SAR IT: Security Do’s and Don’ts
The following information highlights the BU Information Security Data Protection Guidelines, focusing on the most important things each of you needs to do to ensure that all Sargent/BU data are kept safe and secure. Please take a few minutes to familiarize yourself with these Do’s and Don’ts. The full guidelines can be found at https://www.bu.edu/tech/support/information-security/security-for-everyone/. We encourage everyone to read through these guidelines.
DO: Keep all Sargent/BU related data on Sargent’s Servers (gpnas and ru-gpnas) and not on a workstation or laptop.
DO: Make use of the free McAfee antivirus software that BU provides to protect your personal computers. You can get this antivirus program here: http://www.bu.edu/tech/desktop/virus-protection-security/
DO: Keep all HIPAA-covered data on Sargent’s HIPAA Server, ru-gpnas.
DO: Log off (but do not shut down) all Windows computers at the end of the workday. Mac computers may be shut down.
DO: If your computer does not automatically lock after you leave it for 15 minutes, please set it to do so. This is a good idea on your personal computers, too: instructions.
DO: Use BU E-Mail (Exchange) for Sargent/BU communication. Please note that many email providers, including Google, cannot guarantee that data will be stored on servers located in the United States, and some grant and regulatory agencies require that data be kept only on servers located in the United States.
DO: Use BU Secure E-Mail for all email that contains HIPAA-covered information. Please see this page for information on Secure E-Mail: http://www.bu.edu/tech/accounts/special/datamotion-securemail/. Sending email that contains patient information, even via Outlook, is not allowed (unless you have written approval from the patient).
DO: Get into the habit of changing your password every three months. Before you do, though, consult your IT person for best practices.
DON’T: Ever give your BU Kerberos password to anyone.
DON’T: Use your BU password as your password for any non-BU accounts (e.g., banks, credit cards, personal email, etc.).
DON’T: Keep any personal data (including photos, music such as iTunes music libraries, documents, etc.) on Sargent computers (desktops and laptops) and servers; they are to be used for Sargent/BU work and research purposes only.
DON’T: Keep any Sargent/BU data on any personally owned computer/laptop.
Mobile Devices (phones, tablets):
DO: Set up a password on all cell phones and other mobile devices—both personal and BU owned—that are used to access Sargent/BU data, including email.
DO: Set these devices to automatically lock after 10 minutes or less of inactivity.
Social Security and Credit Card Numbers:
DON’T: Keep social security numbers (in electronic or paper form) unless they are required for a business or regulatory reason; convenience is not a valid reason.
DO: Keep papers containing confidential/restricted data in locked cabinets or drawers; they should not be left on desks when the office/cubicle is unattended. Keys to the cabinets and drawers should be limited to as few authorized persons as possible. Please see this website for definitions and examples of confidential and restricted data: http://www.bu.edu/tech/policies/info-security/1-2-a-data-classification-guide/.
DO: Keep only the last four digits of a credit card number if necessary for record keeping.
DON’T: Keep even the last four digits of a social security number.