Security Awareness (Responsible Computing) at UVA
A Handbook for Faculty & Staff
The University of Virginia has a highly complex and resource-rich information technology environment upon which there is increasing reliance to provide mission-critical teaching, research, public service, and healthcare functions. Users of the University's IT resources are responsible for using these resources responsibly in support of these functions, and for respecting the rights of others. The University is strongly committed to maintaining the privacy and security of confidential personal information and other data it collects. It expects all those who store such information to treat these data with the utmost care in order to protect the privacy and legal rights of the University community.
Use of these resources is governed not only by the University's own policies, Standards of Conduct and Honor System, but also by local, state, and federal laws. It is important that you read and understand the information within this handbook regarding responsible use of the information technology resources at UVA. Irresponsible behavior can jeopardize not only your access privileges, but may also lead to disciplinary and legal issues that could damage your university experience and ultimately your future.
Table of Contents
- Access to the University Information Technology Resources
- Securing Equipment
- Safeguarding University Information
- Data Protection Regulations
- Email: Rules, Requirements, and Best Practices for Use
- Monitoring and Expectation of Privacy
- Copyrights: Legal and Ethical Use
- Cybercrime and Abuse
- About Web Pages and Individual Websites
I. Access to University Information Technology Resources
The University provides access to information technology resources such as email accounts, databases, servers, and the network, as well as to individual use employee workstations, peripherals, and software. The University maintains ownership of these resources, determines who may use them, and provides guidance regarding their intended use. In return, the University expects faculty and staff to utilize these resources responsibly, in accordance with University policy and with local, state, and federal laws. The University reserves the right to terminate access to the UVA IT resources whenever such action is deemed appropriate, such as for policy violations or malicious use.
Note: In order to connect your electronic device to the University of Virginia's network, you will have to register it. This registration associates your Computing ID with your device and its network activity.
Who Owns What?
We often use the possessive word “your” when referring to equipment such as a laptop or workstation, but this is not meant to imply that you, the user, own the device. More often, you have exclusive use of the equipment without ownership. We also assign ownership of equipment and data to the University when in reality some of these items may officially belong to the Commonwealth of Virginia, a research sponsor, or some other entity. When in doubt regarding the ownership of a particular item, ask your manager or department head, or contact the UVA Help Desk.
The department or unit may also own software licenses — for example, word processing or spreadsheet software — purchased from a software vendor. The licenses usually allow you to possess ONE copy of this software per workstation. It is a violation of your software license agreement to make copies of the software without permission. You should read and abide by the software license agreement. You also may NOT make a copy of software someone else has purchased. The general rule is ONE purchase, ONE copy, ONE USE.
II. Securing Equipment
Safeguarding the institution’s IT resources in the face of growing security threats is a significant challenge requiring a strong, persistent and coordinated program that leverages widely accepted, effective security practices appropriate for the higher education environment. It is required that all computing equipment, regardless of ownership, take reasonable care to meet requirements highlighted in the Security of Networked Devices Standard. If you connect your personal computing equipment or any other non-UVA equipment to the University network, you are responsible for securing that equipment. Failure to secure your personal equipment may result in the removal of access for your equipment to our network. Please refer to this standard, as well as to the University Information Security office website for more information.
Please observe the following to prevent introducing additional risk to the University network:
- limit access to your equipment to authorized persons;
- keep files from unknown sources off your equipment;
- use up-to-date antivirus software;
- use caution in opening attachments and clicking links in suspicious emails;
- use only supported operating systems and software;
- keep your operating system up-to-date;
- use only legal copies of software and copyrighted materials;
- keep application software updated; and
- disable unneeded software features.
III. Safeguarding University Information
The consequences of unauthorized release of data are increasing due to Commonwealth of Virginia and federal regulations and growing public concern over privacy and identify theft. While fulfilling your job duties at UVA, it is highly likely that you will encounter information that is not intentionally made public. UVA publishes policies, standards, and procedures for safeguarding all UVA information assets and you are expected to familiarize yourself with these documents to learn what is required. Important security safeguards are listed below.
It is your responsibility to review all University Information policies, standards, and procedures, but familiarizing yourself with the following best practices will be a great first step toward making information security part of your work routine.
- Successfully complete either the University’s or Health System’s online security awareness training at least annually, which includes acceptance of the Electronic Access Agreement.
- Choose a strong password/passphrase and do not share it with anyone. For help choosing a good password/passphrase, see http://security.virginia.edu/passphrase-guidance. Do not re-use UVA passwords/phrases anywhere else online.
- Do not use another individual’s credentials.
- Enable two-factor authentication whenever available.
- Log off or password lock the screen of your computer when you leave your desk.
- Keep information displayed on your screen confidential and keep confidential printed material secured.
- Seek required approvals for storing highly sensitive data on portable electronic devices and electronic media.
- Encrypt any hard drives and portable storage devices that store highly sensitive University data. See https://security.virginia.edu/encryption. Complete a Highly Sensitive Data Storage Request form BEFORE storing HSD on individual-use electronic device or media.
- Back up your data regularly. Store the backups where they would be available in the event of a disaster and familiarize yourself with how to restore the backed-up data.
- Do not view or access data not required for the performance of your job duties.
- Reformat used storage media to securely erase data that is no longer needed. Destroy external hard drives and other electronic media when they are no longer reusable. Follow the Electronic Data Removal Procedures for any electronic media that contain sensitive data or University-licensed software. Also follow these procedures when surplusing electronic devices or returning them to a leasing company, transferring them from one University employee to another employee with differing software, and data access privileges.
- Secure external hard drives and other storage media in locked desk drawer or in a locked, fire-resistant cabinet when unattended.
- If you become aware University data may have been exposed to unauthorized persons, contact Information Security at email@example.com.
- Ensure that both electronic and paper files in your care are safeguarded according to the University Data Protection Standards.
IV. Data Protection Requirements
In addition to University information policies, there are many state and federal regulations and contractual agreements requiring you to protect University information. A few such regulations are summarized below.
- The retention, protection and filing practices, and techniques for all files and records governed by the state records management program (Code of Virginia, Chapter 7, Public Records Act). Where necessary the University will develop specific regulations and procedures for electronic media within departments needing.
- Standards for electronic file organization; and
- measures for protecting sensitive information stored electronically, and procedures for file backup and restoration.
- The Family Educational Rights and Privacy Act, or FERPA, requires the University protect the confidentiality of student educational records (see the Office of the University Registrar's related information). These include academic records, financial records, disciplinary records, medical records, and placement office records. To be in compliance, the University must obtain the written consent of a student before disclosing non-directory information. The rights of a student to see his or her records does not extend to parents or guardians. The University may not release directories, rosters, lists, or address labels of students to parties not affiliated with the University when a student has requested that this information be withheld. And, the University may not post grades and test scores publicly, unless such data are aggregated and approval is obtained from the Registrar’s office.
- The Gramm-Leach-Bliley Act requires personally identifiable information associated with University customers (persons with whom a continuing financial agreement exists) be safeguarded against unauthorized access or use).
- The Payment Card Industry Data Security Standards (PCI DSS) is a robust security framework governing how credit card data is to be protected. Non-compliance with the PCI DSS could result significant fines, reputational damage, and a suspension of the University’s ability to accept payment cards.
- The Health Insurance Portability and Accountability Act (HIPAA) requires protected health information be safeguarded against unauthorized access or use.
- Be aware student, employee, patient, clinical trial participant, donor and other personally identifiable information is the most sensitive information with which you may come in contact and should be treated accordingly. The University forbids the use of any data for one's own personal gain or profit, for the personal gain or profit of others, or to satisfy personal curiosity. Do not view or access data that are not required for the performance of your job.
V. Email: Rules, Requirements, and Best Practices for Use
As the primary mode of rapid and widespread communication, email serves as a hub for all UVA business and academic processes. It has also become the essential historical content, calendar, and contact filing system for most users. Unfortunately, these qualities make email a rich target for cybercriminals, who are frequently formulating email-based attacks. It is also an effective tool for those who wish to engage in other types of offensive behaviors. Therefore, many guidelines and best practices have been established within University policy, standards, and procedures specifically around the use of email and protection of its content.
- Do not use University email for commercial purposes or for personal gain.
- Do not email highly sensitive data unless you are emailing from a Health System email address to a Health System email address.
- Never email credit cardholder data and never process payments from cardholder data that was emailed to you.
- Coordinate any large scale according to the mass email procedure.
- Should you die, any stored email and files associated with your account are a part of your personal effects and cannot be released unless you have provided written permission.
Although not an exhaustive list, the following 10 guidelines, tips, and reminders will assist you in safeguarding your email.
- Protect yourself against phishing. Phishing is the most commonly-used scam using email or pop-up messages to deceive you into disclosing your credit card numbers, bank account information, Social Security number, passwords, or other personally identifiable information. These messages should be viewed as illegitimate attempts to gain this personal information and should be deleted. These emails may appear to be legitimate. Be wary. Legitimate sources will not ask for personal or account information without providing a way to verify the email. If you receive an electronic communication such as an email from what appears to be your bank or credit card company, or any email that seems out of context given the sender, directing you to click an embedded link, delete the email. Learn more about phishing »
- Do NOT send any highly sensitive data via email. Although some email programs claim to use encrypted email, most still produce messages in plain text; they should be likened to postcards in that others might view the messages in transit or those left in plain view.
- If you receive highly sensitive information via unencrypted email, reply to the sender (after deleting the highly sensitive information from your reply message and from your inbox) asking them to refrain from sending highly sensitive information.
- Email you send becomes the possession of the receiver and is easily redistributed by recipients. Do not put anything in email you do not wish to be accessed by anyone other than the recipient.
- Double-check email content and the addresses of your intended recipients. You will not be able to retract emails you mistakenly send.
- Delete any email mistakenly sent to you and alert the sender.
- When the confidentiality of a message is of the utmost importance, only a person-to-person conversation will suffice.
- The Suspicious Email Alerts page provides a useful list of malicious email messages known to be circulating at UVA (please bookmark this page!).
- Do not download or execute attachments about which you have any question, even if they appear to be coming from a friend. Email attachments are a popular format used to distribute viruses and your friend may not even know that his or her email account is being used for that purpose.
- If you are sending attachments, include personalized text and specific references to provide specific context that will help the recipient know that the message and attachment are indeed from you.
VI. Monitoring and Expectation of Privacy
No user has any expectation of privacy in any message, file, image, or data created, sent, retrieved, or received by use of the Commonwealth's equipment and/or access. The University has the right to monitor any and all aspects of their computer systems and to do so at any time, without notice, and without the user's permission. However, the University does not routinely examine or monitor content such as that contained within email without providing notice to affected individuals or first getting approval from a University authorizing official. Email messages and other files associated with an individual are subject to review with sufficient justification. They may be subject to Virginia Freedom of Information Act (FOIA) if they were produced, collected, received or retained in pursuance of law or in connection with the transaction of public business. To understand how the University responds to requests for individual account log or content information by persons other than the account holder, as well as what approvals are required, see the Monitoring Guidance and the Electronically Stored Information Release Standard.
University policy allows system administrators to view and modify files, including email messages, in the course of diagnosing or resolving system problems and maintaining information integrity without additional approvals. System administrators are expected to treat any such information on the systems as confidential. However, if an administrator comes across information that indicates illegal activity, he or she is required to report the discovery to appropriate authorities.
VII. Copyrights: Ethical and Legal Use
Unauthorized use of copyright-protected or licensed materials (including, but not limited to, software, images, movies, music or audio files) is a violation of University policy and federal law. Any individual who reproduces and/or distributes copyrighted material without permission and in excess of "fair use" has violated University policy, the Employee Standards of Conduct, and federal digital copyright law. Please see the Copyrights of Digital Materials and Software Standard for more information. The University will not shield such individuals from lawsuits brought by the copyright owner.
Individuals who use filesharing software such as BitTorrent to stream or download files often unknowingly allow their computers to be used by the software to share not only these files, but also the individuals' personal files with other filesharing users on the Internet.
Copyright owners such as major entertainment companies have technology that will detect illegal streaming and downloading over the internet and will contact UVA with specific location details used to identify you. UVA will use this information to contact you and require that you immediately discontinue the illegal use. The University will not protect individuals who use or share (knowingly or not) copyrighted materials without an appropriate license to do so.
Copyright laws and policies also apply to software. Most software available for use on computers at the University of Virginia is protected by federal copyright laws. The software provided through the University for use by faculty, staff, and students may be used only on computing equipment as specified in the various software licenses. Licenses sometimes specify that you may use the software only while you are a member of the UVA community.
It is the policy of the University to respect the copyright protections given to software owners by federal law. It is against University policy for faculty, staff, or students to copy or reproduce any licensed software on University computing equipment, except as expressly permitted by the software license. Of course, faculty, staff, and students may not use unauthorized copies of software on University-owned computers.Remember: You are held accountable for any misuse of your account, even if you are not the perpetrator.
VIII. Cybercrime and Abuse
The Internet community is constantly under attack by cybercriminals seeking to do harm for financial, political, or personal gain. Such malicious activities that may lead to an information security incident include:
- committing fraud and identity theft from compromised accounts or systems;
- theft of UVA computing IDs and passwords;
- disruption of computer systems and networks;
- flooding email with unwanted messages (spam);
- hijacking email accounts and sending forged electronic messages;
- phishing (learn more at http://secureuva.virginia.edu/phishing/);
- posting threatening messages;
- spreading viruses and other malware; and
- subscribing and unsubscribing others to mailing lists without their consent invading the privacy of others.
Faculty and staff who willingly engage in these activities at the University of Virginia may lose computing privileges and suffer other severe consequences from the disciplinary entities at the University. They might also be subject to prosecution under state and federal laws. Should you become aware that any of these activities are occurring, please report them immediately to the University Information Security office.
Abuse of Information Technology Resources
Unfortunately, computer abuse, malicious behavior, and unauthorized account access do happen. Prohibited conduct relating to computer access and use for which faculty and staff may be subject to disciplinary action are defined in their respective "standards of conduct." Some examples of abuse include:
- the use of obscene or abusive language (a Group I offense for staff, resulting in written notice; three "active" Group I offenses result in suspension without pay);
- unauthorized use or misuse of state property or records which includes electronic data (a Group II offense for staff, resulting in written notice and/or suspension without pay);
- willfully or negligently damaging or defacing state records, state property or other persons' property (a Group III offense for staff, resulting in written notice and removal or notice and suspension of up to 30 workdays without pay);
- falsification of records; and
- theft or unauthorized removal of state records, state property, or another persons' property.
Should you become aware of any of these activities, report them to University Information Security your system administrator or another appropriate University authority immediately. Abuse of information technology resources should be reported to the electronic mail address firstname.lastname@example.org. For more information on acceptable use practices, see the University Information Security website.Violations of law that occur in the context of computing activities have serious University-mandated disciplinary consequences. Sanctions involving central University information technology and communications resources for violation of policy or for law are determined by various disciplinary entities. In the event that an immediate threat to the information technology resources is found, the University will take direct and immediate action to safeguard the resources it is charged to protect.
IX. About Web Pages and Individual Websites
The University's Web server and tools provide the opportunity for you to develop and publish an individual website. In doing so, you are expected to act responsibly, just as you would in all use of information technology resources at the University.
The following is not an exhaustive list of web page development responsible use, but provides a good overview of what is required.
- You assume full legal responsibility for the content of your Web page(s).
- You must abide by all applicable local, state, and federal laws, including laws of copyright. Be advised that you are responsible for the content used on the Web pages you develop (http://www.virginia.edu/siteinfo/copyright).
- You may not use individual Web pages for fundraising or advertising for commercial or non-commercial organizations, except for University-related organizations and University-related events and in accordance with policies governing these activities.
- You may not use the University name in your Web pages in any way that implies University endorsement of organizations, products, or services about which you publish.
- You may not use University logos and trademarks, including the crossed sabers and "V," the Cavalier mascot, the University seal, or photographs copyrighted by the University. Requests for permission to use the University logos or seal in Web or print publications should be directed to University Communications.
Please note any complaints regarding the content on your website will be forwarded to the appropriate disciplinary system within the University.
The University provides Internet access to you with the expectation that, in exchange, you will act as good, responsible, and accountable Internet citizens. The following are practical terms for how you can be a good internet citizen at UVA.
- Familiarize yourself with all applicable University policies, standards, and procedures pertaining to the use of technology and abide by them.
- Don’t let colleagues, relatives, or any other person gain access to the University's IT resources using your account. You will be held accountable for any abuse of IT resources by persons who use your UVA computing ID and password.
- Don’t use computer accounts, computing IDs, and passwords belonging to someone else. To do so violates policy and may violate law.
- Know what local, state, and federal laws and regulations pertain to computing activities. Violators may be prosecuted.
- Good Internet citizens respect one another's privacy. Persons who gain access to resources either by directly breaking into them or because they are poorly protected violate the Acceptable Use policy, along with an array of other University policies.
In exchange for providing information technology resources, the University trusts you to make responsible use of them. If you violate that trust, you may lose access to UVA IT resources.It is your responsibility as a user of the University of Virginia's IT resources to become familiar with the University policies, standards, and procedures that govern their use. By using your computing ID at UVA, you automatically agree to abide by all of the policies, terms, and conditions, including but not limited to the information in this publication and on the UVA Information Technology Policy website.
Have further questions? Please contact the UVA Help Desk.