Security

Acceptable Use Policy

The Acceptable Use Policy governs the conduct of faculty, staff and students in the use of information technology resources. All end users of WVSOM Information Technology Resources are required to review the policy, watch the video in Moodle, sign an acknowledgment form and take the Moodle exam.

Local Administrative Authority

Due to the risks associated with local administrative authority, faculty/staff are provisioned its use by a formal request and approval process which identifies specific need.  The request form should be initiated via the DocuSign PowerForm that is located at the bottom of the Local Administrator Authority Tutorial webpage linked below.  Your request will flow through the review and approval process automatically.  Once final approval has been granted via DocuSign by the Chief Technology Officer, a follow-up training session will be administered by Server Team staff.

WVSOM Information Security Plan

Report an Incident

Please use this Incident Reporting Form for any event that could potentially cause a security or privacy violation as part of WVSOM’s Information Security Plan and institutional policies.

Accounts & Passwords

The key to protection of IT resources is the proper utilization of usernames, accounts, and passwords. When creating passwords the following rules should be applied:

  • Passwords must be at least 15 characters in length.
  • Passwords should not be guessable.
  • Passwords may not contain your user name or any part of your full name.
  • Passwords must contain three of the following: upper case letter, lower case letter, number or special character. For example, Ghrabc469 is a valid password.
  • The use of passphrases is encouraged, by increasing the password length to greater than 15, it increases its security (example I really love my 5 cats!).

WVSOM uses the Microsoft Self Service Password Reset tool to allow users to reset their passwords on their own without contacting the Help Desk. The IT staff has compiled instructions on how to register and use the Microsoft SSPR tool.

  • Passwords should be committed to memory and should never be stored in close proximity or easy access to your computer system.
  • If your system is left unattended, you should log out of applications and your account, or create a password protected screen saver.
  • Electronic media, such as CDs, that are no longer used should be destroyed.
  • Media that is still in use should be kept in a fire-resistant, locked cabinet.
  • For old surplus equipment the IT Department removes and drills hard drives or using a bootable media disk, blank data is written to the hard drive.
  • The IT department maintains nightly backups of servers and file shares used by the institution.
  • Any user information that is not backed up by the IT Department should be backed up to electronic media by the user.
  • For students, backups are solely their responsibility.
  • If a user is unsure of the proper backup procedures to follow, they should contact the IT Department for assistance.
  • Security measures should be extended to laptops, flash drives and other devices which can contain sensitive data that may not be on-site in a secured office.
  • It is the user’s responsibility to guarantee that electronic data is protected against unauthorized use, both on-site and off-site of the Lewisburg campus. This includes electronic files, emails, and all other records relating to students, employees, patients, alumni and donors.

Information technology resources are protected thru the appropriate operating system updates and insuring that computer systems have anti-virus protection software installed. For Faculty and Staff, the IT Department utilizes the WSUS (Windows Server Update Service) to deploy patches and updates to client machines. Users should always select to “Install updates and shut down” to automatically update their system when shutting down their systems. The IT Department uses Microsoft’s Advanced Threat Protection to guard against viruses. Laptops provided to students are automatically installed with Windows Defender. Students should also insure that Microsoft updates are applied to their laptops.

Users should also guard against Spyware, Adware, and Malware when using information technology resources. Spyware is a stealth program that covertly collects information about a user and their system, subsequently sending it over the internet. Adware promotes unsolicited advertisements in pop-ups to users and can operate as spyware. Malware is malicious software that can be disguised as Adware or operate as Spyware that is intentionally trying to damage or disrupt a user’s system. In addition to using software to guard against such attacks (MalwareBytes), user should follow these general guidelines:

  • Avoid bad neighborhoods on the Internet. Web sites dealing in porn, illegal software, and gambling have a higher chance of containing bad software.
  • Free software isn’t always free, it may have spyware attached.
  • Don’t use peer-to-peer software. Their installers tend to include spyware and the software you download while on a P2P network may include spyware, viruses, and worms.
  • Don’t open unsolicited e-mail. It may trigger a spyware infection!
  • Tweak Internet Explorer’s Security Settings for more security.
  • Be cautious when loading files from external media such as USB thumb drives.

Other Security Initiatives

All WVSOM faculty and staff are required to take an annual refresher course for technology and cyber security awareness within the Moodle learning management system, including topics related to the Gramm Leach Bliley Act, FERPA, HIPAA, and PCI compliance.

The IT Department performs internal risk assessments and engages with outside vendors for risk assessments including mock phishing scenarios. Users are encouraged to report phishing attempts to the catchaphish@osteo.wvsom.edu and visit the Phishbowl page for more information.