November 2021 IT Security Newsletter


It’s the end of November and you know what that means. It means I am going to talk about the AUP like I do every November. 😊  This is such an important policy I like to do everything I can to make you aware of it and remind you that your expectation as an employee of the Institute is to review this policy (and ALL policies) at least annually.

And speaking of annual requirements, the deadline for completing your security awareness training is approaching. This year anyone not completing the training by 5pm on 12/17 will lose access to anything using the NetID.

And ‘tis the season! I will give you tips on how to protect your money and your identity online.

Please read below to learn more.

UTIA IT0110 – Acceptable Use of Information Technology Resources Security Policy (AUP)

One of the most important IT Security policies the Institute has is UTIA IT0110 – Acceptable Use of Information Technology Resources Security Policy, or the AUP as it is most often called. This policy defines guidelines for the Institute and its IT assets. The scope includes every IT asset owned, operated, or provided by the Institute, as well as all students, faculty, staff, and any other users who access, use, or handle the Institute’s IT assets. This policy also applies to the use of all University IT assets.

While this policy is particularly long, some of the key points to be familiar with are:

  1. User Privacy
    • Users have no expectation of privacy when using any Institute- or University-owned IT assets.
    • Email may be considered a public record under the Tennessee Open Records Act.
  2. Users WILL
    • Comply with all Institute policies and procedures, as well as all University policies.
      • You aren’t expected to memorize every word of every policy, but I created a “cheat sheet” that will give you a short summary of each policy and to whom it applies.
      • It is expected that every employee regularly reviews these policies.
      • I try to make this more convenient for you by including policy updates and information in these monthly newsletters.
    • Using Institute-owned IT assets implies that you accept this policy.
      • Every time you turn on your Institute-owned computer, you should see that the Welcome Screen has a very brief excerpt of the AUP, and you are agreeing to this policy when you proceed.
      • Every time you change your password on the Password Management site, you must check the box to acknowledge your agreement to abide by the AUP before you can continue with the password change.  
    • Protect data by
      • Following backup policies and best practices.
      • Logging out of sessions and devices.
      • Monitoring access to their accounts.
      • Immediately reporting suspected compromises or unauthorized accesses to me.
      • Using only approved and licensed software and operating systems.
  3. Users WILL NOT
    • Share access codes or passwords.
    • Tamper with or modify restrictions or protections placed on any accounts or IT assets.
    • Commit copyright infringement.
    • Use Institute-owned IT assets for sending spam, phishing emails, viruses, worms, or other malware.
    • Misrepresent their identity by using IP address “spoofing,” email address falsification, or social engineering.
    • Engage in activities that violate Institute policies, plans, or procedures; local, state, or federal law; Institute or University contractual obligations; or other University policies or rules, including but not limited to HR policies and the Standard of Conduct for students.
  4. Institute and University Rights
    • The Institute and the University reserve the right to access, monitor, review, and release the contents and activity of an individual user’s account(s), as well as that of personal Internet account(s) used for Institute business.
    • This action will be taken only after obtaining approval from the Institute’s Chief Information Security Officer; Human Resources; Office of General Counsel; Office of Audit and Compliance; campus, local, state, or federal law enforcement; or in response to a subpoena or court order.
  5. Copyrights and Licenses
    • Users will use only properly licensed software.
    • The Institute is responsible and accountable for maintaining records of purchased software licensure.
  6. Personal Use
    • Institute-owned IT assets are provided for conducting authorized Institute business, and all users are strictly prohibited from using these resources for personal gain, illegal activities, or obscene activities.
    • Any personal use that results in additional risk to the confidentiality, integrity, and availability of any Institute-owned IT assets and the data on those assets is strictly prohibited.
    • The “.edu” domain on the Internet has rules restricting or prohibiting commercial use.
  7. Misuse of IT Assets
    • Users must report all suspected or observed illegal activities to the appropriate Institute administrative office (e.g., theft, fraud, copyright infringement, illegal file sharing, audio or video piracy, hacking, and viewing or distributing child pornography).

Yes, this is a very lengthy policy, and there is more, but it is very significant. Within the policy I have included references to the policies, procedures, state codes, codes of conduct, etc., so that you may have a better understanding of the importance of each area and the consequences involved.

And please let me know if you ever have any questions about this or any of our other policies and procedures. I can’t meet with Audit and Compliance for you if they come to see how well you are meeting requirements, but I can help you before they ever have a need to visit!

UTIA Security Awareness Training

Don’t forget that we are less than three weeks away from the deadline for our annual required security awareness training. To those who have already completed the training that was assigned on 10/08, I thank you very much! To those who have not completed it, you have until 5pm on Friday, 12/17. This is especially important to remember this year because NetIDs will be disabled if the training is not completed by the end of the day on 12/17. If you work on weekends (including those at UTCVM) and you haven’t done your training, you won’t have access to anything using your NetID on 12/18. Please refer to UTIA IT0123 – Security Awareness, Training, and Education Policy for details.

If you have any questions or concerns, please send me an email. And, yes, those with an E01 responsible account get their training assigned by UTK.

‘Tis The Season!

It’s that time of year when we all do a bit of shopping, but with the pandemic still a threat, or if you just hate crowds, you probably do a lot of shopping online. Please use special care to ensure that you are not taking unnecessary risks with your personal information.

  1. Use these Recommended Secure Browser Settings to prevent ransomware, malware, etc., or criminals from stealing your personal information.
  2. Use a different password for every online account you have.
    • Make the password a strong one. Some sites have a gauge that will tell you if the password is weak or strong.
    • Even for your personal accounts I highly recommend using the information under the Authenticator Management section in UTIA IT012 – Identification and Authentication Policy.
  3. If you are asked if you want to use multi-factor authentication for your online accounts such as banking, retail, personal email, bill payments, etc., please do! This can protect your money and your identity from someone who just bought your password on the Dark Web.
    • This additional layer of security would prevent anyone else from accessing your accounts.
    • This is now being offered by many banks, Gmail, online retailers, etc.
  4. If you can use your TouchID for your accounts on your smartphone or tablet, please do.
  5. Never store your credit card information in your accounts.
  6. If you get an email telling you to click because you won a gift card, don’t click; check it out instead. Does it make sense that a retailer would send you a $100 gift card just because you were a good customer?
  7. If you get *anything* in email telling you to click, hover over it to see if the link matches up with what it should.
  8. Do not use a hotspot at public establishments (e.g., coffee shops) for shopping online, as these are not secure.
  9. Monitor your account often for any unauthorized purchases or accesses.
  10. Oh yeah, because I haven’t mentioned spear phishing yet in this newsletter: your supervisor will NOT send you an email instructing you to reply, but not to call, because they need you to purchase some gift cards and they will pay you back at the office later.

Stay safe and thank you all for all that you do!

Sandy