Learn, Do, Secure
The Information Security Standards are informed by the University’s IT Policies to provide the minimum requirements for safeguarding the University's Information and IT Resources (ITR).
All employees are required to familiarize themselves with the standards and associated guidelines.
Training
- All mandatory information security awareness training and other privacy training must be completed.
Policies
- Employees must familiarize themselves with the University’s IT policies and comply with them.
User Account
- NEIU Net IDs (for example, Joe Blog is jblog@neiu.edu, with no hyphen) and passwords must not be used to register accounts on any IT system or website that is not work-related, e.g., social media platforms, online retail stores, online banking, or cloud services.
- The default password assigned to an NEIU account must be changed to a private password during account activation.
- Strong passwords or pass phrases must be used, and must not be shared. See Password Management Policy.
- Multi-factor authentication (MFA) must be used when accessing the University's IT systems.
- Passwords to user accounts must be changed as soon as possible if suspected to be compromised.
Device Security
The University reserves the right to refuse network connection to devices or applications that may put its information and ITR at risk.
All users are responsible for the security of university devices in their care and the data stored on them.
All Computers Used for Work
- Must run up-to-date operating systems and security patches and have automatic updates enabled.
- Must have active and up-to-date antivirus protection enabled.
- Access to devices must be protected using access control features such as passwords or pin codes, which must be kept private.
- Automatic screen locks must be enabled to prevent unauthorized access to information when a user session becomes inactive.
- Hard disk encryption must be enabled if the feature is available.
- Devices must have the University's asset management software installed (where practical) and recorded in the asset inventory system. Where possible, all university devices must have asset tags. For more information and support, contact property-control@neiu.edu.
- The use of University devices for work or personal business must comply with the Acceptable Use of Information Technology Resources Policy. Personal use of University devices must be done reasonably and not conflict with work.
- Only the official stores for app downloads such as Microsoft Store, App Store, Google Play, and Blackberry may be used. Unlicensed software must not be installed or distributed on any University devices.
- Software restrictions and system or file security settings on University devices must not be disabled or amended. This includes disabling passwords or pin codes, and any security software installed (e.g., antivirus, hard disk encryption).
- Unusual or random behavior of University devices (such as unsolicited window pop-ups) or suspected malware infection must be reported to the IT Service Desk as soon as possible.
- Mobile devices such as laptops, tablets, smartphones, and hardware tokens must not be kept in open view or left overnight in a vehicle.
- Mobile devices must be locked away during long absences from the office and at the end of work, or carried along by the user if practical.
- Mobile devices must not be left unattended in an open area in a University building or other public places.
- When traveling, appropriate safeguards must be used to protect University devices from loss or theft.
- Lost or stolen devices must be reported as soon as possible to line managers, the police, and the IT Service Desk.
- Where data wipe, device lockout or deactivation features are available on a device, they should be enabled. For support, contact IT-ServiceDesk@neiu.edu.
- All University laptops, other devices and data stored on them remain the property of Northeastern Illinois University and the State of Illinois. They must be returned to the appropriate line manager when no longer required or when employment ends.
The University is committed to protecting its computers and other electronic devices by providing controls to safeguard such devices from events that could compromise them or the data they hold. Individuals are responsible for the use and management of their personal computers, and the University's authority over the use and security of personal computers is limited in most cases. For this reason, personal computers for work are not permitted.
Network and Internet Security
- Secure Wi-Fi must be used when accessing University-restricted or internal information and ITR. This also applies to remote working.
- Personal Wi-Fi used for remote working must be configured to meet the following:
  - Default login passwords to the network device (e.g., router) and Wi-Fi must be changed to private passwords. Passwords or pass phrases should be strong and not easily guessed.
  - Automatic software updates must be enabled on the network device.
  - The wireless network must use WPA2 encryption or stronger.
- Visits to websites and downloads from emails and the internet onto University devices must be done with care to prevent the downloading of malicious files and to protect the information that may be stored on such devices.
- Only the University-approved VPN software may be used to access the University's internal network when working remotely.
Data Security
The University owns all work information transmitted or processed on a device during the University’s business or otherwise on behalf of the University.
- Data must be collected and used in line with the University policies and any relevant governing legislation. See Data Governance Policy.
- Appropriate safeguards must always be in place to prevent unauthorized access to University information on or off campus.
- The University’s provided storage drives are the approved storage areas for University information. Storing restricted or internal work information on University mobile devices must be done reasonably and only when necessary as a temporary arrangement. Such information must be transferred to the approved storage drive as soon as practical and deleted from the mobile device.
- Where restricted or internal data must be stored temporarily on removable storage devices such as USB drives and portable hard disks, the devices must be encrypted.
- In remote working situations, authorization must be obtained from line managers before confidential hardcopy documents are transported and used. Such documents must be protected against unauthorized access at all times.
- Clear desk and lock screen: Confidential information whether electronic or paper must be kept away from public view or access, in the office or when working remotely.
- Need-to-know basis: University information must only be accessed and/or shared when required for work.
- Email is the main form of communication for all University activities and may store confidential information. Employees must not redirect their work email to their personal email. Use of personal email for work is not permitted.
- Cloud services: Personal cloud workspaces must not be used for work including storing, processing, or sharing University information.
- Use of social media: Employees are responsible for the information shared on social media, and should consider the type of information they make public. Employees should check with the Division of Marketing and Communications if they need a social media user account for work. See the Social Media Practices and Procedures for more information. If you are unsure of sharing certain work information on social media, check with your line manager or email marketing@neiu.edu.
- Investigation: The University reserves the right to access, inspect, or delete its information held on work devices (to the extent permitted by law and for legitimate business purposes). Every effort will be made to ensure that the University does not access private information on the devices.
- Retention and disposal: Data must be held only within the specified timeframe and in line with the purposes identified in the privacy notice or as required by law. See Records Retention for more information. University information and IT equipment must be disposed of following the University’s Data Erasure and Equipment Disposal policies. For support, contact property-control@neiu.edu.
Incident Management
- Suspected or actual security incidents should be reported to helpdesk@neiu.edu or (773) 442-4357 as soon as possible to ensure the incident is resolved promptly and to address any potential risks to employees, students, and the University. See the Information Security Incident Management Policy for more information.