Information Security Policy & Training

Important

All DWR employees must digitally acknowledge the DWR Information Security Policy annually.

On an annual basis and in consultation with IT, up-to-date training and training documentation will be developed and provided to all faculty and staff who have access to physical and/or electronic versions of sensitive information at the DWR fall orientation session, which takes place in August each year. If a new employee’s hire date falls after the orientation session, training will be provided within one month of their start date to ensure they comply with the university’s information security policies. Upon completing security awareness training, DWR faculty and staff will be required to submit confirmation of training completion to the Administrative Coordinator. These training confirmations will be retained in DWR personnel files, which are maintained in the department chair’s office. In addition to in-house training, all employees will be encouraged to attend IT-sponsored training throughout the year, which can be found at https://ittraining.olemiss.edu/. We have added the following section about Annual Security Awareness training to the department’s IT Security Policy:

Any member of the department who has access to confidential student or employee information in digital or physical formats is required by the University to complete security awareness training annually.

Additionally, all faculty and staff should routinely complete training and attend workshops hosted by the department and IT.

Antivirus and Firewall

All employees within the department are required to install antivirus software on their computers and maintain an active firewall. Please see the IT Antivirus Instructions page and follow the tutorials for downloading and installing antivirus software. Employees can seek assistance from the IT Helpdesk or the designated local contact for departmental virus protection. Additionally, all employees should be aware of the following requirements and responsibilities:

  • Update virus protection software daily, and configure computer systems to perform frequent auto-scans for viruses (daily recommended).

  • Exercise extreme caution when opening attachments. Never open an attachment unless it is expected, even if it is from a trusted user.

  • Report all virus incidents to the IT Helpdesk. Provide the following information if known: virus name or type, extent of infection (single PC, Server, Network, etc.), source of virus, and potential recipients of infected material.

  • Perform regular backups of data on individual computer systems (daily recommended).

  • If IT responds to a virus incident and finds that the infected computer system is not running virus protection software, then the individual must agree to purchase, install and properly use the software to prevent future incidents.

Designate a local contact for departmental virus protection. The contact will assist in installation of software, education of the user community, and incident response.

Screen Locks and Session Timeouts

A password-protected session or screensaver lock should be used on all departmental computers to prevent viewing of or access to data after a period of inactivity. Session lock is required after 15 minutes of inactivity.

Automatic Security Updates

Desktop computers and personal devices should be configured to apply application updates and operating system (OS) patches daily. Patches should be applied to servers on a regular basis, as frequently as is feasible.

Monitoring of Sensitive Servers and Devices

All UM-owned computers or servers that are used to store, process, or transmit sensitive UM data locally must be entered into the UM System Registry. The associated department must provide an active contact for each machine and ensure that registered information is kept current.

The department is responsible for actively testing and monitoring its security practices and periodically evaluating and adjusting its information security program based on the results of testing and monitoring. In addition, all servers and storage devices that contain sensitive information must be registered so they can be periodically scanned for vulnerabilities. To register a server or workstation, log in to myOleMiss and select UM System Registry under “Technology”.

Mobile Device Encryption

Mobile devices that will be used to store sensitive data locally must be approved by the IT Security Coordinator prior to use, and have disk-level encryption enabled. If disk-level encryption is not a viable option, the individual sensitive files may be encrypted with AES-256 encryption or equivalent instead.

Additionally, it is recommended that all UM-owned mobile devices have disk-level encryption enabled by way of the operating system. Devices should also have a PIN or password screen lock configured.

Cloud Storage

As part of our responsibility to safeguard confidential information, all faculty, staff, and student workers will use only cloud storage approved by the University of Mississippi when conducting professional activities.

At present, only three cloud storage options are approved and supported by UM:

  1. Box (@olemiss.edu accounts)

  2. Microsoft OneDrive for Business (@olemiss.edu accounts)

  3. Google Drive (@go.olemiss.edu accounts)

Danger

Mac Users: iCloud Drive should be disabled in the Apple ID section of System Preferences. If it is not, macOS will automatically store information from Desktop, Documents, and possibly other folders directly on Apple's cloud storage service. This is especially concerning for any devices that access or store sensitive or confidential information. Once iCloud Drive is disabled, information stored in the service may need to be retrieved and will definitely need to be deleted by logging in to https://www.icloud.com/iclouddrive/ with the configured Apple ID.

Windows Users: If you sign in to a Windows device with a personal Microsoft account, make sure to *disable* backups of work-related folders to your personal OneDrive account. Instead, *add* your @olemiss.edu Microsoft account to Windows and enable backups to your OneDrive for Business (@olemiss.edu) account.

Annual Policy Acknowledgement

Important

All current DWR employees must digitally acknowledge the Information Security Policy annually by August 31. New employees should acknowledge the policy upon beginning work for the DWR.

Note: If you have an @olemiss.edu email address, select “Faculty and Staff.” If you only have a @go.olemiss.edu email address, select “Student Employees.”