, mainly through common sense, it is possible to protect yourself. To begin with: be sceptical. Generally, if something appears to be too good to be true, it usually is. So if you are the slightest bit suspicious, personally contact the company or companies offering their services.

Think twice before giving out information about yourself, such as names, addresses, financial information or social security numbers, on the Internet. If a site requires such information from you, you should question it and be aware, especially if it is not clear how the data will be used. Do not reply to e-mails or use links to websites in messages where you have been asked to divulge personal or financial information. Remember, reliable companies and organisations never request such sensitive information (e.g. bank account details or personal information) via e-mail, websites or telephone. Neither do they send out unordered programme updates by e-mail.

Do not add people you do not know to contact or friend lists in instant messaging or on Facebook. Never download programmes or files if you do not trust the sender and recognise the file types. Remember that the sender, in both e-mail and live chat, can be fake. Be sceptical of programmes/software that come via e-mail or are offered on live chat. Do not click on pop-up windows where you are asked to download files from a website if you are not downloading a file.

There are websites specially designed to deceive users in order to obtain sensitive or personal information. An easy way to mislead Internet users is to create a similar website with an address rather like the original one. If in doubt, check the URL of the page. Modern browsers often display the domain name more clearly. If the name is not exactly what you expected, leave the site and enter the desired address again. Fraudsters often send out e-mails to lure users to visit these sites. These messages often contain language that urges you to respond promptly. Even intimidation tactics are sometimes used.
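The advice to check that the name in the address is exactly what you expected can be made concrete by extracting the host a link really leads to and comparing it with the expected one. This is an added example, not part of the brochure; the function name and the sample links are constructed, and example.net is a reserved documentation domain.

```python
from urllib.parse import urlsplit


def check_link(url, expected_host):
    """Return (matches, real_host, note) for a link and the host you expected."""
    expected = expected_host.lower().rstrip(".")
    parts = urlsplit(url.strip())
    # .hostname drops any "user@" prefix and port, and lower-cases the name.
    host = (parts.hostname or "").rstrip(".")
    if not host:
        return (False, "", "no host name found in the link")
    if host == expected:
        return (True, host, "exact match")
    if parts.username is not None:
        # Everything before "@" is login data, not the site's address.
        return (False, host, "text before '@' is not the site's address")
    if expected in host:
        return (False, host, "expected name is only part of a longer name")
    return (False, host, "different name")


# Constructed sample links that all look like the helpdesk address at a glance.
SAMPLES = [
    "https://www.hh.se/helpdesk",
    "https://www.hh.se@login.example.net/helpdesk",
    "https://www.hh.se.example.net/helpdesk",
    "https://www.hh-se.example.net/helpdesk",
]

if __name__ == "__main__":
    for link in SAMPLES:
        print(link, "->", check_link(link, "www.hh.se"))
```

Only the first sample leads to www.hh.se; the other three show why the comparison has to be on the whole host name rather than on whether the expected name appears somewhere in the address.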

Publishing on the Internet

If you post information on the Internet (comments regarding newspaper articles or in blogs, e.g. Facebook or YouTube), you should assume that what you write will never disappear. Do not write comments that may be considered offensive. Do not give out sensitive personal information.

Computer viruses and other malicious software

Viruses, worms and Trojans are best described as applications or application sequences whose function is to penetrate other programmes to cause damage. They are easily spread, although it can be difficult to know just where they come from. Free software, game software and files downloaded from the Internet, or attachments to e-mails or instant messages, are the most common modes of transmission. Halmstad University has good software for virus control and the network is continuously checked. Even USB flash drives that are used on the University’s computers and downloaded files are checked.



Do not open attachments or click on links in your e-mail if you do not know what they contain. Certain viruses look for and use e-mail addresses as a way of spreading, and even messages from senders you know may contain a virus. Some viruses can spread via the preview or image in your e-mail programme. Signs of viruses in the system may be:

• The computer does things you have not asked for (however, the IT department can sometimes connect to computers to install software).
• A noise or a greeting appears on the screen.
• The computer behaves abnormally, e.g. works very slowly, often crashes or cannot start.

If you suspect that a University computer you are working with contains a virus, unplug the computer's network cord, leave the computer switched on and, from a different computer, inform helpdesk.hh.se, describing which computer it is and what the problem is.

Report suspected information security incidents

All employees and students have a responsibility for their own information. If you discover a serious or continuous information security incident, you need to report it according to the guidelines given (ref. 10-2011-1298).

IT-security incidents, e.g. a suspected virus or a stolen computer, are to be reported to helpdesk.hh.se.

Information security incidents, e.g. lost or found paper(s) containing sensitive content, unauthorised access to IT system(s) or files, unauthorised persons on the premises or violations of policies and procedures regarding information, also need to be reported to helpdesk.hh.se.

Actions and Monitoring

The IT Department has the right, without giving advance notice and for the purpose of continuous maintenance management, to intercept net traffic through technical measures in the network and system. In cases where a user is suspected of some unlawful infringement of the regulations, the above rights can be extended to include the user’s stored data. The IT Department has the right, in cases of disruption to net operations, security risks or other suspected infringements or improprieties, to temporarily suspend access to individual or collective IT resources.



Repeated or serious breaches of these regulations can lead to suspension from the use of computer resources and / or being reported to the student / staff disciplinary committee. Suspected legal infringements can be reported to the police.

Link tips

• Helpdesk: www.hh.se/helpdesk
• 20-minute interactive training in information security (in Swedish): https://msb.se/disa
• Learn more about passwords at the PTS web service Testa lösenord: https://www.testalosenord.pts.se/english.php
• European Network and Information Security Agency: http://www.enisa.europa.eu/


HALMSTAD UNIVERSITY P O Box 823 • SE-301 18 Halmstad • Visiting address: Kristian IV:s väg 3 Tel. +46 35 16 71 00 • e-mail: registrator@hh.se • www.hh.se

Information Department, Halmstad University • April 2012.
