Information for security presentations
All WMU employees should attend and/or view the information security presentation, including full-time and part-time faculty, graduate assistants, staff, and student employees. Administrators are responsible to ensure that data of their department is kept secure according to the policies referenced below.
Best practices for information security
- Best practices apply to both electronic and paper records.
- Restricted/confidential information must be stored on departmental or University owned network servers that are backed up regularly. Secured servers can be accessed from both on and off campus through VPN.
- Restricted/confidential information stored on mobile computing devices, both University and personally owned, must be encrypted.
- All WMU and personally owned computers, which connect to WMU's network, must have anti-virus software where definition files are current and routinely updated in order to prevent damage or compromise to applications, data, files, and/or hardware.
- WMU Webmail Plus is the required secure means for conducting University business. Neither Webmail Plus, nor any other email system, should be used for document retention/storage.
- Use caution when opening email attachments for file types such as .ZIP or .EXE which are known to load malicious software that could compromise your system and data.
- If you are using an IMAP email client which stores your messages locally on your device, you are at risk.
- Faculty are required to store all current grades in the e-learning system and not on laptops or other mobile devices, if possible. Files containing grades from prior semesters should be encrypted.
- Faculty should have students turn in course work and access it through the e-learning system. If there is a need to keep electronic copies they should be encrypted and/or stored on secure servers.
- iClicker data should be encrypted and/or stored on secure servers.
- NEVER give Bronco NetID/password combination to anyone. The information technology Help Desk will never ask you for your password via an email message or over the phone.
- NEVER accept someone else’s Bronco NetID/password combination. Knowing someone else’s password may make you a person of interest in the event of a security incident.
- Do not use the same password for all systems, especially for encrypted files. The WMU password guidelines provide details on how to establish strong passwords.
- Delete old data, especially information that includes social security numbers. Paper copies should be shredded.
- Delete/redact individually identifiable information from all records when possible, including research files.
- Delete "temporary" files on your computer. These include file attachments opened in email and download files. If these files contain restricted/confidential information, they should be immediately removed or encrypted.
- Keep personal data separate from University data. Follow the same encryption standards for personal data.
- If you have access to protected health information, know and follow the special policies that apply.
Selective summary of key policies
- Restricted/confidential information is defined as individually identifiable information about students, faculty, staff, alumni, vendors, or others that WMU is required to keep confidential by law, policy, or contract. Examples include:
- Social security numbers and credit card numbers, stored electronically or on paper. Credit card numbers are subject to PCI rules.
- Research data that identifies people.
- Cognos downloads of student data or PeopleSoft staff data.
- All grade information tied to a student including individual assignment grades and final course grades.
- Student work, such as drafts of papers or thesis chapters.
- Restricted/confidential information should never be stored on a mobile computing device - personal or University owned - such as a laptop, portable hard drive, smartphone, USB key, DVD, or CD unless it is encrypted. See recommended encryption software.
- Restricted/confidential information should be retained only as long as needed, especially information about current majors/minors or other student information. See records management and the University Record Retention Guide.
- When sending computing items to surplus sales, please be aware that hard drives must be re-formatted or destroyed (see University policy). Departments are responsible for cleaning all data including operating systems from computers and electronic equipment (i.e. copiers, fax machines, etc.)
What happens if data are lost
- Notify the local police (off-campus) and WMU police (269) 387-5555 if a device is missing or stolen. Notify information technology at firstname.lastname@example.org. If it is a personally-owned device that contains University data follow these same procedures.
- Notify your college or department IT staff or LAN manager and/or the Help Desk (269) 387-4357, option 1 if your data becomes corrupted or inaccessible.
- Having your data encrypted means if your device is lost, the data are not lost.
- Information technology will follow the WMU information security incident response plan.
- Direct incident costs will be billed to the department responsible for the loss.
Know the University’s Policies on Information Security
The most relevant policies are:
- Cloud computing
- Computing resources acceptable use policy
- Copyright and ethics
- Data classification
- Data wiping
- Ethical treatment of information resources
- Information security incident response
- Lost or stolen devices
- Mobile computing devices
- Network and Internet policies
- Password guidelines and policy
- Remote access
Other relevant policies:
- Confidential information policy for employees
- Electronic commerce policies
- Family Educational Rights and Privacy Act
- Health information policies
- Research policies
- Social security number policy
- Contact your college or department LAN manager.
- Call the IT Help Desk at (269) 387-4357, option 1.
- Send email to email@example.com.
Updated: April 2013