- Does the University have Information Security policies? Where are they?
- What is HIPAA?
- Who is my TSR?
- What is computer security?
- What is the difference between information
security and computer security?
- Why have good passwords?
- What is a good password?
- What is a virus?
- What can I do to keep from getting a virus?
- What is hacking?
- Do I have a virus?
- My computer is acting up. Do I have a virus?
- What are virus hoaxes?
- Why do I have to worry about information security?
- What anti-virus software is available?
- How do I install anti-virus software?
- Why should I update my anti-virus software?
- Does the University monitor my Internet
- Does the University read my e-mail?
- What about file sharing utilities?
- Why shouldn't I download music and video
onto my work computer?
- Can I download games or utilities to my
- What are the differences between the different *wares
(shareware, freeware, etc.)?
Does the University have Information Security policies? Where are they? [Top]
Yes, the Health Science Center currently has 29 Information Security policies. These policies can be found in section 5.8 of the Handbook of Operating Procedures (HOP). Information Security and Assurance also works closely with many other departments on Information Security-related topics, incidents, and activities. For this reason, Information Security and Assurance has collected the HOP entries related to Information Security on to one page. Go to the following link for those policies:
The Handbook of Operating Procedures can be found at this link.
What is HIPAA? [Top]
HIPAA is the acronym for the Health Insurance Portability and Accountability Act of 1996, also know as Public Law104-191. It has three parts -- transaction code sets, privacy, and security. Information Security deals with the security rule; Information Security and Assurance also works with the Office of Regulatory Affairs and Compliance, who has responsibility for the privacy rule. The security rules states that sensitive patient data, also referred to as electronic protected health information (ePHI), must be protected in all of its forms -- while being stored (e.g., on servers), while being moved (e.g., on CDs or portable media), or while being transmitted (e.g., in e-mail or other electronic data transfers).
Who is my TSR?
Your Technical Support Representative, or TSR, is your first line of
defense for computer-related problems, both hardware and software, and
Information Security. They can give you a hand by putting you in contact
with the people responsible for computer support, network support, and
Information Security; some are very technically proficient and can even
help you solve your problem then and there. The link below will take you
to a listing of TSRs by department. If your department is not on the list,
contact the Customer Service Desk at 210-567-7777 or on-campus at 7-7777 and
they will help find out who your TSR should be. [Click
here for the TSR list. It will open in another window.]
What is computer security? [Top]
Computer security is the set of technological and managerial procedures
applied to computer systems to ensure the availability,
integrity, and confidentiality
of information managed by the computer system. It is often synonymous
with information security, but is really a subset.
What is the difference between
information security and computer security? [Top]
Where computer security deals with the processes applied to computer
system(s), information security concerns all of the aspects regarding
the system of policies and/or procedures for identifying, controlling,
and protecting information from unauthorized disclosure.
While often synonymous, information security is actually a superset of
computer security, encompassing the fields of data security, transmission
security, network security, physical security, personal security, and personnel security, among others.
Why have good passwords? [Top]
The combination of your username and password uniquely identifies you to
the Health Science Center network. They are required to log on to your computer, access your e-mail, visit certain University web sites, and other
University resources, and all network activity is routed with them. A
good, strong password keeps anyone else from logging on to the network
with your username and impersonating you. If this happens, it appears that
any harm, misuse, abuse, and/or impropriety is being caused by YOU, not
the intruder, since it's your username and password which are being used
to access the network; the same goes for e-mail sent out in your name.
Remember, pick a good password and protect it. Never share it with anyone.
What is a good password? [Top]
Most simply put, a good password is easy for the user to remember but
extremely difficult for an intruder to guess. As a general rule, the longer
the password, the better, but passwords that are both longer and more
complex are better still. Making a password complex involves combining
letters (both upper and lower case), numbers, punctuation, and special
characters, but still in such a way that the user can easily remember
it. For example, a six-character password using only lower case letters
has about 309 million possible combinations; an eight-character password
using those same lower case letters has about 209 billion possible combinations.
If you add upper case letters and numbers into the mix, that eight-character
password now has about 218 trillion possible combinations. Though the
numbers seem impressive, many people unfortunately make the intruder's
job easier by making the password obvious (their name or username) or probable
(family member, date, cultural icon) or just plain write it down. Using
a password over and over by changing a single character is a possible
problem, too, since the intruder only needs to guess it once and then
follow your pattern. Pick passwords that are obscure (your mother-in-law's
maiden name and birthday) or acronyms (Wdwgfh? = Where do we go from here?)
or parts of words (GeoCatJoh3! = the first three letters of George, Cathy,
and John, along with something extra at the end), but never anything from
the dictionary (local or foreign) or popular culture. Currently, the University requires all passwords to be at least eight (8) characters in length and at least three (3) of the following - upper case, lower case, punctuation, and numbers.
What is a virus? [Top]
A virus is a program or piece of code that is loaded onto a computer
without the user's knowledge and runs against the user's wishes. Most
viruses can also replicate themselves and, in many cases, can redistribute
themselves. Virus activity can be as simple and benign as a prank or so
destructive that valuable data is lost. Viruses, or malware,
can be distributed by hard media (diskettes or CD), by accessing maliciously
configured web pages, across network shares, or, as has been the case
recently, through attachments in electronic mail.
What can I do to keep from getting a virus?
The single most important tool for preventing computer virus infection
When malware (malicious
software) developers first started writing their code, the primary
means of information exchange was diskette, so the viruses were small
enough to infect the files on the disk and even the disk itself. In
this case, you had to be aware of what the files on the disk
were and where the disk came from.
As networking improved and the Internet became popular, it provided
a widespread transport system for the viruses. Still, if you knew it
to be a relatively trustworthy site (one that inspected its files before
they were made available to the public), you were able to make an assumption
of safety. Again, awareness of where the file was coming from
and what the application was supposed to do were key.
Lately, though, viruses have become more sophisticated, as have the
methods of delivery. In the past, you had to copy the infector to the
floppy or download the infected file, but it had to be a concious act
on your part. Now the primary method of infection is electronic mail
(e-mail). The most recent and prolific infectors are disguised as legitimate
files sent from people you know; the viruses infect someone's computer
and then mail themselves as attachments to the names listed in the user's
e-mail address book. The subject appears innocent, the sender is someone
you know, and the message encourages you to view the attachment, but
when you do, the cycle starts over again. In this case, you must be
aware of whether or not you were expecting a message from the
sender. If you're not sure, contact the sender and inquire; if they
did not conciously send it, then it was most likely sent by the virus,
and your conversation lets the sender know he or she is probably infected.
If this is the case, delete the e-mail and its attachment immediately
and then empty your e-mail deleted messages.
Another of the latest trends is to put the infector on a web page
that infects the viewer's computer when the page is accessed with a
browser; this is referred to as a "drive-by infection". Frequently, the address to that web page is sent in an e-mail
and appears to be from someone the viewer knows; this is another aspect
of the previously-mentioned process, except that the virus doesn't send
itself as an attachment, just the link to the infected web page. Again,
be aware of unsolicited e-mail messages, even from someone you
Finally, be aware of and use the latest anti-virus software
on your computer. Well-managed e-mail and file servers have their own
anti-virus software designed to look for infected files passing through
them; our own e-mail gateway watches for infectors coming in to and out of the University. However, keeping an up-to-date anti-virus tool on your computer
greatly reduces the possibility of infection, especially through
those less well-known avenues.
What is hacking? [Top]
Long-time computer users and technology professionals consider "hacking"
as pushing a computer system to its extremes and beyond, attempting to
improve the operation, functionality, and/or security by finding what
causes it to fail or what allows the "hacker" to take control
of the system. Lately, though, mainstream media have begun using the term
to mean hacking for criminal intent, or "cracking". "Crackers"
are considered hackers who have gone over to the dark side and intrude
into systems with the intent to damage, defraud, or destroy the system
or its data. Cracker motives range from personal entertainment to monetary
to political, or any combination of factors. Many times, crackers get
the bad press, but the true hackers are the ones who help catch them.
Do I have a virus? [Top]
Another question to ask is "If I have a virus, where did it come
from?" If your anti-virus software is active and up-to-date, if you
haven't opened any unknown e-mail attachments, if you haven't visited
an untrustworthy web site, if you don't have any open shares on your system,
and if you haven't accessed files from another user's computer, you probably
aren't infected. The best way to be sure is to make sure your anti-virus
software is running and current (first "if" above), and run
a full scan of your system, all drives, all files. If you're not sure
how to run a scan or if you want a second opinion, contact your TSR.
[[Who is my TSR?]]
My computer is acting up. Do I have a virus?
Not always. Though many viruses cause visible symptoms (slow processing,
hard disk drive access, display messages, etc.), most don't. In fact,
many ordinary applications show those same symptoms and are often interpreted
as virus activity. Your best bet is to follow the guidelines in the previous
What are virus hoaxes? [Top]
Virus hoaxes are messages sent (originally by one or more hackers) describing
some virus or worm that is extremely dangerous and urges the reader to
take some action against their own computer, and then to send the message
on to everyone they know. This is social
engineering in its purest form -- the virus writer does nothing to
your computer, he gets YOU to do it.
Just about every virus hoax has some combination of the following three
characteristics: (a) invoking the names of one or more large, reputable
companies who have reported the virus, (b) the virus is the "most
destructive ever" and none of the top anti-virus vendors can stop
it, and (c) send the message to "everyone you know". Virus reports
are usually sent by the anti-virus vendors themselves as a public service
and they always give links back to their sites to the full report.
Here are four of the top virus hoax explanation sites (in no particular
Why do I have to worry about information security?
The shortest answer that can be given to this question is that everything
today, about you, your family, your job, is either stored on or transferred
Information Security (InfoSec) takes into account not just the security
of data, but of the people you work with (personnel security), the area
you work in (physical security), and the networking environment (transmission
security). If any of these fail, the probability of having data corrupted
or stolen rises sharply. That data can be personnel, student, or patient
files; grant information; research data; financial records; or your own
personal data, just to name a few.
What anti-virus software is available? [Top]
There are several reputable vendors, foremost among them are Symantec
and McAfee. The University has a site
license for the Symantec Enterprise Security product which can be installed
on any University system. Since many users work at home, the license also
allows the product to be installed on any faculty, student, or staff personal
computer; this license applies only so long as the user is currently employed
or enrolled at the University, after which time the software must be removed.
For personal use systems, please contact the Service Desk (Triage) at 210.567.7777
or on-campus 7-7777.
How do I install anti-virus software? [Top]
If you are unfamiliar with installing software on a personal computer,
please contact your TSR [[Who
is my TSR?]] or call the Triage Help Desk at 210.567.7777 or on-campus
Why should I update my anti-virus software?
It is estimated that there are over 72,000 viruses,
horses, and other problem software in existence today, and about 300
new ones or variants are developed monthly. Though most never successfully
replicate "in the wild," enough do to keep life interesting.
Add to the mix the millions of computers tied together through thousands
of networks, and the possibility of exposure to one or more of the bugs
rises drastically. Anti-virus vendors base their reputations on their
ability to respond quickly to new viruses, and to get new updates to the
field as soon as possible. A properly configured anti-virus product, with
the latest virus definitions, is your best protection from the malware
developers and distributors.
Does the University monitor my Internet
The University does not monitor YOUR Internet usage
directly. As part of daily operations, Systems and Network Operations
and Information Security and Assurance monitor traffic levels coming in to
and leaving the University network. This is done for performance and tuning
and not to watch any one user. If we (InfoSec) notice a higher-than-normal
volume of traffic for a particular system, we will investigate only that
system since traffic spikes generally point to infected or hacked computers
or systems using unauthorized
peer-to-peer (P2P) file sharing software.
Does the University read my e-mail? [Top]
NO! We don't want to nor do we need to.
If you follow the guidance in the Handbook of Operating Procedures regarding
e-mail usage, there
should never be a reason for the University to take an interest. Evidence
of misuse, though, such as personal gain, spamming, threatening, etc.,
or anything causing high levels of e-mail traffic, can bring an e-mail
account to the attention of Systems and Network Operations, Information Management Client Support Services, and/or Information Security. Also, since the e-mail is generated
on University-owned computers and transported on University-owned networks,
they may fall under records retention guidelines, could become part of
the public record, and may even be subpoenaed.
The best rule: Don't send anything through e-mail that you wouldn't want
posted on a hallway bulletin board.
What about file sharing utilities? [Top]
Because of the legal and security ramifications of peer-to-peer (P2P)
applications, their use is not authorized at the University; click here
for the Handbook of Operating Procedures policy. The legal issues deal
with downloading and storing copyrighted material on State-owned University
computers, including music, movies, and software. P2P-downloaded software
is frequently "hacked" so that is doesn't need serial numbers
or it has the serial number included, and has been know to be purposely
or accidentally infected with malicious software. Software piracy is a
serious and expensive problem for individuals as well as the University,
with fines in the millions of dollars.
Why shouldn't I download music and video
onto my work computer? [Top]
First and foremost, your work computer is a State-owned information resource and must be used in accordance with State and University policies. If your department allows you to play music on your computer, get permission and follow the departmental policies.
Music, movies, television shows, and other forms of entertainment are generally copyrighted to their
developers, writers, networks, artists, etc. Downloading and/or sharing these types of media using
free or shared sources frequently bypass the payment to those who hold the copyrights. There are several
legitimate sites to purchase and download music, movies, and televsion, the most common of which is
the Apple iTunes store. For other issues concerning file sharing, see the previous topic.
Can I download games or utilities to my
work computer? [Top]
As stated in the previous topic, your work computer is a State-owned information resource and must be used in accordance with State and University policies. Utilities that allow you to better perform your job may be allowed, but you must check departmental policies first. Games, on the other hand, are not work-related and shouldn't be installed on your work computer.
What are the differences between the different *wares
(shareware, freeware, etc.)? [Top]
Shareware is generally copyrighted software that is give out without a fee for evaluation and to raise awareness of the product (marketing, for instance). A fee is usually required to get full functionality from the product or to remove notices or advertising.
Freeware is exactly that - fully-functional software that is given away without cost.
Nagware blurs the line; it is sometimes shareware, sometimes freeware. The software is usually fully-functional, but it nags the user to register to pay to get additional functionality or to remove advertisements.
Adware is malicious software installed on a user's computer that displays advertisements while using the browser. These advertisements generate revenue of the advertiser, but are a source of annoyance to the user; additionally, the functions of the adware can interfere with the operations of the user's computer. Adware can also have hidden functionality, making it spyware.
Spyware is malicious software that obtains information from a user's computer without the user's knowledge or consent. The software is also generally installed unknown to the user. It may be installed as part of another program (Trojan horse), as part of a virus or worm, or by visiting a compromised web page (a drive-by download). The types of information collected and sent back to the intruder include username/password combinations, credit card information, and bank data, among others.
Malware is just short for "malicious software".