
THE UNIVERSITY OF THE WEST INDIES

Information Security Policy Guidelines

Version Number: 2.0
Version Date: October 2016 Page 1 of 9
Version Status: FINAL

These guidelines have been produced to assist members of the University community and
those using University of the West Indies (UWI) ICT facilities to secure UWI information
assets. These guidelines complement UWI’s Information Security Policy and should be read
in conjunction with it.

1. General
These apply to all users within the University community.

1.1 Do not let others see your keyboard or screen while you are typing your username and
password or while you are working with sensitive data.
1.2 If you need to leave the computer temporarily, take your memory stick and other
materials with you and lock the computer (ALT+CTRL+DEL) so that no one can see your
files. If you cannot take the materials with you, lock them away.
1.3 Before you print to a shared printer, make sure you know where the printer is located.
Lock the computer (ALT+CTRL+DEL) before going to collect your printouts, and collect
them as soon as possible.
1.4 When using web-based services, ensure that the data transferred between your
computer and the website are encrypted. The connection is encrypted if the address
begins with https:// and the browser shows a lock icon (to the left of the address, or at
the bottom of the window in older browsers) without a certificate warning. Note that
https:// only tells you the connection is encrypted; an attacker's site can use https:// too,
so also check that the domain name in the address bar is the one you expect.
1.5 Passwords (Appendix I has additional details on selecting strong passwords)
1.5.1 Use strong passwords and keep them safe.
Passwords must not be the same as the user ID, must be at least six characters long,
and must contain at least one alphabetic and one numeric character, e.g.
"I-l0v3-d4ta-pr0t3ct1on". Six characters is a minimum, not a target: longer
passwords and passphrases are considerably harder to crack (see Appendix I).
Contact CITS at your campus for the minimum password requirements at that campus.
1.5.2 Change your password at least once per academic year.
1.5.3 When you change your password, do not reuse your previous password.
1.5.4 Never send your password to anyone in an email.
1.5.5 Never save your password in a web browser.
1.5.6 Never save passwords or use "Remember Me" options on a public computer.
1.5.7 Never write down your password.
1.6 E-Mail
1.6.1 Use caution with e-mail. The sender address shown in your inbox can be forged, so a
message may come from someone other than the person whose name is displayed.
Malware on an infected machine can also send e-mail without any action by its user.
1.6.2 E-mail attachments may contain malware. Be wary of unusual e-mails and especially of
their attachments. Do not open suspicious e-mails or attachments.
1.6.3 Unsolicited advertisements and chain letters are usually spam. Delete them
immediately; do not reply to them or forward them to other users. Forward them only
when reporting them to CITS at your campus.
1.7 The Internet
1.7.1 Data transmitted over the internet can be intercepted in transit. Ensure that sensitive
data are not transmitted over the internet except through a trusted VPN connection.
1.7.2 Be selective about what you download and which sites you download it from. Some
sites exist only to lure you into downloading malware onto your computer.
1.7.3 Be careful when downloading from sites that offer free software, even those that
appear legitimate. Free software sometimes has malware bundled with it, and the
malware is installed along with the software.
1.7.4 Do not disclose personal or private information to people you do not know and trust,
i.e., people you have never met. Not everyone on the internet is who they claim to be.
1.7.5 Do not let any web browser, even the one on your own personal computer, remember
your personal information. This is inconvenient, since remembered details make online
business and personal banking easier, but it also makes you more susceptible to
identity theft. Turn off the browser options that remember personal information.
2. Staff
In addition to the General Guidelines (above), the following should also be considered by
members of staff.
2.1 Your staff username and password should be used by you alone. Not even IT staff
should know your password. You are responsible for all activities carried out
under your username.

2.2 If the IT Helpdesk provides you with a new password, change it immediately to a
password that is known only by you.

2.3 In order to prevent shared resources from creating security vulnerabilities on your
computer, consult a CITS representative for guidance if you wish to share resources
with other users on the network.

2.4 Some staff have proximity or smart ID cards for identification purposes and for
accessing restricted areas. As the owner of the card, you are responsible for the use
of your proximity or smart card, therefore:
- ensure that you have your proximity or smart ID card on you at all times;
- do not lend your proximity or smart ID card to others, even fellow staff members;
- do not use your proximity or smart ID card to admit others, even fellow staff
members, to restricted areas.

2.5 If you handle confidential information, you should not allow anyone to be close enough
that the information can be seen or read.

2.6 There should be several persons authorized to access confidential or sensitive
information. This will allow work to continue if persons become unavailable or
preoccupied during the period when work using the confidential or sensitive
information needs to be undertaken.

2.7 If you retrieve information classified as confidential, in an editable format, from any
system, you should immediately secure this information or alert a staff member
authorized to do so. Securing it may be as simple as applying a password to restrict
access to the document containing the confidential information (such protection is
only as strong as the application's encryption and the password chosen), or may mean
removing the document from the system altogether.

3. Students
In addition to the General Guidelines (section 1), the following should also be considered by
students.
3.1 The University, through CITS, assigns each student a user name and password for
accessing UWI systems. Immediately change the initial password provided by CITS to
one known only by you. You are responsible for all activities carried out under your
username.

3.2 When you send an email, ensure that you know the correct email address of the
recipient. Check the email address for typographical errors before sending the email.

3.3 Be cautious about sharing your University-assigned email address with people on the
internet or in internet fora. Consider registering for a free email address (Hotmail,
Gmail, etc.) under a pseudonym and a fictitious address for general use on the internet
and for social networking (Facebook, MySpace, etc.).

4. Custodians of IT Systems (usually IT staff)


4.1 Encrypt data stored on UWI equipment: Encryption is essential to protecting
sensitive data and helps prevent data loss when equipment is stolen or mislaid. Ensure
that data, both at rest and in transit, are encrypted using currently recommended
algorithms and key lengths (see 4.5).

4.2 Encrypt data stored in the Cloud: Many cloud applications do not encrypt by
default. Check and manage the security settings on the public cloud services that
handle data to ensure data are encrypted.

4.3 Use digital certificates on all of your sites: Obtain certificates from a trusted
certificate authority. Where possible, keep the private keys on a device other than the
web server itself (for example a hardware security module, or a load balancer that
terminates TLS) rather than on the web server as is traditionally done, so that a
compromise of the web server does not also expose the keys.

4.4 Have a plan for replacing compromised certificates and breached Certificate
Authorities: Certificates can be fraudulently issued, and a certificate whose private key
or issuing CA has been compromised must be replaced. Develop a management process,
including an inventory of which certificate is installed where, so that a compromised
certificate and its private key can be revoked and replaced quickly without interrupting
service.

4.5 Use appropriately strong encryption keys: Find out the currently recommended
algorithms and key lengths (these change as older ones are broken or deprecated) and
use them to encrypt data.

4.6 Rotate SSH keys at least annually: Periodic rotation limits how long a leaked or
forgotten key stays usable. It does not by itself remove the access of staff who leave the
University: remove a departing staff member's keys from the authorized_keys files on
critical infrastructure at the time of departure, and treat the annual rotation as a
backstop that catches keys the off-boarding process missed.
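The check behind 4.6, as an added example that is not part of the UWI guidelines: it reads an authorized_keys file, computes each key's SHA256 fingerprint in the same form `ssh-keygen -lf` prints, and compares it against a key inventory that the custodian is assumed to maintain (owner, issue date, whether the owner is still with the University). The inventory format, the sample authorized_keys file and the key blobs in it are constructed for this example and are not real keys.

```python
import base64
import hashlib
from datetime import date, timedelta

KEY_TYPES = ("ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521")
MAX_KEY_AGE = timedelta(days=365)   # the guideline's annual rotation period
AS_OF = date(2016, 10, 15)          # audit date, fixed so the example is repeatable


def ssh_fingerprint(b64_blob):
    """SHA256 fingerprint as `ssh-keygen -lf` prints it: unpadded base64 of sha256(blob)."""
    digest = hashlib.sha256(base64.b64decode(b64_blob)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_authorized_keys(text):
    """Yield (key_type, b64_blob, comment) per key line.

    Option lists in front of the key (from="...", command="...") are skipped by
    locating the key-type token. Options whose values contain whitespace are not
    handled; such lines are yielded as ("unparseable", None, "line N").
    """
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        tokens = line.split()
        idx = next((i for i, t in enumerate(tokens) if t in KEY_TYPES), None)
        if idx is None or idx + 1 >= len(tokens):
            yield ("unparseable", None, "line %d" % lineno)
            continue
        yield (tokens[idx], tokens[idx + 1], " ".join(tokens[idx + 2:]))


def audit_authorized_keys(text, inventory, as_of):
    """Return (fingerprint_or_line, reason) findings for keys that must be acted on.

    inventory maps fingerprint -> (owner, issued_date, owner_still_active).
    """
    findings = []
    for _key_type, blob, comment in parse_authorized_keys(text):
        if blob is None:
            findings.append((comment, "unparseable line"))
            continue
        fp = ssh_fingerprint(blob)
        record = inventory.get(fp)
        if record is None:
            findings.append((fp, "not in inventory (%s)" % (comment or "no comment")))
            continue
        owner, issued, active = record
        if not active:
            findings.append((fp, "owner %s has left: remove immediately" % owner))
        elif as_of - issued > MAX_KEY_AGE:
            findings.append((fp, "owner %s: key older than %d days, rotate"
                             % (owner, MAX_KEY_AGE.days)))
    return findings


def _fake_ed25519_blob(seed):
    """Constructed test data shaped like an ed25519 public key blob (SSH wire format:
    length-prefixed type string, then a length-prefixed 32-byte key). Not a real key."""
    key_bytes = hashlib.sha256(seed.encode()).digest()      # any 32 bytes will do
    blob = b"\x00\x00\x00\x0bssh-ed25519" + b"\x00\x00\x00\x20" + key_bytes
    return base64.b64encode(blob).decode()


ALICE, BOB, STRAY = (_fake_ed25519_blob(s) for s in ("alice", "bob", "stray"))

# Constructed sample authorized_keys file: one stale key, one ex-employee, one unknown.
SAMPLE_AUTHORIZED_KEYS = """\
# constructed sample, not a real file
ssh-ed25519 %s alice@uwi-admin
from="10.0.0.0/8" ssh-ed25519 %s bob@uwi-admin
ssh-ed25519 %s
""" % (ALICE, BOB, STRAY)

# Constructed inventory, keyed by fingerprint.
SAMPLE_INVENTORY = {
    ssh_fingerprint(ALICE): ("alice", date(2015, 6, 1), True),   # active, key over a year old
    ssh_fingerprint(BOB): ("bob", date(2016, 8, 1), False),      # has left the University
}

if __name__ == "__main__":
    for item, reason in audit_authorized_keys(SAMPLE_AUTHORIZED_KEYS, SAMPLE_INVENTORY, AS_OF):
        print(item, "->", reason)
```

Run against a real file, the fingerprints it prints can be matched directly against `ssh-keygen -lf` output. Keys that are "not in inventory" are the interesting ones: they are exactly the keys an annual rotation would never touch because nobody knows whose they are.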

4.7 Implement Data Loss Prevention (DLP) and auditing: Use data loss prevention
and file auditing to monitor, alert, identify, and block the flow of data into and out of
your network.

4.8 Implement a removable media policy: Restrict the use of USB drives, external hard
disks, thumb drives, external DVD writers, and any other writeable media. Such devices
can carry malware into the network and sensitive data out of it.

4.9 Secure websites against man-in-the-middle attacks and malware infections: Serve all
pages over TLS (still commonly called SSL); scan your website daily for malware; set the
Secure flag on all session cookies so that they are never sent over plain HTTP (the
HttpOnly flag, which keeps them out of reach of page scripts, is worth setting at the
same time); use certificates with Extended Validation.
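The session-cookie point in 4.9, as an added example that is not part of the UWI guidelines: the weak cookie beside its hardened form, and a check that can be run over the Set-Cookie headers a site's login response returns. It uses only the standard library; the cookie name and value are constructed for the example.

```python
from http.cookies import SimpleCookie


def build_session_cookie(name, value, hardened=True):
    """Return a Set-Cookie header value for a session cookie.

    hardened=False reproduces the weak form the guideline warns against: without
    the Secure flag the browser also sends the cookie on plain http:// requests,
    where anyone on the path can read it and take over the session.
    """
    cookie = SimpleCookie()
    cookie[name] = value
    cookie[name]["path"] = "/"
    if hardened:
        cookie[name]["secure"] = True      # only ever sent over TLS
        cookie[name]["httponly"] = True    # not readable by page scripts (XSS)
        cookie[name]["samesite"] = "Lax"   # not attached to most cross-site requests
    return cookie[name].OutputString()


def audit_set_cookie(header_value):
    """Parse one Set-Cookie header value and return (cookie_name, findings).

    An empty findings list means the cookie carries the expected protections.
    """
    parts = [p.strip() for p in header_value.split(";") if p.strip()]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()

    findings = []
    if "secure" not in attrs:
        findings.append("missing Secure: cookie is also sent over plain http://")
    if "httponly" not in attrs:
        findings.append("missing HttpOnly: cookie is readable by page scripts")
    if attrs.get("samesite", "").lower() not in ("lax", "strict"):
        findings.append("SameSite not Lax/Strict: cookie rides along on cross-site requests")
    return name, findings


# Constructed sample headers, as a login response might send them.
WEAK_HEADER = build_session_cookie("SESSIONID", "9f3c2a7e", hardened=False)
HARDENED_HEADER = build_session_cookie("SESSIONID", "9f3c2a7e", hardened=True)

if __name__ == "__main__":
    for header in (WEAK_HEADER, HARDENED_HEADER):
        name, findings = audit_set_cookie(header)
        print(header)
        print("   ", name, "OK" if not findings else findings)
```

The audit deliberately treats a missing SameSite attribute as a finding: browsers differ in what they assume when it is absent, so a session cookie should state it explicitly.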

4.10 Use a spam filter on email servers: Use a time-tested spam filter to keep unwanted
email out of your users' inboxes and junk folders. Teach your users how to recognise
junk mail even when it appears to come from a trusted source, since sender addresses
can be forged.

4.11 Network-based security hardware and software: Use firewalls, gateway antivirus,
intrusion detection devices, honey pots, and monitoring to screen for Denial of
Service attacks, virus signatures, unauthorized intrusion, port scans, and other "over
the network" attacks and attempts at security breaches.

4.12 Maintain security patches: Ensure that software and hardware defenses stay up to
date with new antimalware signatures and the latest patches. If automatic updating
is turned off, set up a regular scan and remediate plan for all systems.

4.13 Educate your users: The most vulnerable element in any network is almost always
the human element. An informed user is a user who behaves more responsibly and
takes fewer risks with valuable University data, including email.

4.14 Shared Printers: There may be several printers that exist on the network with the
same model number. To prevent users from being assigned the wrong printer, the
share name should be changed to reflect the department/unit/section with which the
printer is associated. Access (security) groups should also be created to use shared
printers.

5. Campus IT Services (CITS)


Campus IT Services is the generic description for the department on each campus that
provides information technology and related services to the campus (and UWI affiliated
units at that campus). All Centre departments are affiliated with a campus and are therefore
serviced by the CITS unit at the campus with which that Centre department is affiliated.
Below is a list of and contact information for all UWI CITS.
Campus: Cave Hill
Campus-specific name: Campus IT Services (CITS)
Contact:
- Email: [email protected]
- https://livesupport.cavehill.uwi.edu
- https://reset.cavehill.uwi.edu (Self Service Password Reset)
- Service Desk Line: (246) 417-4191 (Staff Support); (246) 417-4595 (Student Support)

Campus: Mona
Campus-specific name: Mona IT Services (MITS)
Contact:
- Telephone Support: (876) 927-2148 or extensions 2740, 2739, 2992, or Digicel lines
  (876) 618-6466 / 618-6469 / 473-9358
- Electronic Support: [email protected]
- Phishing email contact: [email protected]

Campus: Open Campus
Campus-specific name: Computing and Technical Services (CATS)
Contact:
- Telephone: (868) 663-8155
- Fax: (868) 645-9741
- Email: [email protected]

Campus: St Augustine
Campus-specific name: Campus IT Services (CITS)
Contact:
- Service Desk Email: [email protected]
- Dell PC Orders Email: [email protected]
- Webmaster: [email protected]
- Telephone: 1-(868)-662-2002 ext. HELP (84357)

Version Number: 2.0


Version Date: October 2016 Page 7 of 9
Version Status: FINAL
Appendix I – Selecting a Strong Password
The weakest link in your information security chain is usually your password.
Unfortunately, with the advance in password-cracking techniques, the traditional advice for
creating passwords no longer holds. A password created with that advice,
like jal43#Koo%a, is very easy for a computer to break and very difficult for a human to
remember and type.

The following was provided by WordPress.com
(https://en.support.wordpress.com/selecting-a-strong-password/).

There are many different approaches to generating a strong password, but password
managers and passphrases are the best. Choose the one that works for you, and then read its
corresponding section further along in this article to learn how to get started.

Best: Use a Password Manager – A password manager is a software application on your
computer or mobile device that generates very strong passwords and stores them in a secure
database. You use a single passphrase to access the database, and then the manager will
automatically enter your username and password into a website’s login form for you.

You never have to worry about choosing a good password, remembering it, or typing it again.
This is the easiest and most secure method available today, and we strongly recommend that
you use it.

Good: Create a Passphrase instead of a Password - A passphrase is similar to a password,
except that it’s based on a random collection of words, rather than just one. For
example, copy indicate trap bright.

Because the length of a password is one of the primary factors in how strong it is,
passphrases are much more secure than traditional passwords. At the same time, they are
also much easier to remember and type.

They’re not as strong as the kinds of passwords generated by password managers, but
they’re still a good option if you don’t want to use a password manager. They’re also the best
way to generate the master password for a password manager or your operating system
account, since those can’t be automatically filled in by the password manager.

How to Create a Passphrase

Creating a passphrase follows similar rules to creating a traditional password, but it doesn’t
need to be as complex, because the length of the phrase will provide enough security to
outweigh the simplicity.

1. Choose 4 random words.
2. Add spaces between the words if you prefer.

At this point, you should have something that looks like: copy indicate trap bright

You can stop there if you’d like, or you can add some extra strength by following these steps:

1. Make a few of the letters upper-case.
2. Add in a few numbers and symbols.

After applying those rules, it will look something like: Copy indicate 48 Trap (#) bright

Things to avoid:

- Don’t place the words in a predictable pattern or form a proper sentence; that would
  make it much easier to guess.
- Don’t use song lyrics, quotes or anything else that’s been published. Attackers
  have massive databases of published works to build possible passwords from.
- Don’t use any personal information. Even when combined with letters and
  numbers, someone who knows you, or can research you online, can easily guess a
  password with this information.
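The passphrase procedure above, worked through in code as an added example that is neither WordPress.com's nor UWI's: it draws the words with the operating system's cryptographic random source, which is what makes "random words" actually random, and puts numbers to the claim that length beats complexity by computing the entropy of a word-based passphrase next to that of a short character-based password. The 32-word list is constructed so the example runs offline; a real deployment would load a published list such as the EFF long list (7776 words), which is assumed rather than bundled here. Both list sizes are fed into the entropy figures so the small demo list is not mistaken for a strong one.

```python
import math
import secrets

# Constructed demo word list (32 words) so the example runs offline. Too small for
# real use: the entropy functions below show why.
DEMO_WORDS = [
    "copy", "indicate", "trap", "bright", "harbour", "lantern", "pebble", "orbit",
    "velvet", "canyon", "quartz", "meadow", "signal", "timber", "walrus", "ember",
    "glacier", "mosaic", "nectar", "prairie", "saddle", "tunnel", "unicorn", "vortex",
    "willow", "yonder", "zephyr", "anchor", "beacon", "cobalt", "dune", "falcon",
]
EFF_LONG_LIST_SIZE = 7776  # 6^5 words: assumed list size, the list itself is not bundled


def generate_passphrase(words, count=4, separator=" ", rng=None):
    """Choose `count` words uniformly at random, with replacement, from `words`.

    Uses secrets.SystemRandom (the OS CSPRNG) unless an object with a .choice()
    method is supplied. The default `random` module is not suitable here: its
    output is predictable from a small sample.
    """
    if count < 1:
        raise ValueError("a passphrase needs at least one word")
    rng = rng or secrets.SystemRandom()
    return separator.join(rng.choice(words) for _ in range(count))


def passphrase_entropy_bits(list_size, count):
    """Entropy (bits) of `count` words drawn uniformly from a list of `list_size` words.

    This is what an attacker who knows the list and the word count is up against;
    capitalising or decorating the words afterwards changes it very little.
    """
    return count * math.log2(list_size)


def password_entropy_bits(alphabet_size, length):
    """Entropy (bits) of a `length`-character password drawn uniformly from an alphabet."""
    return length * math.log2(alphabet_size)


def expected_guess_time_seconds(bits, guesses_per_second):
    """Expected time to hit the secret at the given guessing rate: on average the
    attacker finds it halfway through the keyspace, hence the division by two."""
    return (2.0 ** bits) / 2 / guesses_per_second


if __name__ == "__main__":
    print("example passphrase:", generate_passphrase(DEMO_WORDS))
    cases = [
        ("4 words, demo list of 32", passphrase_entropy_bits(len(DEMO_WORDS), 4)),
        ("4 words, 7776-word list", passphrase_entropy_bits(EFF_LONG_LIST_SIZE, 4)),
        ("6 words, 7776-word list", passphrase_entropy_bits(EFF_LONG_LIST_SIZE, 6)),
        ("8 random chars from 62", password_entropy_bits(62, 8)),
    ]
    # 1e12 guesses/s approximates an offline attack on a fast hash on GPU hardware;
    # 1e4 guesses/s approximates a deliberately slow password hash. Both are assumptions.
    for label, bits in cases:
        print("%-26s %5.1f bits  fast-hash: %.1e s  slow-hash: %.1e s" % (
            label, bits,
            expected_guess_time_seconds(bits, 1e12),
            expected_guess_time_seconds(bits, 1e4)))
```

Two things the table makes visible that the prose does not: four words from a 7776-word list (about 51.7 bits) already beat an eight-character random password (about 47.6 bits) while being far easier to type, and the same passphrase that falls in under an hour against a fast hash at 1e12 guesses per second lasts thousands of years against a slow one, which is why the storage side matters as much as the password itself.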
