Information Security Standard

Learn, Do, Secure

The Information Security Standard is derived from the University’s IT Policies to provide the minimum requirements for safeguarding University Information and IT resources.  

All employees are required to familiarize themselves with the standard and associated guidelines. 




User Account 

  • NEIU Net IDs (for example, Joe Blog is jblog@neiu.edu with no hyphen) and passwords must not be used to register accounts on any IT system or website that is not work-related, e.g., social media platforms, online retail stores, online banking, or cloud services.
  • A user must change the default password assigned to their NEIU account to a private password.
  • Strong passwords or passphrases must be used and must not be shared.
  • Multi-factor authentication (MFA) must be used when accessing the University's IT systems.
  • Passwords to user accounts must be changed as soon as possible if suspected to be compromised. 

Device Security

The University reserves the right to refuse network connections to devices or applications that may pose a risk to its information and IT resources.

All users are responsible for the security of the University's devices in their care and the data stored on them.

  • Devices must run up-to-date operating systems and security patches and have automatic updates enabled.
  • Devices must have active and up-to-date antivirus protection enabled.
  • Access to devices must be protected with passwords or pin codes, which must be kept private.
  • Automatic screen lock must be enabled to prevent unauthorized access to information when a user is away from the device.
  • Hard disk encryption must be enabled.
  • Devices must have the University's asset management software installed (where practical) and be recorded in the asset inventory system. Where possible, all devices must have asset tags. For more information and support, contact property-control@neiu.edu.
  • The use of University devices for work or personal business must comply with the Acceptable Use of Information Technology Resources Policy. Personal use of University devices must be reasonable and not interfere with work.
  • Only the official stores for app downloads, such as Microsoft Store, App Store, Google Play, and BlackBerry, may be used. Unlicensed software must not be installed or distributed on University devices.
  • Software restrictions and system or file security settings on University devices must not be disabled or amended. This includes disabling passwords or pin codes and any security software installed (e.g., antivirus, hard disk encryption).
  • Unusual or random behavior of a University device (such as unsolicited window pop-ups) or suspected malware infection must be reported to the IT Service Desk as soon as possible.
  • Mobile devices such as laptops, tablets, smartphones, and hardware tokens must not be left overnight in a vehicle.
  • Mobile devices must be locked away during long absences from the office and at the end of work, or carried along by the user if practical.
  • Mobile devices must not be left unattended in an open area in a University building or other public places.
  • When traveling, appropriate safeguards must be used to protect University devices from loss or theft.
  • Lost or stolen devices must be reported as soon as possible to line managers, the University Police, and the IT Service Desk.
  • Where data wipe, device lockout or deactivation features are available on a device, they must be enabled. For support, contact IT-ServiceDesk@neiu.edu.
  • All University laptops, other devices, and data stored on them remain the property of Northeastern Illinois University and the State of Illinois. They must be returned to the appropriate line manager when no longer required or when employment ends. 

Personal Computers for Work

The University is committed to protecting its computers and other electronic devices by providing controls to safeguard these devices from events that could compromise them or the data they hold. Individuals are responsible for the use and management of their personal computers, and the University's authority over the use and security of personal computers is limited in most cases. For this reason, personal computers are not permitted for work. 


Network and Internet Security

  • Secure Wi-Fi must be used when accessing University-restricted or internal information and IT resources. This also applies to remote working.
  • Home Wi-Fi used for remote work should be configured to meet the following:
    • Change the default passwords for the network device and Wi-Fi. Use strong passwords or passphrases.
    • Enable automatic software updates on the network device.
    • Use WPA2 encryption or stronger.
  • Visits to websites and downloads from emails and the internet onto a University device must be done with care to prevent downloading malware onto the device.
  • Only University-approved VPN software may be used to access the University's internal network when working remotely.

Data Security

The University owns all work information transmitted or processed on a device during the University’s business or otherwise on behalf of the University.

  • Data must be collected and used in line with the University's policies and any relevant legislation.
  • Appropriate safeguards must always be in place to prevent unauthorized access to the University’s information on or off campus.
  • The University’s storage drives are the approved storage areas for its information. Storing restricted or internal work information on the University’s mobile devices must be done reasonably and only when necessary, as a temporary arrangement. Such information must be transferred to the approved storage drive as soon as practical and deleted from the mobile device.
  • Where restricted or internal data must be stored temporarily on removable storage devices such as USB drives and portable hard disks, the devices must be encrypted.
  • For remote working, authorization must be obtained from line managers before confidential hardcopy documents are transported and used. Such documents must be protected against unauthorized access at all times.
  • Clear desk and lock screen: Confidential information, whether electronic or paper, must be kept away from public view or access, in the office or when working remotely.
  • Need-to-know basis: University information must only be accessed and/or shared when required for work.
  • Email is the main form of communication for all University activities and may store confidential information. Employees are not to redirect their work email to their personal email. Use of personal email for work is not permitted.
  • Cloud services: Personal cloud workspaces must not be used for work, including storing, processing, or sharing University information.
  • Use of social media: Employees are responsible for the information shared on social media and should consider the type of information they make public. Employees should check with the Division of Marketing and Communications if they need a social media user account for work. See the Social Media Practices and Procedures for more information. If you are unsure about sharing certain work information on social media, check with your line manager or email marketing@neiu.edu.
  • Investigation: The University reserves the right to access, inspect, or delete its information held on work devices (to the extent permitted by law and for legitimate business purposes). Every effort will be made to ensure that the University does not access private information on the devices.
  • Retention and disposal: Data must be held only within the specified timeframe and in line with the purposes identified in the privacy notice or as required by law. See Records Retention for more information. University information and IT equipment must be disposed of following the University’s Data Erasure and Equipment Disposal policies. For support, contact property-control@neiu.edu.

Incident Management

  • Suspected or actual security incidents must be reported to IT-ServiceDesk@neiu.edu or (773) 442-4357 as soon as possible to address any potential risks to employees, students, and the University. See the Information Security Incident Management Policy for more information. 


Approved: By the Information Security Committee

Date: November 2024

Contact University Technology Services (UTS)

T (773) 442-4357

helpdesk@neiu.edu
