Best practices are the most efficient and effective way of accomplishing a task, based on repeatable procedures that have proven themselves over time for large numbers of people. The following information is provided as a service to the university community.
Default passwords are one of the very first things that should be changed on any system to enhance security. Passwords should also be "strong". A strong password is one that:
Copy and save the files and folders you would cry over if you lost them. If you're not on good terms with your thumb or flash drives, check out My Files, ASU’s new and improved way for enrolled students, faculty, and staff to store files on the ASU Network. With 4 gigabytes of storage space, My Files (formerly known as AFS Manager) is free of charge and is a great way to keep files organized and secure. Access My Files at my.asu.edu.
Physical access is synonymous with physical security. In today’s environment, laptops, hard drives, USB/thumb drives, mobile devices, and even servers are portable. There is no need for an attacker to conduct a highly sophisticated attack on your network if the attacker can just physically pick up a device and walk away with it. Often the most low-tech attacks are the most effective.
Attackers could use an unsecured computer connected to the network to access or delete information that's important to your business. Workstations at unoccupied desks or in empty offices (such as those used by employees who are on vacation or have left the company and have not been replaced) or at locations easily accessible to outsiders, such as the front receptionist's desk, are particularly vulnerable.
Disconnect and/or remove computers that aren't being used and/or lock the doors of empty offices, including those that are temporarily empty while an employee is at lunch or out sick. Laptops and handheld computers pose special physical security risks. A thief can easily steal the entire computer, including any data stored on its disk as well as network logon passwords that may be saved. If employees use laptops at their desks, they should take them with them when they leave or secure them to a permanent fixture with a cable lock.
Handhelds can be locked in a drawer or safe or just slipped into a pocket and carried on your person when you leave the area. For portables that contain sensitive information, full disk encryption, biometric readers, and location software that will "phone home" if the stolen device connects to the Internet can also complement physical precautions.
All ASU-maintained computers, backup media, and other devices used to store electronic data should be secured using full-disk encryption (FDE) everywhere possible, with key escrow adequate to provide for third-party data recovery in the event of legal requirements or business need. In addition to full-disk encryption, all ASU computers should encrypt individual files containing sensitive data. The minimum standard for encryption algorithms should be 128-bit AES, or the highest level allowed by export controls in the case of international applications.
Devices should comply with minimum hardware and software requirements for ASU-sanctioned FDE solutions. If a device cannot be encrypted because its operating system is obsolete, the device should be upgraded to a current operating system. If a device lacks the recommended hardware (e.g., minimum system requirements for compliant operating system, chipset including compliant TPM chip), the device should be upgraded or replaced with a compliant device.
Where possible, devices should use ASU's Active Directory environment for key escrow. If this is not possible, the administrative or academic unit responsible for a device must establish and document a key escrow process to ensure authorized third-party access to encryption keys when necessary.
The following documents provide information on how to encrypt your computer and individual files. Consult your departmental technical support personnel for assistance.
The use of computer management software such as SCCM or JAMF is a best practice as it allows for central management of information systems and allows you to quickly apply critical patches, updates, and other software in a network environment.
It's a good idea to check for system updates daily to keep your computer current and secure.
In today’s information technology age, antivirus software is a requirement. Antivirus software protects your system(s) from becoming infected by any number of types of malicious software. Antivirus software becomes even more important when working in a networked environment. One infected machine can infect many systems that are connected to the same network. Antivirus software will help prevent the spread of the malicious software.
A firewall is similar to walking through the security check at the airport; the firewall inspects Internet traffic and either allows information to pass through to your computer or denies it and tells it to go home.
The principle of least privilege means giving a user account the minimum privileges required for the user to perform their duties. For example, a user account for the sole purpose of creating backups does not need access to install software. Hence, the user account only has the rights needed to run backup and backup-related procedures. Any other privileges, such as installing new software, are not allowed. For instructions on setting up user accounts with least privileges, click here.
Ensuring that sensitive data stays is one way where DLP solutions can assist. At ASU we use Cloudlock to help protect sensitive data in Google, Dropbox, and Salesforce. We also have a Proofpoint email DLP solution that protects sensitive data included in outbound emails. These services are two examples where we have deployed technology to assist us in ensuring that only the appropriate people have the ability to view sensitive information.