How do I dispose of data containing SSN stored on my computer?
Dragging files to the “Recycle Bin” and choosing “Empty Recycle Bin” on your computer does not really delete data from your hard drive. You must use an approved data deletion program to delete the data by overwriting it with random characters. Systems that contain sensitive data must have their hard drive contents destroyed in accordance with MSU Property Control policy and procedures. Information about the campus site-licensed WipeDrive Pro software, which provides Department of Defense compliant disk wiping, is available from the ITS webpage under Software (http://www.its.msstate.edu).
There is sensitive information such as SSNs in documents that we currently store. What should we do with such documents?
Many older documents and files exist that include SSNs. This material is a major security concern. Paper copies must be kept locked and inaccessible to unauthorized users. Electronic copies must be moved to secure storage and/or encrypted. Many data files are simple to sanitize (for example, just delete the SSN column from an old class roster).
Conduct an assessment of your data to determine if it is still required. If the data is no longer required, the best answer is to simply delete it.
What should I do with an email that asks for personal information such as my password or SSN?
You should never respond to any such email, and you should never share your NetPassword with anyone. And please note that MSU would never request you to email your password or any personal information to anyone. These "phishing" attacks have become very common and you don't want to become a victim.
How do I take the mandatory Information Security Training/Certification?
All MSU faculty and staff can take the Information Security training via the portal (my.msstate.edu). The training is available under the "Office" tab.
Do I have to have a password protected screen saver?
Yes. Workstation inactivity must trigger a password protected screen saver on your desktop. For systems that access sensitive data the inactivity timer must be 20 minutes or less. General purpose desktops must be 60 minutes or less.
Is it okay to share a computer account?
No. Computer accounts, passwords, and other types of authorization are assigned to individual users and should not be shared with others.
See complete policy at: http://www.msstate.edu/dept/audit/0112.html
Do I have to run an anti-virus program on my PC?
Yes. All users of the MSU network must have operational anti-virus software on their systems and maintain updated virus definitions. See complete policy at: http://www.msstate.edu/dept/audit/0112.html
All faculty, staff and students can download and install Sophos Anti-Virus software from the ITS webpage (http://www.its.msstate.edu) on their work and personal systems at NO COST.
How do I report an information security incident?
After hours the above numbers go to an automated voicemail system. Please choose the Security Incident option to page an ITS support staff member.
Incidents that involve threats to personal safety, physical property or other illegal activities should be immediately reported to the University Police department.
What is "phishing"?
Scam artists try to gain information from victims by pretending to be schools, banks, stores or government agencies. They do this over the phone, in e-mails and in postal mail. They are looking for passwords, banking or personal information. The term "social engineering" is also used to describe ways to manipulate users into providing personal information.
General information about protecting your identity is available at:
How can I tell if an email is a legitimate request or a phishing attack?
These phishing messages can be very sophisticated with good graphics, but many have poor English and are easy to spot. Vague emails about "account problems" or the "new upgrade" that provide no specific details and ask you to give out personal information are not legitimate.
Here are some key phrases that can be a big clue.
"Dear MsState.Edu Subscriber" or "Dear msstate.edu account owner"
"Verify your account" or "CONFIRM YOUR EMAIL IDENTITY" - MSU will never request a password via email.
"Warning!!! Failure to do this will immediately render your email address deactivated from our database." - The scam artist is trying to pressure you into replying quickly, "or else."
"Thanks, Your msstate.edu Upgrade Team" - The signature is not from a real MSU unit.
The email "FROM" address might look legitimate but the "Reply-To:" address is to a Yahoo, Hotmail, or Gmail account.
The message may have a link to the official logo of the university or your bank, but the URL the message wants you to click on really points to some location that does not have a real domain name assigned, e.g. http://41.240.149.###/mybank
Be careful of all links that request personal information. The site could be a "clone" of the official IRS, bank or corporate website created solely to steal your identity. Go directly to the web site of the company rather than clicking on a URL in unsolicited email.
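The clues listed above can also be checked mechanically, for instance when triaging reported messages. The following Python is an added example, not code from MSU or its StopSpam system; the clue names, the phrase list and the sample message (placeholder domain university.example, documentation address 192.0.2.10) are constructed for illustration.

```python
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

FREE_MAIL = {"yahoo", "hotmail", "gmail"}      # providers named in the FAQ
PHRASES = ("verify your account", "confirm your email identity",
           "enter your password", "email password")   # assumed phrase list
URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.I)

# Constructed sample message, modelled on the clues described above.
SAMPLE = """\
From: Webmail Team <webmail-team@university.example>
Reply-To: somebody@yahoo.com.hk
Subject: Confirm Your Email Address!

To verify your account, reply and enter your password here.
You can also log in at http://192.0.2.10/webmail
"""

def domain_of(header_value):
    """Return the lower-cased domain of an address header, or ''."""
    addr = parseaddr(header_value or "")[1]
    return addr.rpartition("@")[2].lower()

def phishing_clues(raw_message):
    """Return a sorted list of clue names found in one plain-text message."""
    msg = message_from_string(raw_message)
    body = "" if msg.is_multipart() else msg.get_payload()  # single-part only
    clues = set()
    from_dom, reply_dom = domain_of(msg["From"]), domain_of(msg["Reply-To"])
    if reply_dom and reply_dom != from_dom:
        clues.add("reply-to-differs-from-sender")
    if FREE_MAIL & set(reply_dom.split(".")):
        clues.add("reply-to-free-webmail")
    if any(p in body.lower() for p in PHRASES):
        clues.add("asks-for-credentials")
    for url in URL_RE.findall(body):
        host = urlparse(url).hostname or ""
        try:
            ipaddress.ip_address(host)       # raises ValueError for real names
            clues.add("link-to-bare-ip")
        except ValueError:
            pass
    return sorted(clues)
```

A message with none of these clues can still be a phishing attempt; the checks only automate the warning signs listed in this answer.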
What kind of phishing attacks have we seen at MSU?
MSU users are under constant phishing attack. Attacks targeting user information at banks, PayPal and large companies such as eBay or Amazon are very frequent. Many are well enough known that the StopSpam.MsState.Edu system can block them.
Some of the more recent scams that were specifically targeted against users at Mississippi State University include messages with the following subjects:
"VERIFY YOUR MSSTATE.EDU EMAIL ACCOUNT NOW"

-------- Original Message --------
Subject: Confirm Your Email Address!
Date: January 14, 2008 12:50:48 PM CST
From: THE MsState UNIVERSITY WEBMAIL TEAM <email@example.com>
Reply-To: SOMEBODY@yahoo.com.hk
To: undisclosed-recipients:;

Confirm Your Email Address!

Dear msstate.edu Subscriber,

To complete and verify your msstate.edu account, you must reply to this email immediately and enter your password here (*********)

Failure to do this will immediately render your email address deactivated from our database.

You can also confirm your email address by logging into your MsState.edu account at https://webmail.msstate.edu/

Thank you for using MsState.EDU!
THE MsState UNIVERSITY WEBMAIL TEAM
-----------------------------------------------------------------
And the subject:
"Confirm Your Email Address!"

-------- Original Message --------
Dear msstate.edu email account owner,

This message is from msstate.edu messaging center/ technical upgrade team to all msstate.edu email account owners. We are currently upgrading our data base and e-mail account center. We are deleting all unused msstate.edu email accounts to create more space for new accounts.

To prevent your account from being de-activated, you will have to update it as directed below so that we will know that it's a presently a used account.

CONFIRM YOUR EMAIL IDENTITY BELOW
Last Name:.......................
Email Username : .......... .....
EMAIL Password : ................
Warning Code:....................

YOU ARE REQUIRED TO SEND THESE DETAILS TO OUR UPGRADE ACCOUNT TEAM BY SIMPLY REPLYING TO THIS EMAIL

Warning!!! Account ownerS who refuse to update their accounts within seven (7) days of receiving this warning will loose his or her account.

Thank you for using msstate.edu
Warning Code:VX2G99AAJ
Thanks,
msstate.edu Upgrade Team

-------- Original Message --------
From: Online Services <firstname.lastname@example.org>
Subject: Re: Important Email Account Verification Update!!!!!
To: email@example.com
Reply-to: firstname.lastname@example.org

Dear MSSTATE.EDU Email Account Owner,

This message is from MSSTATE.EDU messaging center to all MSSTATE.EDU email account owners. We are currently upgrading our data base and e-mail account center. We are deleting all unused MSSTATE.EDU email account to create more space for new accounts.

To prevent your account from closing you will have to update it below so that we will know that it's a present used account.

CONFIRM YOUR EMAIL IDENTITY BELOW
Email Username :
EMAIL Password :
Address :
Department :

Attention!!! Account owner that refuses to update his or her account within ten days of receiving this Notification will lose his or her account permanently.

Thank you for using MSSTATE.EDU!
Notification Code:VX2G99AAJ
Sandra Dubois
ONLINE SERVICES
-----------------------------------------------------------------------------
What should I do if I think I have been phished?
You should immediately change your NetPassword at http://netpassword.msstate.edu. Depending on the situation and what information was exposed, you may need to contact University Police at 662-325-2121. You can contact the ITS Helpdesk to see if your account has any logs of inappropriate access. Additional identity protection information is available at: http://www.infosecurity.msstate.edu/idp/steps/