Teachers College
Columbia University

Secure Computing and Information Management Guidelines


A. Reason for Guidelines

Safe computing and information handling procedures are required to mitigate the risk from threats to information confidentiality, integrity, and accessibility. No computer system is immune to attack, so a multi-layered approach is required, with best practices applied at all levels, including computer configuration, physical security, and personal awareness. These guidelines describe the College’s expectations for computing and information handling practices.

B. Responsible Office & Officer

The department of Computing and Information Services (CIS) is responsible for the maintenance of these guidelines and for responding to questions regarding them. The responsible officials are the Registrar and the Director of Information Technology.

C. Guidelines

The guidelines apply to all College-owned computers as well as to personally-owned computers used to access College information resources via the TC or Columbia wired or wireless networks. Everyone is responsible for maintaining awareness of information security recommendations and following them.

Virus protection

CIS configures College-owned computers for automatic updating on campus; users must notify CIS if a computer will be used off-campus for weeks at a time. On your personally-owned computers, you must install reputable anti-virus software and keep it up to date, configured for on-access scanning and for email scanning. Most computers come with at least a trial subscription. Continuing to renew that subscription is usually the best option, because uninstalling anti-virus software does not always work cleanly. If you do not have an active subscription to anti-virus software with updates for your personally-owned computer, you may download and use the anti-virus software licensed by Teachers College. Downloads for personal PCs and Macs are available from the TC Bookmarks channel in myTC under “Software and Tools.” Email attachments are a common source of viruses and spyware, so you should not open an email attachment unless you were expecting it. The address in the sender field can be spoofed, so you should not rely solely on who apparently sent a message to assess its authenticity.

Spyware protection

Spyware is a class of software that installs itself on a computer, giving a third party access to a person’s internet use, passwords, and other sensitive information. To guard against spyware, do not install an application or click on a link in an email unless you fully understand what it will do and are confident that it comes from a trusted source. In addition to providing virus protection, the McAfee AntiVirus for Windows licensed by Teachers College protects against the most prevalent spyware programs. If you download the virus protection described above for your personally-owned computers, select the spyware protection option during configuration.

Related article: What is spyware? http://www.microsoft.com/security/pc-security/spyware-whatis.aspx

Software updates

Periodically, security weaknesses in the operating system and/or applications are discovered, and vendors provide security updates to remediate such exposures. Configure your computer to automatically check for and install vendor security updates.

For TC-managed workstations, operating system updates are managed by the Help Desk.

Related article: What are operating system updates? http://windows.microsoft.com/en-us/windows7/Updating-your-computer

Passwords

A password is used to “prove” who you are (known as authentication) to an application and/or computer system. Strong passwords should be used on all computer systems, including all mobile devices, to protect them in accordance with Teachers College policy (see Password Standards at http://www.tc.columbia.edu/Computing/security/passwordstandards). If you suspect that someone has your password, change it immediately. Refrain from using the “save password” feature of applications, because anyone who has access to your computer will then also have access to your accounts. It is wise to use different passwords for different activities, such as personal purchases, banking, and TC online systems.

Columbia UNI Password Requirements:

- Must be at least 8 characters in length
- Must use a combination of upper and lower case letters
- Must include at least one numeric and/or special character (&, ?, @, etc.)

TC Network Password Requirements:

- Must be at least 8 characters in length
- Must include at least 2 character types
- Must be changed every 120 days

Related article: Strong passwords: How to create and use them http://www.microsoft.com/security/online-privacy/passwords-create.aspx

Account use and oversight

One person/one account 

Each person must use his/her own account. Sharing a password is a violation of TC and Columbia policies. Supervisors should provide employees with sufficient access privileges, but no more than is required for their work. If you need to designate a “delegate” for your email or calendar, email the CIS Help Desk or call them at x3300. Shared account access is available for workgroups based on access requested by the designated account owner. If your office needs a shared account for access to departmental email or calendar, contact the CIS Help Desk. If you supervise people, be sure to inform Human Resources when anyone on your staff leaves, or the CIS Help Desk if they change responsibilities, so that his/her network, email, and/or Banner access will be discontinued or changed. Do not ask people to pass along passwords when they leave.

Protecting an unattended computer

When you must step away from your workstation during the day, make sure to lock your computer. Password-protected screensavers engage automatically to protect information from being changed or seen by others. Best practice is to log out and close the browser after using an application, and to shut down your computer at the end of the workday.

Data location and backup

Computers can and will fail, resulting in data that is corrupt or unrecoverable. Laptops, smartphones, mobile devices, and flash drives are particularly susceptible to loss and theft. Employees who choose to synchronize their TC email or other information with a mobile device must promptly report any loss or theft to the Teachers College Help Desk, by email or by telephone at 212-678-3300, or contact the cellular carrier to request that all content be cleared from the device. Students are encouraged to contact their cellular carriers to do the same.

TC servers are backed up and securely administered according to best practices, so store information about individuals and other sensitive data on servers rather than on your desktop machines or portable storage devices. Refrain from storing non-public personal information altogether when it is not necessary or appropriate, particularly information such as social security numbers and credit card, bank account, or driver's license numbers. When possible, access Banner information directly from the central system. Use an individual’s TC ID number (in the format T12345678) for TC forms and stored data. If your department has a local database, application, or server, set up a meeting with CIS to review database and server security practices. The CIS Help Desk can assist you with accessing network file shares from home. Locally-stored data requires regular backups. Calendar and contact information on your smartphone should be synced to your TC Gmail account or to a computer. Contact the CIS Help Desk by email or call x3300 for assistance in configuring backups.

Websites

Use the Teachers College content management system to maintain websites; it does not require web development skills and conforms to best security practices. Contact the Office of the Web at x3118 for assistance. Departments that wish to use an external provider for development and/or hosting services must have the agreement vetted by the contracts manager in the Office of the General Counsel.

Accessing sensitive information

Never access sensitive data from, or enter your password on, a computer that is not owned by you or TC, or that you do not know to be maintained with current security patches and anti-virus software. Do not access sensitive or confidential data from open wireless networks (like TC’s or those at Internet cafes) unless there is a secure encrypted connection to the source of the data (you will see https:// instead of http:// in the address bar). Do not use email for non-public personal information such as social security numbers, credit card numbers, grades, or other personal, academic, health, or counseling information.

Academic Material Created by Students and Faculty

Do not distribute material posted by students and instructors on course management systems or websites without the permission of the author. Do not forward emails containing such material without permission. See the Family Educational Rights and Privacy Act (FERPA) policy at http://www.tc.columbia.edu/academics/catalog/index.asp?id=FERPA.

Physical security

If you must keep personal information on a desktop or portable device (e.g., laptop, CD, flash drive), physically secure the device (e.g., use a computer lock or store it in a locked drawer) and preferably encrypt the data. Do not leave papers with confidential information on your desk where others will see them. Retrieve copies, faxes, and printouts immediately. When the area is unattended, lock filing cabinets and office doors to protect confidential hard-copy records.

Social interaction

Never discuss non-public personal information about anyone (student, faculty, staff, alumnus, vendor, trustee, etc.) with your family or friends, or with any coworker who lacks a specific work-related need for the information. Be aware of information-stealing methods such as social engineering (e.g., someone falsely presenting themselves as authorized to access private information), phishing scams, and shoulder surfing, all of which are used to obtain personal and sensitive information about you or others.

Related article: Social engineering http://en.wikipedia.org/wiki/Social_engineering_%28security%29

Related article: Recognize phishing scams and fraudulent e-mails http://www.microsoft.com/security/online-privacy/phishing-symptoms.aspx

Disposing of computers and data records

Email the CIS Help Desk or call x3300 when you wish to dispose of College-owned computers. According to the Computer Disposal Procedure (http://devweb.tc.columbia.edu/computerdisposal), the Help Desk will remove and erase the hard drive, and the Facilities Department will move the computer to the staging area for donation or disposal. Use a shredder to dispose of paper records containing personal information; the Purchasing Office can recommend different models depending on your requirements. If you have file cabinets full of old information, contact Facilities about large-scale shredding and disposal. Do not keep old records on your desktop, laptop, PDA, flash drive, or in paper file folders if you can delete them completely, or archive them and store them more securely elsewhere.

Suspicion of compromised information

If you believe that a computer system has been compromised, shut it down and contact the CIS Help Desk at x3300 immediately.

If your smartphone or mobile device is lost, call the CIS Help Desk, or the Columbia University Help Desk off-hours at 212-854-1919, so that they can assist you in having all information wiped from it.

You may also call your carrier directly to make that request. Note: TC’s Email Usage Policy (URL) requires that employees do this promptly when a device is lost or stolen.

If your laptop is lost, please call the CIS Help Desk.

If you believe that non-public personal information may have been exposed, contact the CIS Help Desk.
