Security Policies & Recommendations

Security Recommendations

The security and safety of your computer system is a joint effort between the technical support departments at Rutgers University and yourself.  It is important to understand what you should do on an ongoing basis to ensure that your system remains safe.  The following recommendations will help you keep your systems at work and at home running safely and securely:

  1. Disconnect your computer from the network if you believe your computer is infected.  If you believe that your computer is infected with a virus or malware, please disconnect the system from the network it is connected to immediately to reduce the possibility of the virus spreading to other users and to reduce the extent of the problems on your own system.  Please then contact us for assistance.  You should not connect to any sites or services until the problem is resolved.
  2. Back up your important data regularly. You should save important data on your personal drive when working in the office or in our computer labs and you should also ensure that any other important data on your computer is backed up regularly.  A good rule is to have a backup of your data on a secondary drive like a USB drive and another backup on an offsite or cloud-based system.  Members of the Rutgers community have access to cloud-based file sharing services like Google Drive, Box, and One Drive that can be used to backup files.  Backups should be done regularly and if any of the data you are saving needs to be protected, it should be encrypted.  You can contact us for guidance on protecting sensitive data.
  3. Protect your system with anti-virus software and setup scheduled scans.  All systems configured by the Information Technology Services Office at the Bloustein School have anti-virus software installed.  No matter how careful you are using your computer, there are ways that you can be infected.  Anti-Virus software is freely available to faculty, staff, and students at Rutgers University.  If you would like our recommendations on which programs to use, please contact us.  Once you have the software installed, you should setup regular scans of your computer to ensure that there is not anything malicious on your system.
  4. Ensure that your computer is doing automatic updates for the programs that regularly need to be updated. This includes your operating system and any other programs that would need updates.  Please note that we do not recommend updating any programs or software when using public wireless networks.  There have been documented cases of updates being sent by malicious actors on such networks that are actually viruses or malware.
  5. Be careful about opening attachments or clicking on links in email messages.  Many of the problems that users encounter result from opening infected attachments to emails or clicking on malicious links.  You should only open attachments that you are expecting.  If you have received an attachment from someone that you know and you are not expecting an attachment, you should check with the sender prior to opening the attachment.  In addition to attachments, embedded links in SPAM are also another main cause of spyware or malware infestations.  If you receive SPAM messages, you should never use any of the links in those messages.  If you question the validity of any email message, you can always check with us to confirm whether it is valid.
  6. Be careful when browsing web sites.  Another way your system can become infected is by visiting malicious web sites.  It is important to be careful with the sites you open when browsing or doing research, as the safety of your computer depends on it.  In addition to have anti-virus software installed, another way to help keep your systems safe when browsing is by using ad blockers.  We recommend using uBlock origin as a browser add-on to help keep you safe.
  7. Use good password practices.  Good passwords are long passphrases that include upper-case and lower-case letters, numbers, and special characters like punctuation.  For example, the phrase In1972Iwasborn! is both easy to remember and is a strong password.  It is important to use unique passwords for your accounts and to change your passwords regularly.  You should also be very careful as to where you store your passwords.  If you do record them on paper, they should be locked away.  If you store them on your computer, the file needs to be encrypted with a strong password to protect the file, as otherwise a compromise to your computer may result in your passwords being compromised.  Password managers such as LastPass can be helpful if you have a large number of accounts you need to protect.
  8. Use two factor authentication.  One of the best ways to protect your accounts is through the use of two factor authentication.  The most common way of using this is with an app installed on your phone although some systems continue to use texts and emails to provide confirmation codes for accessing accounts.  Rutgers has implemented two factor authentication to help protect your Rutgers accounts and we recommend using it.  You can find out more about Rutgers DUO here.
  9. Maintain the physical security of your system. Physical security can include such measures as physically locking the system down with an aircraft grade cable to prevent theft to setting BIOS passwords that are required to start the system.  Another excellent physical security measure is to setup up full disk encryption that protects your data if your computer is lost or stolen.  Another good practice is to setup screen saver passwords for instances when you may walk away from your system.
  10. Do not run file and print sharing, remote access programs, or peer-to-peer file sharing programs on your system. These programs are dangerous and can expose your computer to security problems.  If for any reason you need these programs for your work, please contact us for guidance.
  11. Install or activate your Personal Firewall. Personal firewalls can also help keep your computer safe. At one time, it was standard protocol to have a third-party firewall running.  At the present time, the built-in firewalls from Microsoft and Apple are sufficient provided that your computer is protected by a firewall or at the very least a router.
  12. Use secure services whenever possible. Secure services are programs that protect communications and file transfer.  There are countless apps that can provide secure communications such as signal and there are many tools available for transferring files securely.  If you need to transfer sensitive data for work related purposes, please contact us for guidance.
  13. Do not use public wireless networks.  Public wireless networks are dangerous and are commonly used to compromise computers.  We strongly recommend against the use of such networks.  If you absolutely need to use a public wireless network, you should use a travel router when possible in conjunction with a VPN service and you should limit the amount of time you are on that network and install any updates when connected to such networks.
  14. Do not allow anyone to connect to your computer unless it is a technical support person you know and trust.  There are countless scams going on with people who want to gain access to your computer to install malicious software.  Most of these scams are perpetrated over the phone where someone will contact you and inform you that they are calling from Microsoft or Apple and need to address a problem on your computer.
  15. Secure your mobile devices.  Phones and tablets that can access your accounts are an easy way to have those accounts compromised.  Password protect your mobile devices, turn off Blue tooth when it is not needed and use tracking software so that you can locate your devices if they become lost or stolen.
  16. Update the firmware on your router and restart it regularly.  There are attacks directed specifically at home routers.  A good practice is to login to your router once a month to see if there are updates that can be installed.  We also recommend restarting your router weekly for security purposes and to keep it running efficiently.

We hope that you find this information useful.  If you have any security questions or concerns, please contact us at help@ejb.rutgers.edu.

Security Policies

Non Public Personal Information Policy

Overview

SECTION I – Overview

Background

As required by Rutgers, The State University of New Jersey, the Bloustein School has developed a school policy to safeguard non-public personal information (NPPI). The compromise of non-public personal information (NPPI) information is a far too common occurrence in the information age in which we live. According to the Privacy Rights Clearinghouse, over 232 million identities were exposed in 2011 alone. In order to reduce the probability of compromise, policies are needed to create guidelines for the use and protection of NPPI.

Policy Purpose

The intent of this policy is to minimize the possibility of the access or manipulation of sensitive information by unauthorized individuals or organizations. This document provides a set of guidelines related to the storage, usage, transportation, and transmission of electronic and hardcopy sensitive information. It also requires that any employee (or student) who is using sensitive data identify themselves as “data custodians” within the Bloustein School. Adherence to these policies by the members of the Edward J. Bloustein School of Planning and Public Policy community will ensure the confidentiality and integrity of sensitive information, while also making this information available to the individuals who may need to use it for administrative, instructional, or research-related functions.

Important Definitions

1. Non-Public Personal Information (NPPI)

As outlined by the security policy at Rutgers University: NPPI shall not include publicly available information that is lawfully made available to the general public from federal, state or local government records, or widely distributed media.” NPPI includes but is not limited to:
(1) Social Security numbers*
(2) Driver’s license numbers or state identification card numbers
(3) Credit or debit card numbers
(4) Medical records
(5) Student records
(6) Financial records
(7) Legal Records
(8) Police Records
(9) Studies or surveys using confidential or personally identifiable data*Social Security numbers (SSN) have become a widely used identifier and is well known as the root of identity theft. University departments should no longer collect or use the SSN (with the exception of temporary use to process a new employee). Instead departments should use alternative forms of identifying students, clients, employees, and faculty whenever possible. Requests to provide a SSN (if the department is legitimately required to store them) should be denied or, in the least, verified for legitimacy.Source: Rutgers University Department of Information Protection and Security Definition of Sensitive Information (Non Public Personal Information or NPPI): http://rusecure.rutgers.edu/nppi/who/department-responsibilities/department-definition-of-nppi

2. Classifications of Data

Classifications are helpful in determining the level of risk involved related to various forms of data.

Restricted Data (highest level of sensitive)

Restricted Data is the most sensitive information and requires the highest level of protection. This information is usually described as “non-public personal information (NPPI)” and is related to people or critical business, academic or research operations under the purview of the Owner/Data Custodian. Restricted data includes, but is not limited to, data that Rutgers is required to protect under regulatory or legal requirements. Unauthorized disclosure or inappropriate use of restricted information could result in adverse legal, financial or reputational impact upon the university, as well as individuals and organizations. Examples of Restricted Data include but are not limited to: sensitive student or employee identifiable information (i.e., Social Security Number, driver’s license number, etc.), credit card information, confidential research, and file encryption keys, as well as certain financial records, medical records, legal records, student records, police records.

Limited Access Data

Limited Access Data is information that does not meet the requirements of restricted data but requires a moderate level of sensitivity and protection from risk and disclosure. Limited Access Data is the default and should be used for data intended for use within the University or within a specific workgroup, department or group of individuals with a legitimate need-to-know. Limited Access Data may be information one unit decides to share with another outside their administrative control for the purpose of collaboration. Unauthorized disclosure or inappropriate use of Limited Access Data could adversely impact the university, individuals, or affiliates but would not necessarily violate existing laws or regulations. Examples of Limited Access Data include but are not limited to: incomplete or unpublished research, internal memos or reports, personal cell phone numbers, project data, data covered by non-disclosure agreements.  Although most Limited Access data is not technically NPPI, in many cases, we will agree to protect it in the same manner in order to comply with the security requirements of organizations providing data as part of grant requests.  In addition, if there is any concern that limited access data should be better protected, please contact the Information Technology Services group for assistance or guidance.

Public Data (low level of sensitivity)

Public data is information that may or must be open to the general public. It is information with no existing local, national or international legal restrictions on access or usage. Public data, while subject to University disclosure rules, is available to all individuals and entities both internal and external to the University. While the requirements for protection of public data are less than that of Restricted and Limited Access Data, sufficient controls must be maintained to protect data integrity and unauthorized modification or destruction. Examples of Public Data include but are not limited to: data on websites intended for the general public, course listings, press releases, marketing brochures, university maps, and annual reports.  Typically, we do not protect any public data with NPPI restrictions or protections, nor are individuals required to register as a data custodian for the use of public data.  If public data has been used to create new information that has value, then that information should be protected by centrally storing it on our systems at the Bloustein School.

Data Custodian

A data custodian is anyone who has access to, stores, transmits, or uses NPPI at the Edward J. Bloustein School of Planning and Public Policy.  This includes restricted data and limited access data that is being protected as restricted data for the purposes of grant requests or in order to provide better protection on that data.
Source: http://rusecure.rutgers.edu/content/draft-information-security-classification-policy

Policy

SECTION II – Policy

Policy Statement

Members of the Edward J. Bloustein School of Planning and Public Policy community are required to know what constitutes NPPI. In addition, if an individual meets the criteria for being deemed a data custodian, that individual should:

  • Register as a data custodian with the Bloustein School by completing the form that accompanies this policy and submitting it to the Information Technology Services office. All registered data custodians will be included in a database for tracking sensitive information usage at the Bloustein School. Anyone who meets the criteria of a data custodian whether an employee, student, or affiliate member must register immediately upon becoming a data custodian.
  • Maintain NPPI in a dedicated, centralized, and secured location.
    • Electronic information should only reside on dedicated file servers (networked drives) within the Edward J. Bloustein School of Planning and Public Policy environment.
    • Hard copy information should be stored in locked drawers or filing cabinets when it is not being used. When such sensitive information is being used, the material should not be left unattended, nor should any such information be left in a room that is unlocked. The information should not be left outside of its primary storage location overnight.
  • Not store electronic NPPI on local systems, portable systems, portable devices, or systems being used for remote access to the Edward J. Bloustein School of Planning and Public Policy networks.
  • Not store or transfer NPPI using university or personal email accounts.
  • Not transport hard copy NPPI outside the confines of the school or center in which it is being held.
  • Not publish NPPI to web sites or any internal or external file sharing systems other than the dedicated Edward J. Bloustein School of Planning and Public Policy file sharing servers. This includes files sharing systems like drop box and replication systems like iCloud.
  • Not take any NPPI with you should you no longer be employed by, or no longer be associated with the Bloustein School.
  • Appropriately discard unused/unnecessary NPPI as soon as possible by complying with the procedures outlined below under “Secure Removal and Disposal of NPPI.”.
  • Notify Information Technology Services or the Business Services Office immediately if there are any possible threats related to the compromise of NPPI. This includes any security threats to computer systems using NPPI. For hardcopy information, this includes any possible breach of physical security to the locations where NPPI stored.
  • Not remotely access NPPI on the secure servers at the Bloustein School through a VPN connection if they have any suspicion that the machine being used to connect to the information is infected with malware, spyware, or a computer virus.

Should it become necessary to store NPPI outside the parameters set forth in this policy, an exception request must be completed by the appropriate data custodian and, where necessary, be approved by the Dean’s office prior to the data leaving the School as listed below. This provision allows the Dean’s office to provide the requestor with advice on best practices for ensuring additional security measures are taken to protect the sensitive information.

  1. For electronic data, when accessing or storing data on any system other than the file servers within the Bloustein network, or transferring such information to individuals outside the Bloustein School, submit the form to the Information Technology Services office.
  2. For hard copy material that is transported outside the normal storage area or that cannot be secured, submit the exception request form to the Business Services Office.

User Responsibilities

Data custodians are responsible for storing all sensitive information on the designated systems within the technical environment of the Edward J. Bloustein School of Planning and Public Policy. The protection of these systems and the associated internal networks are the responsibility of the Information Technology Services staff of the Edward J. Bloustein School of Planning and Public Policy. If an individual is using sensitive information based on an exception request, then that individual is responsible for the safety and security of that data. Data custodians are expected to notify Information Technology Services or the Business Services Office immediately if any threats arise that may jeopardize the security of NPPI. It is also expected that any individuals acting under an exception request will adhere to any additional security related procedures recommended by the technical and business staff of Bloustein Dean’s office.

Should an individual associated with the school but not employed at the school become responsible for NPPI, he or she must register as a data custodian. The responsibility of notice in this regard will fall upon the area director or the principal investigator for grant related research. For centers this will be either the faculty director or the staff executive director.

Proactive Restricted Data Discovery Processes

The Information Technology Services unit of the Edward J. Bloustein School of Planning and Public Policy will use scanning tools to proactively try to identify Restricted Data that resides on systems within the organization to ensure that it is adequately protected. These scanning tools will be used on a regular basis and any restricted data that is discovered will result in communications with the owner of the data to ensure that the data should be stored in its current location, that it is adequately protected, and to ensure that the individual is properly registered as a data custodian. Similarly, the Business Services Office will periodically conduct in-person audits for hardcopy restricted data.

Secure Removal and Disposal of NPPI

Any system that houses NPPI requires special attention prior to its disposal. Specifically, NPPI will need to be securely removed so that there are no traces of that data left on the existing system or device. When such a device needs to be disposed of, the Information Technology Services staff at the Edward J. Bloustein School of Planning and Public Policy should be contacted to provide assistance with securely deleting such information through drive sanitization processes. This includes computers, copiers, fax machines, and portable storage devices.

Sensitive information in hardcopy form should be destroyed once it is no longer deemed necessary by school wide and university wide records retention policies. Hardcopy sensitive information should be cross shredded prior to disposal. Unnecessary NPPI should remain in a locked filing cabinet or desk until it is shredded. In addition, any credit card information recorded for the purposes of processing a transaction should be destroyed immediately after completing the transaction.

Security Training

All members of the Edward J. Bloustein School of Planning and Public Policy are required to complete an online information security awareness training session and take a quiz associated with that training. If an individual scores below 85 percent in the training, an in-person training session will be required. In addition, individuals will be required to take this training at the beginning of their employment with the school and at least once every three years thereafter. These training requirements are also applicable to any registered data custodian whether he or she is part of the school or not.

Policy Modifications or Updates

This policy will be reviewed and modified or updated as necessary or if any major security issues arise related to the use of NPPI. This policy will also be reviewed annually and updated based on any relevant changes to the technical environment.

 Last Revision Date: November 2013
Cover Letter

Cover Letter

To: Bloustein School Faculty and Staff Members

From: James W. Hughes, Dean

Re: Shared Responsibility in the Protection of Non-Public Personal Information

As you are undoubtedly aware, there has been a large increase in the number of cyber-attacks throughout the United States. The Bloustein School is not exempt from these potential threats. As part of a university-wide effort, Rutgers University’s Internal Audit Department recently reviewed the Bloustein School’s security policies and procedures and recommended that because the school has a large number of researchers using sensitive human data, we must take measures to ensure the confidentiality, integrity, and availability of this data. With over $30 million in research work – much of it dealing with human data – being conducted at any one time, the Bloustein School is viewed as a prime unit (along with several other academic units) to implement such a policy. In this regard, the university is requiring that all units and individuals employed or affiliated with the university to safeguard non-public personal information (NPPI), including such data as social security numbers, financial and health information, and driver’s license numbers.

To assist researchers in the school to safeguard NPPI, we are doing the following:

  • Providing a self-reporting form to assist the school in identifying which faculty, staff, and students work with NPPI and whether such data is in paper or electronic form
  • Developing on-line instruction with guidance on how to safeguard NPPI
  • Performing periodic audits, beginning with those centers, faculty, and staff who work with such data. Audits would include electronic scanning of computer hard drives and the network for strings of data that would identify the existence of unprotected social security, credit card, or drivers’ license numbers. Audits would also include offices where paper copies of NPPI are used.

The full policy, reporting form, and other relevant information is available on the school’s website at the following link: www.bloustein.rutgers.edu/nppi

The intent of this policy is to minimize access or manipulation of sensitive information by unauthorized individuals and ensure the confidentiality and integrity of this information while making it available to those who need it for administrative, instructional, or research-related functions.

You will be hearing further from Martin O’Reilly and Sharon Fortin-Kramer on details of implementation. They would also appreciate hearing from any faculty or staff members interested in volunteering to serve on an advisory committee on protecting NPPI in the school.

I appreciate your cooperation in advance, and am happy to answer any questions you may have regarding this policy and its implementation.

Responsibilities

Community Members Responsibility

1. Dean’s office responsibility

    1. Office of the Dean
      • Promote the importance of protecting NPPI through an annual (November) dissemination of the School’s NPPI policy.
      • Provide mandatory online instruction to all faculty and staff, and any student or research assistant who is involved in any research/business that includes NPPI.
    2. Information Technology Services
      • Securely maintain a database of NPPI “data custodians” for the School.
      • Provide in-person instruction and guidance where necessary or requested.
      • Perform electronic scanning for the existence of unprotected NPPI.
    3. Business Services
      • Provide information on protecting NPPI in new employee orientation.
      • Perform periodic audits of physical space (office, storage facilities, etc.) to ensure NPPI is stored in locked cabinets behind locked doors and is properly disposed of when no longer required for research or normal business. Sharon Fortin-Kramer and Fran Loeser will be tasked with NPPI audits of physical space.

2. Center/Program Directors’ responsibility

    • Promote the importance of protecting NPPI.
    • Identification of NPPI users associated with areas of responsibility will be required on an annual basis and as individuals (faculty, staff, students, and other contingent participants) become responsible for NPPI material.
    • Be cooperative with the individuals responsible for NPPI inventory and periodic audits.

3. Principal Investigator responsibility

    • As endorsement forms for new grants/contracts are completed, identifying the use of NPPI will be required using the existing “Additional Information Needed Relating to Proposed Research” form.
    • Be cooperative with the individuals responsible for NPPI inventory and periodic office/desk audit

4. Individual responsibility

  • Register as a “data custodian” should NPPI be accessed or used. All faculty, staff, and students who are employed by the School or who participate in any activity that requires the use of NPPI must register as a data custodian with the dean’s office.
  • Familiarize yourself with related University and School policies and other sources of information, and handle NPPI as prescribed for “data custodians”; they are as follows:
    • Edward J. Bloustein School Non Public Personal Information Use Policy
    • University Information Protection and Security (click here)
  • Participate in mandatory online instruction provided by the school. Includes all faculty, staff and any student who may come in contact with NPPI.
  • Maintain NPPI according to the policies of the school and the university.
  • Be cooperative with the individuals responsible for maintaining NPPI inventory and performing periodic office/desk audits.
  • Notify Information Technology Services or the Business Services Office immediately if you are aware of any possible threat related to NPPI.
Form, Training, Links

Sign Off Form

Employee Agreement & Data Custodian Registration Form (Please contact the EJB Information Technology Services office for the link to the current form)

Training

Training is provided on the KnowBe4 security awareness training platform.  Users who register as data custodians, or who are onboarding to positions using sensitive data will receive information on the required training.

University Links