Safeguarding Information

Objective: 

This Policy sets forth the guidelines and best practices with respect to the following: Physically Secure SF State Equipment, Use Firewall Protection, Set Strong Passwords, Encryption and Removal of Confidential Data, Erasing and Disposing of Media, Remote Connections and Handling Paper Records.

Statement: 

Physically Secure Your Equipment

Portable equipment such as laptops and handheld devices are easy targets for theft; do not leave them unattended. It only takes a moment for someone to pick up your laptop or handheld device while your attention is diverted.

Use Firewall Protection

Firewalls protect computers from network-based attacks by preventing hackers outside of the firewall from scanning computers for network vulnerabilities. A hardware-based network firewall protects the SF State network against attacks from outside of the firewall. However, viruses and worms can still be spread to other workstations via e-mail and file transfers within the firewall. A network firewall does not control spyware, laptops brought to and from campus, or security problems originating from within the firewall.

Software-based firewalls included with Windows and Mac OS should be enabled. They can be installed separately on many other operating systems. All computers should use a software-based firewall when available.

How to turn on the Windows firewall
How to turn on a Mac OS based firewall

Off-campus users with high-speed DSL or Cable Internet connection should use a router with a built-in firewall. Routers are physical devices that are placed between a computer, or network of computers, and the Internet. Routers for home use usually provide both wireless and wired connections. Routers should not be installed on-campus.

Set Strong Passwords

Set strong account passwords to protect computers and servers from being accessed by unauthorized individuals or entities. 

A strong password is one that has at least eight characters and is made up of upper and lower case letters plus special characters and/or numbers.  Many systems on campus limit the special characters that can be used.  Allowable characters for SF State passwords include, for example: ! $ % & ( ) * +

A password made up of a phrase with mixed case, spaces, and punctuation (often called a passphrase) is both easier to remember and safer than a short, complex, password. For example, "IGo2School!" is an easier password than "Vr7q#gKA". You can also try using famous quotations and customize it by adding symbols and/or changing some of the spelling (e.g., "URWhatUEat!"). You can try testing passwords and passphrases using Microsoft's Password Checker.

• If you write down passwords, they must be secured in a locked area or encrypted.  Do not store passwords unencrypted in a file on the computer, on the back of your laptop or in the carrying case
• Set the screen saver password option to lock your computer when the screen saver is activated. When you begin working again, you will be prompted to type your password to unlock your computer
• In general, do not store passwords in applications such as Web browsers or e-mail clients.  If you choose to do so you will need to activate additional mechanisms such as screen locks with strong passwords and encryption of the drive to prevent access.  Passwords should never be cached on public machines
• If needed, use password management programs with encryption to safeguard multiple account names and passwords (e.g., Keychains on Mac), but keep in mind the main password must be remembered to retrieve the others

Securely Remove or Encrypt Confidential Electronic Data

Carefully review the information stored on your PC, laptop, hard drive, phone, PDA, as well as on USB flash drives, CDs and floppy disks. Confidential data should not be stored on these devices unless it is encrypted.  Guidelines for encrypting the drives of laptops are below.

When access to files containing sensitive data is necessary, such data should be stored on protected servers within the campus firewall and viewed over secure network connections when needed. In this way, sensitive data need not be stored on local laptops or desktops, and is therefore not vulnerable in case of equipment theft.

SF State has implemented a new Secure E-Waste and Paper Disposal process for the disposal, transfer or surplus of electronic devices capable of storing sensitive data. Note that student records created prior to 2006 may contain partial social security numbers used as student IDs. Media containing software which is covered by a license agreement between San Francisco State University and a software vendor should be treated as containing confidential data in order to protect the terms of the license agreement. 

Encrypt Confidential Electronic Data

In the exceptional case when there is a requirement to store confidential data on a desktop, laptop or other device, special security measures such as encryption must be employed. The encryption technology bundled with the Windows and Macintosh operating systems provides a layer of protection against casual thieves. Stronger encryption software is available for impenetrable security; however, your encrypted data is not recoverable if you forget your password. Please contact your department's IT support personnel or the Information Technology Services (ITS) Help Desk if there is a need to store sensitive data on your local machine.

• Using Windows encryption
• Macintosh encryption with FileVault

ITS continues to evaluate products to find those that provide strong encryption, but are also easy to use and administer, and have key management capabilities.

Erasing and Disposing of Media

Redeployment of computers within SF State between departments or to external surplus auctions requires trusted erasure or overwrite of confidential data. Normal deletion only erases the information used to access the files on a disk, not the actual files.

• To securely delete files containing confidential information on a Macintosh, put the files in the trash then select: Finder > Secure Empty Trash

• To securely delete the contents of disk volumes on a Mac use Disk Utility

• There are many utilities tor Windows that can securely delete files and the contents of disk volumes. Eraser is one that is easy to use, has been available for many years, and is free

For disposal of media and electronic devices (e-waste), SF State has implemented a new program with a single vendor, SIMs Recycling, for the trusted overwrite or shredding and environmentally sound disposal of e-waste.  This frees campus staff from the effort of finding and implementing complex overwrite and physical shredding methods. Disposal requires placing the media in designated secure bins available at each department or at the campus Recycling Center and completing a new Property Survey Request Form.

Detailed information on completing the forms and information on the bins is at Secure E-Waste and Paper Disposal.

Remote Connections

SF State offers Virtual Private Network (VPN) encrypted connections to faculty and staff to enable access to secure local area network resources when users are not directly connected to the campus network. When unsecured network connections are used, transmitted data can be intercepted using eavesdropping programs.

When running scripts or transferring files over the network, use software that supports the highest security connection method offered. When connecting to campus servers use secure network protocols. For example, web pages that require a password (or PAC or PIN) should use HTTPS addresses instead of HTTP addresses; UNIX shell logins should use SSH (Secure Shell) instead of telnet; file transfers should use SFTP (Secure File Transfer Protocol) instead of FTP.

• Mac OS X has command line versions of SSH and SFTP built in. There is no need for a separate SSH client, but a GUI based SFTP client, FileZilla, simplifies file transfers
• Windows has no built in support for SSH or SFTP. SF State recommends PuTTY and FileZilla be installed for this type of access

Leaving workstations open for remote connections (e.g., Remote Desktop) is discouraged. Generally, files should be stored on a secure server and accessed using secure protocols. If you have special needs that require making a remote connection to a workstation, minimize the number of accounts allowed to log in remotely and make certain they have strong passwords. Please contact your department's IT support personnel or the ITS Help Desk for assistance.

Handling Paper Records

Paper records should also be scrutinized and managed with care. Records which contain confidential information are to be retained only as long as they are valid, useful, and required to be retained. (See section 4 of the Student Privacy Rights Policy and Procedure for student records retention policy, and the CSU Records Retention & Disposition Schedules.)

Control access to rooms and file cabinets where confidential records are kept:

• Keep confidential records in non-public areas
• Lock all doors and windows to office areas during non-business hours.
• Work areas where confidential information is kept or processed must be behind locked doors or otherwise secured during business hours.
• Escort visitors in areas where confidential information is kept.
• File cabinets used to store confidential information must be secured in locked areas.

When no longer required to be retained, any papers that contain confidential information should be securely destroyed (shredded). Staff without access to cross-shredding equipment or services may contact the Registrar's Office x82823 for assistance with disposal of confidential records.

Departmental Managers are responsible for overseeing disposal of paper and other media (including electronic media) in their areas.

Implementation

Responsibility for implementing this Policy will rest with ITS and Information Technology (IT) departments across campus. Submit any apparent violation of Safeguarding Information Policy to the appropriate administrative authority (vice president, dean, director, department, or program chair) or to incident@sfsu.edu.

Non-Compliance

Noncompliance with applicable Policy and/or practices may result in suspension of network access privileges. In addition, disciplinary action may be applicable under other University policies, guidelines, implementing procedures, or collective bargaining agreements.