IT Security

Last Updated:  Fri July 8, 2011 GBOS

Welcome!  This is the Home Page for information on IT Security topics and issues at the University of Guelph.  Enterprise IT policies and guidelines are also available on our site.

The IT Security Officer, Gerrit Bos, is the CIO's designate for reporting complaints or potential violations of the University's Acceptable Use Policy (AUP).  The IT Security Office can be reached at extension 58006 or email incident@uoguelph.ca.

The Portfolio Management Office is responsible for developing and administering a comprehensive IT Security Program. The program will be iteratively and progressively expanded as new policies and control practices are implemented. An IT Security Policy Framework has been developed to organize IT policies in a structure that is compatible with recognized best practice and international standards.  The approved Framework document is available here: Information Technology Security Policy Framework.

New: Recent Scams and Phishing Attempts.

Got a suspicious email?  Check our list of recent reported scams and phishing attempts before you reply!

 New:  Tips to protect yourself against Phishing Attempts:

Don’t take the bait: Many people are familiar with the traditional phishing attack, which arrives in an email that appears to have been sent from your bank or ISP, warning that your account will be suspended unless you take some action immediately, usually clicking a link and “verifying” your account information, user name, password, etc. at a fake site. Commercial emails that emphasize urgency should always be considered extremely suspect, and under no circumstances should you do anything suggested in the email.

Phishers count on spooking people into acting rashly because they know their scam sites have a finite lifetime; they may be shuttered at any moment (most phishing scams are hosted on hacked, legitimate Web sites). If you’re really concerned, pick up the phone (gasp!) and call the company to find out if there really is anything for you to be concerned about.

Links Lie: Don’t take links at face value. The most important part of a link is the “root” domain. To find that, look for the first slash (/) after the “http://” part, and then work backwards through the link until you reach the second dot; the part immediately to the right of that dot is the real domain to which that link will take you.
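The rule above, applied to every link in an HTML message body and compared with the text each link displays. This is an added example, not part of the original page; the function names, the sample body, the stand-in host example.net and the short suffix list are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed, partial list of two-label suffixes; real tooling should load
# the full Public Suffix List.
TWO_LABEL_SUFFIXES = {"co.uk", "ac.uk", "com.au"}
# Constructed message body; example.net stands in for an unrelated host.
SAMPLE = ('<a href="http://www.uoguelph.ca/ccs/my-accounts">www.uoguelph.ca</a> '
          '<a href="http://www.uoguelph.ca.example.net/login">www.uoguelph.ca</a>')

def root_domain(url):
    """Root domain per the rule above, or None when there is no host."""
    host = urlsplit(url).hostname  # host only, lowercased, port removed
    if not host:
        return None
    labels = host.rstrip(".").split(".")
    if all(label.isdigit() for label in labels):
        return host  # bare IPv4 address: there is no domain name to read
    keep = 3 if ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES else 2
    return ".".join(labels[-keep:])

class LinkCollector(HTMLParser):
    """Collect (visible text, href) pairs from an HTML message body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None

def misleading_links(html):
    """Links whose visible text names a different root domain than the href."""
    collector = LinkCollector()
    collector.feed(html)
    flagged = []
    for text, href in collector.links:
        shown = root_domain(text if "://" in text else "http://" + text)
        if shown and "." in shown and shown != root_domain(href):
            flagged.append((text, root_domain(href)))
    return flagged
```

Counting two dots is only right for suffixes like .ca or .com; under a suffix such as co.uk the root domain has three labels, which is why the suffix list is consulted first.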

“From” Fields can be forged: Just because the message says in the “From:” field that it was sent by your bank doesn’t mean that it’s true. This information can be and frequently is forged. If you want to discover who (or what) sent a message, you’ll need to examine the email’s “headers,” important data included in all email.
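One way to read the headers mentioned above: compare the domain in “From:” with the domains that replies and bounces actually go to, and pull out the earliest relay hop. This is an added example, not part of the original page; the message, its addresses and the function names are constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed message: the display name and From address claim one
# organisation while replies and bounces go elsewhere.
RAW = """\
Return-Path: <bounce@mailer.example.net>
Received: from mailer.example.net (mailer.example.net [192.0.2.25])
\tby mx.example.edu; Thu, 7 Jul 2011 09:14:02 -0400
From: "Example Bank Security" <alerts@bank.example.com>
Reply-To: accounts-team@example.org
Subject: Your account will be suspended

Please verify your account details.
"""

def domain_of(header_value):
    """Lowercased domain of the address in a header, or None if absent."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower() or None

def header_findings(raw):
    """Compare the claimed sender with where replies and bounces really go."""
    msg = message_from_string(raw)
    claimed = domain_of(msg["From"])
    findings = []
    for name in ("Reply-To", "Return-Path"):
        actual = domain_of(msg[name])
        if actual and actual != claimed:
            findings.append(f"{name} domain {actual} differs from From domain {claimed}")
    # Received headers are prepended by each relay, so the last one listed is
    # the earliest hop; anything below a relay you trust can be fabricated.
    hops = msg.get_all("Received", [])
    if hops:
        findings.append("earliest hop: " + " ".join(hops[-1].split()))
    return findings
```

A mismatch is a reason to look closer rather than proof of forgery, since legitimate bulk mail is often sent through a third-party service with its own bounce domain.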

When in doubt, type it out: If you’re not sure about the validity of an email, don’t click on the link in the message. Instead, take a moment to visit the Web site of the sender in question by typing the URL into a Web browser, and access your account normally.

Keep in mind that phishing can take many forms: Why steal one set of login credentials for a single brand when you can steal them all? Increasingly, attackers are opting for approaches that allow them to install a Trojan that steals all of the sensitive data on victim PCs. So be careful about clicking links, and don’t open attachments in emails you weren’t expecting, even if they appear to come from someone you know. Send a note back to the sender to verify the contents and that they really meant to send it.

If you didn’t go looking for it, don’t install it: Password stealing malware doesn’t only come via email; quite often, it is distributed as a Facebook video that claims you need a special “codec” to view the embedded content. There are tons of variations of this scam. The point to remember is: If it wasn’t your idea to install something from the get-go, don’t do it. Do your homework before installing programs, plug-ins, or ActiveX controls, and always try to download the installer directly from the vendor’s Web site if you can.

The City of Guelph Police Services posted a Phishing Fraud Alert on July 7, 2011 (scroll to item 3), and most financial institutions have a phishing reporting page.  On our page of recent reported scams and phishing attempts, we focus on UofG-specific scams and phishing attempts.

New: Courselink now uses Single Sign-On (SSO).

 

Single Sign-On creates IT Security advantages because it provides a trusted, more secure, and more easily verifiable single point for authentication.  It also saves you time.  With more services taking advantage of SSO, it is important to keep the following in mind:

  • Choose a secure password.  See http://www.uoguelph.ca/ccs/my-accounts
  • NEVER give your password to anyone.  The University will NEVER ask for it.
  • Please log out and close your browser at the end of your session.
  • Lock your screen if you step away.  Shortcut: Windows Logo key+L

Mobile computing and encryption guidelines: Increasingly, mobile computing devices are generating new security and compliance challenges.  Here are two documents from the Ontario Privacy Commissioner that provide an excellent introduction to this topic: an IPC Brochure on the Mobile Workplace and an IPC "Fact Sheet" on Mobile Devices.

The University's Campus Community Police department administers the "STOP" Program for protecting laptops. We recommend all University portable computing devices take advantage of this program!

Link to CCS IT Security page...IT Security information.

Attachment                                  Size
IPC brochure-mobilewkplace.pdf              646.9 KB
IPC-FactSheet-May2007-MobileDevices.pdf     208.97 KB

Comments

I just received the following scam email that I thought should be shared from this address:

Reply To: kimdh39@w.cn

"We are currently upgrading our Message Centre database. We are deleting all
unused uoguelph.ca accounts to create more space for new ones. In other for
your account not to be suspended or deleted, you will have to update your
account by providing the information listed below:

Confirm Your uoguelph.ca Account Details.

Email Address:
Username:
Password:
Confirm Password:

Please send your details to: kimdh39@w.cn

uoguelph.ca HelpDesk.
Warning!!! Account owner(s) who refuses to update his or her account within
seven days of receiving this notice ends up being suspended permanently"