Policies & Security

1. Frequently Asked Questions

1.1. How do spammers get my name and how can I protect myself?

Free services. Many Web sites carry paid advertising as a way to generate revenue.  But many web-based services also require that you register, by supplying your name and e-mail address, before you can use their “free” services.  Selling the information they collect is part of their business plan.  And guess who buys that information?  (The correct answer is “spammers”).

Newsgroups. Think twice before posting to a newsgroup.  Spammers often release information-gathering programs called “bots” to collect the names and e-mail addresses of people who post to specific newsgroups.  Bots can get this information from both recent and old posts.  And, since many newsgroups are special-interest communities, spammers can learn what you’re interested in—which makes you a better target for spam.


How to protect yourself:

Never reply to a spammer. Replying to spam—no matter how good the offer sounds—will guarantee that you get more spam, because you’ve shown yourself as susceptible.  Also ignore any offer to “click here to be removed from our list.”  All your request does is tell the spammer the message arrived and that a live person is reading the mail at that address.  Any response increases your value to list-sellers.

Surf wisely. Be sure to look for the TRUSTe “trustmark” included on many commercial Web sites.  This logo certifies that the site owners follow their published privacy policy.  Every policy is different, so you’ll still have to read each one carefully before divulging personal information.  But at least you’ll be reasonably certain the site owners won’t sell your name if they’ve promised not to.  Go to www.truste.org for more info on this service.

Use filters. Every e-mail program has some sort of built-in filtering system.  Check your client’s online help section for info on setting up filters.  Filters aren’t perfect, though, because you have to enter the spammer’s e-mail address, and the addresses change often and are commonly disguised.  Another good use for filters: blocking messages from one person who keeps sending you unwanted (but not spam) messages.


How to complain

You can forward objectionable e-mail with full headers to abuse@uvawise.edu.

Be sure to include the "Internet Headers" when you forward a message.  The "Internet Headers" identify every computer that handled the message before it arrived at your in-box.  We need this information to determine the origin of the message.  Every e-mail client has its own way to show "Internet Headers"; check your client's online help section to learn more.

In Outlook, with the email open click the in the "Tag" section of the Ribbon to bring up the "Properties" box and to show the "Internet Headers" which you can then select and copy into your email.


1.2. What constitutes harassing or inappropriate e-mail, and what can I do about it?


1.3. What campus policies, procedures and/or guidelines should I be aware of?


1.4. How do I know if I am on a "secure" Web page?


1.5. What should I know about creating a good password?


1.6. Can I connect my game system or play PC games on the College network?


1.7. How do I know if my computer has been compromised?


1.8. What should I know about securing my personal computer?


1.9. How do I protect myself from computer viruses?


1.10. How can I automatically delete/clear private data when exiting Mozilla Firefox?

To automatically clear private data in Mozilla Firefox:

  1. Open Firefox. 

  2. Select Tools from the toolbar. 

  3. Select Options from the pull-down menu. 

  4. Select the Privacy Tab. 

  5. Click on the checkbox, to put a check mark, under Private Data section: “Always clear my private data when I close Firefox”. 

  6. Click on the Settings… box. 

  7. Make sure that all of the checkboxes are selected with checks. 

  8. Click OK. 

  9. Click OK. 

  10. Every time you close Firefox you will be prompted to “Clear Private Data Now”.


2. Reporting Abuse

2.1. What You Should Report

The security and protection of the College’s resources is everyone’s responsibility. If you witness or know of a threat to or misuse of any of the resources on campus, large or small, whether that threat is internal (from someone on campus) or external (someone not on campus), then you have an obligation to report what you know to the proper authorities at abuse@uvawise.edu. All reports will be investigated and the appropriate actions will be taken. You can make a difference. We are all working toward one goal and success requires the assistance and perseverance of every individual.

***All emails should be forwarded with full headers.

Threatening emails should be reported immediately. If you feel threatened by the contents of an email received through your uvawise.edu account during normal business hours (M-F 8:00-5:00), you can report it to abuse@uvawise.edu or (276) 376-4640, or contact the Campus Police anytime at 911 or (276) 328-COPS. Do not disregard a threat; take all threats seriously.

If you are receiving harassing emails to your uvawise.edu account please forward the email to abuse@uvawise.edu and/or call extension 4640 to report the abuse.

2.2. Copyright Notifications

Pursuant to 37 CFR 201.38, UVa-Wise has designated the following person to receive notification from copyright owners of claimed infringement of copyright:

Scott Bevins, Ph.D.
Associate Vice Chancellor of Information Services
Information Technology Center - Room 273
1 College Avenue
Wise, VA  24293
Phone:  (276) 376-4578
Fax:  (276) 376-1045
E-Mail: pb8q [at] uvawise.edu


3. Information Security Awareness Training

3.1. IT Security Awareness Tutorial (ITSA) Information

Background

All UVA faculty, staff, and other employees, including the Health System and UVa-Wise, must complete the Information Technology Security Awareness tutorial (ITSA) annually, as part of the revised IRM-002 – Acceptable Use of the University’s Information Technology Resources policy. For this year, we will send a reminder email to all UVA faculty, staff, and other employees to remind them to complete the training.  The email reminder will be sent out in waves based on the "original hire date" (visible in Workday).

Important to Know

  • Emails reminding you to complete the training will be done in waves.  If you are uncertain about the validity of our email reminder, please contact the IT Security and Policy Coordinator or your LSP to verify it.  If you suspect that you may have received a phish, please email abuse@uvawise.edu so that we can help you determine the message's validity.  You should also check the UVA Security Alerts and Warnings webpage to see if it's listed and learn more about identifying phishing emails.
  • Token Joint VPN (JVPN) and High Security VPN (HSVPN) users: If you have received an invitation to begin your security awareness training and you do not successfully complete the training by the designated due date, your access to the JVPN and HSVPN will be blocked until you:

1. Visit Information Security Awareness Training (ISAT) in Workday and complete the ITSA, and

2. Contact the IT helpdesk (276-376-4509) during regular business hours, but no sooner than 24 hours after receiving this email.



3.2. ITSA Frequently Asked Questions (FAQs)

  1.  I already took this quiz, do I have to do it again?
  2. If you have been notified to take the quiz then you must complete it, annually. The auditors are now requiring all University faculty, staff, contractors, and student employees to complete information security awareness training annually. The tutorial has changed from previous years and takes about 10 minutes to complete.

  3.  I’m not on Grounds, do I need to complete the quiz?
  4. Yes! It’s not about where you are, it’s about your status as a faculty, staff, contractor, or student employee, and accessing any of UVA’s technology resources. State auditors are now requiring all University faculty, staff, contractors, and student employees to complete information security awareness training annually.

  5.  Do I have to do the quiz?
  6. [See #11 below for variant on this question.]

    If you have been notified to take the quiz, then you must complete it. The state auditors are now requiring all University faculty, staff, contractors, and student employees to complete information security awareness training annually.  If you do not complete the quiz, you may lose access to University systems.

  7. I was a student employee but I don’t work for UVA any longer, can you take my name off the list?
  8. According to our records you are still listed as an active student employee. Any employee who is listed as active cannot be removed from the quiz.  You should contact the department you used to work for and ask them to remove you from their payroll list.

    If you do not work for UVA anymore, then there is no need for you to take the quiz.  However, if you do not want to get further emails about the quiz, you need to contact your former department and get them to remove you from their rolls.

  9. I am a wage employee but I don’t work for UVA any longer, can you take my name off the list?

  10. According to our records you are still listed as an active employee. Any employee who is listed as active cannot be removed from the quiz.  You should contact the department you used to work for and ask them to remove you from their payroll list.

    If you do not work for UVA anymore, then there is no need for you to take the quiz. However, if you do not want to get further emails about the quiz, you need to contact your former department and get them to remove you from their rolls.

  11. How do I know if I successfully completed the quiz?
  12. Once you have completed the quiz you will come to a screen that shows a certificate of completion.

    In addition, you will also receive an email stating that you have completed the tutorial. This email will provide you with some links that were referenced in the tutorial. These links will also help you expand your knowledge of information security.

  13.  I don’t use UVA systems, do I have to take the quiz?
  14. Based on our records, you still have access to UVA systems (including email). You may not use this access, but you still have access; therefore, you are required to take this quiz.

  15. Is this a phishing email?
  16. No, this is a legitimate email. If you are uncertain, please call IT Security at (276)376-4640.

  17. How do I re-enable my JVPN or HSVPN access?
  18. Complete the quiz and then contact Access Management (434-924-0817) during regular business hours, at least 24 hours after you have completed the quiz.

  19. What is HSVPN?
  20.  HSVPN is another high security network similar to the JointVPN. You would know if you have HSVPN access, so since you don’t know what HSVPN is, you do not need to worry about it. 

  21. I recently completed the Responsible Computing Quiz (RCQ - the student version of the ITSA tutorial), do I still need to take the ITSA (the employee version)?
  22.  Yes, you still need to complete the ITSA tutorial for faculty and staff (https://quiz.its.virginia.edu/itsarc). We apologize if you were directed incorrectly to complete the RCQ. If you can let us know who directed you to take the RCQ, we can contact them to prevent this mix-up in the future, hopefully.

    As you may have noticed, the RCQ is geared specifically to students. The ITSA tutorial has security awareness information for faculty and staff, so we hope you find that more useful than the RCQ. Again, we apologize for the mix-up. Please let us know if you have any further questions.

4. NetBadge

4.1. Student Instructions for obtaining/resetting NetBadge

NetBadge Resets/Duo Instructions - Students

NOTE: If you are new to UVa-Wise you will need to email your text enabled cellphone number to NetBadge@uvawise.edu from your @uvawise.edu email account and ask that your email and cell number be added for NetBadge access. 

NOTE: If you have changed cell phones you need to download the Duo Mobile app and contact NetBadge@uvawise.edu from your @uvawise.edu email account and request that your Duo device be "reactivated".

NOTE: If you have a new cell phone number you will need to send an email to NetBadge@uvawise.edu from your @uvawise.edu email account and ask that your phone number be changed in Duo.

NOTE: If you are a returning student, remember your password, and do not fall into one of the previous NOTE categories, you should be able to log in to NetBadge-protected resources without further action. However, if you do not remember your NetBadge password, you will need to follow the steps below:

You will need to visit the Create or Manage Your UVA Computing ID and Password page in your browser to reset your NetBadge password:


  • Click on “Reset Your UVA Password” (***this is the same thing as NetBadge)

  • Choose “Option 3: Request a PIN sent to your recovery email or mobile number”

  • Type in your computing ID (this is the first part of your email address, for example abc2d)
  • Type in your Birth Date – formatted mm/dd/yyyy
  • Check the Checkbox
  • Click SUBMIT
  • Choose “email sent to your recovery email address” which is your computingid@uvawise.edu
  • You will receive an email with a PIN, which you will use to complete step 3 “Validate” your identity and give you access to reset your password
  • Select I agree
  • Type in a password (at least 12 characters, including at least 1 number, 1 special character, Upper and lower case letters)
  • Retype the password (this is the password for NetBadge access; *** this password changes neither your UVa-Wise access to login nor your @uvawise.edu email login)
  • Click RESET PASSWORD
  • Click OK
  • If available Click FINISH otherwise
  • After you have created your password and on your first attempt to login to NetBadge you will be asked to set up an Authentication Device (usually your cell phone).
  • Provide the information and follow the prompts. The service will allow you to receive a call to authenticate or to receive a "Push" notification from Duo Mobile (for the push notification you will need to install Duo Mobile from your app store). Make sure that you allow notifications.
    • Only follow this step if you were not redirected to the Duo enrollment page: Go to the 2-Step Login Management Portal and follow the prompts to complete the 2-step authentication (Duo) by registering your cell phone or choosing another method of verification. This is required by UVA.
  •  Go to the previous tab and click on “Identity and Access Management Portal” and choose “Create or manage your personal security questions”
  •  Please complete these questions and answers so that you can access the NetBadge password reset by answering the security questions.

4.2. What is Enhanced NetBadge?

A NetBadge is an electronic identification "badge" that is issued to your Web browser when you log into the NetBadge service.  NetBadge verifies your identity as a valid user of the Web resource you are trying to access, using your University computing ID and password credentials.

"Enhanced" NetBadge is a higher-security edition of NetBadge that will look slightly different from the "original" NetBadge and increase protection of your sensitive personal data (i.e. no longer use SSN).  To use "Enhanced" NetBadge requires verification of identity through a process known as Identity Verification.

4.3. Why you need an “Enhanced” NetBadge account

At UVa, there are 3 levels of identity assurance, depending upon the sensitivity of the data you are attempting to access.  Systems which require “Enhanced” NetBadge now or in the near future include Oracle; the Integrated System; and UVa’s Student Information System.  Other systems which require NetBadge login include, but are not limited to: on-line training modules Security Awareness, Search Committee, Preventing Sexual Harassment, and Preventing Employment Discrimination.

4.4. 2-Step Authentication (DUO) required for NetBadge logins

Once you have downloaded and installed Duo Mobile from your app store

Allow notifications

Open the text message for activating Duo Mobile

Tap the link

Open the link in Duo Mobile

Should say “adding account”

If this does not happen then try to login to NetBadge and tap the + on the Duo Mobile screen.

But stop on the screen that asks you to authenticate by Phone call or code… now read this next section carefully to set up the automatic “Push” feature…

If your administrator enabled self-service device management, the Duo Prompt displays a "My Settings & Devices" link on the left.

If you enabled the option to automatically send you an authentication request via push or phone call, you'll need to cancel the push or phone call in progress before you can click the "My Settings & Devices" link.

To manage your devices, choose an authentication method and complete two-factor authentication (you may need to scroll down to see all authentication options). You can't get in to the device management portal if you do not have access to any enrolled devices; you'll need to contact your Duo administrator for help.

After authenticating you'll see the device management portal. This is where you can enroll a new device by clicking Add another device and following the device enrollment steps, or reactivate, edit, or delete your existing devices.

To exit My Settings & Devices, click the Done button below your listed devices or click your organization's logo on the left (or the Duo logo if shown).

Default Authentication Options

If you authenticate with more than one device, you can specify which you would like to be the default. Click the Default Device: drop-down menu and pick your default device for authentication. Click Save if you're done making changes.

If this is the device you'll use most often with Duo then you may want to enable automatic push requests by changing the When I log in: option and changing the setting from "Ask me to choose an authentication method" to "Automatically send this device a Duo Push" or "Automatically call this device" and click Save. With one of the automatic options enabled Duo automatically sends an authentication request via push notification to the Duo Mobile app on your smartphone or a phone call to your device (depending on your selection).

Manage Existing Devices

Click the Device Options button next to any of your enrolled devices to view the actions available for that type of device. You can Reactivate Duo Mobile for an enrolled smartphone, Change Device Name for any type of phone, or delete any authentication device.

Reactivate Duo Mobile

Click the Reactivate Duo Mobile button if you need to get Duo Push working on your phone, for example, if you replaced your phone with a new model but kept the same phone number. After answering some questions about your device, you'll receive a new QR code to scan with your phone, which will complete the Duo Mobile activation process.

Change Device Name

Clicking Change Device Name will open up an interface to change the display name of your phone (hardware tokens can't be renamed). Type in the new name and click Save.

After successfully modifying your phone's name, not only will you see this from now on when managing devices, but it will also be how your phone is identified in the authentication dropdown.



5. Phishing & Fraud

6. Policies

6.1. UVa Policies which apply to UVa-Wise resources

Acceptable Use

Data Protection

Information Security

Privacy and Confidentiality

Exceptions

***Please note that questions regarding any of these policies should be directed to the Helpdesk, (276) 376-4509.

6.2. State laws which apply to computing resources

It is against policy and against Virginia Law to knowingly (and sometimes unknowingly) illegally use, misuse, interfere with and/or modify network systems. Depending on the violation, the person is guilty of a Class 1 Misdemeanor up to a Class 6 Felony. [1]

[1] Va. Code §§ 18.2-152.1 to -152.15, § 19.2-249.2


6.3. UVa-Wise Policy Index

UVAW – 1

Firewall Configuration Policy – Configuration changes, documentation, stateful inspection, additional firewalls, review

UVAW – 2

System Configuration Policy – standards, vendor supplied defaults, documentation, review, systems containing sensitive information

UVAW – 3

Information Sensitivity Policy – administrative data, access, ownership, data responsibility roles

Appendix A

Definitions and Examples of Administrative Data Categories

Appendix B

Roles and Responsibilities Related to College Administrative Data

UVAW – 4

Encryption Policy – where and when to use encryption, type of encryption to be used

UVAW – 5

Anti-Virus Software Policy – software, updates, definitions

UVAW – 6

Operating System (OS) and Application Security Policy – updates, patches, fixes, documentation, back-out procedures

UVAW – 7

Unique Identifiers – unique user ID, password (identity) verification, background checks, contracts, encryption, user revocation, group/shared passwords, password complexity and rules

UVAW – 8

Physical Access to Sensitive Data Systems – access controls, data retention

UVAW – 9

Sensitive Data Access Tracking and Monitoring – access, auditing logs, event entries, system clocks and times, reviewing logs, audit trails

UVAW – 10

Periodic Testing of Security, Systems, and Processes – scans, penetration testing, IDS/IPS

UVAW – 11

Risk Management and Disaster Recovery Policy – completion and review of Risk Management/Disaster Recovery plans

UVAW – 12

Security Awareness Training and Communication Policy – training, documentation, communication methods

UVAW – 13

Information Technology Security Incident Handling Policy – Incident response procedures, teams, notification methods, involvement

UVAW – 14

Policy on Electronic Mail and Mass E-mail(s) – Listserves, appropriate uses, expectations, repercussions

UVAW – 15

University of Virginia’s College at Wise Monitoring/Review of Employee Electronic Communications or Files Policy – expectation of privacy; court orders; what, when and who can be monitored

Appendix A

Guidance for Vice Chancellors on University of Virginia’s College at Wise Policy on Monitoring/Review of Employee Electronic Communications or Files

UVAW – 16

Computer/Hard Drive Disposal Policy - To establish processes and procedures for the disposal of all computers and/or hard drives including but not limited to those containing sensitive data in any format including electronically and/or digitally

UVAW – 17

Change Management Policy and Form








*All UVa-Wise IT policies and standards that apply to The University of Virginia’s College at Wise are defined, approved by management, and communicated via the OIT website to the Wise Campus and Community. The CIO, IT Managers, and the IT Security and Policy Coordinator will meet annually to review, revise and approve all new and revised policies which will then be presented to the Senior Staff for approval. All approved policies will then be posted on the IT website within a week of approval.

7. Password Policies & Security

7.1. Password Complexity Requirements

  1. Minimum of eight (8) characters.
  2. No proper names, dictionary words, variations of your name, or Social Security Numbers
  3. At least one (1) number.
  4. At least one (1) symbol.
  5. At least one (1) capital letter.