5 Information Safeguards

5.1 Special Procedures for Securing Sensitive Documents

Many records fall under the provisions of laws and regulations that impose additional security and retention requirements designed to prevent unauthorized access to those records. Examples of such laws are the Health Information Portability and Accountability Act, which regulates access to Protected Health Information, and the Gramm-Leach-Bliley Act, which regulates access to non-public financial information about a University customer (a student or any other party purchasing services from the University). The UNT Record Retention Schedule indicates the retention period for these records, but in addition to the retention procedures, users of documents falling under the provisions of those laws and regulations should be aware of the following security guidelines:

  • Workstation screens should not be visible to anyone but the authorized user of the secure documents.
  • Workstations used to view or edit secure documents should be protected with a screen saver that requires a password to re-activate the screen after it goes into sleep mode.
  • Only authorized persons may use a machine on which secure documents are viewed or edited (in other words, no sharing of a workstation).
  • A person with password access to secure data is prohibited from sharing his or her password with others.
  • Passwords must be changed periodically in compliance with UNT standards.

State and federal regulations may also require that some or all of the following access monitoring controls be implemented:

  • who is logged into which workstation, and how long they are logged in;
  • the nature of the files that are accessed;
  • how long a workstation is idle after an employee logs in;
  • irregular patterns in employee logins;
  • manager review of access logs to identify any potential security risks.

State and federal regulations require that security assessments be conducted periodically by the manager of a department with secure data. Depending on the nature of secure documents that the department uses, these assessments might be conducted once a month, but must be conducted at least twice a year. At least once a year, the manager must certify compliance with applicable state and federal security regulations, and must identify areas of security risk as well as improvements in security processes that have been implemented as a result of the security assessment.

5.2 Tips for Selecting Strong Passwords

5.2.1 Select a good password

  • Use a combination of letters, numbers and special characters ($, *, !, etc.).
  • Use the first (or second, or last, ...) letter of each word in a phrase.
  • Use upper and lower case characters.
  • Choose passwords that are a minimum of eight characters in length.
  • Select a password you can remember. For example, use the first (or second, or last, ...) letter of each word in a phrase: "The quick fox jumped over the lazy dog" might yield a password of "Tqfj^1ld".
  • Don't use a common word, a friend's name, a pet's name, your nickname, the name of your favorite team, etc. Co-workers, friends, and even casual acquaintances, may know this information.
  • Use a different password for each system.

5.2.2 Keep your password secure:

  • Change your password when you first receive your computer user-ID.
  • Remember to destroy any paperwork that lists the account user-ID and password.
  • Change your password when you suspect that someone else may know it. (Keep your password secret!)
  • Change your password periodically (every sixty to ninety days).
  • Never re-use an old password.
  • Never write down a password:
    • Do not identify a password as being a password.
    • Do not attach the password to a terminal, keyboard, or any part of a computer.
  • Never record a password on-line, and never send a password to another person via electronic mail.
  • Destroy any paperwork that lists the account user-ID and password.

5.2.3 Don't be a victim of "social engineering"

A frequent cause of loss of password security is "social engineering", a deliberate attempt by someone to obtain your password through deception. To prevent such loss of your password:

  • Never reveal your password to anyone else.
  • Help desk personnel, network managers, and computer support personnel never need your password to diagnose problems.
  • Don't reveal your password over the telephone, via e-mail, etc.
  • Make sure that no one is peering over your shoulder when you type in your password.

5.3 Strong Password Standards

The following standards were established to create and maintain strong passwords. Including all of the following in your password's composition will ensure that it is at low risk of compromise.

5.3.1 Creating a Strong Password

Passwords are required to be a minimum length of 6 characters and should be composed of at least two of the following:

  • One uppercase or lowercase alphabetic character;
  • One number;
  • One special character (non-alphanumeric).

5.3.2 Restrictions

Several types of passwords are considered weak and easy to guess. In order to avoid creating a vulnerable password, the computer system will prevent you from choosing any of the following to create your password:

  • Your EUID, account name, or login name;
  • Your EagleMail address;
  • Any word that can be found in any English or foreign language dictionary;
  • Passwords that do not meet minimum length requirements (e.g., h3lp, adm1n);
  • Numerical (digit) substitutions for characters (e.g., pa$$w0rd);
  • Passwords composed of numbers only, i.e.:
    • Your social security number,
    • Your telephone number,
    • Any part of your birth date;
  • Blank or null passwords;
  • Any previously used password.
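As an added example (not part of the UNT standard or its account system), the following Python checker applies the 5.3.1 composition rule and the 5.3.2 restrictions above to a candidate password. The dictionary, the substitution table, and the password-history hash are small constructed stand-ins, not UNT's own data or code.

```python
import hashlib
import re

# Constructed, tiny stand-in for the dictionary the standard refers to.
DICTIONARY = {"password", "help", "admin", "welcome", "eagle", "secret"}
# Assumed digit/symbol substitution table (pa$$w0rd -> password); not from the standard.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})
MIN_LENGTH = 6  # minimum length per 5.3.1


def pw_hash(password: str) -> str:
    """Hash used only to compare against password history.

    A real account system would use a salted, slow password hash instead.
    """
    return hashlib.sha256(password.encode()).hexdigest()


def check_password(password: str, euid: str, email: str, history: set[str]) -> list[str]:
    """Return the 5.3 rules the candidate violates; an empty list means acceptable."""
    problems = []
    if not password:
        return ["blank or null password"]
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    # 5.3.1: at least two of letter / number / special character
    classes = sum([
        bool(re.search(r"[A-Za-z]", password)),
        bool(re.search(r"[0-9]", password)),
        bool(re.search(r"[^A-Za-z0-9]", password)),
    ])
    if classes < 2:
        problems.append("fewer than two character classes")
    if password.isdigit():
        problems.append("numbers only")
    low = password.lower()
    if low in (euid.lower(), email.lower()):
        problems.append("matches EUID, login name, or EagleMail address")
    # Dictionary check runs twice: as typed, and after undoing common substitutions.
    if low in DICTIONARY:
        problems.append("dictionary word")
    elif low.translate(LEET) in DICTIONARY:
        problems.append("dictionary word with digit/symbol substitutions")
    if pw_hash(password) in history:
        problems.append("previously used password")
    return problems
```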

5.3.3 Security of Your Account and Password

  • Passwords for continuing students, faculty, and staff will expire 120 days from the date on which the password was set.
  • Passwords for applicants, transfer students, and returning students will expire 60 days from the date on which their enrollment status changes to a "student" role. This usually occurs when the student registers for classes.
  • If you forget your password, or your password expires, go to the Account Management System page, http://ams.unt.edu, to reset it.
  • Your account is protected against intruders who attempt to guess your password. After a set number of failed password attempts, your account will be locked in order to prevent further unauthorized access attempts.
  • If you attempt to log into your account and your authorization fails as a result of entering invalid passwords, try again in 15 minutes. If you are still unsuccessful, go to the Account Management System page on the web, http://ams.unt.edu, to reset your password.

5.4 Workstation and Computer System Security

You can reduce the chances that your computer will be attacked by an intruder by learning how a computer becomes vulnerable to attack. To learn more about the latest types of attacks on computers and how to avoid them, read "How to Secure Your UNT Workstation" on the information security website: http://www.unt.edu/security. Faculty and staff members should contact their network manager or system administrator for assistance in implementing the suggested recommendations. The guide covers: a description of a typical hacking scene, applying software patches, disabling unnecessary services and servers, the perils of using your computer account with administrative rights enabled, spam ("unsolicited" e-mail), vulnerabilities in commonly used software, peer-to-peer software, why it is good to use password-protected screen savers, file and print sharing, and using personal firewalls.

Network managers and system administrators will find the "Code of Good Practices (Reference for Securing Systems)" guide helpful. These best-practice documents are available to administrators who would like to learn more about securing Windows- and Unix-based systems. They can be found on the information security website at http://www.unt.edu/security.

5.5 Physical Security

The physical security of computing resources (computers, equipment, files, etc.) is actually the first principle of good security, because as long as someone can obtain physical access to your computer, he or she can gain control over it. By instituting a few simple safeguards, you can greatly limit security breaches and other unauthorized access to computing resources. The Texas Property Accounting Standard (§ 403.276) states: "If [an] investigation discloses that a property loss has been sustained by the state through the fault of a state official or employee, the Attorney General shall make written demand on the state official or employee for reimbursement to the state for the loss sustained." In other words, you are held responsible for property that has been assigned to you. This property includes (but is not limited to) computers, pagers, cell phones, etc.

Here are a few helpful hints to safeguard the physical security of items that are your responsibility:

  • Log out when leaving your computer.
  • Close and lock your office door every time you leave.
  • Don't leave your office keys in easily accessible locations; secure them.
  • Complete a "Property Custody Receipt" (obtainable from the Asset Management department) to authorize official removal and return of University property from campus.
  • Restrict the number of keys to your office.
  • Know who accesses your office. (It may be necessary to maintain an attendance log for high-security areas.)
  • Use a screen saver that requires a password to get back into your computer after the screen saver activates.
  • Keep your passwords and computer user-IDs secret.
  • Report suspicious-looking persons or activity to the UNT Police Department.
  • Express any concerns about physical security to your supervisor.