Information Technology Security Policies and Guidelines
All students, faculty, and staff are expected to comply with the policies below that are designed to protect University IT resources.
All students, faculty and staff are encouraged to review and comply with the guidelines
below to prevent security incidents that could lead to a violation of University policies.
Working with Restricted University Data
In compliance with University policy IT6005 - Data Security Policy, restricted University data must be protected against physical theft or loss, electronic invasion, or unintentional exposure. The following guidelines outline practices for working with Restricted University data.
ITS has developed guidelines to recommend appropriate storage services and locations to be utilized for restricted and all other classifications of University data. Please refer to the Guidelines for Storage of University Electronic Data page for a listing of storage services and locations by data classification. All paper and reports that contain restricted data must be securely stored in locked cabinets.
ITS has developed standards for encryption to ensure restricted University data is protected from disclosure. In compliance with University policy IT6005 - Data Security Policy, employees are responsible for protecting restricted University data to which they have access. University-owned laptops and portable media devices storing restricted University data must be encrypted. Local Support Providers (LSPs) in each department are responsible for assisting faculty and staff with this process.
ITS has defined the following standards for encryption software:
- Windows 7/8/10/11: Microsoft Bitlocker or Veracrypt
- macOS: Apple File Vault
- Android: Android Device Encryption
- iOS: Enable iOS DataProtection using a passcode
In compliance with University policy IT6005 - Data Security Policy, restricted University data must be securely erased from all equipment or portable media prior to disposal. Deleting files from your computer or laptop does not permanently remove the data. The hard drive must be overwritten (sometimes called "wiping" the drive) before disposal to ensure that deleted files cannot be recovered. Paper and reports that contain restricted data must be securely shredded. Local Support Providers (LSPs) in each department are responsible for assisting faculty and staff with disposal of University equipment.
The University adheres to the requirements of the Family Educational and Privacy Rights Act (FERPA). Additional information regarding FERPA is located on the Registrar's FERPA Compliance page.
Protecting Your Account
Maintain a complex password and do not share it with others. Sharing your University passwords is a violation of University policy IT6003 - Acceptable Use of Information Technology Resources. Additional guidelines and information can be found on the Password Security page.
The University Single Sign-On (SSO) system supports Multi-factor Authentication (MFA) capabilities using a product from Duo Security. Duo protects user's accounts by requiring a second means of authentication in addition to the password. Password-based authentication has become increasingly hackable, and MFA greatly reduces the threat of someone else gaining access to accounts. According to Microsoft, MFA stops 99.9% of account compromises.
New employees are walked through the steps of using Duo during orientation. Users can use the Duo Mobile app to enroll their smartphone or tablet to receive push notifications or to generate a one-time passcode. Users can register multiple devices. For more information about Duo, visit memphis.edu/duo.
Individuals should report potential security issues, including but not limited to lost/stolen devices, potential data breaches or exposure, compromised University account credentials, and malicious network activity via the IT Security Incident Report Form.
ITS will never ask individuals to send personal information such as usernames, passwords or social security numbers via email. Additionally, individuals may occasionally receive unsolicited emails (spam) or phishing emails specifically designed to trick users into clicking inappropriate links. These types of emails may be forwarded to the University of Memphis Information Security Abuse group via email at email@example.com. Alternatively, you can click the Phish Alert Button in Outlook to report phishing emails.
Protecting Your Computer
New security vulnerabilities are found every day. The best way to protect a computer or device against threats is to install security updates to the operating system. Supported versions of macOS and Windows updates are free to download.
Additionally, any applications installed on a computer or device, such as third party web browsers and plugins or extensions, conferencing apps (like Zoom or Skype), cloud storage software, etc., should be updated to the latest versions. Check your products' support pages for information on enabling automatic updates. Be sure to restart any updated browsers or apps to ensure updates are applied.
ITS may automatically install updates on University-owned devices. ITS reserves the right to block from the network any device running vulnerable versions of software applications or unsupported operating systems that no longer receive software updates. For more information about software updates, visit Updating Your Devices.
Make a habit of rebooting your computer regularly—at least once a week is recommended. Many app and operating system updates require your computer to restart before they are applied. Restarting may be required even if the software doesn't remind you to do so. Note that putting your computer in rest or sleep mode does not restart it; you must select "Restart" or "Shut down" from the power menu. Shutting down your computer completely can also refresh your hardware and software to their normal states, helping to remedy any app malfunctions, system slowdowns or network connectivity problems you may be experiencing. For more information about rebooting, visit Updating Your Devices.
Viruses can corrupt data and slow down entire computer networks. To protect your computer from infection, install antivirus software, and update when prompted. Windows 8 and later versions include Defender, Microsoft's antivirus product. To check whether Defender is enabled on your device, follow Microsoft's directions here: Use the Windows Security app to check the status of Microsoft Defender Antivirus.
University-owned devices must have up-to-date antivirus software installed. If you need assistance from your LSP to install antivirus software, contact the umTech Service Desk at firstname.lastname@example.org or 901.678.8888.
Malware (malicious software) is software installed on your computer without your knowledge. It may be installed while you are downloading an application, browsing websites, opening email attachments or using a file-sharing program online. To avoid malware, only download files from trusted sources, never install suspicious applications, and keep your antivirus software updated to the latest version. Antimalware products are also available to help defend against malicious software that might otherwise go undetected.
Peer-to-Peer (P2P) file sharing allows individuals to share files with other users. (More information about P2P file sharing at Wikipedia.). Inappropriate use of P2P applications is associated with many potential legal issues. Users of these programs are encouraged to review and abide by applicable copyright laws (more information available at the U.S. Copyright Office website). Violation of copyright laws or other inappropriate P2P file sharing may result in a violation of policy IT6003 - Acceptable Use of Information Technology Resources. Sharing of copyrighted music, videos, movies, and documents are examples that may constitute a violation of University policy.
Information Technology Services is committed to fostering a culture of information security within our community. As an expression of this commitment, the Vulnerability Response Timeline provides guidelines for resolution and documentation of system vulnerabilities. These guidelines apply to systems and software supplied by Information Technology Services, University departments and vendors.