security

Safeguards Against Cybercrime


Being connected to the internet means that the internet is connected to you. Without concern and proper safeguards to protect the information you share, you are at a greater risk of cybercrime.

The university assumes its share of responsibility to protect sensitive information, but you must do the same. The vast majority of data and identity thefts are not the result of enterprise breaches but a direct consequence of individuals who are complacent about sharing sensitive information or unaware of the risks.

Please take a moment to review this video to obtain a better understanding of how you can help protect yourself from cybercrime.


Setting up and Accessing the FDU VPN Client

Download and Install The FDU VPN Client

FDU’s VPN Client Software is also known as the “Cisco AnyConnect Secure Mobility Client”.

  1. Use any web browser (Google Chrome, Mozilla Firefox, Safari) to navigate to vpn.fdu.edu. Please refrain from using the Internet Explorer web browser when installing the FDU VPN Client.
  2. Select your role within the University from the Group pulldown menu and enter your NetID information in the username and password fields (user@fdu.edu).
  3. On the left-hand side menu, click on “AnyConnect”, then click on “Start AnyConnect”.
  4. Download the VPN applet by clicking on “Download for Windows” or “Download for macOS” depending on your operating system. The browser will then download the VPN software client. When finished downloading, click on the file and select “open” within your browser.

Chrome

Firefox

Safari

The browser will open a new window asking for permission to download the applet, click on “Allow”. When finished downloading, double click on the file to open the installation package and start the installation process.

  5. Follow the steps prompted to accept all changes and grant requested permissions to install FDU VPN software. Note, Java Runtime Environment software may also need to be installed. A copy of the software download will be prompted to be installed or can be accessed using the link below:
  6. The installation will continue, and an icon for the “Cisco AnyConnect Secure Mobility Client” with a “lock” icon will appear in your system tray once the installation is complete.
Configuring The FDU VPN
  1. Log into your computer.
  2. Launch the Cisco AnyConnect Secure Mobility Client from the Start Menu. Ensure the address “vpn.fdu.edu” is entered into the corresponding text box and then press the “Connect” button.
  3. Select your correct Group name on the dropdown menu, then enter your FDU NetID username and current FDU NetID password in the corresponding boxes. Click “OK”.
Dropdown Options
Example for Employees
Example for Students
  4. Ensure a successful connection was made by checking on your system tray at the bottom right portion of your screen, or if on macOS, the client application window will display a screen check over the lock icon.
Windows
macOS
Logging into The FDU VPN

The following instructions are the same for both Windows and macOS users.

  1. Register with Duo MFA
     • If you are an existing Duo user, please skip to Step 2
     • For new Duo users, please follow the guide below for registering your DUO Account
  2. Launch the “Cisco AnyConnect Secure Mobility Client” from the Start Menu or your Mac’s application folder if on macOS.
  3. Ensure the address “vpn.fdu.edu” is entered into the corresponding text box and then click the “Connect” button.
  4. Select your correct Group name on the dropdown menu.
  5. Enter your FDU NetID username and current FDU NetID password in the corresponding boxes. Click “OK”.
Example for Employees
Example for Students
  6. In response, you’ll receive the Duo challenge dialog box. To use the preferred method, type push in the “Answer:” dialog box, then click “Continue”.
  7. Tap “Approve” on the Duo login request received on your phone.
  8. Ensure a successful connection was made by checking on your system tray at the bottom right portion of your screen, or if on macOS, the client application window will display a screen check over the lock icon.
Windows
macOS

Additional DUO Information

Users with multiple registered Duo devices will need to enter push1 for their primary device or push2 for their backup device. If you are unsure which device is your primary or secondary device, open the Duo Mobile app on your mobile device, click Fairleigh Dickinson University and enter the passcode displayed.

Additional DUO Authentication Options

| Type | Instructions |
| --- | --- |
| Push (Preferred) | Push a login request to your phone (if you have Duo Mobile installed and activated on your iOS or Android device). Review the request and tap “Approve” to log in. |
| Passcode | Open the Duo Mobile App. Tap “Fairleigh Dickinson University” and the passcode will be displayed, or call the Fairleigh Dickinson University Technical Assistance Center (UTAC) for a passcode. |
| Phone | Have Duo call your phone to authenticate your login. (Users with multiple devices will need to include a number indicating desired device i.e. Phone2). This option is only available to Faculty, Staff and approved Students. |
| SMS | Have Duo text a passcode to your phone. (Users with multiple devices will need to include a number indicating desired device i.e. SMS2). NOTE: This option is only available to Faculty, Staff and approved Students. |

Additional Resources for Cisco DUO


Spot a Phishing Scam


What is a phishing scam?

Phishing refers to the act of using a fraudulent identity and scenario to extract personal information or something else of value. Although phishing scams can occur over various mediums including text messages, phone calls, and social media, they are most frequently carried out via email.

Scammers have many means of acquiring bulk email addresses. Receiving a phishing attempt does not mean that your account has been singled out or has been compromised in any way.

Fairleigh Dickinson University’s email accounts employ Microsoft’s Advanced Threat Protection (ATP) which, in addition to traditional spam filtering, removes malware-infected attachments and utilizes Safelinks to scan messages for malicious links. Additionally, we have appended the subject line of messages coming from outside of the FDU domain with the “[External]” tag. Although phishing can occasionally come from inside of our domain, messages with the external tag demand extra scrutiny.

Despite all of these efforts, keeping up with the latest scams is always a cat and mouse game. It is best practice to have a solid foundational knowledge of how these scams work.

Detecting a Phishing Scam

Although each phishing scam is unique, there are certain common traits which can serve as red flags. The most common “tell” is a sense of urgency. Generally, phishers would like for you to act promptly and without careful consideration. As a result, they will pepper their email with phrases such as “immediate action required” and “to avoid the immediate suspension of your account”.

Although an urgent tone is likely to be your first clue, there are plenty of other red flags that you will begin to notice over time. Many phishing attempts are poorly constructed emails. Incorrect spelling and grammatical errors are common. The message could contain a blank subject line and the sender’s signature may only list their title instead of their name. Be wary of messages in which the quality of writing does not meet your expectations for the purported institution.

The goal of many scams is to make a request for your personal information. This can take the form of bluntly asking for your social security number. However, it may also take a subtler approach. Many phishing attempts will create a mock version of a University, banking institution, or commerce website and ask you to log in. Once you enter your account information, the scammers have acquired your password.

Although most phishing scams cast a wide net, some recent attacks have specifically targeted individual members of the University. If someone is claiming to be your colleague or supervisor, check to confirm that the message is coming from their FDU account. Do not trust messages claiming to be from FDU employees which originate from external accounts such as Gmail and Yahoo.

Many of these personalized scams also have a very specific common thread. After a bit of conversation, the scammer will request that you purchase gift cards for common services such as iTunes, Google Play, or Amazon. No, your boss does not urgently require you to purchase gift cards out of pocket.

Also, beware of solicitations coming to your FDU email address from businesses offering deals or asking you to click on a banner to receive a promotion. Make sure that the email is coming from the domain of the company offering the sale or promotion.
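The red flags described in this section, written as a small heuristic checker and run over constructed sample messages. This is an added example, not FDU's mail filtering or reporting tool; the flag names, the rules' exact wording, and the sample addresses and hosts are assumptions made for illustration.

```python
"""Heuristic red-flag checker for the phishing traits described above.
Added illustration only: rules, flag names and sample messages are constructed."""
import re
from email import message_from_string, policy
from email.utils import parseaddr

ORG_DOMAIN = "fdu.edu"  # mail domain named on the page
ORG_NAME = re.compile(r"\bfdu\b|fairleigh dickinson", re.I)
URGENCY = (  # the two phrases quoted on the page
    "immediate action required",
    "immediate suspension of your account",
)
URL_HOST = re.compile(r"https?://([^/\s:?#]+)", re.I)


def _in_domain(host, domain):
    """True if host is the domain itself or one of its subdomains."""
    return host == domain or host.endswith("." + domain)


def red_flags(raw, org_domain=ORG_DOMAIN):
    """Return the list of red flags found in one raw RFC 5322 message."""
    msg = message_from_string(raw, policy=policy.default)
    subject = str(msg["Subject"] or "").strip()
    display, addr = parseaddr(str(msg["From"] or ""))
    sender_domain = addr.rpartition("@")[2].lower()
    part = msg.get_body(preferencelist=("plain",))
    body = part.get_content() if part is not None else ""
    text = f"{subject}\n{body}".lower()

    flags = []
    if "[external]" in subject.lower():
        flags.append("external_tag")  # came from outside the org domain
    if not subject:
        flags.append("blank_subject")
    if any(phrase in text for phrase in URGENCY):
        flags.append("urgency")
    if "gift card" in text:
        flags.append("gift_card_request")
    if "social security number" in text:
        flags.append("asks_for_personal_info")
    # Sender presents as the organization but does not write from its domain.
    claims_org = bool(ORG_NAME.search(f"{display}\n{body}"))
    if claims_org and not _in_domain(sender_domain, org_domain):
        flags.append("org_claim_from_external_sender")
    # A link whose host is not the sender's own domain (heuristic: legitimate
    # mail can also link elsewhere, so this is a prompt to look, not a verdict).
    hosts = {h.lower() for h in URL_HOST.findall(body)}
    if any(not _in_domain(h, sender_domain) for h in hosts):
        flags.append("link_host_differs_from_sender")
    return flags


# Constructed sample messages (not real mail).
PHISH = (
    'From: "Department Chair" <chair.office@gmail.com>\n'
    "Subject: [External] Immediate action required\n"
    "\n"
    "Are you available? I need you to purchase Amazon gift cards today\n"
    "and send me the codes.\n"
    "\n"
    "Department Chair\n"
    "Fairleigh Dickinson University\n"
)
BENIGN = (
    'From: "A Colleague" <colleague@fdu.edu>\n'
    "Subject: Meeting notes\n"
    "\n"
    "Notes from Tuesday are in the shared folder.\n"
)
PROMO = (
    'From: "Campus Deals" <deals@shop.example>\n'
    "Subject:\n"
    "\n"
    "Log in to claim your promotion: http://login.promo-example.test/claim\n"
)

if __name__ == "__main__":
    for name, raw in (("PHISH", PHISH), ("BENIGN", BENIGN), ("PROMO", PROMO)):
        print(name, red_flags(raw))
```

A message with no flags is not thereby safe; the checker only mirrors the traits listed above and is no substitute for reporting a suspicious message.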

What does a phishing scam look like?

Now that you know what to look for, let’s look at a sample phishing attempt:

Reporting a Phishing Scam

You can use your newfound expertise to assist the FDU community. When you see a message that you believe to be a phishing scam, please report it to us. In Outlook, this can be done with our reporting tool. Please see Reporting Phishing or Junk Emails for more information. If you are using an alternative mail client such as Apple Mail, you can forward the suspected scam to phishing@fdu.edu.

How should I proceed if I have already replied to a Phishing Scam?

Please change any passwords that you have provided to the scammer. Once this is completed, please contact the Fairleigh Dickinson University Technical Assistance Center (UTAC) for further instructions.


Student Technology Resources


Fairleigh Dickinson University provides an extensive array of technological resources and services tailored for our students. This guide is designed to assist students in navigating and utilizing these tools effectively, ensuring they can easily set up, access, and manage their accounts, while also offering comprehensive information on each service.

ID and Email

FDU NetID

Your FDU NetID verifies who you are and ensures the privacy of your personal information. Your FDU NetID and your NetID password will provide access to a variety of IT resources including your Self-Service, WebCampus, Office365, and Email.

To obtain your NetID, follow the guide below:

Changing your FDU NetID Password

To protect the University and our Students from cyber attacks and other malicious activity, we require everyone in our community to periodically change their password.

To change your password, follow the guide below:

DUO Multi-factor Authentication

To successfully use your NetID to access your accounts, you will need Two-Factor Authentication with Cisco DUO MFA.

Two-factor authentication adds a second layer of security to your FDU NetID. It requires two factors to verify identity. These factors include something you know – your FDU NetID and password, and something you have – a phone or passcode, to authenticate and gain access to your account on FDU services. Passwords alone no longer provide adequate protection against cyber hacking. DUO is required for all current FDU students.

To set up your mobile device with DUO MFA, follow the guide below:

Additionally, refer to our FAQ for commonly asked questions about DUO:

Email and Office 365

Students can access their emails through any Web browser using their NetID and password to log in. To access our email, visit the Office 365 Portal:

Office 365 Portal

Students can also access their FDU Email accounts on their mobile devices by installing the Outlook app. For instructions on setting up your FDU Email account in the Outlook app, follow the guide below:

Current students who are registered for classes for the current term or a future term have access to Microsoft Office 365 Suite applications. For more information, visit the links below:


Academic Systems

Webcampus

Webcampus is a course content management system. FDU’s Webcampus is also known as the Blackboard System. On-line courses are taught through this system which also allows for interaction between the student and faculty member as well as on-line class discussions.

To learn more about how to access Webcampus, review the guide below:

Self-Service

Self-Service is an interactive web application that enables students to view their individual information contained in FDU’s Student Information System. Students can use Self-Service to do things like view their financial aid, pay their bills, and register for classes.

Review the Tutorial below to learn how to use Self Service:


Connectivity

Connecting to the FDU Wireless Network

Using your FDU NetID, you can connect to the FDU Wireless Network. For instructions, view the links below:


Security

Security Resources

Understanding and implementing cybersecurity measures is crucial for protecting your personal and institutional information. This section provides essential resources to help you navigate the landscape of cyber threats.

Stay safe online by reviewing the articles below:


Software

Available Software for FDU Students

Fairleigh Dickinson University has both licensed and open-source software that is offered for academic and/or personal use for students. The links below point to commonly used software, both licensed and open source, that is offered for academic and/or personal use to all Fairleigh Dickinson University faculty, staff and students.


In our digital learning environment, mastering online tools is essential for academic success. These resources are designed to guide you through the process of engaging in classes virtually via Zoom and accessing your files on OneDrive.


Printing and Labs

Computer Labs and Printing

Computing Services has multiple computer labs available on both New Jersey Campuses for classroom instruction and student use.

Virtual Labs

FDU also provides remote access to many of the software applications typically found in university computer labs through our platform FDU Anywhere. You can access it with your FDU NetID credentials using the link below:

FDU Anywhere

Review the FDU Anywhere Tutorial below to learn how to use our virtual labs:


For any IT related questions and support, contact our Fairleigh Dickinson University Technical Assistance Center (UTAC):

SAMI Support


Vendor Security Assessment


This Vendor Cybersecurity Assessment Form is designed to evaluate and assure the strength and comprehensiveness of the cybersecurity practices followed by our vendors. By completing this form, the FDU Point of Contact will help us to understand the existing cybersecurity measures better, identify potential areas of vulnerability, and maintain a reliable, secure network within our FDU ecosystem. This rigorous assessment is crucial in our broader cybersecurity strategy, minimizing risks and fortifying data security.

Warning

The form below is not compatible with dark mode. For an optimal experience, disable dark mode either in your device’s system settings or directly from the FDU IT website.


Written Information Security Program


All employees of Fairleigh Dickinson University are responsible for conducting business in a safe and secure way. Select employees may be required to view Personal Information (PI) and Personal Health Information (PHI) as part of their daily responsibilities, while others may handle sensitive information of another nature. All employees receive correspondence from outside the University. Ensuring that our community remains safe and diligent in the face of today’s cyber landscape is vital. The policy below will provide a baseline understanding of the data security protocols in place and the expectations on FDU employees to uphold them.

Note

All Employees are required to take a short self-directed training course once every two years to ensure that this information remains top of mind. Newly hired employees must take the training course within the first 30 days of employment. Employees not in compliance with this policy may be denied access to FDU systems and requests for IT services. If your supervisor directs you to take the training course or if you would like to see when you most recently completed the training, please visit www.training.fdu.edu.

Effective Date: 05/28/2024
Last Revision: 12/01/2022
Last Review: 05/13/2024

I. OBJECTIVE

The objective of Fairleigh Dickinson University (“University”) in the development and implementation of this comprehensive Written Information Security Program (“WISP”) is to create effective administrative, technical and physical safeguards for the protection of Personal Information (“PI”) and Protected Health Information (“PHI”). The WISP sets forth the University’s procedure for evaluating its electronic and physical methods of accessing, collecting, storing, using, transmitting, and protecting PI and PHI.

For purposes of this WISP, PI means:

  1. User name, email address, or any other account holder identifying information, in combination with any password or security question and answer that would permit access to an online account.
  2. Biometric data that can uniquely identify a person based on their physical, behavioral, or physiological characteristics. These characteristics can include:
    1. Fingerprints
    2. Palmprints
    3. Voiceprints
    4. Facial, retinal, or iris measurements
    5. Handwriting and signature
    6. Facial geometry (the shape of a person’s face)
  3. Someone’s name and any one of the following data elements:
    1. Social Security number, Social Insurance number, National Insurance number, or equivalent;
    2. Date of birth (MM/DD/YYYY),
    3. Driver’s license number, state-issued identification card number, or provincially-issued identification card number;
    4. Financial account number, or credit or debit card number, with or without any required security code, access code, personal identification number or password, that would permit access to an individual’s financial account;
    5. Passport number;
    6. Medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional or health insurance information; or
    7. Student/Employee (i.e., Datatel) ID number coupled with a password or security question and answer or any portion of any item in the list above that would permit access to an online account.

For purposes of this WISP, PHI includes information that is created, received, and/or maintained by the University that is related to an individual’s health care (or payment related to health care) that directly or indirectly identifies the individual.

PI or PHI shall not include information that is lawfully obtained from publicly available information, or from federal, state, provincial or local government records lawfully made available to the general public.

Notwithstanding the above and irrespective of whether or not it’s considered PII or PHI, one should always take care and caution to use the minimum data elements necessary to perform the business function at hand.

All University employees except those listed under section IX must complete online or in-person WISP training and test with a passing score of at least 80% every 24 calendar months.

II. PURPOSE

The purpose of the WISP is to better:

  1. Ensure the security and confidentiality of PI and PHI;
  2. Protect against any anticipated threats or hazards to the security or integrity of such information; and
  3. Protect against unauthorized access to or use of such information in a manner that creates a substantial risk of identity theft or fraud.

III. SCOPE

In formulating and implementing this WISP, the University has addressed and incorporated the following protocols:

  1. identified reasonably foreseeable internal and external risks to the security, confidentiality, and/or integrity of any electronic, paper or other records containing PI and PHI;
  2. assessed the likelihood and potential damage of these threats, taking into consideration the sensitivity of the PI and PHI;
  3. evaluated the sufficiency of existing policies, procedures, information systems, and other safeguards in place to control risks;
  4. designed and implemented a WISP that puts safeguards in place to minimize those risks, consistent with the requirements of the regulations in this document; and
  5. implemented regular monitoring of the effectiveness of those safeguards.

IV. DATA SECURITY COORDINATOR

The University has designated the Chief Information Security Officer (CISO), working together with the Chief Information Officer (CIO) and the Data Security Information Response Team (DSIRT), to implement, supervise and maintain the WISP. See Appendix II for contact information for the CISO, CIO and DSIRT. Together, they will be responsible for:

  1. Initial implementation of the WISP;
  2. Regular testing of the WISP’s safeguards;
  3. Evaluating the ability of each of the University’s third party service providers to implement and maintain appropriate security measures for the PI and PHI to which the University has permitted them access, consistent with the regulations outlined in this document; and requiring such third party service providers by contract to implement and maintain appropriate security measures;
  4. Reviewing the scope of the security measures in the WISP at appropriate intervals, including the review of any material change in the University’s business practices that may implicate the security or integrity of records containing PI and PHI; and
  5. Conducting in-person or online, synchronous or asynchronous, training sessions for all University employees, and independent contractors, including temporary and contract employees on the elements of the WISP. All attendees at such training sessions are required to certify their attendance at the training, and their familiarity with University requirements for ensuring the protection of PI and PHI.

V. INTERNAL RISKS

To combat internal risks to the security, confidentiality, and/or integrity of any electronic, paper or other records containing PI and PHI, and evaluating and improving, where necessary, the effectiveness of the current safeguards for limiting such risks, the following measures are mandatory and effective immediately:

Internal Threats

  1. The University shall only collect PI and PHI of students, their parents, alumni, donors, suppliers, vendors, independent contractors or employees that is necessary to accomplish the University’s legitimate need to access said records, and for a legitimate job-related purpose, or necessary for University to comply with state, provincial, or federal regulations.
  2. Access to records containing PI and PHI shall be limited to those persons who are reasonably required to know such information in order to accomplish a University legitimate business purpose or to enable the University to comply with state, provincial or federal regulations.
  3. All persons who fail to comply with this WISP shall be subject to disciplinary measures, up to and including termination, irrespective of whether PI and PHI was actually accessed or used without authorization. Any such discipline shall be in accordance with processes and procedures of Human Resources and subject to any protections afforded under the University’s agreement with “Office & Professional Employees International Union”, the “Faculty Handbook”, and similar documents.
  4. Access to PI and PHI shall be restricted to authorized University personnel only.
  5. Any PI and PHI stored shall be disposed of when no longer needed for business purposes or required by law for storage. Paper or electronic records (including records stored on hard drives or other electronic media) containing PI and PHI shall be disposed of only in a manner that complies with the regulations outlined in this document and as follows:
    1. Paper documents containing PI and PHI shall be shredded upon disposal so that PI and PHI cannot be practicably read or reconstructed; and
    2. Electronic media and other non-paper media containing PI and PHI shall be destroyed or erased upon disposal so that PI and PHI cannot be practicably read or reconstructed.
  6. A copy of this WISP must be distributed to each current University employee and to each new University employee at the commencement of their employment.
  7. Procedures for Terminated Employees (whether voluntary or involuntary)
    1. Terminated employees must return all records containing PI and PHI, in any form that may at the time of such termination be in the former employee’s possession (including all such information stored on laptops or other portable devices or media, and in files, records, work papers, etc.)
    2. A terminated employee’s physical and electronic access to PI and PHI must be immediately blocked. Such terminated employee shall be required to surrender all keys, IDs or access codes or badges, business cards, and the like, that permit access to the firm’s premises or information. Moreover, such terminated employee’s remote electronic access to personal information must be disabled.
  8. Physical Assets Protocol
    1. All assets must be secured from theft by locking up and maintaining a secure workplace, whether that work takes place in University stores, offices, at a client site, in a car, hotel or in a home.
      1. All University laptops shall be deployed with encryption capabilities enabled. End users may not disable such encryption. Exceptions to this policy are as follows:
        1. With the explicit written authorization of the CISO;
        2. May be disabled by OIRT personnel for temporary maintenance purposes only;
        3. Loaner laptops temporarily assigned with the understanding they will not be used to store or access any information that is considered to be protected under this policy.
      2. All laptops should be placed in the trunk of the vehicle when and wherever they are parked. If no secure trunk or other storage is available, employees should, whenever possible, keep their laptops in their possession or find a way to secure and conceal them.
      3. Laptops, PDAs, phones and other portable devices that may contain or have access to PI and/or PHI left in the office or at home overnight should be kept in a locked and secure location.
      4. Employees must have assets secured or within their physical possession while on public or private transportation, including air travel.
      5. Files containing PI and/or PHI are not to be stored on local computer hard drives, shared drives or other external media (which include externally hosted services such as, but not limited to, OneDrive, Google, and Dropbox) without prior written authorization from the CISO. If approved, the method of storage and access to the data will be determined by the CISO during the discussion and placed in writing. (See Appendix I for more detail).
  9. Access Control Protocol
    1. Access to electronically stored PI and PHI shall be electronically limited to those University employees having a unique log-in ID.
    2. Employees must ensure that all computer systems under their control are locked when leaving their respective workspaces. Employees must not disable any logon access.
    3. Employees must log off of the VPN or Virtual Desktop (VDI) when they are not directly using those resources.
    4. All Ellucian (Datatel) sessions that have been inactive for 60 or more minutes shall require re-log-in.
    5. After 5 unsuccessful log-in attempts by any Ellucian (Datatel) or MS Active Directory NetID, that user ID will be blocked from accessing those systems until access privileges are re-established by University Systems and Networking.
    6. Employees must maintain the confidentiality of passwords and access controls:
      1. All Ellucian (Datatel) or MS Active Directory NetID passwords are required to adhere to strong password rules.
      2. All Ellucian (Datatel) or MS Active Directory NetID passwords are required to be changed every 3 months.
      3. Employees must not share accounts or passwords with anyone.
      4. Employees should not record passwords on paper or in a document or in a place where someone other than the employee might have access to it. Tip: The University has identified a password vault application (KeePass, Dashlane or LastPass); those interested should open a ticket with the UTAC requesting assistance on setting it up.
    7. Where practical, all external or internal visitors to a department are restricted from areas where files containing PI and PHI are stored. Alternatively, visitors must be escorted or accompanied by an approved employee in any area where files containing PI and PHI are stored.
  10. Educational Records
    1. The Family Educational Rights and Privacy Act (FERPA) of 1974 prohibits educational institutions from disclosing education records without the written consent of an eligible student.
    2. Limited exceptions to non-disclosure include directory information and specific school officials with a legitimate educational interest.
    3. The transmission of education records covered under FERPA must follow the same PI/PHI guidelines as depicted in Appendix I of this policy.

VI. EXTERNAL RISKS

To combat external risks to the security, confidentiality, and/or integrity of any electronic, paper or other records containing PI and PHI, and evaluating and improving, where necessary, the effectiveness of the current safeguards for limiting such risks, the following measures are mandatory and effective immediately:

External Threats

  1. Firewall protection, operating system security patches, and all software products shall be reasonably up-to-date and installed on any computer that stores or processes PI and PHI.
  2. All system security software, including anti-virus, anti-malware, and internet security, shall be reasonably up-to-date and installed on any computer that stores or processes PI and PHI.
  3. To protect against external threats, all PI and PHI shall be handled in accordance with the protocols set forth above under “Internal Threats”.
  4. In the event an individual inadvertently discovers he/she received PI or PHI from an external party, such PI or PHI shall be handled in accordance with the protocols set forth under “Internal Threats”.
  5. There shall be secure user authentication protocols in place that:
    1. Control user ID and other identifiers;
    2. Assign passwords in a manner that conforms to accepted security standards, or apply the use of unique identifier technologies;
    3. Control passwords to ensure that password information is secure.
  6. PI and PHI shall not be removed from the business premises in electronic or written form absent a legitimate business need and use of reasonable security measures, as described in this WISP.
    1. PI and/or PHI that MUST be transmitted in electronic form shall not be sent without encryption.
    2. PI and/or PHI in paper form must be secured.
  7. All computer systems shall be monitored for unauthorized use or access to PI and PHI.

VII. IN CASE OF LOSS/THEFT OR SUSPECTED LOSS/THEFT

If you have reason to believe that any PI or PHI has been lost or stolen or may have been compromised or there is the potential for identity theft, regardless of the media or method, you must report the incident immediately by contacting the Fairleigh Dickinson University Technical Assistance Center (UTAC) at (973)-443-8822. The UTAC is available 24 x 7.

VIII. OTHER APPLICABLE POLICIES

Data Security Information Response Plan (September 15, 2019, not published on Web)

IX. EXCEPTIONS

The following groups are exempt from taking the mandated bi-annual WISP training as described in section I of this policy:

  1. Those currently not employed by the University but who are granted NetIDs with only email access (no other access to FDU IT resources or services).
  2. Retired full-time faculty not employed by the University but who are granted email access for life as a retired tenured full-time faculty member.
  3. Retired full-time executive emeritus not employed by the University but granted email access for life as a retired full-time executive emeriti.

Requests for other exceptions to this policy should be directed in writing to the Chief Information Security Officer. Only the Chief Information Security Officer in consultation with the DSIRT may grant such exceptions and will do so only after careful review and in writing.

X. REVIEW

This policy shall be reviewed annually by the Data Security Incident Response Team (DSIRT) at the first meeting in April.

Appendix I

Technical requirements for the storage of files containing PI or PHI regardless of where the storage occurs will include but not be limited to the following:

  1. All file(s) should be secured with AES 256-bit encryption unless actively open for review or modification.
  2. It is the responsibility of the person handling the PI or PHI file to securely delete any files created as a product of the manipulation of those files. As an example, temporary files created by Microsoft Office programs or any other programs would need to be securely deleted as well as the clear text versions of the original file after the encrypted version is properly created and verified.
  3. Programs used for Encryption/Decryption and secure file deletion must be approved by the CISO including the methods in which they are to be used.
  4. If the complete or partial PI or PHI containing file(s) are inadvertently written to a local hard drive, it is the user’s responsibility to diligently make sure the contents are securely deleted.

Appendix II

DATA SECURITY INCIDENT RESPONSE TEAM (ROLES AND RESPONSIBILITIES)

The Data Security Incident Response Team membership includes the Chief Operating Officer, the Chief Information Officer, the Chief Information Security Officer, the Chief Academic Officer, the University General Counsel and the University Risk Manager. Each member of the Data Security Incident Response Team (DSIRT) has responsibilities related to the security of all the organization’s sensitive information. The DSIRT members listed below have specific responsibilities with regard to the reporting and handling of data security incidents. Note that one person may serve in multiple roles.

Senior Vice President and Chief Financial Officer: Frank Barra
Daytime telephones: office: (201)-692-2237; Email: fbarra@fdu.edu

Chief Information Officer (CIO): Neal Sturm
Daytime telephones: office: (201)-692-8689; Email: sturm@fdu.edu

Chief Information Security Officer (CISO): Kimberley Dawn Dunkerley
Daytime telephones: office: (201)-692-7672; Email: ddunkerley@fdu.edu

Privacy Officer: Kimberley Dawn Dunkerley
Daytime telephones: office: (201)-692-7672; Email: ddunkerley@fdu.edu

Senior Vice President and University Provost: Benjamin Rifkin
Daytime telephones: Office: (201)-692-7093; Email: brifkin@fdu.edu

Office of the General Counsel: Steve Nelson
Daytime telephones: office: (201)-692-2466; Email: snelson@fdu.edu

University Risk Manager: Gail Lemaire
Daytime telephones: office: (201)-692-7083; Email: lemaire@fdu.edu

Vancouver Campus Executive: Wilfred Zebre
Daytime telephone: office: (604)-648-4462; Email: wilfred_zerbe@fdu.edu

Associate Vice President for MIS: Saul Kleinman
Daytime telephone: Office: (201)-692-2065; Email: saul@fdu.edu

