
Policies and Good Practices

Authentication

Considering the Resolution of the Council of Ministers no. 41/2018 as a legal reference, passwords should "contain at least 9 characters" and are required to include 3 to 4 of the following sets of characters:

  1. Lowercase letters (a, b, c, ... z);
  2. Uppercase letters (A, B, C, ... Z);
  3. Numbers (0, 1, 2, ... 9);
  4. Special characters (~ ! @ # $ % ^ & * ( ) _ + | ` - = \ { } [ ] : " ; ' < > ? , . /).

In order to ensure the safety of confidential data, the National Cybersecurity Centre suggests:

  • Keeping passwords confidential
  • Memorising passwords and not writing them on visible papers or places
  • Changing passwords frequently, even if it is not required by the system
  • Using encryption (ciphers) to store passwords
  • Not using the same passwords in both professional and personal systems
  • Using passwords which are easy to memorise

To create a safe password, think of a sentence that is easy to memorise and then develop a method to turn that sentence into a password.

  • Sentence: I bought my first car in 2017!
  • Method: Use the first letter of each word and alternate irregularly between uppercase and lowercase letters; only use the last two digits and keep special characters.
  • Password: IbmFCiE17! (Do not use this example)
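The composition rule above can be checked mechanically. The following is an added example, not code from U.Porto or the Resolution; the function names and the denylist of published examples are assumptions made for illustration.

```python
import string

# Special characters exactly as listed in item 4 of the rule above.
SPECIALS = set("~!@#$%^&*()_+|`-=\\{}[]:\";'<>?,./")
MIN_LENGTH = 9    # "at least 9 characters"
MIN_CLASSES = 3   # "3 to 4 of the following sets"
# Passwords printed in public guidance are known to everyone (assumed denylist).
PUBLISHED_EXAMPLES = {"IbmFCiE17!"}

def character_classes(password):
    """Return which of the four character sets appear in the password."""
    found = set()
    for ch in password:
        if ch in string.ascii_lowercase:
            found.add("lowercase")
        elif ch in string.ascii_uppercase:
            found.add("uppercase")
        elif ch in string.digits:
            found.add("digit")
        elif ch in SPECIALS:
            found.add("special")
        # Anything else (accented letters, spaces) counts toward no set.
    return found

def check_password(password):
    """Return a list of rule violations; an empty list means compliant."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = character_classes(password)
    if len(classes) < MIN_CLASSES:
        problems.append(f"only {len(classes)} of 4 character sets used")
    if password in PUBLISHED_EXAMPLES:
        problems.append("published example password")
    return problems
```

A password can satisfy the length and character-set rule and still be rejected, as the published example is.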

Email

The University of Porto provides an email account to each user registered in SIGARRA to communicate efficiently and in a dematerialised form. This address is the main means of communication. It is equivalent to the traditional forms of official communication; therefore, it should not be substituted by external solutions.

The use of electronic mail is conditioned by an Acceptable Use Policy that includes respect towards the rights of other users, as well as compliance with legal obligations.

UPdigital guarantees that this service works as expected in terms of connectivity, monitoring and integrity of information. Even though there is still a significant amount of spam that enters the inbox folder, 95% of messages of this type are eliminated by filters.

Good practices

  • Always insert a brief and objective description of the message content in the Subject line (so it can be easily searchable).
  • Avoid sending messages to an excessive number of recipients, as well as using too many upper case letters. By doing this, it is less likely that the message will be considered spam.
  • Use a grammar and spell checker and read the whole message before sending it.
  • Make sure that no attachments are missing. If there are attachments, make sure they are of a reasonable size.
  • Larger files can be compressed, and they should be made available through U.Porto's Filesender.
  • Clean your mailbox regularly and archive attachments of larger dimensions in order to optimise the allocated space.
  • Use webmail when the protocols adopted in your location do not allow you to send messages through the client application that you normally use.

Security

  • Messages can be digitally signed (via Digital Certificate, for example, the one used in the Citizen Card), so that the sender looks more trustworthy to the recipient.
  • Crucial or sensitive data should only be sent by email if required by the duties performed. In that case, the message should be encrypted.
  • Users should protect themselves from phishing attacks by rejecting any message that is not addressed to them directly, contains subjects not requested or raises doubts.
  • You should never provide personal information or credentials from this service.
  • Hover the mouse over any link inserted in the message to confirm that its destination corresponds to the visible text before accessing it.
  • Do not open attachments whose names end in .exe, .scr, .bat, .com, or other executable files that are not trustworthy or raise doubts.

Extra care

  • Do not use electronic mail to send advertising messages, in particular to recipients who did not request it.
  • Share a message with third parties in Cc (carbon copy, known to third parties with visible addresses) or Bcc (blind carbon copy, known to third parties with hidden addresses), only when those people need to have that information.
  • Use Reply All sparingly, since no one likes to have their inbox filled with messages not addressed to them.
  • Use Forward to share the message with another person if you want to continue following the topic, and use Redirect if the topic is not of your interest.

External Mobile Devices

  • Be suspicious of external devices (USB sticks, etc.) of unknown origin.
  • Disable the autorun feature.
  • Before accessing any file, analyse it with an antivirus.

Printouts

You should take the printouts from the printer as soon as possible. If you are printing documents with sensitive data, stay near the printer while the sheets are being printed.

If you want to destroy documentation with important information (for example, personal data), do it in a reliable way, like using a paper shredder.

Information Security Incidents

If there is an abnormal situation that could put your resources at risk (loss of a device, virus infection, suspicion that your credentials were compromised, accidental destruction of personal data, etc.), report the security incident immediately.

Malware prevention

Install an antivirus (software that acts as a defence against malicious code) and keep it updated.

Secure configurations

  • Only use software from legitimate sources and always keep it updated.
  • Change predefined passwords and, if needed, the default configurations.
  • Do not continue to use software that is not supported by the provider.

Use

  • Do not open files of questionable origin.
  • Do not access links of unknown origin; analyse them beforehand.
  • Do not use your work equipment for personal purposes.

Phishing is a cybercrime where a fraudulent email is sent with the purpose of obtaining personal or business data. The sent email is fake, usually created on behalf of a credible entity like a bank, Facebook, Twitter, Microsoft, Vodafone, etc., but in reality, its sole purpose is to collect data or infect systems.

Under no circumstance will U.Porto's services ask you to reveal your access credentials.

Wi-Fi networks

Avoid connecting to Wi-Fi Networks from unknown entities or without authentication. If you cannot avoid it, take measures to protect yourself. For example:

  • Use a VPN;
  • Do not access critical services;
  • Confirm that the websites you are accessing are safe by double-clicking the padlock that appears in your browser next to the address field (the address should start with "https://" and not with "http://").

Other recommendations

See the website of the National Cybersecurity Center - Portugal (Portuguese only).

More information:

Unit of Information Security