
Home Data Protection Resource Guide

Note: Under a new university-wide contract, Sophos Intercept X Advanced is replacing McAfee endpoint protection at UMass Amherst. More information will follow.
For questions, contact the IT professional in your department as applicable, or IT User Services.


Statement of Liability

When accessing institutional information and research data (university data) on a personally owned device, you are responsible for whatever happens to university data on that device. It is incumbent upon you to take the necessary steps to follow best practices (foundational controls) in safeguarding your device. This guide is meant to assist you in following best practices as you fulfill your responsibilities to protect university data.

What are Foundational Controls?

Foundational controls are basic protections meant to help computers resist most attacks on their data.  Broadly speaking, there are five components to foundational controls:

  • Anti-virus
    • The anti-virus currently deployed on University-owned computers is McAfee Endpoint Security. UMass Amherst IT also provides a version for devices the University does not own, such as personally owned machines.
  • Patch Management
    • Patch management is, roughly, keeping your system updated with the latest operating system patches and versions, as well as keeping other software and drivers up to date. This is controlled centrally on all managed University-owned devices. On personally owned machines it is largely done manually.
  • Data Encryption
    • Encryption software uses strong mathematical algorithms to encrypt (scramble) data, rendering it unreadable to anyone who does not have the key to decrypt (unscramble) the data. Encryption makes it difficult for unauthorized individuals to access encrypted files, folders or computers, and reduces the risk of data breaches in the event a computer is lost or stolen.
      University-owned and managed machines are encrypted automatically through McAfee, with the decryption key stored by the central system. The key is supplied automatically when you turn your machine on, but under certain circumstances it may have to be entered manually.
      Encrypting a machine at home requires the owner to record the key and store it in a safe and secure place.
  • Firewalls
    • All major modern operating systems provide a default firewall. The firewall is responsible for blocking incoming, and in some cases outgoing, attacks. University-owned and managed machines are configured centrally by McAfee; when the firewall policy changes, the change is pushed out to all managed machines. A personally owned device will have a default firewall, but certain settings may need to be enabled to provide better security.
  • Secure Disposal
    • When a system has reached the end of its useful life it is important to ensure the data on the system is destroyed prior to system disposal. UMass contracts with a company to physically destroy all hard drives for university owned systems.

Implementing Foundational Controls at Home

UMass Amherst IT’s best practice recommendations for implementing foundational controls at home include, but are not limited to: installing a strong anti-virus program; keeping your operating system, programs, and drivers up to date on a regular basis; encrypting your hard drive; and enabling certain firewall defenses.
Here are some of the ways to implement foundational controls at home:

Install an Anti-Virus

The University offers a robust, enterprise strength anti-virus solution with McAfee Endpoint Security.  It is available for all supported versions of Windows and for Mac OS X.

McAfee Endpoint Security is offered to all students, faculty, and staff for free, but if you have a reputable anti-virus solution that you prefer, by all means use it.  The point is to have a solid line of defense against malware, in order to reduce the possibility of attack.

Patch Management

Patch management is achieved on University owned devices through various remote management software solutions.  This is not available for personally owned devices, but you can and should keep your system up-to-date with a minimum of effort.  Keeping your system current requires action on three fronts:

  • Operating system – whether you’re using Windows or Mac OS X, the operating system must remain up to date in order to keep your machine in good health. Oftentimes, the updates include patches that fill security gaps in the operating system itself, so it’s critical to allow the machine to update itself. Ignoring updates, or putting them off, potentially puts data in peril, as many updates revolve around patching security holes.
    To determine how you can configure and update your operating system, please consult the IT Web site on how to Keep Your Computer's Operating System Up-to-Date (Windows) or Keep Your Computer's Operating System Up-to-Date (Macintosh), depending on your machine’s operating system.
    • Macintosh systems generally don’t have a lot of options for updating, but you should not ignore or put off updates that are pending.
      • If you see that the App Store has an update waiting, you should update your system at the earliest possible convenience. These updates may or may not require a restart.
      • If you see that a new version of the operating system is being offered, you may choose to upgrade your system. It is suggested that you upgrade before your current operating system is no longer supported.
      • You may check your current operating system version by going to the Apple Menu in the upper left-hand corner of the screen and clicking About This Mac. The name and version number will be there.
    • Windows 10 systems have several advanced options that are recommended:
      • Give me updates for other Microsoft products when I update Windows.
        Choosing this option will automatically update your Microsoft products, making it one less thing you’ll have to do.
      • We’ll show a reminder when we’re going to restart.
        If you want to see more notifications about restarting, turn this on. Many people put off updating their operating system because of the forced restarts. Turning on this option gives you ample warning and some additional restart options.
      • To turn both of these options on, go to Settings -> Update & Security -> Advanced options. You’ll find them there.
  • Drivers – Drivers are software designed to make peripherals and subsystems on your computer function properly.  Your printer has drivers, as does your video system, speakers, mouse, and other items either internal or external to your computer.  Sometimes, these are updated by the operating system updates, and others (like printers) are updated through dedicated software.
  • Applications – Applications are the programs that you run on your computer, like Chrome, or Adobe Acrobat Reader.  There are updates that are released on a regular basis.  It is incumbent upon the owner of the device to check for updates to that software.  
    • Mac OS X – On the Mac OS X operating system, software that’s been installed through the App Store will usually be updated automatically through the same mechanism. You should still check the App Store periodically for updates.
      Software installed from another source (Adobe Acrobat Reader, for example), will have another means of updating.  Often, you may find the option to update the software either in the Help menu or the application’s main menu.  If you are unable to find the updates, consult the publisher’s site for more information.
    • Windows – Apps purchased through the Microsoft Store will be updated through the Microsoft Store, as the default setting is to do automatic updates.
      Other purchased or free software will have to be updated manually.  Consult the publisher’s site for more information.  Some other software will notify you of new versions that are available (Java, for example).  It is recommended that you download and install the latest versions, as they will often contain security updates.
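The Windows 10 update options above can also be set and checked from an elevated PowerShell prompt. The script below is an added example, not part of the UMass IT guide: it registers Microsoft Update with the Windows Update Agent (the same setting as the "Give me updates for other Microsoft products" checkbox) and lists pending operating system, software and driver updates. The service ID is the well-known Microsoft Update identifier; the application label string is an arbitrary assumption.

```powershell
# Added example (not from the UMass IT guide). Run in an elevated PowerShell prompt on Windows 10.

# Well-known service ID of Microsoft Update (Windows plus Office and other Microsoft products).
$MicrosoftUpdateServiceId = '7971f918-a847-4430-9279-4a52d1efe18d'

function Enable-MicrosoftUpdateOptIn {
    # Registers Microsoft Update with the Windows Update Agent; equivalent to turning on
    # "Give me updates for other Microsoft products when I update Windows".
    $serviceManager = New-Object -ComObject 'Microsoft.Update.ServiceManager'
    $serviceManager.ClientApplicationID = 'HomeDataProtectionGuide'   # arbitrary label (assumption)
    $alreadyRegistered = $serviceManager.Services |
        Where-Object { $_.ServiceID -eq $MicrosoftUpdateServiceId }
    if (-not $alreadyRegistered) {
        # Flags 7 = allow pending registration (1) + allow online registration (2)
        #           + register the service with Automatic Updates (4)
        $null = $serviceManager.AddService2($MicrosoftUpdateServiceId, 7, '')
        return 'Microsoft Update registered.'
    }
    return 'Microsoft Update was already registered.'
}

function Get-PendingUpdateSummary {
    # Lists updates that apply to this machine, are not installed and are not hidden.
    # Drivers offered through Windows Update appear here as well (the Drivers bullet above).
    $session  = New-Object -ComObject 'Microsoft.Update.Session'
    $searcher = $session.CreateUpdateSearcher()
    $result   = $searcher.Search('IsInstalled=0 and IsHidden=0')
    foreach ($update in $result.Updates) {
        [pscustomobject]@{
            Kind       = if ($update.Type -eq 2) { 'Driver' } else { 'Software' }
            Severity   = $update.MsrcSeverity      # Critical/Important/...; empty for non-security updates
            KBArticles = (@($update.KBArticleIDs) -join ',')
            Title      = $update.Title
        }
    }
}

function Get-WindowsVersionLine {
    # The Windows counterpart of "About This Mac": edition name and build number.
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    return "$($os.Caption) (version $($os.Version))"
}

Get-WindowsVersionLine
Enable-MicrosoftUpdateOptIn
$pending = @(Get-PendingUpdateSummary)
"Pending updates: $($pending.Count)"
$pending | Sort-Object Kind, Severity | Format-Table -AutoSize
```

Security updates show a non-empty Severity column; anything rated Critical or Important is the kind of patch the text above warns against putting off.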

Data Encryption

Data encryption on University owned machines is handled centrally through the McAfee server.  When a machine is encrypted by McAfee, a special key is created to unlock the encryption, so that the device may be used.  All of this happens in the background, and is completely transparent to you. The key that has been generated is stored (or “escrowed”) in a database, so that in an emergency, you or a technician can get to the contents of the drive should that be needed.

Because you’ll be encrypting your own personal devices, it will be up to you to take note of the key that is generated through the encryption process.  This key should be stored securely in one or more of several ways:

  • Write it down. This may be the easiest and most comfortable way for some people to keep this information. If you choose this method, however, it will be up to you to keep it both safe and available. This piece of paper will be of no use if it goes missing. Also bear in mind that transcribing a key of this length is prone to error. Be sure that the key you write down matches exactly the key generated by the encryption process.
  • Recovery USB.  The encryption process may prompt you to save your key to a USB drive.  This is a good option, as it’s not prone to mistakes.  Be sure to label your USB drive, and store it in a place where you are likely to find it again.
  • Cloud storage. Macs will offer you the option of storing the key on iCloud, and UMass offers Box.com storage, which is guaranteed to keep your data secure. If you have another secure cloud storage solution that you trust with sensitive information, that may be used as well. Most online password managers also offer secure notes, so if you’re using one, that would be a good secondary choice for storage.

Remember, it’s best to have the key stored in more than one place, so using two or more of these options is preferable to a single storage location. 

Encryption Instructions:

Windows 8.1/10 Professional:

  1. Select the Start button, type BitLocker, and select Manage BitLocker.
  2. BitLocker will open. Click on Turn on BitLocker.
  3. The Back up your recovery key dialog box will appear. It will offer you three choices. You may choose one or more of these options:
    • Save to your Microsoft Account
      This will save the key to your Microsoft account. It should be noted that Microsoft extends no security guarantees, and that the University has no contract with them that guarantees security. Saving to your Microsoft account is not recommended, for these reasons.
    • Save to File
      This option will not let you save the key to your local drive, for the obvious reason that if the key is on your local drive, and you can't get to your local drive because it's encrypted, then it has accomplished nothing. You will need to save the key to an external device like a thumb drive or an external hard drive. It will be incumbent upon you to store the external drive securely in a place you can locate later, should you need it.
      Once the key is saved, you can also copy it to a secure location like Box.com, or even to a secure note in a trusted password manager. This gives you a fallback, should the thumb drive be lost or corrupted.
    • Print Recovery Key
      Printing the recovery key is a similar option to saving it to an external device. If you choose this option, be sure to store the printout in a secure location that you will be able to find at a later date, should you need it.
  4. The Save BitLocker recovery key as dialog box will appear. Navigate to the external device and click on the Save button. Be sure to keep the suggested filename, as it contains the key identifier used for verification.
  5. The Choose how much of your drive to encrypt dialog box will appear. If it is a brand new machine, it is suggested that you choose Encrypt used disk space only, but if it’s a machine that you’ve been using, the suggested setting is Encrypt entire drive.
  6. The Choose which encryption mode to use dialog box will appear. Because we’re encrypting the local hard drive, you should accept the default of New encryption mode.
  7. The Are you ready to encrypt your drive dialog box will appear. This is mostly informational, but it is suggested that you check Run BitLocker system check, to ensure that the selected unlock method is working. BitLocker will restart your machine to continue the encryption process.
  8. Clicking on the restart notification will bring up the restart dialog box. Clicking on Restart now should restart your machine. If it doesn’t, you should restart manually. After restarting, BitLocker will encrypt the drive in the background, and you may continue working while it does.
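The same procedure can be run from an elevated PowerShell prompt with the built-in BitLocker cmdlets. The script below is an added example, not part of the UMass IT guide. It assumes Windows 8.1/10 Professional with a TPM, takes the drive to encrypt from the system drive environment variable, and assumes E:\ is the external (USB) drive the recovery key is saved to; the layout of the saved key file is this example's own, modelled on the file the BitLocker wizard writes.

```powershell
# Added example (not from the UMass IT guide). Run in an elevated PowerShell prompt.

$SystemDrive   = $env:SystemDrive     # normally "C:"
$ExternalDrive = 'E:\'                 # assumption: your USB stick or external disk

$volume = Get-BitLockerVolume -MountPoint $SystemDrive
if ($volume.VolumeStatus -ne 'FullyDecrypted') {
    "BitLocker is already active on $SystemDrive (status $($volume.VolumeStatus), $($volume.EncryptionPercentage)% encrypted)."
    return
}

# Step 3, "Save to File": the key must not end up on the drive being encrypted,
# and the external drive has to be present before we start.
if ((Split-Path -Qualifier $ExternalDrive) -eq $SystemDrive) {
    throw 'The recovery key must be saved to an external device, not the drive being encrypted.'
}
if (-not (Test-Path $ExternalDrive)) {
    throw "External drive $ExternalDrive is not present. Plug it in before starting."
}

# Step 5: "Encrypt used disk space only" suits a brand-new machine; a machine that has
# been in use should encrypt the entire drive, so the default here is the full drive.
$usedSpaceOnly = $false

# Steps 2, 6 and 7: turn BitLocker on with the TPM as the unlock method and the
# "New encryption mode" (XTS-AES, the Windows 10 default). Without -SkipHardwareTest,
# BitLocker runs the system check on the next restart, as in step 7.
$params = @{
    MountPoint       = $SystemDrive
    EncryptionMethod = 'XtsAes128'
    TpmProtector     = $true
}
if ($usedSpaceOnly) { $params['UsedSpaceOnly'] = $true }
$null = Enable-BitLocker @params

# Add the 48-digit recovery password as the fallback unlock method.
$null = Add-BitLockerKeyProtector -MountPoint $SystemDrive -RecoveryPasswordProtector

# Steps 3 and 4: save the recovery key to the external drive. The file name carries the
# key protector ID, like the wizard's suggested name, so the key can be matched to the
# drive later. The file's contents are laid out by this example (assumption).
$recovery = (Get-BitLockerVolume -MountPoint $SystemDrive).KeyProtector |
    Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' } |
    Select-Object -First 1
$keyFile = Join-Path $ExternalDrive "BitLocker Recovery Key $($recovery.KeyProtectorId.Trim('{}')).TXT"
@(
    'BitLocker Drive Encryption recovery key'
    ''
    "Identifier:   $($recovery.KeyProtectorId)"
    "Recovery Key: $($recovery.RecoveryPassword)"
) | Set-Content -Path $keyFile -Encoding Unicode

"Recovery key saved to $keyFile. Copy it to a second secure location (your UMass Box account or a password manager's secure note) before restarting."
```

Run Get-BitLockerVolume -MountPoint $env:SystemDrive after the restart to watch EncryptionPercentage climb and to confirm ProtectionStatus reads On once encryption completes.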


Mac OS:

  1. Open System Preferences, either from the dock or by going to the Apple Menu -> System Preferences. System Preferences will open.
  2. Select Security & Privacy.
  3. The FileVault window will appear.
  4. Click on the lock in the lower left-hand corner.
  5. You will be prompted for your username and password. You will need to enter the username and password of an account that has administrative rights (most Macs give the account created during setup administrative rights).
  6. The FileVault options window will now be unlocked.
  7. You will be given a choice to create a recovery key on your iCloud account. Because the iCloud service can’t guarantee security, and the University has no contract with them to guarantee security, it is not recommended to save the key to your iCloud account. Click Create a recovery key and do not use my iCloud account, and then click Continue.
  8. FileVault will now display the key. You can write this key down on a piece of paper. Be sure to store it in a safe place that you can find in the event that you ever need it.
    Alternatively, you can take a screenshot of the key by pressing Command-Shift-4, then pressing the space bar, and then clicking on the window. A file will be created on your desktop that you may save either to a USB device or to a secured cloud service like your UMass Box account.
    Click Continue to proceed.
    [Image: dialog showing a recovery key]
  9. The Security & Privacy settings box will reappear, showing you the progress of the encryption. This will take some time, but you may continue to work as it progresses.


Firewall

Both Windows and Mac OS X come with a native firewall that should be turned on and blocking unwanted traffic to one degree or another.  If you have installed the UMass version of McAfee, there will be a pre-configured firewall designed to monitor incoming and outgoing traffic.  It is recommended that you either install McAfee Endpoint Protection for your home computer, or another robust antivirus program that has a strong firewall.  If you are working with University data, you should be using McAfee Endpoint Protection in order to ensure compliance with University security protocols.
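On a personally owned Windows machine, the anti-virus and firewall controls described in the Install an Anti-Virus and Firewall sections can be checked, and the built-in firewall turned on, from an elevated PowerShell prompt. The script below is an added example, not part of the UMass IT guide. It reads the anti-virus products registered with Windows Security Center (McAfee, Defender or any other product that registers itself) and the state of the three Windows Firewall profiles; the decoding of the productState bit field follows the commonly reported layout rather than official documentation, so treat it as an assumption.

```powershell
# Added example (not from the UMass IT guide). Run in an elevated PowerShell prompt on Windows 10.

function Get-RegisteredAntiVirus {
    # Windows Security Center lists every anti-virus product registered on the machine.
    # productState is a bit field; by the commonly reported layout (assumption) the
    # middle byte 0x10 means real-time protection is on and low-byte 0x10 means the
    # definitions are out of date.
    Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName 'AntiVirusProduct' |
        ForEach-Object {
            [pscustomobject]@{
                Product     = $_.displayName
                RealTimeOn  = ((($_.productState -shr 12) -band 0x1) -eq 1)
                UpToDate    = (($_.productState -band 0x10) -eq 0)
                LastUpdated = $_.timestamp
            }
        }
}

function Get-FirewallProfileState {
    # One row per profile (Domain, Private, Public) with the settings that matter at home:
    # whether the firewall is on and what happens to unsolicited inbound connections.
    Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultInboundAction, NotifyOnListen
}

function Enable-HomeFirewall {
    # Turn the firewall on for all profiles and block unsolicited inbound connections by
    # default. Outbound traffic stays allowed, which is the Windows default.
    Set-NetFirewallProfile -All -Enabled True -DefaultInboundAction Block
}

$av = @(Get-RegisteredAntiVirus)
if ($av.Count -eq 0) {
    'No anti-virus product is registered with Windows Security Center; install one before handling University data.'
}
$av | Format-Table -AutoSize

$disabledProfiles = @(Get-NetFirewallProfile | Where-Object { $_.Enabled -ne 'True' })
if ($disabledProfiles.Count -gt 0) {
    "Firewall is off for profile(s): $($disabledProfiles.Name -join ', '). Turning it on."
    Enable-HomeFirewall
}
Get-FirewallProfileState | Format-Table -AutoSize
```

If McAfee (or another third-party suite) manages the firewall, its product should appear in the Security Center output and its own console is where the firewall policy is set; the Windows Firewall profiles then show the state that product has configured.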