Information Security FAQs
Frequently Asked Questions
- Does the University have Information Security policies? Where are they?
- What is HIPAA?
- Who is my TSR?
- What is computer security?
- What is the difference between information security and computer security?
- Why have good passwords?
- What is a good password?
- What is a virus?
- What can I do to keep from getting a virus?
- What is hacking?
- Do I have a virus?
- My computer is acting up. Do I have a virus?
- What are virus hoaxes?
- Why do I have to worry about information security?
- What anti-virus software is available?
- How do I install anti-virus software?
- Why should I update my anti-virus software?
- Does the University monitor my Internet usage?
- Does the University read my email?
- What about file sharing utilities?
- What are my options if I want to save or share files on the cloud?
- Why shouldn't I download music and video onto my work computer?
- Can I download games or utilities to my work computer?
- What are the differences between the different *wares (shareware, freeware, etc.)?
- How can I protect my data when I travel outside the U.S.?
Does the university have information security policies? Where are they?
Yes, UT Health San Antonio currently has 29 information security policies. These policies can be found in section 5.8 of the Handbook of Operating Procedures (HOP). Information security and assurance also works closely with many other departments on information security-related topics, incidents and activities. For this reason, the Information Security and Assurance department has collected the HOP entries related to Information Security on to one page.
What is HIPAA?
HIPAA is the Health Insurance Portability and Accountability Act of 1996, also know as Public Law 104-191. It has three parts: transaction code sets, privacy and security. The Information Security and Assurance department works with the privacy rule as well as with the Office of Regulatory Affairs and Compliance, who has responsibility for the privacy rule. The security rules state that sensitive patient data, also referred to as electronic protected health information (ePHI), must be protected in all forms while being stored (e.g., on servers), while being moved (e.g., on CDs or portable media), or while being transmitted (e.g., in email or other electronic data transfers).
Who is my TSR?
Your technical support representative, or TSR, is your first line of defense for computer-related problems, both hardware, software and information security. These individuals can put you in contact with the people responsible for computer support, network support and information security, or assist you by resolving the problem on the spot. Review our listing of TSRs to find the TSR assigned to your department. If your department is not on the list, contact the Customer Service Desk at 210-567-7777 or at 7-7777 on campus and they will help locate your departmental TSR.
What is computer security?
Computer security is the set of technological and managerial procedures applied to computer systems to ensure the availability, integrity and confidentiality of information managed by the computer system. It is often synonymous with information security, but is really a subset.
What is the difference between information security and computer security?
While computer security deals with the processes applied to computer systems, information security concerns all of the aspects regarding the system of policies and/or procedures for identifying, controlling and protecting information from unauthorized disclosure. While often synonymous, information security is actually a superset of computer security, encompassing the fields of data security, transmission security, network security, physical security, personal security and personnel security, among others.
Why have good passwords?
The combination of your username and password uniquely identifies you to the UT Health San Antonio network. They are required to log on to your computer, access your email, visit certain university web sites and other University resources and all network activity is routed with them. A good, strong password keeps anyone else from logging on to the network with your username and impersonating you. If someone else accesses the network with your credentials, any harm, misuse, abuse and/or impropriety of the network or university email will link back to you, not the intruder. Remember to pick a good password and protect it. Never share it with anyone.
What is a good password?
Most simply put, a good password is easy for the user to remember but extremely difficult for an intruder to guess. As a general rule, the longer the password, the better and passwords that are both long and more complex are the safest option. Making a password complex involves combining both upper and lowercase letters, numbers and special characters in such a way that the user can easily remember it. Pick passwords that are obscure (your mother-in-law's maiden name and birthday) or acronyms (Wdwgfh? = Where do we go from here?) or parts of words (GeoCatJoh3! = the first three letters of George, Cathy and John, along with something extra at the end), but never anything from the dictionary (local or foreign) or popular culture. Currently, the university requires all passwords to be at least eight characters in length and they must include at least three of the following: upper case letters, lower case letters, special characters and numbers.
What is a virus?
A virus is a program or piece of code that is loaded onto a computer without the user's knowledge and runs against the user's wishes. Most viruses can also replicate themselves and, in many cases, redistribute themselves. Virus activity can be as simple and benign as a prank, or so destructive that valuable data is lost. Viruses, or malware, can be distributed by hard media, by accessing maliciously configured web pages, across network shares or through attachments in electronic mail.
What can I do to keep from getting a virus?
The single most important tool for preventing computer virus infection is awareness. Users should always maintain knowledge surrounding the
History of Virus Transport and Infection
- When malware (malicious software) developers first started writing their code, the primary means of information exchange was diskette, so the viruses were small enough to infect the files on the disk and even the disk itself. In this case, you had to be aware of what the files on the disk were and where the disk came from.
- As networking improved and the Internet became popular, it provided a widespread transport system for the viruses. Still, if you knew it to be a relatively trustworthy site (one that inspected its files before they were made available to the public), you were able to make an assumption of safety. Again, awareness of where the file was coming from and what the application was supposed to do were key.
- Lately, though, viruses have become more sophisticated, as have the methods of delivery. In the past, you had to copy the infector to the floppy or download the infected file, but it had to be a conscious act on your part. Now the primary method of infection is electronic mail (email). The most recent and prolific infectors are disguised as legitimate files sent from people you know; the viruses infect someone's computer and then mail themselves as attachments to the names listed in the user's email address book. The subject appears innocent, the sender is someone you know and the message encourages you to view the attachment, but when you do, the cycle starts over again. In this case, you must be aware of whether or not you were expecting a message from the sender. If you're not sure, contact the sender and inquire; if they did not consciously send it, then it was most likely sent by the virus and your conversation lets the sender know he or she is probably infected. If this is the case, delete the email and its attachment immediately and then empty your email deleted messages.
- Another of the latest trends is to put the infector on a web page that infects the viewer's computer when the page is accessed with a browser; this is referred to as a "drive-by infection". Frequently, the address to that web page is sent in an email and appears to be from someone the viewer knows; this is another aspect of the previously-mentioned process, except that the virus doesn't send itself as an attachment, just the link to the infected web page. Again, be aware of unsolicited email messages, even from someone you may know.
- Finally, be aware of and use the latest anti-virus software on your computer. Well-managed email and file servers have their own anti-virus software designed to look for infected files passing through them; our own email gateway watches for infectors coming in to and out of the University. However, keeping an up-to-date anti-virus tool on your computer greatly reduces the possibility of infection, especially through those less well-known avenues.
What is hacking?
Long-time computer users and technology professionals consider "hacking" as pushing a computer system to its extreme and beyond, attempting to improve the operation, functionality and/or security by finding what causes it to fail or what allows the "hacker" to take control of the system. Lately, though, mainstream media have begun using the term to mean hacking for criminal intent, or "cracking". "Crackers" are considered hackers who have gone over to the dark side and intrude into systems with the intent to damage, defraud, or destroy the system or its data. Cracker motives range from personal entertainment to monetary to political, or any combination of factors. Many times, crackers get the bad press, but the true hackers are the ones who help catch them.
Do I have a virus?
Another question to ask is "If I have a virus, where did it come from?" If your antivirus software is active and up-to-date, you haven't opened any unknown email attachments, visited an untrustworthy website, don't have any open shares on your system or haven't accessed files from another user's computer, you probably aren't infected. The best way to be sure is to make sure your antivirus software is running and current and run a full scan of your system, all drives, all files. If you're not sure how to run a scan or would like a second opinion, contact your technical support representative.
My computer is acting up. Do I have a virus?
Not always. Though many viruses cause visible symptoms like slow processing, hard disk drive access and display messages, most don't. In fact, many ordinary applications show those same symptoms and are often interpreted as virus activity.
What are virus hoaxes?
Virus hoaxes are messages originally sent by one or more hackers describing some virus or worm that is extremely dangerous and urges the reader to take some action against their own computer and send the message on to everyone they know. This is social engineering in its purest form: the virus writer does nothing to your computer, they get you to do it. Just about every virus hoax has some combination these characteristics: it invokes the names of one or more large, reputable companies who have reported the virus, the virus is referred to as the "most destructive ever" with none of the top anti-virus vendors being able to stop it and it instructs the user to send the message to everyone they know. Valid virus reports are usually sent by the anti-virus vendors themselves as a public service and they will always provide links back to their sites so that the user can read the full threat report. Here are three of the top virus hoax explanation sites, in no particular order:
Why do I have to worry about information security?
Everything today, concerning you, your family and your job is either stored on or transferred through computers. Information Security (InfoSec) not only takes into account the security of data, but the people you work with (personnel security), the area you work in (physical security) and the networking environment (transmission security). If any of these fail, the probability of having data corrupted or stolen rises significantly. That data can be personnel, student or patient files, grant information, research data, financial records or your own personal data, just to name a few.
What antivirus software is available?
There are several reputable vendors, including Symantec and McAfee, which are paid software and Microsoft offers free antivirus software called Microsoft Security Essentials. The University has a site license for the Microsoft Forefront product, which can be installed on any University system. Since many users work at home, the license also allows the product to be installed on any faculty, student or staff personal computer; this license applies only so long as the user is currently employed or enrolled at the University, after which time the software must be removed. For personal use systems, please contact the Service Desk at 210-567-7777 or firstname.lastname@example.org.
How do I install anti-virus software?
If you are unfamiliar with installing software on a personal computer, please contact your TSR or call the Triage Help Desk at 210-567-7777 or on-campus 7-7777.
Why should I update my anti-virus software?
It is estimated that there are over 72,000 viruses, worms, Trojan horses and other problem software in existence today and about 300 variants are developed monthly. Though most never successfully replicate "in the wild," there are enough to keep life interesting. Add to the mix the millions of computers tied together through thousands of networks and the possibility of exposure to one or more of the bugs rises drastically. Antivirus vendors base their reputations on their ability to respond quickly to new viruses and to get new updates to the field as soon as possible. A properly configured antivirus product, with the latest virus definitions, is your best protection from the malware developers and distributors.
Does the University monitor my Internet usage?
The University does not monitor your Internet usage directly. As part of daily operations, Systems and Network Operations and Information Security and Assurance monitor traffic levels coming in to and leaving the University network. This is done for performance and tuning and not to watch any one user. If InfoSec notices a higher-than-normal volume of traffic for a particular system, we will investigate only that system since traffic spikes generally point to infected or hacked computers or systems using unauthorized peer-to-peer (P2P) file-sharing software.
Does the University read my email?
No. We don't want to nor do we need to. If you follow the guidance in the Handbook of Operating Procedures regarding email usage, there should never be a reason for the University to take an interest. Evidence of misuse, though, such as personal gain, spamming, threatening, etc. or anything causing high levels of email traffic, can bring an email account to the attention of Systems and Network Operations, Information Management Client Support Services and/or Information Security. Also, since the email is generated on University-owned computers and transported on University-owned networks, they may fall under records retention guidelines, could become part of the public record and may even be subpoenaed. The best rule: Don't send anything through email that you wouldn't want posted on a hallway bulletin board.
What about file sharing utilities?
Because of the legal and security ramifications of peer-to-peer (P2P) applications, their use is not authorized at the University; the Handbook of Operating Procedures policy details these ramifications. The legal issues deal with downloading and storing copyrighted material on State-owned University computers, including music, movies and software. P2P-downloaded software is frequently "hacked" so that is doesn't need serial numbers or it has the serial number included and has been known to be purposely or accidentally infected with malicious software. Software piracy is a serious and expensive problem for individuals as well as the University, with fines in the millions of dollars.
What are my options if I want to save or share files on the cloud?
The University currently has multiple cloud storage solutions that offer comparable features for online storage as well as Web-based collaboration. There are a number of criteria that you should consider when determining what type of cloud service you should use. For additional information, please see the Cloud Storage Options page.
Why shouldn't I download music and video onto my work computer?
First and foremost, your work computer is a state-owned information resource and must be used in accordance with state and University policies. If your department allows you to play music on your computer, get permission and follow the departmental policies. Music, movies, television shows and other forms of entertainment are generally copyrighted to their developers, writers, networks, artists, etc. Downloading and/or sharing these types of media using free or shared sources frequently bypass the payment to those who hold the copyrights. There are several legitimate sites to purchase and download music, movies and television, the most common of which is the Apple iTunes store. For other issues concerning file sharing, see the previous topic.
Can I download games or utilities to my work computer?
As stated in the previous response, your work computer is a state-owned information resource and must be used in accordance with state and University policies. Utilities that allow you to better perform your job may be allowed, but you must check departmental policies first. Games on the other hand, are not work-related and shouldn't be installed on your work computer.
What are the differences between the different “wares” (shareware, freeware, etc.)?
Shareware is generally copyrighted software that is give out without a fee for evaluation and to raise awareness of the product (marketing, for instance). A fee is usually required to get full functionality from the product or to remove notices or advertising. Freeware is exactly that - fully-functional software that is given away without cost. Nagware blurs the line; it is sometimes shareware, sometimes freeware. The software is usually fully-functional, but it nags the user to register to pay to get additional functionality or to remove advertisements. Adware is malicious software installed on a user's computer that displays advertisements while using the browser. These advertisements generate revenue of the advertiser, but are a source of annoyance to the user; additionally, the functions of the adware can interfere with the operations of the user's computer. Adware can also have hidden functionality, making it spyware. Spyware is malicious software that obtains information from a user's computer without the user's knowledge or consent. The software is also generally installed unknown to the user. It may be installed as part of another program (Trojan horse), as part of a virus or worm or by visiting a compromised web page (a drive-by download). The types of information collected and sent back to the intruder include username/password combinations, credit card information and bank data, among others. Malware is just short for "malicious software".
How can I protect my data when I travel outside the U.S.?
International travel has unique risks compared to domestic travel. The difference in legal statutes between nations and the process of crossing international borders can frequently render typical security controls we use to protect sensitive data unworkable. Learn more about what you can do before, during, and after international travel to protect University data: International Travel Guidelines.