In today’s nearly paperless culture, it is increasingly important to protect sensitive and confidential information. This page provides ITS’s recommendations on best practices for securing both USC’s data and your personal information.
For additional information on the latest security threats, phishing attempts, and critical software and operating system patches, follow the ITS security blog at it-security.usc.edu.
Phishing is a common type of email scam used to elicit sensitive or confidential information. To avoid falling victim to a phishing email, keep an eye out for the following warning signs:
- Urgent action requests that threaten negative consequences
- Bad grammar and spelling mistakes
- An unfamiliar or generic greeting
- Inconsistencies in email addresses, links or domain names
- A sender email address that does not match who the email claims to be from (e.g., an email posing as USC, sent from USC@gmail.com instead of email@example.com)
- Links that do not go to the URL they advertise (e.g., a link claiming to go to Amazon but using the URL www.Am-azon.com)
- Suspicious links or attachments
- Unexpected attachments
- Attachments with two file extensions (e.g., Attachment.pdf.zip)
- Attachments with file extensions that do not match the function (e.g., the attachment is named Attachment.exe but the file should be a PDF)
- Documents that require macros to be enabled
- The use of macros is a common business practice; be 100% positive of a document's validity before enabling them
- Links that automatically download a file
- Requests for login credentials, payment information, or sensitive data
- Links to password reset/login pages
- Remember: USC will never request personal information or passwords via email
- Unexpected emails
- For example, an email from UPS regarding package delivery when you are not expecting any packages
- Emails that are too good to be true
For more information on phishing scams, visit the Phishing FAQ.
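Three of the warning signs above (sender address mismatch, a link whose visible URL differs from its real destination, and double file extensions) can be checked mechanically. The following is an added example, not ITS code; the function names, the extension list, and the two-label domain comparison are assumptions made for illustration.

```python
import re
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

DOC_EXT = {"pdf", "doc", "docx", "xls", "xlsx", "txt"}  # assumed list
URLISH = re.compile(r"^(https?://)?[\w-]+(\.[\w-]+)+(/\S*)?$", re.I)

class LinkCollector(HTMLParser):
    """Collect [visible text, href] pairs for every <a> in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self.in_link = [], False
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.links.append(["", dict(attrs).get("href") or ""])
            self.in_link = True
    def handle_data(self, data):
        if self.in_link:
            self.links[-1][0] += data.strip()
    def handle_endtag(self, tag):
        self.in_link = self.in_link and tag != "a"

def site(value):  # last two host labels: naive stand-in for registrable domain
    host = urlsplit(value if "://" in value else "//" + value).hostname or ""
    return ".".join(host.lower().split(".")[-2:])

def warning_signs(from_header, html_body, attachments, brand, brand_domain):
    """Return the page's warning signs that this message exhibits."""
    signs = []
    name, addr = parseaddr(from_header)
    local, _, domain = addr.lower().rpartition("@")
    off_brand = domain != brand_domain and not domain.endswith("." + brand_domain)
    if off_brand and brand.lower() in f"{name} {local}".lower():  # naive match
        signs.append(f"sender claims {brand} but uses {domain}")
    collector = LinkCollector()
    collector.feed(html_body)
    for text, href in collector.links:
        # Only compare when the visible text itself looks like a URL.
        if URLISH.match(text) and site(text) != site(href):
            signs.append(f"link shows {text} but goes to {site(href)}")
    for filename in attachments:
        exts = filename.lower().split(".")[1:]
        if len(exts) >= 2 and exts[-2] in DOC_EXT:
            signs.append(f"double extension: {filename}")
    return signs

SAMPLE = warning_signs("USC IT Services <USC@gmail.com>",  # constructed sample
    '<a href="http://www.Am-azon.com/login">www.amazon.com</a>',
    ["Attachment.pdf.zip", "notes.txt"], "USC", "usc.edu")
```

The checks are heuristics: a message that passes all three can still be a phishing attempt, so the remaining signs in the list still need a human read.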
The following are best practices for the use of passphrases:
- Use strong passphrases
- Use 16+ characters including upper/lower case letters, symbols, and numbers
- It is helpful to start with a phrase you like (e.g., song lyrics, poems, quotes, etc.) and add/substitute numbers and symbols
- Do not include personally identifiable information such as your name, birthday, or company name
- Use a different/unique passphrase for each account
- For help remembering passphrases, use a secure password manager.
- Create a unique passphrase even when using your USC email address to sign up for an external account (e.g., Amazon, Netflix, Calm, etc.)
- Use Two-Factor Authentication (2FA)
- This additional layer of security allows you to control access to your accounts by verifying login attempts. Even if someone knows your password, they will not be able to access your account.
- Visit www.twofactorauth.org for a list of all sites and apps that offer 2FA. Choose the Docs image next to the site/app for setup instructions.
- Password-protect your mobile device(s) and computer(s)
- Fingerprint/FaceID is most secure, if available
- Lock your device(s) anytime they are not in use
For more detailed information, visit our Password Tips page.
Never keep information on your computer or in email that you wouldn’t want to become public knowledge. This especially includes sensitive information such as (but not limited to) social security numbers, banking numbers, tax information, etc.
- The Microsoft Office 365 suite is approved at USC for secure file/information storage and sending. Use OneDrive to keep documents and share with other members of USC. It is provided free of cost with your USC Microsoft Suite. This eliminates any need to keep files on your computer and backs them up should anything happen to your device.
- For more information on available storage options for USC, visit itservices.usc.edu/storage.
- For storage and sending of legally protected, high-risk, or restricted information please reference USC policy regarding Data Classification.
- Password managers work well for secure and quick note storage.
- If you choose to keep files stored locally on your personal computer, encrypt them with FileVault or BitLocker. Doing so will ensure your files cannot be read by attackers.
- Be sure that the password and SSID for your home Wi-Fi are not the ones that came with the router.
- Don’t keep the model number in the SSID
- If you use Mac and/or iOS devices, follow Apple’s recommended settings: support.apple.com/en-us/HT202068
Always be mindful of what you’re doing and sending when on unsecured Wi-Fi. It is possible for hackers to intercept anything you do or send while on the network.
- If you travel often and/or regularly connect to unknown networks, set up a virtual private network (VPN) connection to protect your information. Doing so will route your traffic through a secure network.
- Use USC’s virtual private networking (VPN) software, Cisco AnyConnect, when connecting to open or public wireless networks. For more information on using VPN, see itservices.usc.edu/vpn.
- Disable file sharing
Firewalls limit outside connections to your computer.
- Enable your Mac firewall: support.apple.com/en-us/HT201642
- Enable your Windows firewall: support.microsoft.com/en-us/help/4028544/windows-10-turn-windows-defender-firewall-on-or-off
Antivirus software is designed to detect and destroy computer viruses. Always make sure you are using the most up-to-date antivirus software.
- Windows 8 and newer Windows versions have Windows Defender built in.
- USC provides free antivirus software (Sophos Endpoint Security) for USC account holders at software.usc.edu. See itservices.usc.edu/security/sophos for more information on Sophos Endpoint Security.
- Sophos Endpoint Security is designed to detect, remove, and prevent the spread of viruses, spyware, and other security risks.
Use encryption to protect personal information on mobile computing devices such as laptops, tablets, and phones.
- The Windows, Mac OS X, and iOS operating systems have built-in encryption functions. For more information on using these built-in functions, see itservices.usc.edu/encryption.
Mobile Device Security
See below for secure practices for mobile device operation. To view secure settings for your device, see the Mobile Device Security page.
- Always install the latest updates.
- Always password protect your device and use biometric protection, if available
- Options include a password, personal identification number (PIN), pattern, and biometric identifiers such as a thumbprint or FaceID.
- Be sure to download only legitimate apps from well-known, trusted app stores. Always check for ample reviews on an app if you’re unsure of an app’s legitimacy.
- Avoid charging mobile devices in public locations (public charging stations, airports, coffee shops, etc.) as your data can be compromised.
- Tip: USB Data blockers can protect against this and can be found online.
- Be mindful of where you view sensitive information. If you’re in a public location where people can look over your shoulder, avoid viewing sensitive or confidential information.
- To find out what qualifies as sensitive or confidential information, visit the Sensitive and Confidential Information page.
- If you send sensitive information via text message, be sure to use secure messaging apps such as Signal or WhatsApp. Using these apps will encrypt your messages.
- Be cautious when connecting your phone via Bluetooth or USB to a rental car, as information may be stored on the car's entertainment system.
Sign up for identity theft protection or credit monitoring services
- Proactively set up security freezes or fraud alerts on your credit reports.
- Security freezes will stop anyone who does not already have a financial relationship with you from looking at your credit.
- This will need to be removed anytime you are applying for something credit-reliant and takes up to three days. Fees apply.
- Learn more at www.consumer.ftc.gov/articles/0275-place-fraud-alert
- Monitor and set up alerts for your credit card and other accounts.
- Set up alerts for large transactions, changes in account/contact information, international transactions, etc.
- Stop unsolicited credit card offers by opting out with the major credit bureaus (Equifax, Experian, Innovis, and TransUnion) by going to optoutprescreen.com or calling 888-567-8688. This will stop credit bureaus from selling your name to lenders.
Clear Desk, Clear Screen
Protect your information by keeping a clear workspace and locking your computer or mobile device screens. For more information, see itservices.usc.edu/security/clear-screen.
For questions regarding these information security tips and best practices, please email firstname.lastname@example.org.