5 Steps to Help Maintain Security at KU


Security at KU

Information security at KU is a top priority. KU IT offers many resources for helping maintain security for different levels of data and research, your account, and the work you do on or off campus. Additionally, there are ways you can help us maintain a secure environment. See the list below to get started in helping us create and maintain security at KU.

Contact & Help

If you have questions on any of the topics below or other questions regarding security, you can contact our IT Security team at itsec@ku.edu. Additionally, faculty or staff can reach out to the Technology Support Staff or the IT Customer Service Center at any time. Students, please contact the IT Customer Service Center.

5 Steps to Security at KU

What is Multifactor Authentication?

MFA is the process of confirming a person's identity using more than one piece of evidence when they access a system. The evidence is typically something they know, such as a password, combined with something they have, such as a phone running an authenticator app or a device that generates a one-time code. A stolen password alone is then not enough to log in.

Duo multifactor authentication is required for:

  • Faculty and staff
  • Students
  • Graduate research assistants, graduate teaching assistants and graduate assistants
  • Individuals using a sponsored temporary account (STA)
  • Undergraduate student employees at the request of their department

How Does Duo Work?

Once you have set up Duo, log in to any KU system via single sign-on (SSO) as usual. After entering your KU Online ID and password, you will be prompted to verify your identity using Duo. Confirm your identity through the Duo app, and you will be logged in. It’s that simple! Using the Duo app on your smartphone is the easiest and most convenient way to confirm your identity. If the mobile app is not an option for you, please contact your Technology Support Staff if you are a faculty or staff member or the IT Customer Service Center if you are a student to discuss your options.

Beware of Fake Approval Requests!

If you receive a Duo notification that you didn’t initiate, it probably means your KU Online ID and password have already been compromised and a hacker is trying to access your account. Contact KU IT immediately at 785-864-8080!

  • DO NOT approve any Duo push or phone call notification you receive unless you are actively logging in to a system.
  • NEVER provide a Duo code to anyone who requests one. Duo codes are only to be entered into a verified KU login page. When logging in, double-check the address of the page to make sure it is an authentic KU website: the host name shown in the browser's address bar should end in ".ku.edu". An address that merely contains "ku.edu" somewhere else (for example in the path or after a different domain name) is not a KU site.
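The "double-check the URL" advice above is easy to get wrong, because a look-alike address can contain "ku.edu" without the page being served by KU. The following Python check is an added example, not code from KU IT or from this page: it parses the address and verifies that the host name itself is ku.edu or a subdomain of it, and compares that against the literal reading "the URL ends in ku.edu". All sample addresses, including login.ku.edu, are constructed for illustration and are not real KU hosts or real phishing sites; requiring HTTPS is this example's own assumption.

```python
from urllib.parse import urlsplit

# Domain the page tells users to look for. The page does not name the actual SSO host,
# so only the domain suffix is checked here.
TRUSTED_DOMAIN = "ku.edu"


def is_trusted_login_url(url: str, domain: str = TRUSTED_DOMAIN) -> bool:
    """Return True only if the URL is HTTPS and its host is `domain` or a subdomain of it.

    The decision is made on the parsed host name, not on the raw string, so:
      * "ku.edu" inside the path or query string does not count;
      * "fakeku.edu" is rejected because the label boundary (".ku.edu") is enforced;
      * "ku.edu.attacker.example" is rejected because the trusted domain must be the suffix;
      * "ku.edu@attacker.example" is rejected because the part before "@" is not the host.
    Requiring HTTPS is an assumption of this example; the page only talks about the URL.
    """
    parts = urlsplit(url)
    if parts.scheme != "https":
        return False
    host = parts.hostname  # lower-cased; port and any "user@" prefix stripped; None if absent
    if not host:
        return False
    return host == domain or host.endswith("." + domain)


def naive_url_check(url: str, domain: str = TRUSTED_DOMAIN) -> bool:
    """The literal reading of 'the URL ends in ku.edu'. Kept only to show why it is too weak."""
    return url.rstrip("/").endswith(domain)


# Constructed addresses for illustration only; none is a real KU host or a real phishing site.
SAMPLE_URLS = [
    "https://www.ku.edu/",                          # genuine
    "https://login.ku.edu/sso?service=canvas",      # genuine (hypothetical host name)
    "https://WWW.KU.EDU:443/",                      # genuine, odd casing and explicit port
    "https://fakeku.edu",                           # look-alike domain
    "https://ku.edu.attacker.example/login",        # trusted name used as a prefix
    "https://attacker.example/login?next=ku.edu",   # trusted name only in the query string
    "https://ku.edu@attacker.example/",             # trusted name in the userinfo part
    "http://www.ku.edu/",                           # right host, but not HTTPS
]


def classify(urls=SAMPLE_URLS) -> dict:
    """Map each URL to (host-based verdict, naive verdict) so the two checks can be compared."""
    return {u: (is_trusted_login_url(u), naive_url_check(u)) for u in urls}


if __name__ == "__main__":
    for url, (strict, naive) in classify().items():
        print(f"{url:48} host-check={str(strict):5} naive={naive}")
```

Run it and the two columns disagree exactly where a phishing page would profit: the naive string test accepts fakeku.edu and the query-string trick while rejecting the genuine login.ku.edu address with a path after it. The same host-name logic is what a browser extension or mail filter would apply; a person reading the address bar should look at the host portion only.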

For more information about multifactor authentication at KU including FAQs, visit our MFA overview site.

At KU, security is a shared responsibility. During the course of your day at KU, you access many types of information, some of it sensitive and/or confidential. To maintain privacy and data security at KU, you are required to properly handle data and information.

Your responsibilities include:

  • Understanding what type of data is sensitive.
  • Following proper handling procedures to maintain privacy.
  • Keeping physical areas secure.
  • Protecting mobile devices that are easily lost or stolen.

Data Classification Levels

The KU Data Classification and Handling policy details three levels of data and the security protections required for the handling of data at each level. All KU employees are responsible for classifying and handling data according to the policy. Below is an excerpt from the policy describing three data classification levels. Please read the full policy in the KU Policy Library.

Level I - Confidential Information Protection

STOP! SPECIAL CARE IS REQUIRED!

High risk of significant financial loss, legal liability, public distrust or harm if this data is disclosed.

Examples of Level I Data:

  • Data protected by HIPAA (health information).
  • Data protected by FERPA: Student information including grades, exams, rosters, official correspondence, financial aid, scholarship records, etc.
  • Personally Identifiable Information (PII).
  • Individually identifiable information created and collected by research projects.
  • Data subject to other federal or state confidentiality laws.
  • Personnel data.

Level II - Sensitive Information Protection

BE VERY CAUTIOUS!

Moderate requirement for confidentiality and/or moderate or limited risk of financial loss, legal liability, public distrust or harm if this data is disclosed.

Level III - Public Information Protection

PROCEED WITH AWARENESS

Low requirement for confidentiality (information is public) and/or low or insignificant risk of financial loss, legal liability, public distrust or harm if this data is disclosed.

Proper Handling of Sensitive Data

Help maintain privacy by doing the following:

  • Adopt a clean desk and clear screen policy
  • Lock your screen when you step away from your desk
  • Set your screen lock timeout to 10 minutes or less
  • Don't retain unneeded data (electronic or paper)
  • Destroy sensitive data in the proper way:
    • Old computers, hard drives, mobile devices, etc. should be sent to eWaste Recycling
    • Paper documents should be securely shredded. Contact KU Procurement Services for more information about secure shred bins.

Where Can I Store Files?

The proper place to store files depends on a number of factors including the level of the data, who needs access, and how and with whom you need to share files. Before storing or sharing any Level I (Confidential) data in any location, speak with your Technology Support Staff.

Secure file location options may include:

  • Departmental/Central File Storage (CFS)
  • Research File Storage (RFS)
  • Microsoft Teams, SharePoint, or OneDrive
  • Canvas

If You Find Improperly Stored Data

Immediately contact the KU IT Security Office at itsec@ku.edu or 785-864-9003.

What Constitutes a Security Breach?

"Security breach" is the unauthorized access to a system, device, application or data by circumventing security policies, practices, procedures or mechanisms. Read the State of Kansas statute.

Many KU researchers engage in research that involves the collection or use of identifiable private information. Federal law and KU policy provide specific guidance for protecting identifiable research information.

Data Classification and Handling Policy

Classification is necessary to understand which security practices should be used to protect different types of information. The more protected the information needs to be, the more practices are required. Please review the Data Classification and Handling Policy.

Sensitive Research Data

KU research may deal with sensitive information that is not personally identifiable information. Proprietary information subject to confidentiality requirements, information with national security implications and other types of information may require extra security precautions. Researchers are encouraged to consult with KU IT to determine the proper security measures needed for these types of data.

Working with KU IT

We provide a number of services to help protect the data and systems of the University and our customers:

  • Consulting and assessments
  • Training
  • Firewall management
  • Antivirus software
  • Information resources
  • Email encryption

Please contact the IT Security Office at itsec@ku.edu to discuss the information security requirements of your research and how we can best assist you.

Visit the IT Security for Researchers site for information on breach notification requirements and principal investigator (PI) responsibility.

While no place is 100% safe from cybersecurity threats, the KU campus is typically a safer work environment than off campus for several reasons:

  • KU campus systems have advanced security protections, robust defense mechanisms and 24/7 monitoring.
  • KU has a dedicated team of cybersecurity and other IT experts focused on protecting data and systems.
  • Endless variables off campus (e.g., device manufacturers, internet service providers, operating systems, software, etc.) make it difficult to fully guard against cybersecurity threats.

This means KU employees must be even more educated on potential threats and vigilant in managing devices and following cybersecurity best practices to protect themselves and the KU community.

In General

  • Limit your use of personal devices. Important: Work-related files saved to your personal computer will be subject to the Kansas Open Records Act, just as they would be if saved to your office computer.
  • Never conduct KU business on public computers at airports, hotel business centers, libraries, internet cafes, etc.
  • Secure your home router and Wi-Fi network (change the default administrator password and use WPA2 or WPA3 encryption).
  • Use the KU Anywhere VPN (virtual private network) to securely connect to KU servers and other resources, including your group storage.

Guard Your Privacy and Devices

  • Lock your workstation when you step away from it—every time—especially in public.
  • Be aware of who is around you, and what they can see and hear.
  • Maintain physical control of your laptop if you use it outside of your home and store your laptop and bags out of sight in your vehicle, preferably in the trunk.
  • All KU-owned laptops should already have whole disk encryption. If you will be taking a KU-owned desktop computer home for working remotely, please contact your departmental Technology support staff to have it encrypted.

Wi-Fi

  • Don’t transmit or download confidential or sensitive data, such as student record information, while on public Wi-Fi. If you must work with such data away from campus, connect to the KU Anywhere VPN first.
  • Don't download or install software or apps while on public Wi-Fi.
  • Always verify the name of the public Wi-Fi network before connecting.
  • Use eduroam, if available. You can log in to eduroam with your KU Online ID and password at many institutions around the world to access their secured Wi-Fi network.
  • Consider using a pay-as-you-go or contract service personal Wi-Fi hotspot, or set up a hotspot using your smartphone.

Video Conferencing

  • Keep your computer’s camera covered when you’re not actively using it.
  • Make sure there isn’t anything private or inappropriate in the background behind you.
  • Make sure participants can’t see private or confidential data when sharing your screen.
  • Don’t post meeting links on publicly available websites.
  • Lock down your meetings. Follow the steps in this Knowledge Base article to control who can join your meeting and what they can share.
  • Always double check your microphone and screen sharing settings.

Resources

Visit the IT Security for Remote Work site for more detailed information on how you can work safely when remote.

Visit our Working Off Campus Overview for more information about remote work, including a link to KU's remote work policy.


What is Phishing?

Phishing refers to malicious emails that try to trick you into giving out confidential personal information (e.g., credit card and bank account numbers, Social Security number, passwords, etc.), typically by impersonating a legitimate organization or by offering a prize you can claim only after you "register."

Phishing messages may appear to be from organizations you do business with (e.g., banks, software companies, healthcare, etc.) or work for. They might threaten to close your account or take other action if you don’t respond.

Legitimate organizations, including KU, will never ask you to provide a password or full Social Security Number in an email or in an unsolicited phone call.

KU IT periodically conducts self-phishing exercises to help assess and improve security awareness within the KU community. Knowing which lures our KU customers fall for helps us better target our security awareness training efforts.

Phishing Examples

Criminals are thinking up new phishing attacks all the time. These are just a few examples of common phishing messages:

  • "We suspect an unauthorized transaction on your account. To ensure that your account is not compromised, please click the link below and confirm your identity."
  • “Our records indicate that your account was overcharged. You must call us within 7 days to receive your refund.”
  • “You have won a free $500 Walmart gift card. Click here to collect your card."
  • “Test the new iPad and keep it when you’re finished. Just use the iPad and tell us what you think. Call us to become part of this exclusive test.”

Report Suspicious Emails


Use the "Report Message" button in Outlook or forward suspicious messages to abuse@ku.edu.

Resources

Visit the Malicious Emails & Phishing site for more information on:

  • Malicious email examples
  • How to protect yourself
  • What to do if you believe you were a victim of phishing