Information security resources for both personal and Princeton computing.
Information Security Policy
All students, faculty, and staff should familiarize themselves with Princeton's Information Security Policy.
Secure your devices
- When vendors release updates, hackers can determine how to break into systems that have not been updated.
- Your device’s operating system and application programs should be configured to apply or notify you of automatic updates when available.
- Your antivirus software should be configured to apply updates automatically and as frequently as possible. University-managed devices have antivirus software installed.
- Check with the Information Security Office ([email protected]) to determine if the software is recommended for University use.
- For personal software, read product reviews and download software from reputable sites (e.g., vendor websites, official app stores).
The following is applicable to personal and University-unmanaged devices:
- Restrict network access to your system, especially on a public or home network (e.g., set up your system to not be discoverable, not share network folders, and not accept remote desktop connections).
- Use firewall software and/or hardware to prevent other computers from accessing your system.
- Set up your day-to-day account with user-level privileges (University-managed devices are set up this way). Because user-level accounts typically cannot install software, viruses cannot be installed and executed on your system unless the administrator ID and password are entered.
- Anyone who can access your unlocked device can do whatever you can do on your system, so:
- Set an automatic screen lock to 15 minutes (or less) of inactivity.
- Manually lock logged-in devices whenever they are left unattended.
- Use a cable lock on portable devices.
- Resist the urge to plug in unfamiliar USB devices. Malicious software, or malware, can be spread by infected USB devices (like thumb drives, external drives, and other types of removable media). This malware can spread quickly to other devices on the network and can lead to stolen personal and University data.
- Deleting a file does not actually erase it. Systems delete files by marking the storage space the file occupies for reuse. Until that space is reused, the data is still there. For more information on IT asset recovery at Princeton, see knowledge base article #13860.
Secure remote learning, teaching, & working
If you’re using a personal device for business, follow the instructions outlined by the Information Security Office.
- Keep software up-to-date, including antivirus software
- Enable a firewall
- Install operating system patches
- Visit the ISO’s position paper for helpful links
- Secure your home network. For help, see the ISO’s webinar and handout on securing your home network.
- Take advantage of Virtual Private Network (VPN) technology, which improves security by encrypting all data passing between your devices and the organization providing the VPN service. This service is required to access a number of University services from off campus. It can also be useful by providing additional protection when connecting to public wireless, like in a coffee shop. To learn how to configure your VPN at Princeton, visit knowledge base article #6023.
- Use eduroam secure wireless where it's available on campus and in other locations (eduroam is an international service).
- Beware of "Zoom-bombing" or uninvited guests joining your Zoom meetings. Visit our Zoom Best Practices knowledge base article to learn how to lock down your meeting. If you are using software other than Zoom, check out this article containing general security tips for videoconferencing.
Always be on alert for scams, specifically phishing (through email) and vishing (by phone). To learn more, visit our recognizing common scams webpage, and remember to visit the University’s Phish Bowl for the latest phishing alerts.
For guidance visit the ISO's position paper "Personal Devices in China."
Secure your data
- Information is considered sensitive if its exposure to unauthorized individuals would cause financial or reputational loss, including information that:
- Can result in identity theft, such as social security numbers, account numbers, driver’s license numbers, birth dates, passwords, etc.
- Is protected by law or contract, or would pose any other risk to the University, if exposed.
- Without understanding the sensitivity of the information held on your devices, you may inadvertently make sensitive information available to unauthorized individuals. Visit the Protect Our Info website to learn about the administrative data classifications at Princeton:
- Restricted
- Confidential
- Unrestricted within Princeton
- Public
- Visit the Princeton Research Integrity & Assurance website to learn about research data classifications:
- Level 1 - Benign information about individually identifiable people
- Level 2 - Sensitive information about individually identifiable people
- Level 3 - Very sensitive information about individually identifiable people
For a list of storage options available at Princeton, visit:
- Protect Our Info website
- Which storage option should I choose? (knowledge base article #11121)
- File storage feature matrix
- Students, faculty, and staff should contact their University computing support representative for more information concerning data backup options.
- Always ensure that individuals to whom you give information are properly authorized.
- Make sure that, for any files and folders containing sensitive data, you indicate who specifically can access those files and folders and what they can do (e.g., read only, update, delete).
- Beware of individuals using social engineering techniques to gain your confidence and trick you into giving away personal information or access to data.
- Review your privacy settings on social media sites and be careful of what you share. Information you share could be used to steal your identity or be viewed by a prospective employer, etc.
- Unencrypted, sensitive data can be viewed when it travels across the internet or is transmitted over an unsecured wireless network.
- When you send sensitive information to a web application, look for a lock icon displayed on your browser. It tells you that the traffic is encrypted.
- Be careful when your browser shows that the identity of the target website cannot be verified (also known as a certificate warning). It may be a counterfeit site.
- Virtual Private Network (VPN) technology improves security by encrypting all data passing between your devices and the organization providing the VPN service. This service is required to access a number of University services from off campus. It can also be useful by providing additional protection when connecting to public wireless, like in a coffee shop. To learn how to configure your VPN at Princeton, visit knowledge base article #6023.
- Use eduroam secure wireless where it's available on campus and in other locations (eduroam is an international service).
- If you store sensitive information on your computer, mobile device, or storage medium, encrypting your information reduces the risk of it being exposed if the device is lost or stolen.
- Ask your IT support person or the Service Desk at (609) 258-HELP for recommended encryption products.
- You should assume that any email message sent to or received from an off campus address is at risk for exposure.
- If you must send or receive sensitive information via email, use secure file sharing methods. For more information, visit the Send Files Securely webpage.
- Be suspicious of unsolicited web messages, warnings, popups, and free services.
- Avoid unknown or questionable websites.
- Before clicking a link, view the website’s address by passing the cursor over the link (but not clicking). The website address that displays should point to a site name that you expect.
- Use incognito browsing when conducting web searches of a sensitive nature.
Beware of the phishing threat & other scams
- Phishing is a scam that tricks you into providing personal information while pretending to be from a legitimate institution or someone you know.
- Reputable organizations do not ask for personal information.
- Be discerning when clicking links or attachments.
- If you receive a suspicious message to your princeton.edu email, see if it has been reported to The Phish Bowl. If the suspicious message has not been reported, forward it to: [email protected].
- For additional information, visit our phishing and common scams webpages.
- Learn more about securing data and devices while traveling.
Lock down your login
- Visit the ISO's page on passwords for tips.
- Learn Princeton's password requirements.
- To change your Princeton password, visit the Princeton Service Portal.
- Use an encrypted password manager to generate, remember, organize, and fill in your passwords. Princeton offers LastPass password manager accounts to students, faculty, and staff for free. For details, visit our LastPass webpage.
Add another layer of protection to your accounts by using two-factor authentication (2FA), also referred to as multifactor authentication (MFA). You are required to use DUO two-factor authentication to access many Princeton resources. View knowledge base article #1207 to get started.
Note that DUO is an independent, third party application and can be used to secure many personal accounts. There are other multifactor services available, and you can visit the following websites to learn more:
- 2FA Directory to learn about sites that support 2FA/MFA
- Two Factor Auth for an overview of 2FA/MFA