Learn, Do, Secure
The Information Security Standards provide the minimum requirements and expected practices for safeguarding University information and IT resources.
All employees are required to familiarize themselves with the standards and associated guidelines to maintain appropriate safeguards against events that could compromise the security of University information and IT resources.
- Employees must complete all mandatory information security awareness training and other privacy training required for their job functions.
- Employees must familiarize themselves with the University’s IT policies and comply with them.
- NEIU Net IDs and passwords must not be used to register accounts on any IT system or website used for personal purposes, e.g., social media platforms, online retail stores, or online banking.
- The default password for an NEIU user account must be changed after logging into the account for the first time.
- Strong passwords or passphrases must be used, and these must not be shared.
- If available, multi-factor authentication (MFA) must be used when accessing University IT systems.
The University reserves the right to refuse network connections for devices or applications that may put its information and IT resources at risk.
All Computers Used for Work
- Must run up-to-date operating systems with current security patches and have automatic updates enabled.
- Must have up-to-date, active antivirus protection enabled and, where available, a firewall enabled.
- Access to devices must be protected using access control features such as PIN codes, which must be kept private.
- Must have automatic screen lock enabled after a period of inactivity (ideally 15 minutes or less) to prevent unauthorized access to information.
- Must have hard disk encryption enabled.
All users are responsible for the security of University devices in their care and the data stored on them.
- Devices must have the University's asset management software installed (where practical) and must be recorded in the asset inventory system. Where possible, all University devices must carry asset tags. For more information and support, contact firstname.lastname@example.org.
- Use of University devices for work or personal purposes must comply with the Acceptable Use of Information Technology Resources Policy. Personal use of University devices must be reasonable and must not conflict with work.
- Only official app stores, such as the App Store, Google Play, and BlackBerry, may be used for app downloads. Unlicensed software must not be installed on any University device.
- Software restrictions and system or file security settings on University devices must not be changed or amended. This includes disabling passwords or PIN codes and disabling any installed security software (e.g., antivirus, hard disk encryption).
- Unusual or random behavior of University devices (such as unsolicited window pop-ups) or suspected malware or virus infection must be reported to IT Help Desk as soon as possible.
- Mobile devices such as laptops, tablets, smartphones, and hardware tokens must not be kept in open view or left overnight in a vehicle.
- Mobile devices must be locked away in secure cabinets or drawers during long absences from the office and at the end of work, or carried along by the user if practical.
- Mobile devices must not be left unattended in an open area in a University building or other public places.
- When traveling, appropriate safeguards must be used to protect University devices from loss or theft.
- Lost or stolen devices must be reported as soon as possible to line managers, the police, and the IT Help Desk.
- Where data wipe or device lockout or deactivation features are available on a device, they must be enabled. For support, contact email@example.com.
- Any laptop or other device issued to University employees, and the data stored on it, remain the property of Northeastern Illinois University and the State of Illinois. They must be returned to the appropriate line manager when no longer required or when employment ends.
Personal Computers Used for Work
The University will not monitor the content of personal devices. However, the University reserves the right to monitor and log all network traffic between such devices and university networks and systems.
- Information classified as restricted or internal including but not limited to employee or student personal information, health records, intellectual property data, business strategies, etc., must not be stored on personal devices.
- All University applications on personal devices, including the Duo Mobile authentication app and the VPN client, must be deleted when the device is no longer used.
- University information and IT resources must not be accessed or used on devices whose manufacturer security settings or protective configuration files have been tampered with.
- A factory reset should be completed on the device before it is sold, transferred, exchanged, or disposed of.
- If data wipe, device lockout or deactivation features are available on a device, they should be enabled.
Network and Internet Security
- Secure Wi-Fi must be used when accessing University restricted or internal information and IT resources. This also applies to remote working environments.
- Personal Wi-Fi used for remote working must be configured to meet the following:
  - Default login passwords for the network device (e.g., router) and for the Wi-Fi network must be changed to private passwords. Passwords or passphrases should be strong and not easily guessed.
  - The default Wi-Fi SSID name should be changed and SSID broadcast disabled.
  - Automatic software updates must be enabled on the network device.
  - The wireless network must use WPA2 encryption or stronger.
- Websites must be visited, and files from email and the internet downloaded onto University devices, with care, to prevent downloading malicious files and to protect any information stored on such devices. This also applies to personal devices used for work.
- Only the University-approved VPN solution may be used to access the University's internal network when working remotely.
The University owns all work information transmitted or processed on a device during the course of the University’s business or otherwise on behalf of the University irrespective of who owns the device.
- Data must be collected and used in line with the requirements of the relevant governing legislation and University policies.
- At all times, appropriate safeguards must be in place to prevent unauthorized access to University information on or off campus.
- The University’s network shared drives are the approved storage areas for University information. Storing restricted or internal work information on University mobile devices must be done reasonably and only when necessary to do so as a temporary arrangement. Such information must be transferred to the approved storage drive as soon as practical and deleted from the mobile device.
- If restricted or internal data must be stored temporarily on removable storage devices such as USB drives and portable hard disks, these devices must use encryption to protect the data held.
- In remote working situations, authorization must be obtained from line managers before confidential hardcopy documents are transported and used. Such documents must be protected against unauthorized access during use and must be stored securely when not in use.
- Clear desk and screen: Confidential information, whether electronic or paper, must be kept out of public view and reach, both in the office and when working remotely. Confidential papers must be cleared from work desks and stored away at the end of work.
- Need-to-know basis: University information must only be accessed and/or shared when required for work purposes. Data not required to complete work must not be accessed or shared.
- Email is the main form of communication for all University activities and may store confidential information. Employees are not to redirect their work email to their personal email. Use of personal email for work is not permitted.
- Cloud services: Personal cloud platforms must not be used for work including storing, processing, or sharing University information.
- Use of social media: Employees are responsible for the information they share on social media and should consider the type of information they make public. Employees should check with the Division of Marketing and Communications if they need a social media account for work. See the Social Media Practices and Procedures for more information. If you are unsure whether to share certain work information on social media, check with your line manager and the Division of Marketing and Communications.
- Investigation: The University reserves the right to access, inspect, or delete its information held on work devices and on personal devices (to the extent permitted by law and for legitimate business purposes). Every effort will be made to ensure that the University does not access private information relating to the individual.
- Retention and disposal: Data must be held only within the specified timeframe and in line with the purposes identified in the privacy notice or as required by law. See Record Retention for more information. University information and IT equipment must be disposed of following the University’s disposal procedure. For support, contact firstname.lastname@example.org or (773) 442-4357.
- Suspected or actual security incidents should be reported to email@example.com or (773) 442-4357 as soon as possible, to ensure the incident is resolved promptly and to address any potential risks to employees, students, and the University. See the Information Security Incident Management Policy for more information.