FGB Security Tips: The Basics

The following are simple, but good security practices. They should be applied regardless of whether or not your research data are sensitive.

Make use of VU-approved storage solutions

Don’t store your research data on free cloud solutions such as Google Drive or DropBox.
Make sure your storage solution is appropriate for the security risks posed by your data. Use this guide on VU storage options to help you.

Storage on portable media must be temporary & storage on local hard drives should be properly managed

Portable media should only be used temporarily, e.g. for physically transporting data. Use this guide for further information on how to protect your data during transport.
VU-approved storage solutions have automatic back-ups to prevent data loss; if you only use portable media or your computer’s local hard drive for storage you will need to back-up everything manually.
Keep track of where on your local hard drive you are saving research data. Oftentimes, local data storage cannot be entirely avoided, for example, when using the sync client for Research Drive or Cyberduck for YODA. Make sure you know which folder directory the data have been stored in so that when you no longer need these data on your computer’s hard drive, you can fully delete all of the data.

Be careful with digital data transfers

Make sure to consider the security risks posed by your data prior to any digital transfers. Use this guide on digital data transfer to help you.

Use laptops & desktop computers in a secure manner

Enable full disk encryption on your computer. This is to prevent unauthorized access to any data on your hard drive.
Always require a strong password to login to your computer and update this regularly.
Update your computer regularly.
Always lock your screen when you are not using your computer.
When working onsite at the VU campus, keep your laptop secured to your desk and store it in a locked cabinet when you are done for the day. When offsite, don’t leave your laptop unattended.
Remove all data stored locally on your laptop before travelling with it internationally. Contact the IT Service Desk for further advice if you need to travel abroad with your laptop.

Be smart with your internet usage

Avoid the use of public Wi-Fi. If you absolutely need to use it, activate eduVPN while connected and then remove this guest network after use.
MacBook users should turn on the Firewall (via System Preferences > Security & Privacy). The Firewall is already active for Windows users.
Avoid accessing your data while travelling abroad and never use public workstations such as internet cafes to access research data. Contact the IT Service Desk for further advice if you need to access your research data from abroad.
Don’t open links found in suspicious e-mails. You can forward any suspicious e-mails as an attachment to the IT Service Desk’s contact form so that they can update their security protocols; afterwards you should delete the e-mail immediately.
Make sure your computer has an active virus scanner running on it and keep it up-to-date.

Always use strong passwords and, where possible, multi-factor authentication

Use strong passwords. This page from the University of Edinburgh provides several good tips on passwords.
- Make your passwords long (15 characters or more) and include capital and lower-case letters, as well as numbers and special characters. To help with remembering passwords, use passphrases rather than one long word and replace some of the letters in the phrase with numbers or special characters.
- More and more services at the VU are accessed via SURFconnext which uses your VUnet password. Change this password on a regular basis and never share it with anyone.
Have a plan for managing passwords. This is especially important when several people need to know these passwords, as well as to prevent loss of access to the data when a staff member stops working at VU Amsterdam.
- Consider using a password manager that runs offline, such as KeePassXC.
Whenever possible, activate multi-factor authentication (MFA). MFA must be active whenever you are working with higher-risk data (“red”, “orange”, or “yellow” data) data.

Remove data from devices when no longer required

When you are returning devices borrowed from TO3 or returning a VU workstation at the end of your employment, make sure to completely wipe all of the data files from the hard drive. You can permanently delete everything on the hard drive using tools like KillDisk.
If your computer is still in use, you sometimes need to delete files, but you don’t want to wipe the entire hard drive. If your computer has an SSD hard drive (most modern computers have this), you can simply delete the files as you normally would. No special apps are necessary. Make sure to empty the trash folder!
- If your computer does not have an SSD (instructions to check this are found here) or your computer is running a Windows version earlier than 10, contact the IT Service Desk for advice on securely deleting individual data files from your hard drive.

Report data breaches immediately

Even if a data breach (a.k.a. “data leak” or “datalek” in Dutch) is merely suspected, you must report the event to the IT Service Desk as soon as you become aware of the situation. The issue will be reviewed by experts who can assess the seriousness of the situation and determine what actions need to be taken.
- Also inform the faculty’s Research and Policy Support team of the (suspected) data breach via research.data.fgb@vu.nl. Set the e-mail to high priority and include “data breach” or “datalek” in the subject heading.

In-depth security guides

Support

The IT Service Desk has answers to the most frequently asked questions. If the answer to your question is not there, you can contact IT directly via the contact form.
The RDM Support Desk can be contacted for complex security questions related to your research data.