Learn, Do, Secure
The Information Security Standards provide the requirements and expected practices for safeguarding University information and IT Resources when working on-campus or remotely.
All employees are required to familiarize themselves with the standards and associated guidelines to help them maintain appropriate safeguards against events that could compromise the security of the University’s information and IT resources they use.
- Employees must complete all mandatory information security awareness training.
- Employees must familiarize themselves with the University’s IT Policies and comply with them.
User Account Security
- NEIU net IDs and passwords must not be used to register accounts on any IT system or website used for personal purposes, e.g., social media platforms, online retail stores, or online banking.
- The default password provided for an NEIU user account must be reset after the first login.
- Strong passwords must be used, and passwords must not be shared.
- If available, multi-factor authentication (MFA) must be used when accessing University applications.
- The University reserves the right to refuse network connections for some devices or software that may put the University's information and IT resources at risk.
- Devices must have up-to-date operating systems and be configured to receive software updates automatically.
- Devices must have up-to-date and active antivirus protection enabled and, where available, firewalls should be enabled.
- Access to devices must be protected using the device's security features (e.g., PIN code, password, or passphrase), and these must be kept private.
- Devices must have an automatic screen lock after a period of inactivity (ideally 15 minutes) to prevent unauthorized access to information.
- Disk encryption should be used if the device has the feature.
All users are responsible for the security of University-issued devices in their care and the data stored on them.
- Devices must have the University asset management client software and endpoint antivirus software installed (where practical) and the asset must be recorded in an asset register. Where possible, all university-issued devices must have asset tags. For more information, contact email@example.com.
- Use of University devices for personal purposes must be reasonable; such devices must not be used for activities (including but not limited to visits to potentially malicious websites, unknown software or file downloads, or use by family members) that could put the University’s information and IT resources at risk.
- Apps must be downloaded only from the official app stores, such as the App Store, Google Play, and BlackBerry. Unlicensed software must not be installed on any University device.
- Software restrictions and system or file security settings on University devices must not be changed or amended. This includes disabling passwords, PIN codes, and any security software installed (e.g., antivirus, file encryption).
- Unusual or random behavior of University-issued devices (such as unsolicited window pop-ups) or suspected malware or virus infection must be reported to the Help Desk as soon as possible.
- Mobile devices such as laptops, tablets, smartphones and hardware tokens must not be kept in open view or left overnight in a vehicle.
- Mobile devices must be locked away in secure cabinets or drawers during long absences from the office and at the end of work, or carried along by the user if practical.
- Mobile devices must not be left unattended in an open area in a University building or other public places on or off campus.
- When traveling, appropriate safeguards must be used to protect University-issued mobile devices from loss or theft.
- Lost or stolen devices must be reported as soon as possible to line managers, the police, and the Help Desk.
- Where remote data wipe, device lockout, or deactivation features are available on a device, they must be enabled. For more information, contact firstname.lastname@example.org.
- Any laptop or other device issued to University employees, and the data stored on it, remain the property of Northeastern Illinois University and the State of Illinois and must be returned to the appropriate line manager when no longer required or when employment ends.
Personal Devices Used for Work
The University will not monitor the content of personal devices. However, the University reserves the right to monitor and log all network traffic between such devices and university networks and systems.
- Sensitive University information (including but not limited to employee and student information, intellectual property, and business strategies) must not be stored on personal devices unless authorized by the line manager.
- All University applications on personal devices, including the Duo Mobile authentication app and VPN clients, must be deleted when the device is no longer used.
- University data and IT resources must not be accessed or used on devices whose manufacturer security settings or protective configuration have been tampered with (for example, jailbroken or rooted devices).
- A factory reset should be completed on the device before it is sold, transferred, exchanged, or disposed of.
- Where remote data wipe, device lockout, or deactivation features are available on a device, they should be enabled.
Network and Internet Security
- Secure Wi-Fi must be used when accessing University information and IT resources that are sensitive. This also applies to remote working environments.
- Personal Wi-Fi used for remote working must be configured to meet the following:
  - Default login passwords for the network device (e.g., router) and the Wi-Fi network must be changed to private passwords. Passwords should be strong and not easily guessed.
  - The default Wi-Fi SSID name should be changed and the SSID broadcast disabled.
  - Automatic software updates must be enabled on the network device.
  - The wireless network must use WPA2 encryption or stronger.
- Visits to websites and downloads from emails and the internet onto University-issued devices must be done with care to protect the information stored on such devices. This should also apply to personal devices used for work.
The University owns all work information transmitted or processed on a device during the course of the University’s business or otherwise on behalf of the University irrespective of who owns the device.
Access to certain University IT services and information may be restricted when using personal devices to safeguard the security of University IT services and information.
- At all times, appropriate safeguards must be in place to prevent unauthorized access to University information on campus and during remote working.
- The University’s network file drives and University Google Drive are the approved storage locations for University information. Storing sensitive work information on University-owned mobile devices must be done reasonably and only when necessary, as a temporary arrangement. Such information must be transferred to the approved storage location as soon as practical.
- In situations where sensitive work information must be stored on personal devices, this must be authorized by line managers as a temporary arrangement. After use, the information must be transferred to the University’s network file drive as soon as possible and deleted immediately from the device after the transfer.
- If sensitive data must be stored on removable storage devices such as USB drives and portable hard disks, these devices must use encryption to protect the data held.
- In remote working situations, authorization must be obtained from line managers before confidential hardcopy documents are transported and used. Such documents must be protected against unauthorized access when being used and must be stored away in a secure place when not in use.
- Clear Desk and Screen: Confidential information, whether digital or paper, must be kept away from public view or access in the office or when working remotely. Confidential papers must be cleared from work desks and stored away at the end of work.
- Need to Know Basis: University information must only be accessed and/or shared when it is required for work purposes. Excessive data not required to complete a job must not be shared.
- Email is the main form of communication for all University activities and may store confidential information. Employees are not to redirect their work email to their personal email and should keep the use of work email separate from their personal email.
- Remote Access: Only the University’s approved VPN software must be used to access the University’s internal network resources.
- Cloud Solutions and Services: Personal email and cloud services must not be used for the University’s business including storing, processing or sharing university information.
- Use of Social Media: Employees are responsible for the information shared on social media, and should consider what type of information they make public. Employees should check with the Division of Marketing and Communications if they need a social media user account for work. See the Social Media Practices and Procedures for more information. Before sharing any work-related information that may appear to be confidential on social media platforms, employees must check with their line managers and the Division of Marketing and Communications.
- Investigation: The University reserves the right to request access to inspect or delete University information held on personal devices to the extent permitted by law and for legitimate business purposes. Every effort will be made to ensure that the University does not access private information relating to the individual.
- Retention and Disposal: University information must only be held within the specified timeframe and in line with the purposes identified in an applicable privacy notice or as required by law. University information and IT equipment must be disposed of following the University’s disposal procedure. Contact the Help Desk at email@example.com or (773) 442-4357.
- Suspected or actual security incidents should be reported to firstname.lastname@example.org or (773) 442-4357 as soon as possible to ensure the incident is resolved promptly to address any potential risks to employees and the University. See the Data Security Breach Policy for more information.