On your own computer you should always log in with a password. Don't share that password with anyone. If someone else wants to borrow your computer, create a guest account for that person to use instead of telling her/him your password. If you don't know how to do this, ask someone for help (or use Google).
If you ever need to share your password(s) with someone legitimately (such as a service technician working on your computer), you should reset those passwords immediately afterwards. It's also a good idea to change your password after you've used it on someone else's computer (just in case they had a virus infection or a keylogger installed).
Don't use the same password everywhere. It's always good practice to use different passwords for different applications. This way if one password gets found out or stolen, you haven't given away the keys to the entire castle.
Keep the software on your computer up to date. Using old crusty versions of applications (or operating systems) leaves one open to malware and also theft of credentials/identity.
Be aware of whether or not wireless connections are encrypted. When connected to an open (unencrypted) wireless connection, don't log in to any websites unless they are secured with SSL (https).
If you have a laptop, make sure SSL (or TLS) is enabled for both sending and receiving of email. This is also highly recommended on a desktop machine.
If you use your computer in a location that is accessible to others, set it so that the screen will lock after a few minutes of inactivity.
While this discussion is somewhat technical in nature, it is useful to understand basic concepts about Uniform Resource Locators (URLs, sometimes also referred to as Uniform Resource Identifiers (URIs)). For purposes of our discussion, we'll only be talking about "web" addresses, which all start with http:// or https://—as mentioned above, the S in https:// refers to SSL and provides an encrypted connection between your computer/device and the "server" that is hosting the content you're accessing. The URL of a "link" isn't necessarily the text that you're clicking on. If you hover your mouse over the link, the URL will usually show up. To be 100% certain, you can right-click on a link, select "Copy link location" from the popup menu and then paste the text into your favorite editor, like Notepad, TextEdit or Emacs.
Order is important. The really important thing to pay attention to (when analyzing a URL to try to determine if it is "safe" or "legitimate") is what's called the "domain name" of the site. This is the portion immediately to the left of the first single forward slash (/) that occurs in the URL (the // after http: or https: is a double slash and doesn't count). Or, if there are no single slashes in the URL, the domain name is the part all the way at the right of the URL. Once you understand how this works, it's quite easy to reliably identify the domain name (each domain name has one period in it, like google.com, yahoo.com, gmail.com, simons-rock.edu, etc.). I should also mention that sometimes a numeric "IP address" is used instead of a domain name, like 10.10.10.10 (in this case there will be four numbers separated by three periods). So let's look at some examples:
So in all of the URLs in the list above, the domain name is example.com. I tried to make the examples as confusing as I possibly could, though one thing you'll find in real-life examples is that the URLs often get much, much longer than the ones I created above.
At this point you may be asking yourself "Why do I need to know what a domain name is?" which is a perfectly valid question. The basic answer is that it's always a good idea to know what server you are interacting with and the domain name component of the URL is how one knows this information.
More specifically, we are interested in whether we can "trust" the server. If you have a Gmail or Google+ account, you should only be logging in on pages that have a domain name of gmail.com or google.com (and, to repeat the obvious again, make sure that the URL is an encrypted one, i.e. https://). Likewise, if you have a Yahoo email account, you should only ever log in to a server whose domain is yahoo.com. And of course you should only ever log in with your simons-rock.edu account at URLs that start with https:// and whose domain name ends with simons-rock.edu.
There's another case where URL analysis can be handy. At this point in time, it's possible for malware hosted on a webpage to infect your browser, computer, phone, or other device. That is, all that's necessary is that you visit the page (so there's a danger even before you consider whether or not to enter any personal data in a web form). If you ever have any question about whether it's safe to visit a particular URL, you are welcome to send an email to firstname.lastname@example.org including the full URL and asking us to check it first.
For more detailed information, please see the Wikipedia entry on URLs.
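The domain-name rule and the "https plus expected domain" check described above, worked through in code. This is an added example, not part of the original page: the trusted-domain list only contains the sites the text names, and the confusing URLs are constructed here in the spirit of the author's (missing) list.

```python
from __future__ import annotations

from ipaddress import ip_address
from urllib.parse import urlsplit

# Login sites named in the text above; any other trusted names would be assumptions.
TRUSTED_LOGIN_DOMAINS = {
    "google.com": "Google / Gmail",
    "gmail.com": "Google / Gmail",
    "yahoo.com": "Yahoo Mail",
    "simons-rock.edu": "Simon's Rock",
}


def domain_of(url: str) -> str:
    """Return the host part of an absolute URL: what the text calls the domain name.

    urlsplit() resolves the cases that a by-eye reading gets wrong: a user@ prefix,
    a :port suffix, and query strings or fragments that contain slashes or dots.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError(f"not an absolute http(s) URL: {url!r}")
    return parts.hostname.lower().rstrip(".")


def registrable_domain(host: str) -> str:
    """Reduce subdomains to the text's 'one period' form: mail.google.com -> google.com.

    A numeric IP address is returned unchanged (the text notes one may appear in
    place of a name). Multi-label suffixes such as co.uk are deliberately not
    modelled; every example on this page is a two-label .com or .edu name.
    """
    try:
        ip_address(host)
        return host
    except ValueError:
        labels = host.split(".")
        return ".".join(labels[-2:]) if len(labels) >= 2 else host


def check_login_url(url: str) -> tuple[bool, str]:
    """Apply the text's two rules before typing a password: https, and a known domain."""
    if urlsplit(url).scheme != "https":
        return False, "connection is not encrypted (no https://), so do not log in here"
    domain = registrable_domain(domain_of(url))
    owner = TRUSTED_LOGIN_DOMAINS.get(domain)
    if owner is None:
        return False, f"domain {domain!r} is not one of the expected login sites"
    return True, f"domain {domain!r} belongs to {owner}"


# Constructed URLs in the spirit of the text's list: other names appear in the
# path, query, fragment, userinfo or subdomain, but the domain is always example.com.
CONFUSING_URLS = [
    "http://example.com/google.com/login",
    "https://google.com.example.com/",
    "https://example.com?redirect=https://google.com/",
    "https://example.com#google.com",
    "https://example.com:8443/yahoo.com",
    "https://login@example.com/",
    "https://EXAMPLE.com./gmail.com/",
]

if __name__ == "__main__":
    for url in CONFUSING_URLS:
        print(f"{url:52} domain = {registrable_domain(domain_of(url))}")
    for url in ("https://mail.google.com/", "http://mail.google.com/",
                "https://gmail.com.example.com/login", "https://10.10.10.10/"):
        ok, why = check_login_url(url)
        print("OK  " if ok else "STOP", url, "-", why)
```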
Technically speaking, any computer where the login you use is (ever) used by someone other than yourself should be considered a public use computer.
If a public use computer does not have the latest up-to-date versions of software on it, you should consider not using it to log in to any personal accounts. It would also be good form to report this to the owner(s) of the machine, as malware often spreads due to lack of timely updates on common desktop software (browsers, PDF viewers, etc.).
There is another calculus that one should probably make on any public machine. Unless one knows the owner/administrator very well, it's probably always safer to be cynical. For instance, I would never consider logging into my bank from a machine in any internet cafe. I might log in to Facebook, though. Your decision might be different depending on how important the sanctity of your Facebook account is to you.
Make sure you explicitly ask for SSL-enabled sites. That is to say, type the extra s after the http directly: don't just type gmail.com or facebook.com, instead type https://gmail.com or https://facebook.com. If you're logging in somewhere that https:// doesn't work.
Understand the different behavior of Apple (Mac) computers versus Windows (PC) computers. When you are using a Mac, the application doesn't shut down when you close the last open window like it does on Windows. This is also important to understand if you are using a friend's Mac. If you want to close an application completely, you should use Apple-Q (or select "Quit" from the application's menu, just to the right of the Apple symbol at the top left of your screen). Always click on the logout/signout links explicitly when you're done. Additionally, shut down the computer completely (if you can). If you can't shut down the computer, at least try to log out of the user account (so that the next user has to log in before they can use the computer). Many public use computers are configured to additionally purge data when a logout or shutdown has occurred.
This Information Security Plan (the “Plan”) describes the Bard College at Simon’s Rock ("Simon's Rock") process for protecting confidential personal information.
Confidential Personal Information (“CPI”), for purposes of this Plan, includes the following categories of information:
Customer Information, as defined in the Gramm-Leach-Bliley Act (GLBA), is any nonpublic personal information that the College obtains from a customer in the process of offering a financial product or service. In the Simon's Rock context, a financial product or service includes offering student loans to students, receiving income tax information from a student’s parent or guardian when offering a financial aid package, and offering financial account payment plans. Nonpublic personal information includes, but is not limited to, bank and credit card account numbers and income and credit histories, whether in paper or electronic format.
Personal Information, as defined in Massachusetts General Law 93H and Mass regulations 201 CMR 17.00 ("Massachusetts Privacy Law"), is any data record (electronic or paper) that contains an individual’s first name or initial and last name, in combination with any of the following data elements that relate to the individual: (a) Social Security number; (b) driver’s license number or government-issued identification card number; or (c) financial account number, or credit or debit card number, with or without any required security code, access code, personal identification number or password, that would permit access to an individual’s financial account. Personal information shall not include information that is lawfully obtained from publicly available information, or from federal, state or local government records lawfully made available to the general public.
Protected Health Information (PHI), as defined by the Privacy Rule of the Health Insurance Portability and Accountability Act of 1996 (HIPAA), includes all information related to health care that identifies an individual; and, that involves the individual’s past, present, or future physical or mental health condition, or the provision of health care to the individual, or any payments for the provision of health care. This information must be protected when it is held or transmitted in any form or media, whether electronic, paper, or oral. Simon's Rock's Health Services department, as a health care provider, is a HIPAA covered entity. However, the College, as an employer, is not covered, and employee health insurance information handled by our Human Resources department is excluded.
Protected Educational Records are information about Simon's Rock students as described by the Family Educational Rights and Privacy Act (FERPA). Under FERPA, the College designates specific categories of "directory information" which may be shared publicly with third parties. Simon's Rock's FERPA directory information is defined in our current Student Handbook and will be reviewed and updated as necessary. Student educational records that are not designated as directory information can only be used by college staff and officials who have a legitimate need to know and educational interest in the student's information. Otherwise, such information can only be released with the student's permission, or as allowed by FERPA.
All of the above are considered CPI for the purposes of this plan. These safeguards are provided in order to:
This Plan also provides for mechanisms to:
Simon’s Rock recognizes the existence of both internal and external risks to the security of CPI. These risks include, but are not limited to:
Simon’s Rock recognizes that this may not be a complete list of the risks associated with the protection of CPI. Since technology is not static, new risks are created regularly. Accordingly, the Information Technology Services department (ITS) will monitor security advisory information such as provided by the Educause Security Listserve, REN-ISAC (Research and Education Networking Information Sharing and Analysis Center), and the SANS Institute (System Administration, Networking, and Security), for identification of new risks.
The Director of Information Technology Services, Janice Gildawie, serves as the coordinator of this Plan. Compliance and monitoring is shared by all Simon's Rock department heads and the College's Provost Leadership Council. Together, they are responsible for assessing the risks associated with maintaining and transmitting CPI and implementing procedures to minimize those risks to Simon’s Rock.
Whenever the College retains a service provider that will maintain, process or have access to CPI, the College will ensure that the provider has in place an information security program sufficient to protect CPI. The College will include in the contracts with service providers having access to CPI a provision requiring the providers to have in place security measures consistent with the requirements of the Massachusetts privacy law, and to assure that such CPI is used only for the purposes set forth in the contract.
Simon’s Rock maintains a computer security system that provides, at a minimum, to the extent technically feasible:
The Information Security Plan Coordinator will work with the Provost Council and the leadership of other College departments to ensure that this security system infrastructure is appropriately maintained and properly complied with.
CPI will only be retained for as long as needed for the College’s reasonable business purposes, including for the purpose of complying with any state or federal law. Each department that stores CPI will regularly review the CPI it has retained for the purpose of determining which information may be purged.
Any employee who violates this policy shall be subject to discipline pursuant to the relevant disciplinary policy, including possible termination of employment.
Once an employee concludes his/her employment, either voluntarily or involuntarily, such employee’s access to college data systems and physical paper storage locations including CPI shall be terminated.
This Plan is subject to periodic review and adjustment. Adjustments might be necessary or advisable due to changes in technology, increases or decreases in the sensitivity of the information that is covered by this Plan, and the assessment of internal or external threats to the security and integrity of the covered information, among other reasons. Continued administration of the development, implementation and maintenance of the Plan will be the responsibility of the Information Security Plan Coordinator, who may assign specific responsibility to others for implementation and administration, as appropriate. Credit is given to our colleagues at Williams College and Wellesley College for their generosity in sharing their expertise and knowledge to facilitate Simon's Rock's development of this plan.
Bard College at Simon's Rock (hereafter known as "the College") provides members of the College community with a user account that consists of a username and password, known as a "Simon's Rock LDAP Username (and Password)". Passwords belonging to specific Simon's Rock LDAP Usernames should be kept private; use of a Simon's Rock LDAP account by someone other than the designated owner of the account is prohibited and may result in the revocation of the offending user's account and consequent network privileges (see Section 3).
As long as they are being used actively, alumni user accounts remain accessible for a minimum of one year after leaving Simon's Rock and will remain accessible until deemed inactive. User accounts for retired faculty and staff will be maintained until death. Other former faculty and staff user accounts are typically removed, although exceptions may be granted. Both e-mail notification and the ability to petition for continued user account support will precede the termination of any user account.
It is prohibited to alter the configuration of public computers made accessible to the College's community without the permission of Information Technology Services (ITS); this includes the adding or removing of software or hardware. Any printing to College-owned printers should be done with care and in moderation. Use of the public printers for excessive copying is prohibited; dedicated photocopy machines are supplied for this purpose.
Users of the Simon's Rock campus network are required to adhere to local, state and federal laws in addition to the regulations mentioned in this document. Users of the network maintain sole responsibility for the legality of their actions through use of the network and other related services including but not limited to:
Prohibited actions taken by a user through access of the network or other publicly available technology at Simon's Rock may result in termination of such access to any or all of the provided services to the user, in addition to incurring other disciplinary action. Any action related to the network or other publicly available technology that violates local, state, or federal law, including gross copyright violations and illegal or otherwise unauthorized access to any computer system, may be reported to the relevant law enforcement authorities.
Any user must verify that their machine is free from viruses, malevolent programs and other intrusive software. In addition, all official software updates must be completed prior to connecting to the network. If the machine runs any version of the Windows operating system it is mandatory that current anti-virus and anti-spyware programs, with the latest definitions, are installed on that machine (these programs are provided free-of-charge by ITS). Finally, the user is responsible for keeping their machine up-to-date by downloading operating system patches and new definition files for anti-virus/anti-spyware software promptly after they are made available for every applicable program and operating system installed on the machine.
Registration of a computer to a user account that is not used primarily by the corresponding user is prohibited. The registered user for a given MAC address is the sole person responsible for actions taken on his or her computer and will be held accountable for any prohibited actions taken using that computer as well as any harm to the Simon's Rock network caused by the registered and associated hardware.
Any use of an IP address on the Simon's Rock network not assigned by the College's Dynamic Host Configuration Protocol (DHCP) servers is prohibited without permission from ITS. Services that may not be run by users include but are not limited to
ITS reserves the right to deny users of its network the ability to provide the services mentioned above and potentially any others not mentioned in this document.
It is prohibited for any technology user, as a sum of their network interface devices, to abuse or monopolize the network. If a user is found to be abusing their network privileges, whether inadvertently or otherwise, they will be disconnected from the network (see Section 3). Users are responsible for ensuring that their computer and associated application programs do not impose excessive traffic demands on the network, particularly when transferring data to and from sites on the Internet.
All students share a finite amount of bandwidth to the Internet, and consequently there may be times when network access will feel slower due to high usage during peak times (typically early evenings and weekends). The College maintains traffic shaping hardware in place to, as much as possible, minimize this problem. However, the College cannot guarantee a certain quality of service. Students are encouraged to practice being good "network citizens" in order so that all network users can benefit from the College's connection to the Internet.
ITS reserves the right to monitor network traffic to and from College-maintained server systems and also to track and log activity between the campus network and any off-campus network. Individuals who violate the aims of this policy will be subject to disciplinary action or to referral to law enforcement authorities. Information Technology Services personnel are authorized to monitor suspected violations and to examine data stored on any College-maintained storage medium by individuals suspected of violating this policy.
Due to significant lobbying from the Motion Picture Association of America (MPAA) and the Recording Industry Association of America (RIAA), the US congress has revised the Higher Education Opportunity Act (HEOA) to address copyright law and file sharing. Title IV of the HEOA legislation deals with Federal Student Assistance, including Pell Grants, the Family Education Loan Program, the Work-Study program, Direct Student loans, and Perkins Loans. However, the reporting requirements of HEOA Title IV now also stipulate that all US colleges and universities must provide:
This web page comprises part of Bard College at Simon's Rock's response to these HEOA requirements.
Copyright Law and Simon's Rock Policy
Copyright law provides protections to creators of works against the unauthorized duplication and distribution of the works. In exchange for these protections, the public is provided with specific rights for "Fair Use" of copyrighted works. More specifics about copyright law and fair use are available at the following sites:
Copyrighted works that are easily stored in digital form, such as software, music, videos, and photographs, can be easily acquired and distributed over computer networks, using freely available file sharing software. However, despite the ease of such transfers, it is illegal to download, and especially to distribute, such copyrighted works without authorization.
Since such activity is illegal, it is of course prohibited by general college policy, and covered by the disciplinary procedures in our student and employee handbooks. In addition, using the Simon's Rock network or any other Simon's Rock technology resource to copy, store, and/or distribute copyright-infringing material is specifically prohibited by the Acceptable Use Policy. All campus users acknowledge this policy when they register personal computer equipment on the network. Loss of campus network access and/or disciplinary actions as specified in the handbooks may result from continued illegal activity by members of the college community.
Every user is responsible for his or her own compliance with the law. Using the Simon's Rock network does not in any way shield you from potential law enforcement actions; users who download or distribute copyrighted works may face civil or criminal penalties in addition to sanctions based on college policy.
Penalties for Copyright Violation
If a copyright owner successfully prosecutes an infringer, the penalties are set at "not less than $750 or more than $30,000" per infringing work. However, if the copyright owner can establish that the violation was "willful" the penalty can be $150,000 per work. (from US Code Title 17 Chapter 5 Section 504.)
Furthermore, the US No Electronic Theft Act establishes that penalties can be charged even if the infringer did not profit in any way from the violation. Willful copyright infringement can also result in criminal penalties, including imprisonment of up to five years and fines of up to $250,000 per offense.
File Sharing Software
Much of the illegal distribution of copyrighted works is done with peer-to-peer (P2P) file sharing software. There are many different peer-to-peer protocols used for sharing, such as BitTorrent and Gnutella, but the primary characteristic of P2P systems is that there is no central server holding the shared files. Instead, every client computer can both download files for local use and serve files for download by other peers. Thus, if you install peer-to-peer file sharing software, it is your responsibility to ensure that it does not illegally serve any copyrighted material on the peer-to-peer network. Since these networks only function if many peers share, the default action of most file sharing packages is to automatically share local files.
Note that some peer-to-peer software, particularly BitTorrent, is used as a legal distribution channel for Open Source and other free software, and for other works that are in the public domain or licensed for distribution. Thus, using P2P software is not inherently illegal, but users must be aware of the licensing and distribution requirements of every file they transfer. Also, as noted above, users must be very careful to not inadvertently share copyrighted files from their own systems.
P2P file sharing can consume large amounts of network bandwidth. Since bandwidth from our campus to and from the internet is a scarce and expensive resource, ITS attempts to limit the amount of P2P traffic. If you need to download legal material from a P2P source, please contact ITS for assistance.
Tracking File Sharing
Internet communication is not anonymous: Every packet of data sent or received includes the source and destination IP addresses of the computers sending the traffic. Moreover, these globally unique addresses are registered to their providers, as this is necessary for routing data. Also, P2P client software must advertise the files it has to share, or else the P2P network would not function. Therefore, major producers of copyrighted works hire companies to track file sharing, which they can do easily by using the same P2P software as everyone else. If a peer is found to be sharing (distributing) or offering to share copyright-infringing content, the agents send violation notices to the infringer's Internet service provider (i.e. Simon's Rock). The ITS department occasionally receives notices of copyright infringement, and we are required by the HEOA regulations to take action on these notices. ITS will attempt to find the user who had use of the IP address in question, and to forward the copyright violation notice to the user.
Note that the college does not provide any network access to these copyright enforcement agents; any evidence of file sharing they detect is publicly available on the internet. We will not release any user information or network logs to such agents unless required by subpoena or other legal means.
Legal Sources for Music and Video
There are many on-line sources that give legal access to copyrighted music and video.
HEOA Compliance Statement
Bard College at Simon's Rock has implemented the following plan for compliance with the file sharing and copyright protection provisions of HEOA:
All devices that connect to the Simon's Rock wired campus network must be registered to a current Simon's Rock user ID. To register a device, the owner of the device must:
Follow instructions for wireless setup.
For computers and other wired devices with web browsing capability, you will be presented with a registration screen when a browser is opened after the device is first connected to the college network. Use your Simon's Rock user ID and password to register your devices. Note that NETREG is based on the unique address of the device's network port, so a separate registration is required for each network connection, e.g. the wired and wireless connections on a laptop will each need to be registered.
For devices that do not have web browsing capability (e.g. some game consoles) contact ITS with the device's network MAC address to have ITS register the device.
You must agree to the Network Acceptable Use Policy when you register a device on the campus network. If you do not wish to abide by this policy, you may not connect to the Simon's Rock network.
Bugs in system and application software make computer systems vulnerable to malware and exploitation from the internet. Simon's Rock network users are required to keep their systems up-to-date with security patches and upgrades for all installed software. Most operating systems have options to automatically download and install system patches; these updates should be enabled by all users. In addition, software such as web browsers and Adobe web and PDF viewing tools must be updated and patched. This page has details on common Windows software updates: Recommended Software Versions, found on the portal.
If you do not already have an antivirus program with real-time protection installed on your computer, Simon's Rock recommends Microsoft Security Essentials for Windows 7 computers. Windows 8 includes this antivirus software, which is named Windows Defender in this version of Windows. You must have an up-to-date anti-virus program installed on your Windows computer before you join the campus network.
Welcome! If you are connected to the "Instructions-for-Eduroam" wifi network on campus, you can reach only this site, which has instructions for connecting to Simon's Rock's secure "eduroam" wifi network. You must connect to eduroam to access the internet, campus printing, or any other services.
After you are connected to eduroam, this page is available at wireless.simons-rock.edu.
All users of the Simon's Rock network must abide by the campus network Acceptable Use Policy.
To automatically configure your system to connect to our Eduroam wireless network, please download and run the appropriate installer for your system from the list below. As the installer runs, it will prompt you for your Simon's Rock user name, including the domain @simons-rock.edu, and your Simon's Rock password.
Note: Although you can just select "eduroam" and enter your username and password to get an initial connection, most OSes will have a more stable connection if you use the installer to provide the proper server certificates. Links to detailed instructions for each OS installer are in the menu at the left.
After the installer finishes, select and join the "eduroam" network in your list of wireless networks. Next, delete your saved connection for the "Instructions-for-Eduroam" network so that your system will only use "eduroam".
For more details on connecting a particular device, with screen shots, please select the appropriate operating system from the sidebar. Once you have successfully authenticated to the eduroam SSID, you will no longer be automatically directed to this page.
If the automated installer does not work for you, please follow these basic instructions, or select your device from the list at the left for more detailed instructions.
Simon's Rock has a private wireless network in select areas around campus, for use by faculty, staff, and students. Accessing the network requires a Simon's Rock username and password, or network credentials from a participating eduroam institution. (Eduroam guest users authenticate to their home institutions via the Simon's Rock network, using their existing network settings.)
This network uses WPA2-Enterprise wireless security, an implementation of the IEEE 802.1X standard for secure connections. Simon's Rock uses PEAP/MSCHAPv2 as our primary authentication scheme; most devices can automatically detect and use this protocol. Simon's Rock also supports TTLS/PAP authentication.
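The note above about the installer providing the proper server certificates is what separates a safe 802.1X profile from a weak one: without a CA certificate and a server name check, the client cannot tell the campus authentication server from any other network broadcasting the same SSID. As an added example that is not part of the college's instructions or installer, here is a small Python audit over a constructed wpa_supplicant.conf holding two "eduroam" profiles (PEAP/MSCHAPv2, as the text describes), one without and one with those checks. The CA file path, the matched server domain and the user name are placeholders (assumptions).

```python
from __future__ import annotations

import re

# Constructed wpa_supplicant.conf with two "eduroam" profiles. The CA file path,
# the server name to match and the user name are placeholders (assumptions);
# the college's installer supplies the real certificate.
SAMPLE_CONF = """
network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="someone@simons-rock.edu"
    password="PLACEHOLDER"
    phase2="auth=MSCHAPV2"
}

network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="someone@simons-rock.edu"
    password="PLACEHOLDER"
    phase2="auth=MSCHAPV2"
    ca_cert="/etc/ssl/certs/campus-radius-ca-PLACEHOLDER.pem"
    domain_suffix_match="simons-rock.edu"
}
"""

REALM = "@simons-rock.edu"  # the domain the installer asks for with the user name


def parse_networks(conf: str) -> list[dict[str, str]]:
    """Parse each network={ ... } block into a dict, stripping surrounding quotes."""
    networks = []
    for body in re.findall(r"network=\{(.*?)\}", conf, re.S):
        entry: dict[str, str] = {}
        for line in body.splitlines():
            line = line.strip()
            if not line or line.startswith("#") or "=" not in line:
                continue
            key, _, value = line.partition("=")
            entry[key.strip()] = value.strip().strip('"')
        networks.append(entry)
    return networks


def audit_profile(net: dict[str, str]) -> list[str]:
    """Return the weaknesses of one WPA2-Enterprise profile; an empty list passes."""
    findings = []
    if net.get("key_mgmt") != "WPA-EAP":
        findings.append("not an 802.1X (WPA-EAP) profile")
    eap, inner = net.get("eap"), net.get("phase2", "")
    if eap == "PEAP" and "auth=MSCHAPV2" not in inner:
        findings.append("PEAP profile without the MSCHAPv2 inner method the campus uses")
    elif eap == "TTLS" and "auth=PAP" not in inner:
        findings.append("TTLS profile without the PAP inner method the campus supports")
    elif eap not in ("PEAP", "TTLS"):
        findings.append(f"EAP method {eap!r} is not one the campus network offers")
    if not net.get("ca_cert"):
        findings.append("no ca_cert: the client cannot tell the campus authentication "
                        "server from any other network using the same SSID")
    if not (net.get("domain_suffix_match") or net.get("subject_match")):
        findings.append("no server name check: any certificate from the trusted CA is accepted")
    if not net.get("identity", "").endswith(REALM):
        findings.append(f"identity lacks the {REALM} realm needed for eduroam roaming")
    return findings


def audit_conf(conf: str, ssid: str = "eduroam") -> list[list[str]]:
    """Audit every profile for the given SSID; one findings list per profile, in file order."""
    return [audit_profile(n) for n in parse_networks(conf) if n.get("ssid") == ssid]


if __name__ == "__main__":
    for i, findings in enumerate(audit_conf(SAMPLE_CONF), 1):
        print(f"profile {i}: {'OK' if not findings else 'weak'}")
        for finding in findings:
            print("  -", finding)
```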
Simon's Rock is part of the eduroam shared network for higher education. The global SSID "eduroam" is used by all eduroam member colleges and universities around the world. Once you have configured your system for the Simon's Rock eduroam network, you will be able to connect securely and automatically on the campus of any eduroam member institution. Similarly, users from other campuses can connect securely when they visit Simon's Rock. More information about eduroam, including a map of member campuses, is available at the eduroam-US site.