Reduce the risk of an incident or breach by incorporating the following security-positive behaviors into your computing routine.
1. Use safeguards when working remotely.
When working from home or another remote location, your responsibility for protecting sensitive university information remains unchanged.
Use these safeguards to avoid unauthorized or accidental access, use, modification, destruction, or disclosure of sensitive university information:
- Only university-provided computers, including mobile computing devices, should be used to access or handle sensitive university information. If you must use a personal computer, it is recommended that you use remote desktop to connect to your university-provided computer.
- Secure your home WiFi router by using a strong, unique password, and enabling WPA2 encryption.
- Boost WiFi security with VPN at home and when traveling; it provides a secure connection to the CU network from any location and may be required to access many CU-specific drives and applications. Be sure to connect to the VPN before using unsecured networks or public WiFi.
- Do not allow other household members to access your university-provided computer. Unauthorized individuals may unknowingly put your computer at risk. Always lock your computer when stepping away from it, just as you would in the office.
- Be mindful when sharing or discussing sensitive university information in virtual meetings. Only share such information with the people who need to know it for an authorized use. This includes verbal and written information.
- Dispose of paper containing sensitive information using a cross cut shredder or wait until you return to your campus office.
Visit your IT department's website for campus-specific information on VPN, encryption, remote desktop, and collaboration tools.
International travel – know before you go
High-risk foreign counties are often governed by laws that restrict how you conduct university business. If you are traveling internationally, be familiar with laws and policies pertaining to technology and take the appropriate precautions to secure your university-provided device if it contains controlled software or sensitive university information or both.
Visit the Institutional Statement of Export Control Commitment and Support website for more information about your campus office contact, policies, and guidance.
2. Report a potential incident.
If you believe an information security incident has occurred, it is important to report it as soon as possible. This allows the investigative team to act quickly to determine the level of impact and contain the incident.
Visit the Reporting an Information Security Incident webpage for more information.
3. Recognize phishing, other deceptive tactics.
Cybercriminals use deceptive tactics to manipulate people into doing what they want with the goal of stealing information and money. The tactics, sometimes called “social engineering,” are the foundation of all phish and scams conducted through emails, text messages, phone calls, and in-person interaction.
Here are some things to remember:
- Do not provide your username, password, or any personal information requested by unsolicited email or phone call. (CU will never ask you for your username or password.)
- Be wary of email links or attachments, unless you are positive the content is safe.
- Don't react to tactics aimed to scare you into taking urgent action, including: threats of a lawsuit, a computer full of viruses, locked accounts, or opportunities to earn or save money now.
- Legitimate companies and service providers will provide a way for you to contact them directly. If you’re uncertain, you can learn more by researching them online.
- Emails from a university leader asking you to make a urgent wire transfer or buy gift cards are likely to be scams.
- No one from your campus IT department is going to call to inform you about a computer virus and ask for your passwords.
- Government agencies will not call and threaten you, or make demands for payment in the form of gift cards.
4. Protect sensitive university information.
If you access, handle, or store sensitive university information, you are responsible for safeguarding it from unauthorized or accidental access, use, modification, destruction, or disclosure.
The information, classified as “Highly Confidential” and “Confidential,” is only for the “eyes of the authorized individuals” in any form including paper or electronic.
Be able to recognize sensitive university information. Some examples include:
- Protected health information
- Social security numbers
- Payment card numbers
- Health insurance policy ID numbers
- Student information and admission applications
- Faculty and staff personnel records, benefits, salaries, ID numbers, and employment applications
- Donor contact information and non-public gift amounts
- Non-public policies
- Internal memos and email, and non-public reports
- Purchase requisitions, cash records, budgetary plans
Take these actions when accessing, handling, or storing sensitive university information:
- Only share with the people who need to know it for an authorized use. This includes verbal and written information.
- Encrypt the information when transmitting or storing.
- Ensure networks or systems used to handle or store the information has appropriate firewalls, monitoring, logging, patching, anti-malware and related security controls.
- Use university-provided computers, including mobile computing devices and storage medium.
- If this is not possible and you must use a personal computer, for example when working remotely, use remote desktop to connect to your university-provided computer.
- Additionally, please do not allow other household members to access your university-provided computer. Unauthorized users may unknowingly put your computer at risk.
- Do not use collaborative platforms, such as SharePoint or Teams, to share or store the information.
- Refer to the universitywide policy for information retention and disposal.
Visit the Data Classification webpage for more information.
5. Keep devices secure.
- Back up files regularly
- This is invaluable if the device is lost, stolen, or compromised and needs to be wiped clean.
- Boost WiFi security with VPN
- Using a virtual private network (VPN) provides an added layer of security by encrypting internet traffic. Be sure to connect to the VPN before using unsecured networks or public WiFi.
- Keep software, including antivirus, updated
- Enable encryption to keep files and folders unreadable to unauthorized people
- This is especially valuable if your device is lost, stolen or compromised.
- Avoid using public charging stations by having a phone backup battery
- Criminals set up fake charging stations that allow them access to your device.
- If you must use the charger, use a USB data blocker.
Visit your IT department's website for campus-specific information on VPN, antivirus, and encryption.
6. Create strong, unique passwords.
Weak and reused passwords make it easier for cybercriminals to gain access to your computing devices, applications, files, and accounts.
Use these tips to create strong passwords and keep them private:
- Go beyond the minimum requirements set by your campus if you can. The US Department of Defense requires a minimum of 15 characters in a password, which is a good rule to follow.
- You can make a password that appears random by making up a passphrase that means something to you, and only using the first letter of each word. For example, the phrase “My first job in 94 was delivering pizzas!” could become the secure password “M1stji94wdP!” Or choose some numbers, letters, and symbols and invent a mnemonic based on what you chose.
- Don’t use the same password for multiple sites.
- Use two-factor or multifactor authentication whenever it’s available to help prevent unauthorized access to your devices and accounts.
- Consider using a password management program.
- Keep your password to yourself, and don’t create opportunities for someone else to steal your information:
- Don’t tell other people your password.
- Don’t write your password down.
- Don’t allow your browser to save your credentials or automatically fill your credentials for you. If you can log in automatically, so can anyone else with your device.
Visit your IT department's website for campus-specific guidance.
7. Be on the lookout for insider threat.
An insider threat is the threat that an employee or a contractor will use authorized access to compromise the confidentiality, integrity or availability of private or sensitive information.
Here are some possible warning signs of an insider threat:
- Working odd hours without authorization.
- Taking proprietary or other sensitive information home without need or authorization.
- Copying material unnecessarily, especially if it’s proprietary or classified.
- Installing personal software or hardware in violation of policies, accessing restricted websites, conducting unauthorized searches, or downloading sensitive material.
- Taking short trips to foreign countries for unexplained reasons.
If you see suspicious behavior, report it to your campus IT or Information Security office.
8. Only use CU-approved applications.
9. Protect the privacy of those in CU community.
Your job function may require that you handle private information related to students, employees, alumni, donors, research sponsors, patients, and others. (Examples of such information includes social security numbers, credit card information, educational records, and health information)
Consider these actions when handling private information:
- Ensure there is a true business need for collecting personal information.
- Only request the minimum information required. Resist the temptation to collect additional information that you “might” need in the future.
- Inform the individual why you need the information and what it will be used for. If the information will be handled by a third-party, clearly disclose that, too.
- Follow CU security standards and consult with the information security office to properly secure personal information. Most notably, limit access to personal information to only those who need to know.
- Have a data retention plan that includes a schedule to delete personal information when it is no longer needed. Have a plan for deleting old information and have processes that ensure information is cleaned up according to that plan.
- Be aware of any regulatory or contractual requirements regarding privacy and security. Be sure you know your obligations and come up with processes to meet them. his may mean meeting specific security standards, minimum/maximum data retention requirements or other required steps.
- Know how you will handle privacy related questions and requests. Privacy@cu.edu can assist or connect you with others at CU to help with privacy concern