As custodians of University data, we all have responsibilities to secure our data.  Here are some strategies for how to safely use, store, and share sensitive data, and exercise overall good computing practices.

Remember, data security is the law

Data security practices are required not just by University Policies, but by State and Federal privacy and security laws, including the Gramm-Leach-Bliley Act (GLBA) and the Family Educational Privacy Rights Act (FERPA).  University policies and procedures help us understand how to comply with the law in our BU community, including the GLBA Safeguarding Information Program.  GLBA compliance is especially important for employees who work with student financial aid, as the University has committed to safeguarding this data in connection with its receipt of federal financial aid.  Other Policies and Procedures can be found on our BU Policies webpage, under the Information Management category.

Know your data

The first step to making sure you are properly handling University data is to know how the data is classified.  At BU, data is classified into four categories: public, internal, confidential, and restricted use.  Each category has its own set of criteria for how data can be used, stored, and shared.  The University’s Data Classification Policy will help you easily identify the categories of University data in your possession.  Once you know the data’s classification, you will know how you are expected to secure it.

Protect your passwords

Never share your passwords! Your account passwords should be known by you, and you alone.  Service providers will never ask you for your password, so you should not provide it even when a request seems authentic.  If you need to reset a password, make sure that the site you are on is legitimate.  If you are unsure if a website is legitimate or not, you can always ask ithelp@bu.edu for help.

Send email securely

When you are sending email with Restricted Use information, which is defined within our Data Classification Policy, you should use a secure method to transmit the data.  Options at BU include encrypting your document and calling the receiver to share the encryption password with them verbally, or using DataMotion, a service available to the BU community.  More information about how to use DataMotion SecureMail to send emails can be found on the BU TechWeb page.

Be cautious of links or requests for information in emails

Phishing messages are emails that look as if they are from a legitimate source in an attempt to get you to click on corrupted links or share personal information, such as credit card numbers or passwords.  They are a major security concern and the most common cause of data breaches.  Fraudulent links are the most common scammer technique because it is easy to disguise a link to look as if it leads to a legitimate, trusted source, when in reality it leads to a malicious site.  To find out if the link is misleading, you can hover (but don’t click) your mouse over the link to see the actual address.  If the hover technique shows you that the address is different from what the link presents, it is a scam.  On a smartphone, click and hold the link and the address will appear.  Also, instead of clicking on an email link, you can just manually type the address into your browser.  Note that savvy phishing emails can even look like they are from BU’s IS&T department.  Learn more ways to spot a phishing email, and tips to prevent falling prey to fraudulent links on a BU TechWeb page titled How to Fight Phishing.

Encrypt your computer

We recommend encryption for all devices storing University data, including laptops, desktops, personal computers and devices like cell phones and tablets. Encryption is required if you are working with restricted use data, and recommended for all other data categories.  IS&T is happy to encrypt workstations that they manage directly, and will provide advice on encrypting devices they don’t.  It is possible that your device may already be encrypted, but if you are not certain, please contact IS&T.  More information on encryption can be found on a BU TechWeb page.

Secure all your devices and hardware

It’s important to make sure that all of your computers and devices that house University data are secure, including mobile phones, tablets, and even thumb drives or other external storage devices. To keep your devices and hardware secure, always make sure your software is up to date, that strong and unique passwords are enabled, and your data is backed up to a secondary source.  For more detailed information on device security, please visit the Securing Your Devices TechWeb page.

Keeping Data Secure in the Workplace

Sensitive information should never be kept on publicly accessible desktops and other physical areas, like counters, tops of filing cabinets, tables, printers, copiers, and fax machines.  Offices with any personal information should be locked at night.  When records with personal information have reached the end of their retention period and are ready to be disposed of, they should be disposed of in a secure way, such as secure shredding, burning, or pulverization.  See the Record Retention Policy for more information on record retention and destruction.

When in doubt, ask for help

IS&T is always happy to help.  If you have any questions on how to work with University data in a safe and secure manner, don’t hesitate to reach out at ithelp@bu.edu or (617) 353-HELP (4357).