Stay Informed

Generative AI Guidelines for Institutional Use

Generative AI is a type of artificial intelligence capable of generating text, images, videos, or other data using generative models, often in response to prompts. Generative AI models learn the patterns and structure of their training data and then generate new data with similar characteristics.

As the use of Generative AI (GenAI) continues to evolve at Algonquin College, it is increasingly applied across various areas of the institution. While GenAI offers significant potential benefits, it also introduces notable risks. In response to these developments, the College Technologies Committee (CTC) has approved the creation of specific guidelines for the institutional use of GenAI tools. These guidelines are designed to align with approaches taken by multiple higher education institutions in Canada and the United States, as well as with the risks identified by the Canadian Centre for Cyber Security.

The primary aim of the Generative AI guidelines for Institutional Use is to ensure the legal, ethical, and secure use of GenAI technology within the College. By outlining best practices for using and developing GenAI models and applications for business purposes, these guidelines aim to foster a safe and informed approach to GenAI usage. Specific guidelines for educational and academic purposes will be developed and published separately.

As GenAI technologies and their applications continue to evolve, these guidelines will be updated to reflect new insights and best practices, helping to raise awareness and enable the safe integration of GenAI within the College.

The Generative AI Guidelines for Institutional Use are accessible via this link: AC Generative AI Guidelines for Institutional_Use

The list of College approved Generative AI tools is accessible via this link: College Approved Generative AI Tools

Zoom Privacy and Security Guidelines

What is Zoom Bombing?

Zoom bombing is the intrusion of unwanted, disruptive participants into a video conference call. In a typical Zoom bombing incident, a teleconferencing session is hijacked by participants engaging in behaviour that is lewd, obscene, racist, homophobic, offensive or otherwise inappropriate, typically forcing the session to be shut down. This may include, but is not limited to, disrespectful gestures or body language, insults, the display or sharing of offensive audio or visual material, and inappropriate communication via chat, including the sharing of malicious links or files.

Your Zoom meetings may be wide open to Zoom bombing if you don’t know how to set the host controls properly.

Review the following documents to learn how to stop bad actors and respect the privacy of meeting participants to keep your video calls on track.

Privacy and Security Guidelines for Staff

This document outlines the security and privacy safeguards that Algonquin College staff must implement when using Zoom for meetings with other colleagues or third party participants (e.g. vendors). Faculty should use the Zoom Security and Privacy Guidelines for Faculty when conducting online classes with learners.

ZOOM Security and Privacy Guidelines for Staff

Privacy and Security Guidelines for Faculty

This document outlines the security and privacy safeguards that Faculty must implement when using Zoom for conducting online classes with learners.

ZOOM Security and Privacy Guidelines for Faculty

Privacy and Security Guidelines for Employees using Zoom for Hosting Events Open to the Public

This document outlines the security and privacy safeguards that Algonquin College faculty and staff must implement to prevent and respond to Zoom bombing when using Zoom meetings to conduct events open to the public.

Events open to the public involving a large audience are the preferred target of Zoom bombers. Where feasible and appropriate, these events should be conducted in a webinar format. If you plan to hold these events in a meeting format, follow this guide.

ZOOM Security and Privacy Guidelines for Events Open to the Public

Cloud Storage Security


Cloud storage is a cost-efficient method of storing data on remote servers that can be easily accessed on the Internet from anywhere. Information is not stored locally, so hardware losses or failures do not result in information loss. Cloud storage is growing rapidly and being implemented in personal and corporate environments, providing many benefits in both areas. However, such rapid growth and usage can lead to complications in privacy and security.

At Algonquin College, employees are granted access to public, internal, and sensitive information. Employees may work from an office, from home, or from other locations, using different computers from time to time. Cloud storage has therefore become an excellent business solution to meet employees' changing needs.

However, an employee who is unfamiliar with the storage solutions offered by the College may be inclined to use a personal cloud storage account, such as Dropbox, Box, or Google Drive. When employees use a non-approved cloud storage solution, the College loses central administrator access to that corporate information (it cannot, for example, retrieve or revoke the data when the employee leaves), and it loses control over the security policies that dictate how the information is protected. For example, employees will use their own Dropbox passwords, which may not meet the College's IT05 security policy for password complexity or periodic replacement, lowering the level of security afforded to the information. The use of non-approved cloud storage solutions also needlessly creates additional costs.

Please make sure you are using the ITS-approved cloud storage, OneDrive. Many businesses, including Algonquin College, use Microsoft OneDrive for Business, an approved and centrally paid-for cloud storage solution.

You can find information regarding storing sensitive information at https://www.algonquincollege.com/infosec/faculty-staff/policies-and-practices/directives/

This page includes a list of policies that contain detailed information about the legislation and policies that apply to the protection and safe storage of sensitive information within internal databases.

Please familiarize yourself with it. Help Algonquin College better secure its corporate information.

Information Security is everybody’s business.

Data Security


The first step to protecting sensitive information from unauthorized access is data security: the precautions applied to prevent unwanted access to secure and sensitive information. By following these simple steps, you can make a big impact on privacy and information security, both at home and at Algonquin College.

Keep it Limited – Keep the amount of personal information you put online to a minimum; the more sensitive information you make public, the less secure you are. For example, do not share your social insurance number or your banking information.

Use Strong Passwords – Do not use the same password for every account. Use at least 8 characters, mixing capitals, lowercase letters, numbers and symbols; longer passwords are stronger. Use a password manager such as LastPass.

Keep Software up to Date – Install the latest updates on all computers and mobile devices. Outdated software increases your chances of losing sensitive information to a cyber attack.

Encrypt it – If you have access to sensitive information, make sure it is encrypted; this adds protection when transferring files through email, USB, etc.

Do not share – Do not share your passwords with anyone and only grant access to sensitive information if necessary.

Install antivirus protection – Antivirus and anti-malware software are essential for online security; they help keep malware off your devices and your data secure. Use anti-malware software such as Malwarebytes.

Backup regularly – Creating regular backups to an external hard drive or in the cloud is an easy way to ensure that your data is stored safely.

Following the above tips will help ensure your personal and sensitive data will stay secure, and please remember…

Information Security is everybody’s business

Laptop Protection


Did you know that a laptop is stolen every 53 seconds? Theft initially targets the hardware, but it is now very common for the data found on stolen laptops to be uploaded and sold online.

We’ve witnessed an increase in missing or stolen laptops, tablets, mobile phones, and portable media drives – both on and off campus.

Thieves know that people will forget to protect their valuable assets for a fleeting moment, leaving them clearly unprotected and visible in cars, on counters and in carts.

It only takes 5 seconds for a thief to steal your laptop!

Please be careful and protect these assets and the valuable information stored within. As an employee or student, you have a responsibility to follow College security policies, including IT01 and IT05. See the various security tip sheets on how you can protect assets here: https://www.algonquincollege.com/infosec/faculty-staff/resources/tip-sheets

Use a strong password/pin, use encryption, and don’t store sensitive information that you don’t have to. Above all, use common sense.

The Darker Side of Social Media

There is no argument that social media has helped individuals, businesses, and causes reach exponential heights in publicity and profits in record time. Through micro-storytelling, social media has brought together people of all backgrounds and origins and built many valuable friendships and relationships around a common interest or belief. But there is also no argument that social media has brought some people and businesses to depths they could never have anticipated. Businesses are not spending enough time researching the security implications of social media and then training their staff on how to prevent compromises. This article takes you through a couple of things you should know, particularly how social media has tricked you into thinking that a little sharing is harmless.

‘Twenty Things You Don’t Know About Me’

Many users have received private messages from their Facebook friends who have just created this list, titled ‘Twenty Things You Don’t Know About Me’. Users are invited to read it, create one for themselves, and notify others – similar to a chain letter. The list consisted of some seemingly inconsequential questions like:

What was my most embarrassing moment? Have I ever played hooky? What was the name of my first elementary school? What was my favorite pet’s name?

The first two are moments we can all relate to when we need to express a little humility, but the last two seem a tad familiar, don't they? Perhaps you used these very questions when setting up your security verification for online banking. By providing these kinds of details, although you appear to be sharing them only with friends, you may actually be providing an easy channel for identity theft. If you feel you must take part in something like this, first stop and think about whether, and how, you have answered these types of questions in another online space (e.g. online banking), and second, refrain from using the same or a similar answer.

Sharing Your Photos and Videos

Photos and videos can give away a lot of information about your identity. If you are posting an image of someone else, be aware of how you may be compromising their privacy. Never post a video or photo of anyone without getting their consent first.

Photos and videos can also reveal a lot of information unintentionally. Many cameras embed hidden data (metadata tags) that reveal the date, time and location of the photo, the camera type, etc. Photo and video sharing sites may publish this information when you upload content, so strip the metadata before uploading, or confirm that the site removes it.

Revealing Your Location

Most social networking sites will display your location if that data is available. This function is generally provided when you use a GPS-enabled phone to interact with a social network, but don’t assume that it’s not possible if you aren’t connecting from a mobile. The network your computer is connected to may also provide location data. The way to be safest about it is to double-check your settings.

Be particularly mindful of location settings on photo and video sharing sites. Hackers and cyber criminals can use your photos, location, and contact information to break into your home. For instance, if you just posted a photo of yourself at a location other than your home, and you have other photos posted of the great new devices or equipment you just bought yourself, this could be incentive enough for cyber criminals to take things a step further. Don’t reveal too much about your whereabouts, belongings, or your identity.

Data Privacy Day and Month

“Data Privacy Day” – held 28 January every year – is a fast-growing international event that aims to help people understand their privacy rights, protect their personal privacy and identity, and control their digital footprints. It marks the beginning of “Data Privacy Month” (February), during which privacy-related events are held all over the world. The event began in North America in 2008 as an extension of the Data Protection Day celebration in Europe.

Data Privacy Day is held every Jan. 28 right across the world, to bring awareness about the importance of protecting personal information, sometimes called personally identifiable information (PII). By learning and practicing some simple tips on how to do so, it helps build our culture of respecting privacy, safeguarding information and enabling digital trust.

Tips

  • Personal Data of learners and employees is entrusted to us. Respect it. Protect it. – Do not collect more personal data than needed. Take every opportunity to de-personalize or “de-identify” data sets whenever you can. When sending sensitive information, make sure that you use correct email addresses. Securely dispose of sensitive information when it is no longer required. Turn in broken or no longer needed hard drives to the ITS Cyber Security Unit for secure destruction.
  • Use Strong Passwords – Do not use the same password for every account. Use at least 8 characters, mixing capitals, lowercase letters, numbers and symbols; longer passwords are stronger. Use a password manager such as LastPass.
  • Keep Software up to Date – Make sure to install the latest software on all computers and mobile devices.
  • At Home Protection – Follow the same guidelines at home, where personal information can easily be compromised as well. Refrain from sharing personal information online or with others, and keep sensitive College information out of reach of others.
  • Immediately Report Security Incidents and Data Breaches – Report to the Cyber Security Unit at infosec@algonquincollege.com

Resources

Risks of File Sharing
Protect Yourself
How to Encrypt an Excel File
How to Encrypt a Word Document
Learn More

Information Security is everybody’s business.

E-mail Phishing Attacks

The College continues to experience the impact of users clicking on phishing e-mails. Within ten minutes of clicking on the links in the emails, malware is loaded onto your computer, and your computer then “calls out” to hacktivists and criminal organizations. Your computer is then remotely controlled to send thousands of spam messages to others all over the world, using your College email address. As you can imagine, not all recipients are going to be happy about receiving the spam, and some will send back emails to that effect. Imagine the damage this can cause to the College's name and brand. It often takes ITS many hours to clean up your e-mail account before you can have it working normally again.

What is Phishing?
Phishing is the act of a cyber-criminal using false pretenses to acquire usernames and passwords, credit card information, sensitive personal information and electronic money by masquerading as a trustworthy entity in an electronic communication such as email or text message. Phishing communications often contain links to rogue websites that host malicious software, which is then downloaded to your computer to conduct further cyber-attacks on College networks. The impacts of phishing can be very significant and include account and data theft, ransomware, identity theft, loss of money, and system compromise, among others.

What Do They Look Like?
If you receive an unexpected or unusual email, carefully examine it before clicking on an embedded link or downloading an attachment.

Spelling Mistakes and Poor Grammar
Phishing emails often contain obvious spelling mistakes, poor grammar and incorrect email addresses. For example, instead of @algonquincollege.com, you may see something like @a1gonqu!ncollage.com.

A Sense of Urgency or Importance
In most cases, phishing attempts have a sense of urgency or heightened importance. An example could be “Your credit card has been compromised, provide us with your personal information as soon as possible to resolve the issue!” or “Your email account is about to expire – click here to request additional quota”.

Links and Attachments – Caution
Phishing emails often contain an attachment and/or a link. If you were not expecting to receive an email with an attachment, do not open it. If there is a link within the email, hover over it (without clicking) to see the true URL in the status bar or tooltip; on a phone, press and hold the link instead of tapping it. The visible text of a link and the address it actually points to need not be the same.
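The two manual checks above, the real link destination behind the visible text and the look-alike sender domain, can be automated. The following Python script is an added example and is not code from this page or from the College: it parses the HTML body of a constructed sample email, flags links whose visible URL names one host while the href points to another, and flags sender or link domains that imitate the College domain once look-alike characters are undone (the page's @a1gonqu!ncollage.com maps to algonquincollage.com, a single letter away from the real domain). The College domain, the confusable-character table and the sample email body are assumptions made for the example.

```python
import re
from html.parser import HTMLParser

COLLEGE_DOMAIN = "algonquincollege.com"  # the College's real mail domain (from this page)

# Characters that imitate letters. Assumed table for the example; extend as needed.
CONFUSABLES = str.maketrans({"1": "l", "!": "i", "0": "o", "3": "e", "5": "s", "$": "s", "|": "l"})


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def host_of(url: str) -> str:
    """Host part of a URL or bare domain: scheme, path, user:pass@ and :port removed."""
    m = re.match(r"^(?:[a-z][a-z0-9+.-]*://)?([^/?#]+)", url.strip(), re.I)
    if not m:
        return ""
    netloc = m.group(1).rsplit("@", 1)[-1]  # a "trusted-name@" prefix is a common disguise
    return netloc.split(":", 1)[0].lower()


def looks_like_domain(s: str) -> bool:
    """True for text such as www.example.com, false for ordinary link text."""
    return re.fullmatch(r"[^\s/@]+\.[a-z]{2,}", s) is not None


def domain_impersonates(domain: str, legit: str = COLLEGE_DOMAIN) -> bool:
    """True if domain is not the legitimate domain but is built to resemble it."""
    domain = domain.lower()
    if domain == legit or domain.endswith("." + legit):
        return False                  # the real domain or one of its subdomains
    if legit in domain:
        return True                   # e.g. algonquincollege.com.evil.example
    # after undoing look-alike characters, within two edits of the real domain
    return levenshtein(domain.translate(CONFUSABLES), legit) <= 2


def sender_is_suspicious(from_header: str, legit: str = COLLEGE_DOMAIN) -> bool:
    """Check the domain in a From: value such as 'Name <user@host>' or 'user@host'."""
    domain = from_header.rsplit("@", 1)[-1].strip(" >")
    return domain_impersonates(domain, legit)


class LinkCollector(HTMLParser):
    """Collects (href, visible text) for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def find_deceptive_links(html_body: str, legit: str = COLLEGE_DOMAIN):
    """Return (href, reason) for every link whose text or destination is deceptive."""
    collector = LinkCollector()
    collector.feed(html_body)
    findings = []
    for href, text in collector.links:
        real = host_of(href)
        shown = host_of(text) if looks_like_domain(host_of(text)) else ""
        if shown and shown != real:
            findings.append((href, f"text shows {shown} but link goes to {real}"))
        elif domain_impersonates(real, legit):
            findings.append((href, f"{real} imitates {legit}"))
    return findings


# Constructed sample phishing body modelled on the "quota" lure quoted on this page.
SAMPLE_EMAIL = """<p>Your email account is about to expire. Click
<a href="http://a1gonqu!ncollage.com/quota">https://www.algonquincollege.com/quota</a>
to request additional quota. Questions? Visit
<a href="https://www.algonquincollege.com/infosec">our security page</a>.</p>"""

if __name__ == "__main__":
    print(sender_is_suspicious("IT Helpdesk <it-helpdesk@a1gonqu!ncollage.com>"))
    for href, reason in find_deceptive_links(SAMPLE_EMAIL):
        print(f"SUSPICIOUS {href}: {reason}")
```

The edit-distance threshold of two is a judgement call: tight enough that unrelated domains are not flagged, loose enough to catch a swapped or dropped letter after the confusable characters are normalized. A mail gateway would apply the same two checks to every inbound message; the point for a reader is that the visible link text proves nothing, only the href does.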

Think Before You Click!

Ransomware!

Ransomware is a type of malware that prevents access to a system or its data by encrypting it. Once the data is encrypted, the ransomware demands a ransom in exchange for the decryption key that will restore access. The ransom is usually demanded in bitcoin or another cryptocurrency, because such payments are hard to link to a real-world identity, even though the transactions themselves are recorded on a public ledger.

Organizations such as banks, colleges, universities, and hospitals are prime targets for this type of malware. They hold sensitive data and are often willing to pay the ransom under pressure to restore operations as quickly as possible. Paying the ransom is not recommended: it motivates criminals to continue this type of attack and marks your organization as a target for future attacks, among many other issues.

Criminals may never provide a working decryption key, or may demand a further payment in exchange for not leaking the data they took. Ransomware creation and distribution is now offered as a criminal service, meaning that even criminals with little technical knowledge can obtain the malware at low cost for a potentially high reward.

The single best defence against ransomware is regularly updated and tested backups, kept offline or otherwise out of reach of the systems they protect, since ransomware also encrypts or deletes any backups it can access.

Ransomware usually gains its initial foothold through email phishing, which disguises malicious links or attachments as coming from trustworthy sources. Awareness training on the risks of phishing should be provided to all members of an organization, so that they learn to tell safe links and files from malicious ones.

In summary, ransomware is currently one of the most dangerous risks in cyber security, and it is constantly becoming more sophisticated and more easily accessible to criminals. Please raise awareness about ransomware and take the steps necessary to protect yourself and Algonquin College from it.

E-signatures Overview: What You Need to Know!


With today's technology, an electronic signature (e-signature) can be as simple as a typed name or a digital image of a handwritten signature. Uncomplicated on the user's side, and with the benefit of security, an e-signature can have the same legal validity and enforceability as a traditional pen signature.

The terms “electronic signature” and “digital signature” are often confused and used interchangeably, but the distinction matters for the integrity and security of documentation. An electronic signature is any electronic way of indicating consent on a digital document, whereas a digital signature is the cryptographic technology that binds a signer to the exact content of a document and makes any later change detectable.

Out with the old, in with the new…with good reason!

An electronic signature delivers the level of trust and security that a customer wants and needs. Some are hesitant to adopt e-signature technology because they are comfortable with paper signatures, but an e-signature has more security benefits than a traditional pen-on-paper signature. An e-signature carries layers of information about who signed what, when, where, and how, through an audit trail. This protects the integrity of your signatures, whereas paper signatures are vulnerable to forgery: a pen-on-paper signature can be reproduced, and paper documents can be altered after they have been signed.

Levels of security for a variety of users

Authentication, the process of proving and verifying a claimed identity, is what ensures that the signer is who they claim to be. E-signature processes offer multiple levels of identity validation, and therefore different levels of security. The minimum level is a valid email address. Want more security? Further validation can include an SMS code, customized third-party advanced methods, or the strongest option: Public Key Infrastructure (PKI) private key generation, provided by an add-on Entrust software-as-a-service (SaaS). Laws and regulations governing e-signatures include ESIGN, UETA, PIPEDA, the ECA, and the EU Digital Signature Directive.

What about even stronger protection?

A digital signature uses a key pair: a public key and a private key. Public Key Infrastructure (PKI) provides both integrity and non-repudiation, so a signing party cannot deny that they signed. The public key, as the name implies, is shared with every party that handles the document; the private key is never shared. Signing does not encrypt the document with both keys: the signer's software computes a cryptographic hash (a fingerprint) of the document and signs that hash with the private key, and anyone holding the public key can verify the result. Any later change to the document, however small, changes the hash and causes verification to fail, which is what makes a signed document tamper-evident. The only key material exchanged between the client and the server is the certificate containing the client's public key, signed by the certificate authority. In the cloud-based PKI signing scheme, this integrity check is applied to the document and to every signature at each step of the workflow.

Can a signer deny that they signed a document? With PKI-based e-signature that risk is minimized, because a signer's signature is permanently bound to the exact contents of the document at the time of signing. As long as the private key remains personal and secret, the signer cannot credibly claim that they did not sign the document. Process evidence and platform monitoring protect the security of customer data. An audit trail tracks the steps in the signature process in order to verify the signer and the authenticity of the document; this involves application and system logging that provides a digital record of the users who accessed the document.

Legality in Canada

Various governments around the world recognize e-signatures, aiming to build confidence in electronic commerce and the technology underlying it. So, what is the law concerning e-signatures in Canada? The Personal Information Protection and Electronic Documents Act (PIPEDA) sets out the requirements for a secure “electronic signature” in Canada:

  • the electronic signature must be unique to the person using it;
  • the person whose electronic signature is on the document must have control of the use of the technology to attach the signature;
  • the technology must be used to identify the person using the electronic signature;
  • the electronic signature must be linked to an electronic document to determine if the document has been changed after the electronic signature was attached to it.

Algonquin – Increasing E-Signature Use!

Use of Signority (www.signority.com), a SaaS electronic signature service, is growing at Algonquin. As just one use-case example: before e-signature was implemented within the Centre for Continuing and Online Learning (CCOL), academic staff would receive a contract attached to an email, then print, sign, scan and attach it to another email to send it back, or fax or mail it back to the College. This process meant that it took weeks for the College to receive all of its contracts. Since implementing e-signature with Signority, it now takes only several days to send and receive most contracts each school term, and many staff have commented on how much they prefer the new electronic process.

Most departments have a need for routing and signing agreements of one form or another, either internally or externally. It is highly recommended to staff that they try an e-signature pilot to see how it might aid their business area. Licenses are provided by ITS thus there is no software cost to the end department. Check out Signority for yourself and see how easy it is to use!

 

Craig Delmage, CISSP

Senior Manager, Information Security and Data Privacy