Many university employees collect, manage, and handle Highly Restricted and Restricted data in the course of performing their duties. Sensitive information can take many forms including employees’ personal data, students’ academic records, financial records, health records, and other personally identifiable information.
The safety of your personal and university information is a shared responsibility.
Please review the Do’s and Don’ts of information security practices at UCF:
Data Security Safeguards
- DO follow university’s data classification and protection policy 4-008.
- Read the Data Classification and Protection Policy for more information.
- Handling Restricted data
- DO NOT copy or download Highly Restricted data (e.g., Social Security Numbers (SSN), credit card numbers, electronic health records, or other personally identifiable information protected by law, contract or regulation, such as HIPAA, PCI, etc.) from the University’s administrative systems to your PC, laptop, smartphone, public web server, personal cloud system, or any portable storage device. Storage of personal restricted data on PCs, portable devices, personal cloud systems (e.g., Dropbox, etc.) is strictly prohibited.
- DO leave Highly Restricted data on enterprise systems or on UCF secure servers. Restricted data, such as university business sensitive information, grade books, etc., can be stored on university provided equipment and university provided cloud storage systems, such as Office 365 when it becomes available.
- DO NOT store Highly Restricted data at home or on remote third-party/cloud storage system not sanctioned by the university.
- DO use the university provided email systems, such as Exchange, to communicate Restricted data.
- DO NOT send Highly Restricted data without encryption using any protocol, including email. Email messages can be intercepted by third parties or mistakenly sent to the wrong addresses.
- DO make frequent backups of your critical data that you do not want to lose
- DO protect Highly Restricted data in printed form. Store Highly Restricted data in a secure cabinet.
- DO shred/cross shred Highly Restricted data that needs to be disposed of.
- DO NOT leave Highly Restricted data in printed form (hard copy) lying around, unattended on copiers, fax machines, or printers.
- DO download only the data-sets you need, such as only email addresses for communicating with students.
- DO NOT download data-sets not intended for the immediate task at hand.
- DO NOT share Highly Restricted data with individuals who are not authorized to view it.
Email Security Safeguards
- DO double check each email prior to sending it to ensure no unintended email addresses are added in the “TO:” field and no Highly Restricted data is attached.
- DO NOT hastily send emails without reviewing the content or attachment for Highly Restricted data, and unintended email addressees.
- DO follow the UCF and Florida Public Records Law email retention policy. Most email must be retained for seven years.
- DO leave your UCF business emails on a UCF sanctioned secure email system, such as UCF Exchange, Knights email, Webcourses, etc.
- DO NOT forward your UCF business email to a third party external email system, such as Gmail, Hotmail, AOL mail, Yahoo mail, or any other third party email system. Such action could potentially expose Highly Restricted or Restricted data and your personal email inbox may be subject to Florida’s Public Records Laws.
- DO look closely at links embedded in an email by hovering your pointer over it, and cut and paste a link from the email into your web browser. Scammers can make links look as though they go to a safe site, but will actually send you to a harmful website.
- DO report phishing scams, or any suspicious email, to the UCF Security Incident Response Team (SIRT@ucf.edu.) Please send suspected emails as an attachment.
- DO NOT click on links in an email message
- DO NOT open file attachments from an unsolicited email
- DO confirm the source by contacting the sender before opening email attachments
Secure Computing Safeguards
- DO secure your workstation (lock or log off of your session) every time you leave your desk
- DO NOT leave a logged on workstation unattended
- DO NOT use a computer without having up-to-date antimalware software running on it
- DO NOT dispose or transfer ownership of devices without making sure it is properly erased
- DO use antimalware software and update it frequently to keep malicious programs off of your computer
- DO NOT use wireless technologies for transmitting Highly Restricted or Restricted data without making certain end-to-end encryption is enabled (e.g., VPN, TLS, etc.), regardless of whether or not wireless encryption is used
- DO run the most up-to-date versions of your web browser, browser plug-ins (e.g. Adobe Flash, Java), email software, and other programs
- Internet Browser Security
- DO NOT install Peer-to-Peer (P2P) file sharing programs, such as BitTorrent, to share copyrighted files
- DO NOT download programs, documents, applets, and or images from unreliable and unknown sources; your download may contain malicious software
- DO use a strong password that is difficult to guess, consisting of eight (8) or more characters, including lower case and upper case letters, numerals, and special characters. Longer passwords, or pass phrases are in general more secure than shorter passwords.
- Strong Password Guidelines
- DO NOT use easy-to-guess passwords that contain only numbers or letters
- DO use different passwords for your different online websites. Using the same password for all your online websites will put you at risk of an account compromise.
- DO use a non-Administrative account when using your computing devices. Administrative accounts are created for system management responsibilities and are not intended for regular use
- DO use university-provided VPN solution to securely connect to UCF resources from remote untrusted networks, such as public Wi-Fi networks, hotels, Internet cafés, etc.
Social Networking Safeguards
- DO provide only the mandatory information required on social networking sites. The more personal information you provide, the more at risk you are for targeted scams.
- DO NOT provide a complete list of personally identifiable information when signing up for a social networking site.
- DO ask yourself: Do others really need to know this information? Will making this information available online be harmful to me or to anyone else?
- DO NOT post sensitive information about yourself online. This includes your Social Security Number, physical address, and credit card and bank account numbers. Before posting anything online, think of the consequences of this action.
- DO interact only with people you already know and trust, or those recommended by trusted and verified friends.
- DO know the social networking site and its privacy settings before giving away your information.
- DO NOT add people you do not know to your online social network. More importantly, don’t arrange a face to face meeting with a person that you have only met online.
- DO NOT permit applications that access sensitive information or permit posting your physical location. Use caution prior to installing or running applications and opening any links. If a friend’s account is hacked, links may contain malicious software.
Know your rights and responsibilities concerning the proper and ethical use of technology on campus by reading UCF IT policies.
Computer Security Incident: If you suspect your identity or data was compromised, or detect any suspicious activity on your computer, immediately contact your IT staff and the UCF Security Incident Response Team (SIRT) at email@example.com. If you don’t have IT staff, contact the UCF Service Desk at (407) 823-5117.
Request further information or send your feedback to firstname.lastname@example.org.