Security Information

Quick steps to protect your accounts, desktop, laptop and other mobile devices:

1. Enable a firewall on your computer to prevent other computers or devices from accessing services running on your computer without your knowledge.
2. Enable a password protected screen saver after a period of inactivity or when you leave your work area.
3. Set up secure file sharing or use known secured methods for sharing files and data.  Use validated storage locations and share files appropriately.  
4. Use the VPN to access university resources from off-campus locations. All university employees have access to use the VPN; no form is required.
5. Send from and respond to oakland.edu email. Read email addresses carefully before responding. Do not click on links in email from unknown sources.
6. Make backup copies of your critical data, and encrypt your backup.
7. Use a hard-to-guess password, do not share the password and change it periodically. Oakland University and University Technology Services will never send you an email asking you for your password; do not respond to emails that ask for passwords.
8. Enable two-step authentication on your NetID account.  
9. Make sure your software is up-to-date: install patches, firewall protection and anti-virus updates.
10. Log out of all services and keep unattended devices (desktop computers, laptop computers, smart phones and other equipment) in locked drawers and in locked offices.
11. Securely delete outdated sensitive files.

University Technical Services (UTS) has partnered with the SANS Institute, an industry leader in security, to provide designated employees access to information security training. This training focuses on topics pertinent in your role, is accessible on-demand, and can be completed in as little as five minute increments. The link to access the SANS training is https://oakland.litmos.com. Please use your NetID and password to access the security training. Please send comments or questions to [email protected].

Two-factor authentication requires an individual to provide a secondary confirmation of their identity after initial NetID login by using a physical device in their possession such as the DUO mobile app, text message (SMS), or phone call. This provides an additional layer of security that protects your account and Oakland University systems from being accessed if your password is lost or stolen. For more information please refer to:

• DUO Two-Factor Authentication

Oakland University provides remote and traveling employees access to a centrally managed Virtual Private Network (VPN) to provide a secure and encrypted network connection to the University's campus network. In essence, a remote computer connected through the VPN has similar access to standard on-campus office computers. Common scenarios for using the VPN are to gain access to resources available only on campus, such as Banner, or to remotely connect to and use a designated primary workstation. It is important to note that VPNs only secure network communications; it is important to ensure computer security by following all advice and guidance for device security. University Faculty and Staff automatically receive VPN access and can utilize the service by following posted instructions.

Your mobile computer and portable device may contain information such as location tracking, personal contact data, tax returns, social security information, bank accounts and other important files that are convenient for you. The mobility, technology, and information that make smart phones, tablets, netbooks, laptops, and other mobile computing devices so useful to employees and organizations also makes them valuable prizes for thieves.

Four reasons to secure your mobile device are to protect:

• Your information
• Your identity
• Your privacy
• University data and resources

There are options, both free and paid, that can keep your information safe even if someone walks off with your laptop or breaks into your device. If possible, device encryption should be deployed. The use of encryption requires key management and must be managed by either yourself or your department. If possible, password protect or otherwise protect the entry to the device. Consider enabling location tracking and remote wiping, but also consider your privacy and tracking when you make the decision to enable location-based services. If you are using a device funded by Oakland University, login password protection, passcode locks, auto-lock, and location services should be enabled. If you lose a device that is connecting to the university G Suite environment, contact UTS to evaluate possibilities for remote wiping.

It is your responsibility to understand the risks and be proactive in keeping your mobile device secure. The questions you need to consider are what types of data you are storing on your mobile device, what types of services have automatic login access, and why data or services are on the device. There is no foolproof way to prevent a mobile device from being stolen, lost, or otherwise compromised by an intruder.

Contact UTS at [email protected] if you have questions or comments about how we can help you learn more about how to secure your mobile computer.

What are Personal Accounts and Solutions?

Oakland University employees have an obligation to protect the data created, stored, accessed and transmitted by Oakland University. A Personal Account is one used for an online service where the individual person has individually agreed to Terms and Conditions or licenses. Examples include Dropbox, Evernote, iCloud, OneDrive, Microsoft Office 365, and others. This includes any IT or software service where you, as an individual, has setup an account that is not maintained by University Technology Services and there is no university contract in place. These services should never be used to maintain or share Confidential Data as defined in university policy #860 Information Security. External service providers, including cloud services, should not be used for confidential university information unless there is a contractual agreement between Oakland University and the service provider that protects the confidentiality of information and security. When creating a password for cloud or other online services, use a password that is different from any password used for a University Account. University Accounts are described on the Access, Accounts and Password Guidelines page.

At this time, G Suite is a university personal service, and it may be used for university documents that do not include Confidential data. Microsoft Office Education is a personal service and should not be used for any official university business. No backups are made for material stored in either solution. When an individual student, faculty, or staff member leaves Oakland University, the individual must transfer or preserve materials appropriately prior to departure or termination.

Are there guidelines for securing my mobile device?

We recommend following guidelines from Educause.

Review the FCC Smart Device security guidance on the FCC.gov website.

Are there travel guidelines for securing mobile devices?

In general, consider that the traveling mobile device may be lost, stolen, or confiscated during the course of travel. Individuals and departments need to plan carefully for the potential loss.

Research, beware of the risks, and prepare your technology before you travel. We recommend following guidelines from Educause and the Internet2 site for travel.

Academic travelers should review material posted by the Research Office under Export Controls and UTS Research Support Information. Consider checking out an older laptop with limited software from UTS by sending a request to [email protected]. Download and check the International Travel Checklist.

You can request the following FBI documents by emailing [email protected]:

• Best Practices for Academics Traveling Overseas
• FBI Business Travel Brochure

Review the FCC Smartphone Security Checker posted with on the fcc.gov website here and the FCC Cybersecurity Tips for International Travel here.

Review guidelines for protecting privacy at the border: Defending Privacy at the U.S. Border:  A Guide for Travelers Carrying Digital Devices.

What are the risks for a lost or stolen laptop, smartphone or other computing device?

Only you can determine what is actually at risk. To review the issues in detail, or to file a report for a lost or stolen device, complete the Checklist for Lost, Stolen or Missing Computer, Smartphone or Other Media Storage Devices.

Here are some common risks:

• The risk that confidential or sensitive information is lost, stolen, or shared inappropriately in violation of privacy, laws, regulations, or contracts.
• The risk of identity theft.
• The risk to gain unauthorized access to private networks.
• The associated costs and business interruptions of laptop and data loss.
• The threat of litigation and public embarrassment if confidential information from a third party is lost or stolen.
• The cost of compliance with privacy breach notification laws.

What types of mobile devices need security?

Mobile devices include laptop computers, smartphones (Android, iPhones, etc.), tablets (iPads),  and any handheld computing device. Mobile devices that may store data include USB flash drives, external hard drives, CDs (compact discs), and DVDs (digital video discs).

The available technology for devices other than laptops may be insufficient to assure security and should be reviewed prior to storing confidential data.

Do I have to secure my personal smartphone or computer if I use it for University business?

Yes, you are responsible for implementing security measures to protect the data on any device (university owned or personally owned) that is used to access and/or store confidential university data. We recommend that university data not be stored on any device not owned by the University. Please review the Data Management and Information Security Policy #860 before storing any university data on a device not owned by the University.

What is encryption?

Encryption is the process of enhancing security by converting data into a format that is unreadable so it is protected against everyone except those with a special key. There are two options:

• Encrypting individual files and/or directories
• Encrypting an entire disk

University Technology Services recommends full disk encryption.

What types of data and devices need to be encrypted?

Data that are specifically restricted from open disclosure to the public by law, such as Personally Identifiable Data, are classified as “Confidential Data” and require a high level of protection against unauthorized disclosure, modification, destruction, and usage. Devices storing Confidential Data should be encryption. Mobile devices, such as laptops and smartphones, should be encrypted.

Examples of confidential data include, but are not limited to:

• Social security numbers
• Credit card numbers
• Official student grades
• Financial aid data
• Research data
• Drivers license numbers
• Individuals’ health information

Some data are federally protected under laws like the Family Educational Rights and Privacy Act (FERPA) and the Health Insurance Portability and Accountability Act (HIPAA). For more information, read the Data Management and Information Security Policy #860.

What types of encryption solutions are available?

Encryption software is available either paid or free software. The use of encryption requires key management and must be managed by either yourself or your department. Encryption key management is not the responsibility of University Technology Services.

• File Vault is the built-in file/folder encryption solution available for Macs.
• Apple Platform Security describes protections for Apple devices.
• Bitlocker - Windows is the built–in full disk encryption available for Windows.
• ChromeBook is locked by default, but pass phrases should still be used.
• OpenPGP is a third party paid encryption solution for Macs and Windows. PGP also offers mobile encryption solutions.

How do I protect my activities on a wireless network?

You can protect your wireless network by enabling WPA (Wireless Protected Access) encryption. WPA2 is the newest and highest level of encryption available. The encryption scrambles data on your wireless network so that only computers that have the encryption key can read your communications.

Refer to the owner's manual for your wireless router or access point to determine how to enable and configure encryption for your device. Once you enable encryption on your router or access point, you will need to configure your wireless network devices with the proper information to access the network.

Is fingerprint and biometric recognition software a recommended security measure?

There are many vendors who promote fingerprint and biometric recognition as a security measure.  Biometrics do provide an additional layer of security.

What are some best practices for securing a mobile device?

The following best practices are easy to implement and inexpensive ways to secure your mobile device:

• Keep patches up-to-date on operating systems — Whenever a security issue comes to light, the software maker issues an update or a patch. This reduces the possibility that a system can be compromised. If the computer is on the University domain environment then these patches are maintained through group policy.
• Remove Files — Clear temporary Internet files (cache), cookies, and browsing history after Internet usage. Each Internet browser is different see help from the menu bar on how to remove these files.
• Do not store passwords — There are security risks in letting your Internet browser save your passwords. The AutoComplete feature can save Web addresses, form data, and access credentials such as usernames and passwords. Learn how to turn off this feature within the browser help menu.
• Use password protection — Enable the password locking feature and change the password regularly. Choose a strong password - one that is at least eight characters, including a mix of numbers and letters. A long idle time allows someone walk away with a laptop and still have access to all its contents. To minimize this risk, enable a password request after five minutes of inactivity.
• Set-up a personal firewall — Configure your device to enable firewall protection. Firewall software blocks unwanted network communication with your computer. Both Microsoft and Apple provide firewall protection on their operating systems.
• Adjust the wireless security settings — When using wireless connections adjust the security settings on your device to the strongest settings.
• Lock the device — Avoid leaving unsecured laptops or mobile computing devices unattended. Purchase locking cables and lock the device to a heavy non-movable object or store the device in a secure location. If they must be left in a vehicle, they should be covered up or locked in the trunk. If you must occasionally leave a laptop or other mobile device in a car or other location, you must have full encryption enabled on the device.
• Alarm the device — If the laptop is moved or handled without authorization, the system will give a warning signal. There are many different kinds of alarm systems. The simplest ones are integrated into the cable lock, which, if broken, will start the alarm. These alarms can be purchased at office supply stores.
• Encrypt your data — Assess and evaluate the data stored on your device and use the appropriate encryption method or invest in advanced data protection. Leverage advanced data protection technology to remotely wipe sensitive information in the event that your computer is lost or stolen.
• Do not root or jail-break the device, as this may leave the device vulnerable to unauthorized access.

What happens if I lose a device?

What is phishing?

Phishing is a type of Social Engineering attack in which a bad actor poses as a trusted or reputable source and sends fraudulent emails with the intent of manipulating victims into taking an undesired action. Information on how to detect and report phishing is available at the OU Phish Tank.

University employees should contact their designated information technology support staff members if they are using an Oakland University owned computer that is not currently running Symantec Endpoint Protection (SEP). Symantec Endpoint Protection installs are available for free for campus computers. Please go to your Start menu-->Programs-->Symantec Endpoint Protection. If you have the program, please open it and look at your Virus Definition File Date (located on the lower right hand corner). The date should be within this month, if not, please contact your designated information technology support area.

Students and faculty using campus network resources with personal laptops are strongly encouraged to install and maintain security protections such as personal firewalls and anti-virus software.

• CERT Coordination Center
• EDUCAUSE Review Security Matters
• FEMA Ready.gov Cybersecurity
• REN-ISAC Alerts
• Online Fraud Prevention
• Privacy Rights Clearinghouse
• Symantec Antivirus Resource Center
• United States FBI E-Scams and Warnings