DRAFT rev 9.22.2006

The following are guidelines which should help you keep your data and College data safe.

Protocols for Handling Sensitive College Data

DRAFT rev 9.22.2006

Individual compliance with security protocols is one of the most important pieces in an organization’s overall security strategy. Employees with access to sensitive data must protect institutional and personal information. All Amherst College employees must understand and abide by security guidelines.

  1. Sensitive data should be used only when absolutely necessary (never for convenience).
  2. Sensitive data should be used, moved, and stored only in secure and/or encrypted environments (never via unencrypted email, ftp, or http downloads, etc.; never over unencrypted wireless networks; never stored in unrestricted, unsecured or unencrypted media).
  3. Sensitive data should be handled with due care (e.g. use of patterns to generate PINs, such as the reverse of a social security number, rather than randomly generated PINs, is not acceptable).
  4. Sensitive data should be accessible only to users who absolutely need it.
  5. Computers logged in to secure databases and other secure repositories of sensitive data should never be left unattended (log out before stepping away from your computer).
  6. Amherst College passwords should never be easy to guess (such as any word in a dictionary), shared, or written down. If exposed, they should be changed immediately. Amherst College usernames and passwords should not be used for any non-Amherst College accounts.
  7. Employees must keep their operating system, applications, and antivirus software current. If a computer does become infected with a virus, spyware, adware, etc. the IT helpdesk must be notified immediately. An employee must consult with IT staff before installing software.
  8. An employee should never log into the College network or access encrypted files and then allow another person to use that computer.
  9. Only IT staff will assign, re-assign, or loan College computer hardware and network access to employees.
  10. The College should maintain an active security plan that is regularly updated.
  11. If an employee of the College believes that a breach of sensitive data may have occurred, he/she should follow the Security Breach Action Plan.
General Guidelines
  • Do not send or access sensitive institutional data through any unencrypted channel, such as email, ftp, telnet, unencrypted web forms, or other plaintext services.
  • Report all suspected security breaches immediately to designated Security Officer.
  • Never leave an unattended computer logged into a repository of sensitive data.
  • Do not leave your laptop or handheld unattended where it can be accessed by others.
  • Do not loan your laptop to others.
  • Do not allow others to access removable storage devices, e.g. flash drives or CDs, with sensitive data.
  • Don’t leave devices visible in vehicles (or in extremely hot or cold conditions).
  • Wireless Security
    • Using Public Networks:
      • When using a computer in public spaces disable your wireless connection whenever Internet access is not necessary.
      • When working over a wireless network use Amherst Firewall VPN to access network drives.
    • Home Networks:
      • Use WPA (Wi-fi Protected Access) Encryption if possible–stronger than WEP
      • On older equipment, enable WEP (Wired Equivalent Policy)—weak but better than nothing.

Protecting and Managing Passwords and Accounts

  • Use strong passwords (min 6 characters alpha numeric) or pass phrases (Sentence of mixed letters and numbers - easy to remember).
  • Change passwords every 90 days.
  • Do not share, write down or store passwords in any unencrypted form. This includes not allowing web sites or browsers to store your passwords.
  • Use a BIOS password on a laptop computer.
  • Do not use your Amherst username or password for non-Amherst accounts.
  • Do not use your Amherst e-mail address for personal business. (We recommend that everyone have an alternate email account. Free accounts can easily be established with Yahoo, Gmail, etc.)

Data Encryption

Unencrypted institutional data should not be stored on local hard drives, removable drives, unsecured servers or home computers.

Protect Against Malicious Programs and Hackers

  • Keep virus software enabled and definitions up to date.
  • Maintain current operating system patches and updates.
  • Install application patches when instructed to do so by IT.
  • Do not install any file sharing software on your Amherst device without prior approval from IT.
  • On Windows computers use Windows XP Personal Firewall.
  • If a computer becomes infected or compromised with spyware clean it and report the incident to IT.
  • Back up data on a regular basis.