INFORMATION SECURITY

Information Security
Frequently Asked Questions (FAQs)

Frequently asked questions, or FAQs (pronounced "fax"), are exactly that -- questions that have come up in conversation, demonstrations, presentations, staff meetings, and any other number of possible situations. They have been collected here as a first point of reference, a place to check if anyone else has asked the same question you're thinking.

This section will continue to grow as more questions are asked and the answers are posted here. If you've got a question that's not listed below, send it to infosec@uthscsa.edu and we'll do our best to answer it.

  1. Does the University have Information Security policies? Where are they?
  2. What is HIPAA?
  3. Who is my TSR?
  4. What is computer security?
  5. What is the difference between information security and computer security?
  6. Why have good passwords?
  7. What is a good password?
  8. What is a virus?
  9. What can I do to keep from getting a virus?
  10. What is hacking?
  11. Do I have a virus?
  12. My computer is acting up. Do I have a virus?
  13. What are virus hoaxes?
  14. Why do I have to worry about information security?
  15. What anti-virus software is available?
  16. How do I install anti-virus software?
  17. Why should I update my anti-virus software?
  18. Does the University monitor my Internet usage?
  19. Does the University read my e-mail?
  20. What about file sharing utilities?
  21. Why shouldn't I download music and video onto my work computer?
  22. Can I download games or utilities to my work computer?
  23. What are the differences between the different *wares (shareware, freeware, etc.)?

Does the University have Information Security policies? Where are they?

Yes, the Health Science Center currently has 29 Information Security policies. These policies can be found in section 5.8 of the Handbook of Operating Procedures (HOP). Information Security and Assurance also works closely with many other departments on Information Security-related topics, incidents, and activities. For this reason, Information Security and Assurance has collected the HOP entries related to Information Security onto one page. Go to the following link for those policies:

http://ims.uthscsa.edu/policies.aspx

The Handbook of Operating Procedures can be found at this link.



What is HIPAA?

HIPAA is the acronym for the Health Insurance Portability and Accountability Act of 1996, also known as Public Law 104-191. It has three parts -- transaction code sets, privacy, and security. Information Security deals with the security rule; Information Security and Assurance also works with the Office of Regulatory Affairs and Compliance, which has responsibility for the privacy rule. The security rule states that sensitive patient data, also referred to as electronic protected health information (ePHI), must be protected in all of its forms -- while being stored (e.g., on servers), while being moved (e.g., on CDs or portable media), or while being transmitted (e.g., in e-mail or other electronic data transfers).


Who is my TSR?

Your Technical Support Representative, or TSR, is your first line of defense for computer-related problems, both hardware and software, and Information Security. They can give you a hand by putting you in contact with the people responsible for computer support, network support, and Information Security; some are very technically proficient and can even help you solve your problem then and there. The link below will take you to a listing of TSRs by department. If your department is not on the list, contact the Customer Service Desk at 210-567-7777 or on-campus at 7-7777 and they will help find out who your TSR should be. [Click here for the TSR list. It will open in another window.]


What is computer security?

Computer security is the set of technological and managerial procedures applied to computer systems to ensure the availability, integrity, and confidentiality of information managed by the computer system. It is often synonymous with information security, but is really a subset.


What is the difference between information security and computer security?

Where computer security deals with the processes applied to computer system(s), information security concerns all of the aspects regarding the system of policies and/or procedures for identifying, controlling, and protecting information from unauthorized disclosure. While often synonymous, information security is actually a superset of computer security, encompassing the fields of data security, transmission security, network security, physical security, personal security, and personnel security, among others.


Why have good passwords?

The combination of your username and password uniquely identifies you to the Health Science Center network. They are required to log on to your computer, access your e-mail, visit certain University web sites, and use other University resources, and all network activity is routed with them. A good, strong password keeps anyone else from logging on to the network with your username and impersonating you. If this happens, it appears that any harm, misuse, abuse, and/or impropriety is being caused by YOU, not the intruder, since it's your username and password which are being used to access the network; the same goes for e-mail sent out in your name. Remember, pick a good password and protect it. Never share it with anyone.


What is a good password?

Most simply put, a good password is easy for the user to remember but extremely difficult for an intruder to guess. As a general rule, the longer the password, the better, but passwords that are both longer and more complex are better still. Making a password complex involves combining letters (both upper and lower case), numbers, punctuation, and special characters, but still in such a way that the user can easily remember it. For example, a six-character password using only lower case letters has about 309 million possible combinations; an eight-character password using those same lower case letters has about 209 billion possible combinations. If you add upper case letters and numbers into the mix, that eight-character password now has about 218 trillion possible combinations. Though the numbers seem impressive, many people unfortunately make the intruder's job easier by making the password obvious (their name or username) or probable (family member, date, cultural icon) or just plain write it down. Using a password over and over by changing a single character is a possible problem, too, since the intruder only needs to guess it once and then follow your pattern. Pick passwords that are obscure (your mother-in-law's maiden name and birthday) or acronyms (Wdwgfh? = Where do we go from here?) or parts of words (GeoCatJoh3! = the first three letters of George, Cathy, and John, along with something extra at the end), but never anything from the dictionary (local or foreign) or popular culture. Currently, the University requires all passwords to be at least eight (8) characters in length and at least three (3) of the following - upper case, lower case, punctuation, and numbers.
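The arithmetic and the University rule described above, worked through as an added example (not part of the original FAQ and not a University tool). The function names and the "previous password" check are assumptions made for illustration; the check assumes it runs at password-change time, when the user has just typed the old password.

```python
import string

# The four character classes named in the rule quoted above.
CLASSES = {
    "upper": set(string.ascii_uppercase),
    "lower": set(string.ascii_lowercase),
    "numbers": set(string.digits),
    "punctuation": set(string.punctuation),
}

def keyspace(length, alphabet_size):
    """Number of distinct passwords of exactly `length` characters."""
    return alphabet_size ** length

def classes_used(password):
    """Names of the character classes that appear in the password."""
    return {name for name, chars in CLASSES.items()
            if any(c in chars for c in password)}

def within_one_edit(a, b):
    """True if a and b are equal or differ by one changed, added or dropped character."""
    if abs(len(a) - len(b)) > 1:
        return False
    if len(a) > len(b):
        a, b = b, a
    i = 0
    while i < len(a) and a[i] == b[i]:
        i += 1
    if len(a) == len(b):
        return a[i + 1:] == b[i + 1:]   # substitution at position i
    return a[i:] == b[i + 1:]           # extra character in b at position i

def check_password(password, username="", previous=""):
    """Return the reasons a candidate fails; an empty list means it passes.

    `username` and `previous` are hypothetical inputs (assumption: supplied by
    the user on the change-password form, never read from stored plaintext).
    """
    problems = []
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    if len(classes_used(password)) < 3:
        problems.append("fewer than 3 character classes")
    if username and username.lower() in password.lower():
        problems.append("contains the username")
    if previous and within_one_edit(previous, password):
        problems.append("one character away from the previous password")
    return problems

if __name__ == "__main__":
    # Keyspace figures from the paragraph above.
    print(f"{keyspace(6, 26):,}")    # six lower-case letters
    print(f"{keyspace(8, 26):,}")    # eight lower-case letters
    print(f"{keyspace(8, 62):,}")    # eight of upper + lower + digits
    # Constructed sample candidates, including the two from the FAQ text.
    for candidate in ("GeoCatJoh3!", "Wdwgfh?", "password"):
        print(candidate, check_password(candidate))
    print(check_password("Summer2024!b", previous="Summer2024!a"))
```

Run against the FAQ's own samples, the acronym `Wdwgfh?` has only seven characters, so it needs at least one more character to satisfy the eight-character rule.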


What is a virus?

A virus is a program or piece of code that is loaded onto a computer without the user's knowledge and runs against the user's wishes. Most viruses can also replicate themselves and, in many cases, can redistribute themselves. Virus activity can be as simple and benign as a prank or so destructive that valuable data is lost. Viruses, or malware, can be distributed by hard media (diskettes or CD), by accessing maliciously configured web pages, across network shares, or, as has been the case recently, through attachments in electronic mail.


What can I do to keep from getting a virus?

The single most important tool for preventing computer virus infection is awareness.

When malware (malicious software) developers first started writing their code, the primary means of information exchange was diskette, so the viruses were small enough to infect the files on the disk and even the disk itself. In this case, you had to be aware of what the files on the disk were and where the disk came from.

As networking improved and the Internet became popular, it provided a widespread transport system for the viruses. Still, if you knew it to be a relatively trustworthy site (one that inspected its files before they were made available to the public), you were able to make an assumption of safety. Again, awareness of where the file was coming from and what the application was supposed to do were key.

Lately, though, viruses have become more sophisticated, as have the methods of delivery. In the past, you had to copy the infector to the floppy or download the infected file, but it had to be a conscious act on your part. Now the primary method of infection is electronic mail (e-mail). The most recent and prolific infectors are disguised as legitimate files sent from people you know; the viruses infect someone's computer and then mail themselves as attachments to the names listed in the user's e-mail address book. The subject appears innocent, the sender is someone you know, and the message encourages you to view the attachment, but when you do, the cycle starts over again. In this case, you must be aware of whether or not you were expecting a message from the sender. If you're not sure, contact the sender and inquire; if they did not consciously send it, then it was most likely sent by the virus, and your conversation lets the sender know he or she is probably infected. If this is the case, delete the e-mail and its attachment immediately and then empty your e-mail deleted messages.

Another of the latest trends is to put the infector on a web page that infects the viewer's computer when the page is accessed with a browser; this is referred to as a "drive-by infection". Frequently, the address to that web page is sent in an e-mail and appears to be from someone the viewer knows; this is another aspect of the previously-mentioned process, except that the virus doesn't send itself as an attachment, just the link to the infected web page. Again, be aware of unsolicited e-mail messages, even from someone you may know.

Finally, be aware of and use the latest anti-virus software on your computer. Well-managed e-mail and file servers have their own anti-virus software designed to look for infected files passing through them; our own e-mail gateway watches for infectors coming in to and out of the University. However, keeping an up-to-date anti-virus tool on your computer greatly reduces the possibility of infection, especially through those less well-known avenues.


What is hacking?

Long-time computer users and technology professionals consider "hacking" as pushing a computer system to its extremes and beyond, attempting to improve the operation, functionality, and/or security by finding what causes it to fail or what allows the "hacker" to take control of the system. Lately, though, mainstream media have begun using the term to mean hacking for criminal intent, or "cracking". "Crackers" are considered hackers who have gone over to the dark side and intrude into systems with the intent to damage, defraud, or destroy the system or its data. Cracker motives range from personal entertainment to monetary to political, or any combination of factors. Many times, crackers get the bad press, but the true hackers are the ones who help catch them.


Do I have a virus?

Another question to ask is "If I have a virus, where did it come from?" If your anti-virus software is active and up-to-date, if you haven't opened any unknown e-mail attachments, if you haven't visited an untrustworthy web site, if you don't have any open shares on your system, and if you haven't accessed files from another user's computer, you probably aren't infected. The best way to be sure is to make sure your anti-virus software is running and current (first "if" above), and run a full scan of your system, all drives, all files. If you're not sure how to run a scan or if you want a second opinion, contact your TSR. [[Who is my TSR?]]


My computer is acting up. Do I have a virus?

Not always. Though many viruses cause visible symptoms (slow processing, hard disk drive access, display messages, etc.), most don't. In fact, many ordinary applications show those same symptoms and are often interpreted as virus activity. Your best bet is to follow the guidelines in the previous question.


What are virus hoaxes?

Virus hoaxes are messages sent (originally by one or more hackers) describing some virus or worm that is extremely dangerous and urging the reader to take some action against their own computer, and then to send the message on to everyone they know. This is social engineering in its purest form -- the virus writer does nothing to your computer, he gets YOU to do it.

Just about every virus hoax has some combination of the following three characteristics: (a) invoking the names of one or more large, reputable companies who have reported the virus, (b) the virus is the "most destructive ever" and none of the top anti-virus vendors can stop it, and (c) send the message to "everyone you know". Virus reports are usually sent by the anti-virus vendors themselves as a public service and they always give links back to their sites to the full report.

Here are four of the top virus hoax explanation sites (in no particular order):
Symantec
McAfee
Vmyth


Why do I have to worry about information security?

The shortest answer that can be given to this question is that everything today, about you, your family, your job, is either stored on or transferred through computers.

Information Security (InfoSec) takes into account not just the security of data, but of the people you work with (personnel security), the area you work in (physical security), and the networking environment (transmission security). If any of these fail, the probability of having data corrupted or stolen rises sharply. That data can be personnel, student, or patient files; grant information; research data; financial records; or your own personal data, just to name a few.


What anti-virus software is available?

There are several reputable vendors; foremost among them are Symantec and McAfee. The University has a site license for the Symantec Enterprise Security product which can be installed on any University system. Since many users work at home, the license also allows the product to be installed on any faculty, student, or staff personal computer; this license applies only so long as the user is currently employed or enrolled at the University, after which time the software must be removed. For personal use systems, please contact the Service Desk (Triage) at 210.567.7777 or on-campus 7-7777.


How do I install anti-virus software?

If you are unfamiliar with installing software on a personal computer, please contact your TSR [[Who is my TSR?]] or call the Triage Help Desk at 210.567.7777 or on-campus 7-7777.


Why should I update my anti-virus software?

It is estimated that there are over 72,000 viruses, worms, Trojan horses, and other problem software in existence today, and about 300 new ones or variants are developed monthly. Though most never successfully replicate "in the wild," enough do to keep life interesting. Add to the mix the millions of computers tied together through thousands of networks, and the possibility of exposure to one or more of the bugs rises drastically. Anti-virus vendors base their reputations on their ability to respond quickly to new viruses, and to get new updates to the field as soon as possible. A properly configured anti-virus product, with the latest virus definitions, is your best protection from the malware developers and distributors.


Does the University monitor my Internet usage?

The University does not monitor YOUR Internet usage directly. As part of daily operations, Systems and Network Operations and Information Security and Assurance monitor traffic levels coming in to and leaving the University network. This is done for performance and tuning and not to watch any one user. If we (InfoSec) notice a higher-than-normal volume of traffic for a particular system, we will investigate only that system since traffic spikes generally point to infected or hacked computers or systems using unauthorized peer-to-peer (P2P) file sharing software.


Does the University read my e-mail?

NO! We don't want to nor do we need to.

If you follow the guidance in the Handbook of Operating Procedures regarding e-mail usage, there should never be a reason for the University to take an interest. Evidence of misuse, though, such as personal gain, spamming, threatening, etc., or anything causing high levels of e-mail traffic, can bring an e-mail account to the attention of Systems and Network Operations, Information Management Client Support Services, and/or Information Security. Also, since the e-mail is generated on University-owned computers and transported on University-owned networks, it may fall under records retention guidelines, could become part of the public record, and may even be subpoenaed.

The best rule: Don't send anything through e-mail that you wouldn't want posted on a hallway bulletin board.


What about file sharing utilities?

Because of the legal and security ramifications of peer-to-peer (P2P) applications, their use is not authorized at the University; click here for the Handbook of Operating Procedures policy. The legal issues deal with downloading and storing copyrighted material on State-owned University computers, including music, movies, and software. P2P-downloaded software is frequently "hacked" so that it doesn't need serial numbers or it has the serial number included, and has been known to be purposely or accidentally infected with malicious software. Software piracy is a serious and expensive problem for individuals as well as the University, with fines in the millions of dollars.


Why shouldn't I download music and video onto my work computer?

First and foremost, your work computer is a State-owned information resource and must be used in accordance with State and University policies. If your department allows you to play music on your computer, get permission and follow the departmental policies.

Music, movies, television shows, and other forms of entertainment are generally copyrighted to their developers, writers, networks, artists, etc. Downloading and/or sharing these types of media using free or shared sources frequently bypasses the payment to those who hold the copyrights. There are several legitimate sites to purchase and download music, movies, and television, the most common of which is the Apple iTunes store. For other issues concerning file sharing, see the previous topic.


Can I download games or utilities to my work computer?

As stated in the previous topic, your work computer is a State-owned information resource and must be used in accordance with State and University policies. Utilities that allow you to better perform your job may be allowed, but you must check departmental policies first. Games, on the other hand, are not work-related and shouldn't be installed on your work computer.


What are the differences between the different *wares (shareware, freeware, etc.)?

Shareware is generally copyrighted software that is given out without a fee for evaluation and to raise awareness of the product (marketing, for instance). A fee is usually required to get full functionality from the product or to remove notices or advertising.

Freeware is exactly that - fully-functional software that is given away without cost.

Nagware blurs the line; it is sometimes shareware, sometimes freeware. The software is usually fully-functional, but it nags the user to register to pay to get additional functionality or to remove advertisements.

Adware is malicious software installed on a user's computer that displays advertisements while using the browser. These advertisements generate revenue for the advertiser, but are a source of annoyance to the user; additionally, the functions of the adware can interfere with the operations of the user's computer. Adware can also have hidden functionality, making it spyware.

Spyware is malicious software that obtains information from a user's computer without the user's knowledge or consent. The software is also generally installed unknown to the user. It may be installed as part of another program (Trojan horse), as part of a virus or worm, or by visiting a compromised web page (a drive-by download). The types of information collected and sent back to the intruder include username/password combinations, credit card information, and bank data, among others.

Malware is just short for "malicious software".