Social media
Information found on social networks can be used to steal your identity, to trick you into installing malware or divulging personal information such as your date of birth, address and phone number, and even to establish your relationships to other users.
- Be careful about what you post. Remember they are public sites.
- Be careful when creating connections to people. They may not be who they claim to be.
- Use strong passwords.
- Check the security settings for your account. Make sure you are only sharing what you want.
- Third-party applications may share your information; always check what they can access.
- Keep up to date with each site's privacy policy. It describes what information the site holds about you and how it manages it.
- Be cautious of clicking on posted links, regardless of source.
Web browsing
Reduce the risk of Internet browsing by following this advice.
- Keep your browser updated.
- Understand your browser's security features.
- Use a pop-up blocker.
- Don’t click on suspicious links.
- Be cautious of what you download.
- When visiting secure sites, examine any warning messages carefully rather than clicking through them.
Identity theft
Attackers can use your personal information to commit a number of criminal activities, including fraud. There are a number of ways in which they can gather your information: using technology, using social engineering and using the information you post online are all examples. Being aware of the risk and following the suggestions given within this site will help reduce the risk of your identity being stolen.
Email
Attackers can use email to infect your computer with malware.
General guidelines
- Do not open any files attached to an email unless you know what it is, even if it appears to come from someone you know. Some viruses can replicate themselves and spread through email automatically. Be safe and confirm that they really sent it.
- Do not open any files attached to an email if the subject line is questionable or unexpected. If you must open one, always save the file to your hard drive before doing so.
- Delete chain emails and junk email. Do not forward or reply to any of them. These types of email are considered spam, which is unsolicited, intrusive mail that wastes network and system resources.
- When in doubt, always err on the side of caution and do not open, download, or execute any files received as an email attachment. Not executing is the more important of these cautions.
Detailed guidelines
Abusive Emails
If you are a victim of abusive emails please report this to the University Of Glasgow CERT. They will investigate and attempt to resolve the issue by liaising with the proper organisations on your behalf.
Spam
Spam is a prevailing problem and IT Services filter a huge amount every day (some days over 90% of the email that arrives at the University is filtered out as spam). Whatever we do, some spam will always get through, as spammers find new ways to evade detection. Likely spam messages are highlighted with [SPAM?] in the email subject. You can report spam messages that have not been highlighted to antispam@gla.ac.uk; you must also supply the full header information.
Phishing
Phishing attackers forge the sender details of an email (so that it appears to have come from somewhere else) and use fraudulent websites designed to trick recipients into divulging personal data such as account usernames and passwords, financial data, etc. By hijacking the trusted brands of well-known organisations, banks, online retailers and credit card companies, phishers are able to convince up to 5% of recipients to respond to them.
Stay safe by following these guidelines:
- Treat all unsolicited email with suspicion, regardless of who the sender appears to be.
- Avoid clicking on links, or opening attachments in unsolicited email.
- Never send passwords by email (the University will NEVER ask you to send your password by email).
- When visiting a web site that requires a password, always carefully type the URL address by hand, or better still, use a 'known-good' bookmark.
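The two tricks described above, forged sender details and a link that shows one site but leads to another, are both visible in the message itself. The following added example (not the University's mail filter or any tool the page describes) checks a raw email for those two inconsistencies: Reply-To or Return-Path domains that differ from the From domain, and anchors whose visible text names a different host from the one the href actually points to. Both sample messages and the addresses in them are constructed for this illustration.

```python
"""Added example: flag sender and link inconsistencies in a raw email.
Not the University's own filter; sample messages are constructed."""
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Link text that looks like a host or URL (e.g. "www.gla.ac.uk").
URL_LIKE = re.compile(r"^(?:https?://)?[\w.-]+\.[a-z]{2,}", re.I)


def domain_of(addr_header):
    """Lower-cased domain part of an address header, or '' if absent."""
    _, addr = parseaddr(addr_header or "")
    return addr.rpartition("@")[2].lower()


class _LinkCollector(HTMLParser):
    """Collect (visible text, href) pairs from <a> elements in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def phishing_indicators(raw_message):
    """Return human-readable indicators found in one raw RFC 822 message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []
    from_domain = domain_of(msg["From"])
    # Forged-sender case: replies or bounces are routed to a different domain.
    for header in ("Reply-To", "Return-Path"):
        other = domain_of(msg[header])
        if other and other != from_domain:
            findings.append(f"{header} domain {other!r} differs from From domain {from_domain!r}")
    # Fraudulent-website case: the link text names one host, the href another.
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        collector = _LinkCollector()
        collector.feed(body.get_content())
        for text, href in collector.links:
            shown = None
            if URL_LIKE.match(text):
                shown = urlparse(text if "://" in text else "http://" + text).hostname
            actual = urlparse(href).hostname
            if shown and actual and shown.lower() != actual.lower():
                findings.append(f"link text shows {shown!r} but points to {actual!r}")
    return findings


# Constructed sample: From impersonates the University; replies, bounces and
# the login link all go to an unrelated domain.
SUSPICIOUS = """\
Return-Path: <bounce@mailer.example.net>
From: "IT Services" <helpdesk@gla.ac.uk>
Reply-To: <collect@mailer.example.net>
To: staff@gla.ac.uk
Subject: Your mailbox quota
Content-Type: text/html; charset="utf-8"

<p>Log in at <a href="http://login-gla.example.net/verify">www.gla.ac.uk</a> to keep your account.</p>
"""

# Constructed sample: a consistent internal notice.
LEGITIMATE = """\
Return-Path: <helpdesk@gla.ac.uk>
From: "IT Services" <helpdesk@gla.ac.uk>
To: staff@gla.ac.uk
Subject: Planned maintenance
Content-Type: text/html; charset="utf-8"

<p>Details are on <a href="http://www.gla.ac.uk/it/">www.gla.ac.uk</a>.</p>
"""

if __name__ == "__main__":
    for label, sample in (("suspicious", SUSPICIOUS), ("legitimate", LEGITIMATE)):
        print(label, phishing_indicators(sample) or "no indicators")
```

A mismatch is an indicator, not proof: mailing-list software and legitimate bulk senders also set Return-Path to a separate bounce domain, so a check like this is best used to decide which messages deserve the closer look the guidelines above recommend.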
Passwords
What to do:
- When creating a password, use the following criteria. Passwords should:
- Contain both upper and lower case characters (e.g. a-z, A-Z).
- Have digits and punctuation characters as well as letters (e.g. 0-9, !@#$%^&*()_+|~-=\`{}[]:";'<>?,./).
- Be at least eight alphanumeric characters long.
- Not be words in any language, slang, dialect, jargon, etc.
- Not be based on personal information, names of family, etc.
TIP: One way to create passwords that can be easily remembered is to base them on a song title or phrase. For example, the phrase "This May Be One Way To Remember" could be used to create the password "TmB1w2R!?".
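The criteria above can be checked mechanically. This added example (not the University's own password tooling) tests a candidate password against each of them, and goes slightly beyond the literal list by undoing common letter-for-symbol substitutions before the dictionary test, so that a disguised word such as "P@ssw0rd" still fails. The word list and personal details are constructed for this illustration.

```python
"""Added example: check a candidate password against the criteria above.
Not the University's own tooling; word list and personal data are constructed."""
import string

# Constructed stand-in for a real dictionary of words, slang and jargon.
COMMON_WORDS = {"password", "glasgow", "university", "welcome", "letmein", "qwerty"}

# Common substitutions people use to disguise a dictionary word.
LEET = str.maketrans({"@": "a", "0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "$": "s", "!": "i"})


def check_password(candidate, personal_info=(), wordlist=COMMON_WORDS, min_length=8):
    """Return the list of criteria the candidate fails; an empty list means it passes."""
    failures = []
    if not (any(c.isupper() for c in candidate) and any(c.islower() for c in candidate)):
        failures.append("needs both upper and lower case letters")
    if not any(c.isdigit() for c in candidate):
        failures.append("needs at least one digit")
    if not any(c in string.punctuation for c in candidate):
        failures.append("needs at least one punctuation character")
    if len(candidate) < min_length:
        failures.append(f"needs at least {min_length} characters")

    lowered = candidate.lower()
    # Undo substitutions and keep only letters, so "P@ssw0rd1!" becomes "passwordli".
    normalized = "".join(c for c in lowered.translate(LEET) if c.isalpha())
    if any(len(word) >= 4 and word in normalized for word in wordlist):
        failures.append("is based on a dictionary word")

    # Personal details (names, years, etc.) must not appear in any form.
    for token in personal_info:
        t = token.lower()
        if len(t) >= 3 and (t in lowered or t in normalized):
            failures.append(f"contains personal information ({token})")
            break
    return failures


if __name__ == "__main__":
    me = ("Alice", "Smith", "1990")  # constructed personal details
    for pw in ("TmB1w2R!?", "password", "P@ssw0rd1!", "Alice1990!x"):
        print(pw, "->", check_password(pw, personal_info=me) or "passes")
```

Note that passing these checks only rules out the weakest choices; the phrase-based method in the TIP above is still the recommended way to arrive at a password that is both strong and memorable.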
What not to do:
- Never disclose your password to ANYONE.
- Never talk about a password in front of others.
- Never share passwords.
- Don't use the "Remember Password" feature of applications (e.g., Web browsers, E-mail reader, etc).
- Don't write passwords down and leave them unsecured anywhere in your office.
- Never store passwords in a file on ANY computer system (including PDAs or similar devices) without encryption.
If someone demands to know your password, refuse and refer them to the IT Services Helpdesk for advice.
If you suspect that one of your accounts or passwords has been compromised, you must report this to your local IT support staff, the central Helpdesk or the University of Glasgow Computer Emergency Response Team (GLA-CERT) by email at cert@gla.ac.uk, and change all your passwords.
Related links
- GUID passwords
- University Password Policy
Backups
IT Services performs regular backups of the University's centrally managed network file servers. Users of Standard Staff Desktop (SSD) and Common Student Computing Environment (CSCE) workstations will automatically be provided with access to a network file server.
You are responsible for backing up all other files. We recommend that you make two, or even three, backups of all documents not stored on a file server. One backup should be stored in a different location from the others.
Confidential data
Confidential data guidelines
An overview of best practice guidelines for handling information, particularly when it is of a confidential nature.
Confidential data:
- when stored on the central filestore, is held on secure machines maintained in secure physical environments.
- should not be held on local disk storage (e.g. C: drive) of a desktop machine.
- should not be held on a laptop unless this is absolutely unavoidable, and then only with encryption used to protect the data.
- should not be stored on mobile phones or PDAs.
- when stored on a memory stick must be encrypted.
- should not be stored or exchanged on portable media such as floppy disks, CDs or DVDs unless individual files are appropriately encrypted.
- when exchanged with external organisations (or individuals) must be encrypted.
- when sent via email should be encrypted and sent through University managed e-mail services.
Detailed guidelines
Antivirus and Malware
If you have an SSD or a locally supported and managed system, then antivirus and anti-malware protection is managed for you. Contact your local IT support or the Helpdesk for details.
If you manage your own system, then you are responsible for ensuring that your system has the most up-to-date antivirus and anti-malware protection installed. The University supplies or recommends a number of solutions that can be used.
Firewalls
If you have an SSD or a locally supported and managed system, then your system's firewall protection is managed for you. Contact your local support or the Helpdesk for details.
If you manage your own system, then you are responsible for ensuring that your system is protected with a firewall. Most systems now have a firewall installed and enabled by default. It is your responsibility to ensure that this is the case and to manage the firewall rules so that they protect not only your system but also other systems on the University network. See your system and software documentation for help with this.
System and software updates
If you have an SSD or a locally supported and managed system, then your system's updates are managed for you. You are responsible for ensuring that any third-party software which is not managed or supplied by your IT support is kept up to date on your system. Contact your local support or the Helpdesk for details.
If you manage your own system, then you are responsible for ensuring that it receives updates for the operating system and any software that is installed. The University provides update services for Microsoft operating systems and software. For all other types of systems, please refer to the supplier's documentation.
Smartphone and tablet security
Smartphones and tablets may contain a lot of confidential information, possibly including banking details.
- Treat a smartphone like your wallet or purse.
- Treat a tablet like your laptop.
Steps that can be taken to increase the security of your smartphone:
- Use a PIN to protect the phone/tablet from casual unauthorised use. (do this right now)
- Set a timeout to lock the device.
- Consider configuring remote wiping.
- Some manufacturers provide remote wiping as a service. Contact your supplier for details.
NOTE: Devices which use 'ActiveSync' (iOS, Windows Mobile, some Android) to connect to your University email can be remotely wiped using the appropriate email web interface (at http://www.gla.ac.uk/it/webmail) under Options > Mobile.
- Be careful which apps you install and the permissions you give them.
- If you configure GPS location services, be aware of what information they share.
- Email security rules apply for smartphones and tablets.
- Keep a copy of your IMEI number (if applicable) in case of loss or theft.
- Back up the information on your devices.
- Ensure secure disposal of your devices at end of life.
Physical security
Theft, data loss, and physical damage are all threats if individuals can access your computer without your knowledge. Reduce this risk by:
- Controlling access to the computer itself. Only authorized people should have access. If someone can get physical access to your computer they can get full control of it.
- Ensuring your computer is in a room that can be locked when unattended.
- Securing the computer to non-movable furniture (such as desks).
- Locking your computer so that the case cannot be opened (protects internal components).
- Positioning your computer so that people cannot watch passwords being typed in. If machines are in front of windows or behind glass walls, avoid placing the monitor or keyboard where they can be seen from outside.
It's important not to forget that physical security is as much about preventing computers or their components from being stolen as it is about preventing access to the operating system or data.
Peer to Peer (P2P)
The use of P2P applications is strictly prohibited. BitTorrent is an example of a P2P application. P2P applications are commonly used to download copyrighted material.
Copyright Law
It is an offence under UK law to make copies of commercially-produced music recordings, videos, images and computer software. You are not permitted to make copies for personal use. You must have permission from the rights holder to copy any such material.
Copyright infringements may result in legal action against the individual concerned and the University, with resulting impact on the University's image and reputation. This will also be in breach of both the University of Glasgow IT regulations and the JANET Acceptable Use Policy.
Many P2P applications automatically make downloaded files available to other P2P users. This is dealing in digital contraband, resulting in increased seriousness of the copyright breach committed.
Security Risks
P2P applications can lead to abuse either by those supplying the software or by third parties. Applications can include license agreements whereby the licensee allows the licensor the right to use all available CPU and network resources on the installed machine for any reason they see fit. The University cannot accept such a condition.
Many P2P downloads contain malware (viruses, worms, trojans). It is often impossible to know whether a file being downloaded via P2P is really what it claims.
Users of P2P can also share more than they intended to with other users, for example by sharing their documents folder by accident and putting their data at risk.
Legitimate Use
If you have a legitimate use for P2P applications, please inform IT Services at p2p@gla.ac.uk; we can provide advice on reducing the risks involved.
Sanctions
Sanctions for inappropriate use may include:
- Temporary or permanent loss of access to University's computer and network resources.
- Legal proceedings from copyright holders.
- Action under University disciplinary procedures.
Skype
IT Services does not support Skype as a desktop collaboration tool. The Multimedia Communications Unit can advise on use of standards-based IP telephony applications.
If you must use Skype, IT Services requires that you follow these steps:
- Use the latest version of Skype and keep it up to date.
- Configure Skype as follows.
- In Tools / Options / General / General Settings:
- Untick the box labelled "Start Skype when I start Windows"
- In Tools / Options / Advanced / Connection:
- Set the port for incoming connections to 41234
- Untick the box labelled "Use port 80 and 443 as alternatives for incoming connections"
- Quit and restart Skype.
- Only launch Skype when you need to use it. This may require co-ordination by other means, e.g. email, instant messaging or calendar.
- Keep calls as short as possible.
- Close the Skype application when it is not in use. Right-click on the Skype system tray icon and choose Quit from the menu.
- University IT regulations
- Connection policy - for connecting systems to the campus network
- Monitoring policy - for network and systems monitoring
- Incident handling policy - for handling security incidents and breaches of information security policies
- Bastion host policy - for the configuration and management of key servers
- Guidelines for System and Network administrators - roles and responsibilities of sys and net admins
- Wireless Local Area Network policy - for deployment, administration and support of wireless LANs
- Password policy - for creating strong passwords
- Universal access policy - for the provision of Universal access to information resources
- Blocking of network access - Guidelines and Procedures
- Spam Email policy and procedures
- Data Protection
- Copyright
- Freedom of Information