Since the University of Utah maintains various shared networks, facilities, and devices, it’s extremely important that students, faculty, and staff follow policies in place to protect data and infrastructure.
As a state employee and/or student, you are especially vulnerable to cybercrime since your contact information is, by default, more public than private-sector employees. Public email addresses, phone numbers, office locations, and students’ majors are available on university websites and in the Campus Directory, and employee salaries are available on the transparent.utah.gov website.
If a criminal obtains your uNID and password, that person can then access many university systems, some of which (e.g. CIS) contain your personal and confidential information.
Tip: Students can request the nondisclosure of directory information by logging in to CIS and selecting the “FERPA Directory Information Authorization” link in the “Student Records” box.
Information Security Policy
The University of Utah's Information Security Policy is one of the most important policies you can become familiar with, because it directly affects the work you do on a daily basis.
The purpose of Information Security Policy 4-004 is:
- To establish the University of Utah Information Security Program;
- To ensure compliance with all applicable federal, state, and local laws, regulations and statutes, as well as contractual obligations;
- To ensure the protection of the university information assets, information systems, and IT resources from unauthorized access or damage; and
- To maintain the confidentiality, integrity, and availability of information assets and information systems supporting the mission and functions of the university.
Compliance with the policy, rules, and procedures is required for any member of the University of Utah community — no exceptions.
Information Security Policy: Rules
Policy 4-004 has 15 supporting rules, two of which affect all users in the U community: the Acceptable Use Rule and the Data Classification and Encryption Rule. If you have questions about Policy 4-004 or any of its supporting rules, contact the Information Security Office at UofU_ISO@utah.edu.
Examples include when you are:
- Using a personal device to conduct university business
- Soliciting business from your university colleagues using your university email address
- Posting something to social media on behalf of, or as a representative of, the university
- Storing personal data on university-owned resources, such as Box
- If you're trying to determine whether the data you manage are considered restricted or sensitive.
IMPORTANT: If you store restricted or sensitive data on a laptop or any type of external storage device, including a cloud storage provider, to conduct University of Utah business, those devices must be whole disk encrypted, as well as meet all applicable Policy 4-004 requirements. If you need assistance meeting these requirements, please contact your designated help desk or IT support personnel.
- If you're trying to determine whether encryption is required for emailing data to an outside email recipient
IMPORTANT: When sending federally protected personal health information (PHI) or other restricted data over email, the communication must be encrypted. To encrypt a message from a campus account, simply add the letters PHI to the subject line of the message. You may use this encryption method for any type of communication over the UMail system — not just health information.
Phishing is an attempt to acquire confidential information, typically through email-based attacks. The email will appear to come from a trustworthy entity, like your bank or employer, and try to trick you into clicking on malicious links or entering your personal information, such as your credit card number or your username and password.
- Compare the sender's name to the sender's email address. In a phishing email, the two often will not match up.
- Ask yourself: Is this a normal process for me? Is this what my bank/employer/etc. usually does?
- Ask yourself: Is this email causing an emotional response (such as fear), thus creating a sense of urgency?
- Hover over the link with your mouse to determine authenticity (but don't actually click the link). If the URL doesn't match up with the company name or the overall subject matter of the email, it could be a phishing attempt. See the example below:
At the university:
- If you believe you have received a phishing email, report it to ISO by forwarding the email as an attachment to: firstname.lastname@example.org.
- If you have clicked on a malicious link:
- Change your password immediately
- Call the UIT Help Desk (801-581-4000, option 1) or ITS Service Desk (801-587-6000) immediately
- Report it to ISO by forwarding the email as an attachment to: email@example.com
On your personal device(s):
- Get your computer completely offline
- Restore your latest backup
- Once restored, change passwords for your apps OR do it from a different device
Forwarding your UMail account to a personal provider such as Gmail, Yahoo, or Hotmail is strongly discouraged for UMail users and is prohibited for anyone working for University of Utah Health.
Secure storage solutions
Box is a secure, university-approved cloud storage provider. All current students, faculty, and staff have access to a free Box account with 1 terabyte of secure storage space. To access your Box account, visit box.utah.edu and log in with your uNID and password.
IMPORTANT: If you store restricted or sensitive data on a laptop or any type of external storage device, including a cloud storage provider, to conduct University of Utah business, those devices must be whole disk encrypted as well as meet all applicable Policy 4-004 requirements. If you need assistance meeting these requirements, please contact your help desk or IT support personnel.
The Information Security Office (ISO) will respond to and investigate incidents related to misuse or abuse of University of Utah information and information technology resources. This includes computer and network security breaches, unauthorized disclosure or modification of institutional or personal data, and security credential malware phishing.
You can report an incident by contacting your designated help desk:
- University of Utah Health: 801-587-6000 or online via Pulse
- Main campus: 801-581-4000, option 1
Presidential Policy Directive 21 (PPD-21): Critical Infrastructure Security and Resilience defines security as reducing the risk to critical infrastructure by physical means or defense cybersecurity measures to intrusions, attacks, or the effects of natural or man-made disasters.
Examples of physical security measures:
- Badge entry at doors
- Positioning monitors where they cannot be seen by the public
- Being aware of who is in your workspace
- Locking computer screens
The university’s Policy 4-004 has two supporting rules that outline how to further protect our Information Technology sector.
- Rule 4-004F: Physical and Facility Security protects the university’s premises and facilities by establishing requirements for secure operations.
- Rule 4-004G: IT Resource and Information System Security and Vulnerability Management protects the university’s IT resources and information systems.
If you see something suspicious, report it
Report a physical security incident — such as people jumping fences, or unauthorized access to facilities or maintenance areas — to campus police at 801-585-COPS (3677).
You can report a cybersecurity incident — such as sharing university passwords or accounts, bragging of compromised school/hospital information systems, or tampering with university IT resources — by contacting your designated help desk:
- Hospitals and clinics: 801-587-6000 or online via Pulse
- Main campus: 801-581-4000, option 1