Security Quick Wins
#6 - Verify the "from" address of unexpected emails
When you receive an email you weren't expecting, check the actual email address of the sender (don’t just trust the “From” name).
#5 - Set Up Eagle VPN
ITS recommends you use Eagle VPN when connecting your smartphone, tablet, or laptop to any public or hotel WiFi. When you use BC's Eagle VPN, even for personal vacation use, the traffic to and from your device is encrypted so online criminals can't see it.
#4 - Download and Install Duo Mobile App
BC 2-Step Verification uses Duo Security technology to confirm your identity using a second device such as a mobile phone, tablet, or landline phone. 2-Step Verification is required for EagleVPN, PeopleSoft, and other BC services. ITS recommends you use the Duo Mobile App for the best experience with BC 2-Step.
#3 - Keep your software and devices up-to-date
When a computer is not up-to-date with software updates, it is more vulnerable to ransomware attacks, malware, and data breaches. Updates for your operating system, browsers, antivirus program, and any other program you run on your computer help protect your devices (and your files) from the latest threats.
We recommend you set your operating system and software to update automatically to ensure the latest security vulnerabilities are addressed.
#2 - Learn about Get Tech
When you use your BC email address or BC computer to sign up for online services or get software, even if they are free, you may be putting your personal information and Boston College data at risk.
To be cyber safe, if you are interested in any software, hardware, or technology services, even if they are free, please use the “Get Tech” process.
Quick Wins Cybersecurity Campaign
Each month through December 2022, faculty and staff will receive an email with a tip that takes about 10 minutes to complete. The tip will help protect their accounts, data, and Boston College.
#1 - Verify your data is backed up
When ransomware hits, a criminal takes ownership of the infected device’s files and insists they will not be unlocked unless “ransom” is paid. If your computer is backed up, you are less likely to be exploited by a ransomware attack.
You can unknowingly download ransomware onto a device by opening an infected email attachment, clicking an ad, following a bad link, or even visiting a website that has malware embedded.
Storing Confidential Data
The Regulated Data Chart can be used to help you determine where to store your files in accordance with important data security rules and regulations.
Important: Because regulatory and grant requirements change constantly, please consult with your Data Security Officer (DSO) to determine the safest place to store your confidential data.
Google Drive Security Guidelines
The BC Data Security Policy defines 3 categories of data: Public, Internal Use Only, and Confidential.
The Data Security Committee, General Counsel, and the university’s FERPA officer have informally agreed that an additional, 4th category of data will be added to the Data Security Policy that is even more sensitive than “Confidential.” Data that falls in this additional category will not be allowed to be stored off-campus except with written permission (see below). Google Drive is off-campus, and thus data that falls in this category must not be stored on Google Drive.
Until a formal policy revision is made and approved, you should use the following as a guideline:
Restricted. Due to legal restrictions or security concerns, some legally protected and highly sensitive information must not be stored on Google Workspace or other “cloud-based” systems without permission of the responsible Vice President or the Provost’s Office. This information, much of which was formerly classified as “Confidential,” includes:
- Social Security Numbers
- Financial or credit account numbers
- Personal financial information (e.g. financial aid data)
- Account log-in credentials
- Driver's license number or state-issued identification number
- Health and medical records, including HIPAA-protected information
- Human-subject research information
- Other sensitive information that the information sponsor or responsible Vice President has determined must remain on a secure BC server.
Confidential. FERPA data (i.e. student records) is generally defined as Confidential, and can be stored on BC Google Drive, except as noted above. Other Confidential data, except as noted above, can also be stored on BC Google Drive.
Internal Use Only: Acceptable to store on BC Google Drive.
Public: Acceptable to store on BC Google Drive.
For more information, contact email@example.com.
Boston College uses Identity Finder as a tool to aid in the process of finding and handling confidential data on faculty and staff computers. ID Finder scans computers for credit card numbers and social security numbers only. This type of information is called Personally Identifiable Information (PII).
Version 8.1 of ID Finder software will automatically be installed on your computer.
ID Finder automatically scans computers four times a month. If you have PII on your computer, you will receive an email asking you to remove the PII from your computer or move it to a secure location. Data Security Officers (DSOs) can monitor the results of the scans for employees in their areas using an online console.
ID Finder may not find all Personally Identifiable Information (PII) on your computer and it also may think some information on your computer is PII, when it is not. This is to be expected.
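Why a pattern-based scan both over-reports and under-reports, shown as an added example. This is not ID Finder's code: the patterns, checks, and sample strings below are constructed for illustration and are assumptions about how scanners of this kind typically match.

```python
import re

# Assumed patterns; ID Finder's real matching rules are not described on this page.
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

def luhn_ok(digits):
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def ssn_plausible(area, group, serial):
    """Reject ranges the SSA never issues (000, 666, 9xx areas; 00 group; 0000 serial)."""
    return (area not in ("000", "666") and area[0] != "9"
            and group != "00" and serial != "0000")

def scan(text):
    """Return (kind, matched_text) pairs for anything that looks like PII."""
    hits = [("ssn", m.group(0)) for m in SSN_RE.finditer(text)
            if ssn_plausible(*m.groups())]
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(("card", m.group(0)))
    return hits

# Constructed sample lines (4111... is a well-known test card number).
SAMPLES = {
    "real_card":   "Card on file: 4111 1111 1111 1111",            # true positive
    "part_number": "Replacement part no. 219-09-9999 ships Monday", # false positive
    "invoice_id":  "Invoice 0000000000000018 paid",                # false positive
    "spelled_out": "SSN is two one nine, zero nine, nine nine nine nine",  # missed
}

def scan_samples():
    return {name: scan(text) for name, text in SAMPLES.items()}

if __name__ == "__main__":
    for name, hits in scan_samples().items():
        print(f"{name:12} -> {hits}")
```

The part number and invoice ID pass every format and checksum test, so only a person reviewing the file can tell they are not PII; the spelled-out number is PII that no digit pattern will catch.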
- There may be a discrepancy between the number of results from the manual scan versus what was reported in the email to you. This is most likely due to permission differences between the manual scan and the automated scan.
- If you are using a laptop, you should plug it into a power outlet rather than running on battery power while scanning to avoid draining the battery quickly.
- Remember: ID Finder is only a tool to aid in the process of finding confidential data, so it may not find all PII on your computer and it also may think some information on your computer is PII, when it is not. This is to be expected.
- The first time you manually scan, the process may take several hours depending on the amount of data on the machine. This is expected. Subsequent scans will be shorter as ID Finder will not scan files that were unchanged since the last search.
- Open Identity Finder (v 8.1):
  Mac: Look in your Applications Folder.
  Windows: Click Start > All Programs > Identity Finder.
Important: The initial scan can be time-consuming, as it scans all files. We recommend that you run an initial scan at the end of your work day and leave your computer on. Subsequent scans only look for changes and will not take as long.
- To begin the scan, click Start.
If you are using Outlook on Windows, you will be prompted to enter your Secondary Password.
A window will appear showing you the progress of the scan. Identity Finder will continue scanning even if you close the progress window.
- When the scan completes, click Advanced.
A list of files containing Personally Identifiable Information (PII) will appear.
- For each item displayed in the list, click on the file to view its contents in the pane on the right. Files that contain multiple matches have a triangle to the left of the item. Click the triangle, then click each of the individual reported matches to display the contents in the pane on the right.
If you have PII on your computer, you will receive an email asking you to remove the PII from your computer or move it to a secure location.
Option 1: "Shred" (Delete) the File
- Check the box in front of the file you want to delete from your computer.
Note: If you want to retain the file containing the sensitive information, copy it to a secure location (such as your department server) before deleting it from your computer.
- In the toolbar, click Shred.
- If you cannot shred the file, make sure you have the proper permissions to delete the file.
- The Secure and Quarantine buttons have been disabled and will not function for this version of Identity Finder.
- When prompted to confirm that you would like to delete the items permanently, click Yes.
- When a window appears stating that items have been deleted, click OK.
Option 2: Delete the PII from the File
Option 2A: Use the "Scrub" feature
You can only scrub Office 2007 and higher files (e.g., docx, xlsx, pptx) and text files (i.e., *.txt, *.log, *.ini).
To delete PII from the file using the "Scrub" feature:
- Check the box in front of the file you want to delete the PII from.
- Make sure the PII is highlighted in the preview pane on the right.
- In the toolbar, click Scrub.
The PII is removed from the file.
- The next time Identity Finder scans, it will not find PII in this file.
Option 2B: Manually delete the PII
To manually delete PII from the file:
- Open the file containing PII, delete the PII, then save the file.
- The next time Identity Finder scans, it will not find PII in these files.
Option 3: Request to "Ignore" the PII
If the PII found is not actually PII, you can request that it be ignored in subsequent scans:
- Check the box in front of the file you want to ignore.
- Click Ignore > This Item Location or This Identity Match.
- When prompted, click Yes.
Ignore requests will automatically be sent to your DSO for approval.
If the DSO approves it, the next time Identity Finder scans, it will ignore this PII.
Option 4: Move the File to a Secure Location
- Copy the file to a secure location (such as your department server). Contact your DSO to learn about your department's preferred storage location.
- Move the original file off your computer to the Trash, then Empty the Trash.
Note: If you cannot move the file to the trash, make sure you have the proper permissions to delete the file.