Keep your data secure: UB's standards for information security

Published April 2, 2019


Data is a part of everyone’s work at the University at Buffalo—we are all responsible for handling it wisely. Guidelines for university-owned and configured computing devices will take the guesswork out of keeping you and your data secure.

In April 2017, Provost Zukoski asked VPCIO Brice Bible to oversee a coordinated effort to address IT security on campus, and bring UB in line with the SUNY-wide Information Security Policy, as well as the security requirements being mandated by more state and federal research grants in order to better manage cybersecurity risks and maximize the impact of each research dollar spent.

Later that year, with input from faculty across UB’s schools, two standards were developed. These are similar to requirements put into place at the majority of AAU universities for the safe operation of their institutions.

When implemented correctly, these standards help UB faculty and staff avoid devastating ransomware attacks, and give faculty greater eligibility for research grants with security requirements.

Why now?

The time is right—UB already maintains a massive amount of critical, confidential data assets and systems, and the amount of data collected by UB researchers grows each day.

“Not keeping your devices secure is like leaving your parked car unlocked with the keys in it,” says Mark Herron, UB’s Information Security Officer. Meanwhile, the tactics used by malicious actors to “break into” your private data for profit are getting more sophisticated.

Security is necessarily a balance between convenience and safety. The guidelines balance the need to ensure the availability, confidentiality, and integrity of sensitive data for research and operations, with the need to minimize the threat of security breaches.

What do I need to do?

The standards apply to university-owned devices, including desktop/laptop/tablet computers, smart devices, and mobile devices. You can find a complete list of requirements in the guidelines, but here are a few easy things you can do to start securing your personal devices:

  • Don’t run your devices using “admin” accounts that have full machine privileges
  • Enable automatic updates for software and applications
  • Set a password to log into your machine or any programs
  • Install anti-virus and anti-malware software, available for download from the UBIT website

How does this benefit me?

Despite the growing need to keep devices and data secure, these changes can feel daunting. But it’s worth it—in fact, UB’s security standards should be regularly used on personally-owned machines and at home. If you’re feeling hesitant, here are some additional benefits to keep in mind.

Avoid devastating ransomware

“Ransomware” attacks holding devices and data hostage increased 57% over the last year, according to the McAfee Labs Threat Report.

Devices are most vulnerable to this type of attack when the person using the device is running it as an administrator—that is, using an account that has all possible machine privileges enabled.

UB’s guidelines suggest using a separate, non-admin account for daily work whenever possible. Admin access isn’t required for most everyday tasks, such as updating software like Microsoft Office.

If you believe you need admin privileges for your university-owned devices, talk to your IT support staff—they will evaluate your request and work with you to develop a strategy for your work that will minimize your vulnerability.

Adhere to standards required for many grants

Federal research standards adhere to the National Institute of Standards and Technology (NIST) Cybersecurity Framework. If you do research at UB—or support people who do—then you’ll want to adhere to these standards to be eligible for more grants.

By adhering to UB’s standards, you’re automatically in line with the latest security standards for research grants on the state and federal level, which makes the process of applying for grants, and conducting research, easier.

When you travel

Traveling with UB-owned devices involves a certain amount of risk. If the device is stolen or lost, your personal and institutional data would be at risk.

If you need to travel with a UB-owned device, talk to your IT staff first so they can ensure the device is properly secured. Check out UB’s recommendations for people traveling to “high risk” countries with digital devices.

What if I need an exception?

Lastly, the standards were designed with some flexibility in mind, but exceptions to these guidelines are rare. They are generally not merited for computers and laptops used as regular office workstations running Microsoft Office and similar, standard administrative and teaching activities.

Here are some examples of circumstances where exceptions or a waiver process may be merited upon further evaluation by your IT staff.

  • Computers being used as scientific instruments, where these guidelines may interfere with their function
  • Computers performing real-time and time-sensitive data acquisition or production
  • Computers used for high-performance computing (aka, “super-computing”) and visualization
  • Computers performing high-throughput and data-intensive activities

If you believe your work merits an exception, talk to your IT staff.

Your IT staff can help

Your IT staff will do the hard work of putting everything into place. Complying with the security standards is a team effort across the entire university. If you have any questions, don’t hesitate to ask!