Tufts University AUDIT & MANAGEMENT ADVISORY SERVICES (AMAS)
What security issues should I be aware of when using the Internet?
Because the Internet has minimal integrated security, users should activate virus protection and apply certain desktop computer security settings. Your school/division/organization’s front-line service provider (FSP) can assist you with these security features. FSP services are described at the following hyperlink: http://uit.tufts.edu/?pid=541.
What should I know about University network services and safe computing in the Tufts local area network (LAN) environment?
Using the Internet introduces the risk that unauthorized parties can access confidential information intended for another person/computer. Tufts invests significant resources to ensure the security of electronic data and desktops connected to the LAN. To reduce the risk of unauthorized access to confidential information, these security controls include: firewalls, user IDs and passwords, virus protection software, file encryption, SSL (Secure Sockets Layer) website technology, VPN (virtual private network) technology through which data can be securely transmitted across the Internet, “hardened” desktop and server templates, and system vulnerability and intrusion detection analysis.
Although not all of these security controls may be present or activated on your particular system or application, the University strives to implement appropriate security control measures to reduce the risk of unauthorized access to confidential information.
What can I do to reinforce secure and safe computing practices at Tufts?
In the Tufts computing environment, the most important source of IT control is user information security awareness and communication. A user who detects common security weaknesses and communicates them to appropriate technology personnel (your FSP or the TCCS IT Support Center) will help the University to maintain a safe and secure computing environment. Common weaknesses include: using “weak” passwords, sharing passwords, failing to install virus protection, responding to “phishing” schemes, leaving computers operating while unattended, failing to log out of systems when no longer in use, and installing programs from un-trusted sites (risking infection, monitoring and virtual takeover of desktop computers).
What should I know about user password management and best practices?
Passwords used to access sensitive applications and data should be private, not shared with others, and meet minimum basic standards that reduce the likelihood of their compromise. Although powerful new “hacking” tools have been devised to defeat password controls, adopting a password that meets the following criteria is still the most effective control we have over access to Tufts’ applications, systems and confidential data. The password should not be readily “guessable”; should not be a commonly used term (e.g., last user name, sports teams, Tufts-related words such as Jumbos, elephant) or a generic one (e.g., password, guest, student, etc.); should be a “non-dictionary” term; and should be eight (or more) alpha-numeric characters in length.
Default passwords shipped with certain IT hardware and applications should always be changed or disabled when installed. Passwords should not be displayed or affixed to the side of terminals, under keyboards/mouse-pads or other common “insecure” areas.
Where can I find additional ideas on safe and effective network and password “best practices” in the Tufts computing environment?
The University has adopted many policies related to your responsibilities as a user in the Tufts computing environment. We suggest that you visit the following University-sponsored websites that offer additional ideas about effective password conventions and “best” IT security practices:
Has Tufts adopted any general policies related to my responsibilities as a user of Tufts’ computing IT resources?
The University has adopted a series of policies regarding appropriate use of University IT resources at the following websites:
Are there other information security issues that I should be aware of when using Tufts’ IT computing resources?
Password controls alone may not prevent unauthorized parties from accessing your computer or data. Once data has been downloaded to your desktop computer, you have a responsibility to properly secure it. If proper data access controls have not been configured, confidential data may be accessed from your computer by an unauthorized person and you may not even be aware of it. To reduce this risk, file access control “levels” should be administered appropriately for users or groups depending on the capabilities of the application and the confidentiality of the data. These include:
I’ve heard about computer viruses – what should I know about these malicious programs?
A computer virus (or worm) is a self-replicating segment of computer code designed to spread to other computers when "infected" software is shared or certain attachments to an email message are opened. Viruses are usually activated after downloading and/or installing infected files shared by friends and colleagues or downloaded directly from the Internet or from email attachments. Viruses may be "benign" (an annoyance) or "malignant" (harmful to your computer up to and including having to rebuild your machine).
Viruses can be dormant for days, or even months, before becoming activated; once activated, you will probably experience one or more of the following symptoms:
The University supports the installation of virus protection programs that are updated daily with new (known) virus patterns. These programs are provided to University users at no cost. Any questions about viruses or the infection of your computer should be addressed through your Frontline Support Provider (FSP) or the University IT Support Center.
What should I know about backup practices and protecting against the loss of data on my computer?
Backing up your files gives you the ability to restore lost or corrupted information quickly and accurately to the state it was in at your most recent back-up. In general, it is a good idea to store critical files on secure network drives since these are backed up nightly by the TCCS Operations staff or your local school/division’s IT group. If you decide to store critical files on your local computer, you should consider an appropriate back-up method that you routinely perform (daily or weekly depending on your critical back-up needs). In general, the more valuable your data, the more frequently backups should occur.
After backing up your files, it is a good idea to physically store them in a separate, secure area away from your computer to ensure that both sets of data are not destroyed in a local disaster incident. Critical or sensitive backup data should be stored in secure, fireproof media containers.
What should I know about Disaster Recovery and Business Resumption Planning?
For those systems and applications that are critical to your operation, we suggest that you prepare a disaster recovery plan which includes the following components:
Plan information should be stored in a secure location away from the area that might be affected.
If I have a question about audits of IT security, can I contact Audit and Management Advisory Services (AMAS)?
AMAS always welcomes inquiries about IT audit and security issues. If you should have questions about information contained herein or wish to suggest an appropriate area for IT audit services, please contact the Director of Audit & Management Advisory Services, Seth T. Kornetsky, at 617-627-2068 or seth.kornetsky@tufts.edu or Senior University Auditor/IT Controls Specialist, William L. Woodfin, at 617-627-2607 or william.woodfin@tufts.edu and they will be glad to assist you with any queries or concerns.
©2006 Tufts Audit & Management Advisory Services