- Password Security
- Staying safe online
- Social Engineering
- Handling sensitive information
- Mobile device security
- Physical information security
- What to do if there’s an information security incident
Password Security
Do not share your password with anyone. The University's information security policies prohibit password sharing. Don't use the same password more than once. For example, your BearPass password should be different than your Netflix password or your Facebook password. You should make your password complex by combining uppercase letters, lowercase letters, numbers and symbols into a fairly long password that’s difficult to guess.
Staying safe online
Be aware that some malicious sites will attempt to impersonate legitimate sites in order to trick you into giving up sensitive information like your username and password. Malware is often spread through email, so never open an attachment that you're not expecting. Also, be aware that all University computers must have antivirus installed and running.
Social Engineering
Cyber-criminals may attempt to manipulate you into revealing confidential information or performing an action. Social engineering comes in many forms including email and web (also known as phishing), by telephone, or in person. It's very important that you be suspicious of this type of attempt and not provide confidential information to cyber criminals.
Phishing usually involves an email from a cyber-criminal attempting to impersonate an organization, or another individual. They will attempt to make you click on a link, open an attachment, or respond to the email. Doing any of these can lead to an information security incident.
- FERPA: Family Educational Rights and Privacy Act, which covers students and disciplinary records.
- HIPAA: Health Insurance Portability and Accountability Act, which covers medical records.
- GLBA: Gramm-Leach-Bliley Act, which covers financial information.
- PCI DSS: Payment Card Industry Data Security Standard, which covers credit and debit card information.
If you handle data covered by these regulations in your job, see your supervisor or My Learning Connection for additional compliance training.
Missouri State has a comprehensive set of information security policies available for review in the policy library.
One of these policies is the Information Security Data Classification Policy. This breaks down all the information the University holds into one of three classifications:
- Public information: Information the University makes publicly available, like the course catalog and directory information.
- Private information: Information the University keeps confidential but that is not subject to regulation. This includes information like BearPass numbers and vendor documentation.
- Restricted information: Information that law or contract requires the University to keep confidential. This includes things like academic records.
- Highly Restricted information: Information that the University has a special obligation to protect, including Social Security Numbers, Credit Card Numbers, and Protected Health Information.
Handling sensitive information
Sending private, restricted, or highly restricted information off campus requires an approved Sensitive University Data Export Request System (SUDERS) request. SUDERS can be found online at My Missouri State. Be conscious of where you store private or restricted information. According to the Information Management Policy, it must be stored in an appropriate place and encrypted.
Mobile device security
Set a passcode for your device. On most modern smartphones, this will encrypt the device. Also, set up a device locator tool.
Physical information security
Paper documents that contain Restricted or Private University information must be locked up when not in use. This could be in a locking file cabinet or in a locked office. Securely shred paper documents that are no longer needed.
What to do if there’s an information security incident
Information security incidents must be reported to the information security office. An information security incident is an event that adversely affects the Confidentiality, Integrity, or Availability of a University system or information. Examples of information security incidents include unauthorized access to, or modification of, University systems or information, or the loss or theft of equipment used to store private or restricted University information.