Best Practices

Data at Radford University is classified into three tiers, with loss of data in higher tiers causing more damage to the individual and institution.  Our classifications are:

Highly Sensitive

• Social Security Number
• Driver's License or State/Federal ID number
• Passport Number
• Credit Card/Debit Card Number or Financial Account Number

Protected

• Personal Financial Information (Tax Records, Donation/Giving Information, etc)
• Employee/Personnel Records (Pay Information, Disciplinary Records, Credentials, Attendance, Contract/Tenure, etc.)
• FERPA protected student data
• Protected Health Information (Medical or Mental History, Diagnoses, Treatment, Policy, etc.)
• Human Subject Research/Non-Public Research/Intellectual Information
• Investigative/Court Information
• Non-public Business Documents/Reports
• Controlled Unclassified Information (Other Regulated/Private/Confidential Information)

Public

• Directory Information (see our FERPA policy for the definition of this)
• Other public information such as course listings, public releases, news articles, etc.

Storing Highly-Sensitive Data

Highly sensitive data is prohibited from being stored on any mobile device (i.e. laptop, phone, tablet, USB drive, etc.) unless the data is encrypted and an exception requested; the exception must include:

• Business needs
• Risks
• Mitigating security controls
• Acceptance of risk by Agency Head or designee

Data storage media containing highly sensitive data must be physically (locked workspaces) and logically (encryption) secured.
All media storage devices (i.e. hard drives, USB drives, etc.) are required to be purged of all data when reassigned, salvaged or transferred to another agency. 

Data Storage Locations

• H Drive: Protected and Public
• OneDrive: Protected and Public
• Whale: Highly Sensitive, Protected and Public

Data Transmission

Email is not an acceptable medium to transmit Highly Sensitive data.  This is because it is saved as a copy in the sender's mailbox (under Sent Items) and recipient's mailbox, so it is stored in an unauthorized location.  Email is not encrypted in transit, which violates the confidentiality of the data transmitted.

To reiterate, Email is not an acceptable medium to transmit highly sensitive data.

You have options to transmit highly sensitive data depending upon its destination:

• Intra-department: Whale share would be best.  Files containing highly sensitive data shouldn't be stored on workstations unless exception on file.
• Inter-department: possibly a shared Whale share if that exists, otherwise XMedius SendSecure is a good solution.
• External to Radford: XMedius SendSecure is your only secure option unless the other party provides a secure portal to upload files to.

SendSecure is a secure portal you can use to securely transmit highly sensitive data with recipients internal and external to Radford University. 

Password Guidelines

• Use a longer passphrase rather than the minimum; more characters = more secure.
• Adding numbers and symbols in place of letters isn't better security; selecting a long passphrase is.
• Passphrases are phrases that are easy to remember and hard to guess and crack.
• An example of a passphrase is Unicorn-Hugs-All-Day!.  It meets our complexity requirements and easy to remember.
• Change passwords whenever there is a security concern.
• Never share your password with others.
• Never write down your password and leave it visible.
• Don't reuse passwords for multiple sites (bank, school, email, social media).
• Consider using a password manager (see below).
• Never enter passwords on untrusted web pages (look for a green padlock, or other indication of encryption security, in the address field).
• Be wary of using the "save password" option in your browser.
• Use two-factor options when available.

Password Managers

One of the most important steps you can take to protect yourself online is to use a unique, strong password for every one of your accounts and apps.  Unfortunately, it is most likely impossible for you to remember all your different passwords for all your different accounts.  This is why so many people reuse the same password. Unfortunately, reusing the same password for different accounts is dangerous, because once someone compromises your password, they can access all your accounts that use the same password.  A simple solution is to use a password manager, sometimes called a password vault.  These are programs that securely store all your passwords, making it easy to have a different password for each account.  Password managers make this simple, because instead of having to remember all your passwords, you only have to remember the master password to your password manager.

Avoid any password manager that claims to be able to recover your master password for you.  This means they know your master password, which exposes you to too much risk.  Password managers are a great way to securely store all your passwords and other sensitive data.   However, since they safeguard such important information, make sure you use a unique, strong master password that is not only hard for an attacker to guess, but easy for you to remember. 

Here are some password managers:

• 1Password - A password manager that protects a variety of data (passwords, bank account information, identities, etc.) behind one master password. It works across multiple devices and platforms. There is an annual subscription ($2.99/month, billed annually), but the first 30 days are free.
• Bitwarden - An open source, local, cloud-based, or even self-hosted password manager. With both free and paid subscription options.
• DashLane - A password manager and digital wallet that can keep track of many types of secure information. The free version works on one device and stores up to 50 passwords, but to access passwords in multiple places you'll have to go premium ($4.99/month, billed annually).
• KeePassXC - A free and open-source local password manager. KeePassXC is an updated, cross-platform version of the popular KeePass.

These days, browsers will offer to remember your passwords for you. However, browsers are frequently targeted for attacks.  It's better to use a password manager, whose sole purpose is to encrypt and protect your data.

Two-factor authentication adds a second layer of security to your online accounts. Verifying your identity using a second factor (like your phone or other mobile device) prevents anyone but you from logging in, even if they know your password.

How It Works:

1. Enter Radford University username and password as usual
2. Use your phone to verify your identity
3. Securely logged in

Why Do I Need This?

Passwords are increasingly easy to compromise. They can often be stolen, guessed, or hacked — you might not even know someone is accessing your account.

Two-factor authentication adds a second layer of security, keeping your account secure even if your password is compromised. With Duo Push, you'll be alerted right away (on your phone) if someone is trying to log in as you.

This second factor of authentication is separate and independent from your username and password — Duo never sees your password

Frequently Asked Questions

• How do I setup Duo?
• I got a new phone, how do I setup Duo on it?
• How do I add a landline for Duo?
• How do I remove a device from Duo?
• How do I set up Duo with Face ID/Touch ID?

What is Phishing?

Phishing is a fraudulent attempt by cybercriminals to obtain information such as your Radford University credentials and passwords, personally identifiable information, banking, or credit card details.  The attempts are usually via email or other forms of electronic communication.  Below are some tips you can use to protect yourself and your information:

• Always look at the sender email address, not just the sender name.  It's easy to spoof the name, but harder to spoof the email address (but not impossible).  For this exercise, the email came from noreply@radford.university, not noreply@radford.edu.
• If an email ends up in your junk mail folder, it is likely spam or it is spoofed to look like someone else sent it. Again, check the sender email address carefully.
• Does the email generate a sense of urgency?  Cybercriminals use this tactic to speed past your better judgment to take action and is a tell-tale sign that it's a phishing email.  
• Did the email require you to enter a password?  Radford University’s Division of Information Technology (DoIT), and email from legitimate banks or other sites, will NEVER ask for your password.
• If you are logging into a Radford University website, always verify the URL you are logging into is https://sso.radford.edu. That is our only Single Sign On (SSO) website.  The URL is visible in the search bar of your browser.
• If an email seems suspicious, feel free to forward the email to itsecurity@radford.edu and request IT Security take a look at it for you. 

Common Phishing Themes

Available??

• Cybercriminals regularly pretend to be department chairs, deans and directors and send email asking faculty and staff if they are available and if they can do the sender a favor.
• Responding to the email engages the cybercriminal and will likely result in a request for gift card numbers (so that they can give them as gifts).
• NEVER purchase and send gift card numbers via email without first verifying that this is a legitimate request from a trusted colleague, friend or family member.  Use another form of communication to verify – call them, stop by the Dean’s office and ask if the request was legitimate, text your friend to verify.  If you purchase the gift cards and email the numbers to the cybercriminal, you could potentially lose that money.  Not all vendors will reimburse the purchase.
• If you've fallen victim to a gift card scam, please contact itsecurity@radford.edu immediately.

Extortion

• Cybercriminals will send a threatening email indicating they've been spying on you, have your information and are demanding a ransom.  They may even include an old password of yours to create a sense of fear and urgency.  Old passwords are usually discovered when other sites are compromised and the password file is published online.
• NEVER use your Radford University account password on other sites, such as banking or social media. Maintaining a unique password for each account, enabling two-factor authentication where possible, and using strong passwords and passphrases helps protect you.
• If you feel that you've been compromised, report these emails to itsecurity@radford.edu.

Shared Files

• Cybercriminals may share a file with you, such as a class schedule or payroll information.  When you click on the email link, you'll go to a fraudulent, but look-a-like Microsoft Office365 webpage.
• Always check the URL in the email before clicking on a link.  Hover over the link to verify where it goes.   If it's not *.office.com, it's not really Microsoft Office365.
• Report emails such as these to itsecurity@radford.edu so that IT Security can block malicious websites such as those.

IT Helpdesk

• Cybercriminals may send email informing you that the DoIT Helpdesk is going to disable your account or email unless you click the link and login to cancel the deactivation.
• This email generates a sense of urgency to trick you into providing your credentials.
• If you are in doubt, call the DoIT Help Desk at 540-831-7500 to verify.
• Report emails such as these to itsecurity@radford.edu so that IT Security can block malicious websites.

Strengthen Your Browsing Habits

• Treat links to other websites with caution, even if they were posted by someone you trust.
• If unsure about the authenticity of a website, check the address in the URL bar to verify that you are actually on the correct website.
• Never allow your web browser to store personal information such as username, email address or password if using a shared computer.

Email Safety

• Never respond to emails that request personal financial information.
• Be cautious about opening attachments and downloading files from any email, regardless of its source.
• Visit important websites by typing the URL into the address bar and not by clicking on email links.
• If you receive a suspicious email to your @radford.edu email address, contact itsecurity@radford.edu for assistance in determining the legitimacy of the email.
• Never be afraid to ask. Your skepticism could save you time, money and embarrassment

Protect Your Online Profile

• Think about what you post on social networking sites.  Vacation pictures prove to thieves you are not at home.
• Most social networking sites create a public profile by default.  Lock your profile down so that only real friends can see your posts.

Protect Your Online Accounts

• Do not allow websites to store personal information such as name, addresses, and credit card data if not required.
• Never give out personal information to websites that you don’t trust.
• Limit what you share on social media that could be used by someone to impersonate you over the phone or online.
• Use a secure password strategy:
  • Use strong passwords that are not based on dictionary words.
  • For a secure, but easy to remember password, try using a passphrase.  An example would be “Flowers bloom in the spring.”
  • The longer the password the better. A minimum of 12 characters is best.
  • Do not reuse the same password for multiple websites.
  • Never write down passwords or other sensitive information.  Use a password manager instead.
  • Change passwords to sensitive accounts on a regular basis.
• Always lock your screen when leaving your computer alone to prevent unauthorized access.
• Sign out of any online accounts when you are finished using them.

Protect Against Identity Theft

• If you are asked for Personally Identifiable Information (PII) on a website or form, ask if it is really necessary.
• Check your credit reports on a regular basis for irregularities. The government allows you to access your credit report three times a year for free from AnnualCreditReport.com.
• Consider identity theft insurance policies that can be added to your homeowners or renters insurance policy. These policies can assist in the case of a full-blown identity theft.
• If you believe you are a victim of identity theft:
  • Place a fraud alert with one of the three credit reporting agencies.
  • Retrieve your credit report immediately to review your account history.
  • Create an identity theft report with the Federal Trade Commission (FTC).

Radford University uses the SendSecure solution by XMedius to securely share documents where email had traditionally been used.  SendSecure uses SafeBoxes to securely share files with anyone and then have the SafeBox destroyed after contents are downloaded. 

Please bookmark that link to prevent future phishing attempts that look like SendSecure notifications.  SendSecure requires IT Security to provision you an account; you can request access by creating a ticket at IT OneStop.  SendSecure supports two types of SafeBoxes: Personal and Enterprise.

Creating Personal SafeBoxes

Personal SafeBoxes are used by you to securely share documents and messages with external entities and only yourself.  To create a personal SafeBox, navigate to your SendSecure portal and click +New.  You will be able to add the recipient’s email address (required) and phone number (optional).  The subject you choose is referenced in the email the recipient receives, giving them an indication of what this SafeBox pertains to.  You can also attach files to the SafeBox that the recipient will have access to.  Finally, you can select your Security Option to specify how long to keep the SafeBox before destroying it.

Enterprise SafeBoxes

Departments can have an Enterprise SafeBox where you share a public link and invite anyone to create a SafeBox with you.  In this scenario, you are not creating the SafeBoxes – the external entities are.  This is useful when you need to receive documents containing highly sensitive data securely, but do not know who will be sending them, or are available to coordinate at the time.

The external entities would click your department’s secure link.  

The external entity would create the SafeBox with your department via your department's unique public link.