As a state employee and/or student, you are especially vulnerable to cyber crime.
- If a criminal obtains your uNID and password, he/she can then access many University systems, some of which contain your personal and confidential information (e.g. CIS).
- Your contact information is, by default, more public than that of private sector employees.
- Public email addresses, phone numbers, office locations, and students' majors are available on University websites and in the Campus Directory, and employee salaries are available on Utah's Right to Know.
- Students can request the nondisclosure of directory information by logging in to CIS and selecting the "FERPA Directory Info. Auth." tile.
The University of Utah's Information Security Policy is one of the most important concepts you can become familiar with, because it directly affects the work you do on a daily basis.
The purpose of the U's Information Security Policy 4-004 is:
- to establish the University of Utah Information Security Program;
- to ensure compliance with all applicable federal, state, and local laws, regulations, and statutes, as well as contractual obligations;
- to ensure the protection of the University Information Assets, Information Systems, and IT Resources from unauthorized access or damage; and
- to maintain the confidentiality, integrity, and availability of Information Assets and Information Systems supporting the mission and functions of the University.
Compliance with the policy, rules, and procedures is required for any member of the University of Utah community -- no exceptions.
Policy 4-004 includes 15 supporting rules. There are two major supporting rules that affect all users in the University community: the Acceptable Use Rule and the Data Classification and Encryption Rule. If you have questions on Policy 4-004 or any of its supporting rules, contact the Information Security Office (ISO) at UofU_ISO@utah.edu.
When should I refer to the Acceptable Use rule?
- Using a personal device to conduct University business
- Soliciting business from your University colleagues using your University email address
- Posting something to social media on behalf of, or as a representative of, the University
- Storing personal data on University-owned resources, such as Box
When should I refer to the Data Classification and Encryption rule?
- If you're trying to determine whether or not the data you manage is considered Restricted
- IMPORTANT: If you store restricted or sensitive data on a laptop or any type of external storage device to conduct University of Utah business, those devices must be whole disk encrypted, as well as meet all applicable Policy 4-004 requirements. If you need assistance meeting these requirements, please contact your designated help desk or IT support personnel.
- If you're trying to determine whether or not encryption is required for emailing data to an outside email recipient
- IMPORTANT: When sending federally protected personal health information (PHI) or other restricted data over email, the communication must be encrypted. To encrypt a message from a campus account, simply add the letters PHI to the subject line of the message. You may use this encryption method for any type of communication over the UMail system, not just health information.
Box is a secure, University-approved cloud storage provider. All current students, faculty, and staff have access to a free Box account with 1 terabyte of secure storage space. To access your Box account, simply visit box.utah.edu and log in with your uNID and CIS password.
IMPORTANT: If you store Restricted or Sensitive data on a laptop or any type of external storage device to conduct University of Utah business, those devices must be whole disk encrypted as well as meet all applicable Policy 4-004 requirements. If you need assistance meeting these requirements, please contact your help desk or IT support personnel.
Forwarding your UMail account to a personal provider such as Gmail, Yahoo, or Hotmail is strongly discouraged for UMail users and is prohibited for anyone working in Health Sciences who sends email with PHI.
The Information Security Office (ISO) will respond to and investigate incidents related to misuse or abuse of University of Utah information and information technology resources. This includes computer and network security breaches, unauthorized disclosure or modification of institutional or personal data, and security credential malware phishing.
To report an incident, contact your designated help desk:
Hospitals & Clinics: 801-587-6000
Main Campus: 801-581-4000 option 1