IT Security

Find best practices for using devices and applications securely to protect your information and that of others.

Security Best Practices

  • Passwords

    • Never use your Central Piedmont login or password on a non-Central Piedmont website or application.
    • Do not share your password with anyone (including the ITS Help Desk, your instructors, employees, supervisors, administrative assistants, etc.).
    • Never use your Central Piedmont credentials on a machine you don't trust (e.g., a rented computer, a public computer, or even at a friend's house).
    • Use long, unique passwords for every account.
    • Change your password if you think someone else might know it.
    • Supplement your password with additional security through multi-factor authentication. Central Piedmont offers multi-factor authentication with Duo.
    • Use a password manager like KeePass, 1Password, or LastPass to help you create and manage strong, unique passwords for each of your accounts.
    • Always log out when you are finished using a system or service.
  • Workstations

    • While your workstation will auto-lock itself after 15 minutes of inactivity, you are encouraged to lock it manually whenever you leave your area. You can lock your Windows workstation by holding the Windows key and pressing the letter L. When using the Central Piedmont Cloud, the "Disconnect" option is equivalent to locking the virtual workstation.
    • Log off your workstation at the end of the day. Doing so will protect you from losing unsaved work and also make it easier for us to provide critical patches and updates to your computer.
    • Only install software required to fulfill your role at the college.
    • Only install and use P2P, torrenting, and other file sharing software for legitimate purposes. Sharing copyrighted media is a violation of college policy and could put you and the college at risk.
  • Email

    • Do not open any email attachments or click on links in email messages from senders you do not know. Some of the linked websites can download malware onto your computer without your knowledge.
    • To report phishing or other suspicious email, please attach it as an email Item to a new message addressed to phish@cpcc.edu. This will ensure that the original message details remain intact for analysis by our security team and automated systems.
    • If you receive spam or other unwanted email, you can visit spam.cpcc.edu and add the sender to your blocked senders list. Learn more about employee email spam filtering.
    • To report spam email, please attach it as an email Item to a new message addressed to spam@cpcc.edu.
    • Consider disabling the auto-preview feature in your email settings. This prevents emails with malicious content from being automatically displayed. If you’re not familiar with how to disable the auto-preview feature, contact the ITS Help Desk.
    • Never provide personally identifiable information (Social Security Number, birth date, password, credit card information) to anyone through email. No legitimate entity will ask you for such information via email.
    • Email is not an encrypted format. While in transit, emails may pass through networks and devices that are outside of our control. Assume that anything you write in an email is public — do not send anything over email that is not public information.
    • Always verify the email address of a message, not just the displayed name. It is common for malicious emails to spoof a display name of someone you know.
  • Web

    • Use a well-known, up-to-date browser like one of those listed at BrowseHappy.com. Other great options include Chromium and Brave.
    • Consider disabling JavaScript, Java plugins, ActiveX controls, and other media add-ons if you don't need or use them. These are increasingly used to deliver harmful content.
    • Be very careful when typing a URL into your browser. Commonly misspelled versions of some domains are often phishing sites set up to look like the real thing.
    • Consider installing browser plug-ins that force sites that support HTTPS to use it by default. We recommend HTTPS Everywhere by the Electronic Frontier Foundation.
    • Consider installing browser plug-ins to block ads and trackers. We recommend uBlock Origin and Privacy Badger for these purposes, respectively.
  • Mobile Devices

    • Never store sensitive information on a mobile device, as mobile devices can be easily lost or stolen.
    • Keep mobile devices with you at all times; do not leave them unattended. If that is not possible, keep them in a locked location.
    • Set your mobile device to lock after a timeout period and require a strong password or PIN to unlock the device. Doing so will keep unauthorized people from accessing it if it is lost or stolen.
    • Enable remote wiping capabilities. Doing so can allow you to remotely access and disable the device should it get lost or stolen.
    • Be careful about what apps you install. If allowed access, apps can share your contacts, emails, files, and text messages with third parties.
    • Make sure you keep your mobile device updated. Obsolete devices can be susceptible to attacks, which could result in data theft or even financial loss.
    • Set Bluetooth devices to “hidden mode” and disable Bluetooth when it is not in use. This will prevent unwanted users from connecting to your device.
  • Telephones

    • Do not trust caller ID. If you receive a call appearing or claiming to be from your bank, the IRS, or other institution, do not provide any information. Request a name, extension, or reference number, hang up, and call them back at the number listed on a known trusted document, such as a bank statement, the back of your credit card, an official government website, etc. Legitimate institutions should be accommodating to these security measures. If you are met with resistance or feel pressured, you may be dealing with a scam artist.
    • Never give out your password over the phone.
    • In a large educational institution, you probably haven't met everyone. Before giving information to a caller you do not recognize, verify they are who they say they are (e.g., by calling their office number or the office of a co-worker that you do know).
  • Removable Storage Devices

    • Beware of unrecognized USB sticks and CDs that you find lying around. They may have been planted for the sole purpose of infecting any machine they are inserted into.
    • Do not transport confidential or personal information on CDs, laptops, USB keys, portable hard drives, etc., unless necessary. If you do use these tools, only use them in a way that is encrypted and secure (contact ITS for advice and assistance with this).
  • Social Networks

    • Restrict who can view your profile and information.
    • Avoid providing personal information, such as your Social Security number, birth date, address, telephone number, class/work schedule, or location.
    • Be wary of answering online surveys that people post on your wall, comments, etc. Although they appear innocent, they can provide an attacker with useful information about you. This information can then be used for things like answering your secret questions to gain access to accounts or reset passwords.
    • Remember that anyone can see what you post on the internet. Always think about what you post and what people post about you.
    • Don’t click on suspicious links or download files in messages, chat windows, or status updates. This can infect your computer with malware and spread to your contacts.
    • Report spam, phishing, and access violations to the social network provider.
  • WiFi

    • Be careful what you access on public WiFi networks. Attackers can hijack sessions and view your data, unless you use encrypted services such as HTTPS websites or use a VPN to "tunnel" your traffic through an encrypted connection.
    • Always enable personal firewalls, run up-to-date anti-virus software, and install system updates before connecting to public WiFi networks and hotspots. This can protect your system from malware and vulnerabilities.
    • Never leave a personal WiFi router open without requiring a long password. You should also avoid using WEP or WPA encryption, as these have known weaknesses. You should use at least WPA2 encryption to secure your network.
    • As an extra layer of access control, you can enable MAC address filtering on your wireless router. MAC filtering only allows the devices you specify to access your wireless network.
    • Avoid sharing your WiFi password. Most routers allow setting up a guest network with a different password.

Resources