Information Technology Security Policies and Guidelines
All students, faculty, and staff are expected to comply with the policies below that are designed to protect University IT resources.
All students, faculty, and staff are encouraged to review and comply with the guidelines below to prevent security incidents that could lead to a violation of University policies.
Working with Restricted University Data
In compliance with University policy IT6005 - Data Security Policy, restricted University data must be protected against physical theft or loss, electronic invasion, or unintentional exposure. The following guidelines outline practices for working with Restricted University data.
ITS has developed guidelines to recommend appropriate storage services and locations to be utilized for restricted and all other classifications of University data. Please refer to the Guidelines for Storage of University Electronic Data page for a listing of storage services and locations by data classification.
ITS has developed standards for encryption to ensure restricted University data is protected from disclosure. In compliance with University policy IT6005 - Data Security Policy, employees are responsible for protecting restricted University data to which they have access. University-owned laptops and portable media devices storing restricted University data must be encrypted. Local Support Providers (LSPs) in each department are responsible for assisting faculty and staff with this process.
ITS has defined the following standards for encryption software:
- Windows 7 / 8 / 10: Microsoft BitLocker or VeraCrypt
- Mac OS X: Apple FileVault
- Android: Android Device Encryption
- iOS: Enable iOS Data Protection using a passcode
In compliance with University policy IT6005 - Data Security Policy, restricted University data must be securely erased from all equipment or portable media prior to disposal. Deleting files from your computer or laptop does not permanently remove the data. The hard drive must be overwritten (sometimes called "wiping" the drive) before disposal to ensure that deleted files cannot be recovered. Local Support Providers (LSPs) in each department are responsible for assisting faculty and staff with disposal of University equipment.
Family Educational and Privacy Rights Act
The University adheres to the requirements of the Family Educational and Privacy Rights Act (FERPA). Additional information regarding FERPA is located on the Registrar's FERPA Compliance page.
Protecting Your Account
Maintain a complex password and do not share it with others. Sharing your University passwords is a violation of University policy IT6003 - Acceptable Use of Information Technology Resources. Additional guidelines and information can be found on the Password Security page.
Duo Account Security
The University Single Sign-On (SSO) system supports Multi-factor Authentication (MFA) capabilities using a product from Duo Security. Duo protects users' accounts by requiring a second means of authentication in addition to the password. Password-based authentication has become increasingly hackable, and MFA greatly reduces the threat of someone else gaining access to accounts.
New employees are walked through the steps of using Duo during orientation. Users can use the Duo Mobile app to enroll their smartphone or tablet to receive online push notifications or to generate a one-time passcode. Users can also enroll an SMS number (a phone number that can receive texts) to receive notifications via text, or enroll a phone number to receive a phone call, depending on their preference.
Report a Security Incident or Abuse
Individuals should report potential security issues, which include but are not limited to lost/stolen devices, potential data breaches or exposure, compromised University account credentials, and malicious network activity, via the IT Security Incident Report Form.
ITS will never ask individuals to send personal information such as usernames, passwords, or social security numbers via email. Additionally, individuals may occasionally receive unsolicited emails (spam) or phishing emails specifically designed to trick one into clicking inappropriate links. These types of emails may be forwarded to the University of Memphis Information Security Abuse group via email at email@example.com.
Protecting Your Computer
Viruses can corrupt data and slow down entire computer networks. To protect your computer from infection, install anti-virus software and update it when prompted.
University-owned computers/laptops can get anti-virus software installed at no cost. Contact the umTech Service Desk at 901.678.8888 to request this service from your Local Support Provider (LSP).
Malware (malicious software) is software installed on your computer without your knowledge. It may be installed while you are downloading an application, browsing websites, reading emails, opening email attachments, or using a file sharing program online. It is recommended to use an approved Anti-Virus or Anti-Malware product as mentioned above.
New security vulnerabilities are found every day. The best way to protect a computer or device against threats is to install security updates to the operating system. Supported versions of macOS and Microsoft updates are FREE to download.
Additionally, it is important to install security updates for any applications installed on a computer or device, such as third-party web browsers, PDF readers, Java, Flash, or other plugins.
ITS reserves the right to block devices from the network running vulnerable versions of software applications or unsupported operating systems that no longer receive software updates.
Peer-to-Peer File Sharing
Peer-to-Peer (P2P) file sharing allows individuals to share files with other users. Additional information about P2P file sharing can be found in a Wikipedia article located here. There are many potential legal issues surrounding inappropriate use of P2P applications and users of these programs are encouraged to review and abide by applicable copyright laws that can be reviewed here. Violation of copyright laws or other inappropriate use of P2P file sharing may result in a violation of policy IT6003 - Acceptable Use of Information Technology Resources. Sharing of copyrighted music, videos, movies, and documents are examples that may constitute a violation of University policy.
Vulnerability Response Timeline
Information Technology Services is responsible for creating a culture that is committed to information security. As an expression of this commitment, the Vulnerability Response Timeline provides guidelines for resolution and documentation of system vulnerabilities. These guidelines apply to systems and software supplied by Information Technology Services, University departments, and vendors.