ON THIS PAGE

• Staying Secure with Google
• Secure Transmission
• Google Privacy Policy and Terms of Service
• Google Security Mythbusters
• Google Security-Related Articles

Google's two-factor authentication uses a code in addition to your username and password. Each time you log in, Google sends a new code via text or voice message that you will need to enter. This means that to access your account, a hacker would not only need your username and password, but also your phone in order to get in. Instructions from Google

(back to top)

• Don't reveal it to anyone
• Don't re-use it for other accounts
• Set or change your CruzID Blue password

(back to top)

Don't use Google to send or store highly sensitive information such as PII or other restricted data. If you must, encrypt it first.

• Email security: Remember that email is inherently neither private nor secure. This is true for our campus email systems as well as most third-party email providers, including Google. Highly sensitive information should never be sent through email unless it is protected, e.g. by encryption. This includes attachments.
• Protect our most sensitive information: Highly sensitive information should be stored on UC servers designed for its storage or should be encrypted. Attachments containing highly sensitive information should be encrypted. Google does not encrypt documents, so be sure to encrypt your docs before putting them in Google.
  • And remember to securely delete highly sensitive information when you no longer have a business need to keep it. The less you have to store, the better!
• Ask ITS for assistance or alternatives (contact info at "Get Help" above).
• Encryption information

(back to top)

With UCSC moving to Google, it is increasingly likely that people will use non-UC devices, especially mobile devices, for work. All devices used for work must meet UC and UCSC security requirements. Tips for protecting mobile devices are available on ITS' "Mobile Devices and Wireless" page.

(back to top)

It is important to know the default settings and sharing options in order to avoid accidents related to over- or under-sharing.

When creating a new document or collection in Google, it will either default to be private to you or inherit the permissions of the collection under which you created it. Click on the “Share” button to review who it is shared with.

• You can delete people by clicking the "x" to the right of their entry on the sharing screen.You can add people by name, email, or group (pre-existing groups in Google only) in the "Add people" box. Be sure you know who is in groups before sharing with them.
• To the right of the 'Add people' box, there will be a role drop down menu which defaults to "Can edit". Unless you really want someone to be able to edit, change their access level to something else.
• For documents/collections that others can edit:
  • The default sharing settings allow editors to change permissions, including who has access to documents, their access levels, and where the documents are stored. This can result in documents and collections "disappearing." The following change will help prevent this:
  • Find the line at the bottom of the sharing box that says "Editors will be allowed to add people and change the permissions." Click on "[Change]" and select "Only the owner can change the permissions."
• It is important to understand that when you move or delete a Google doc or collection, you are moving the ORIGINAL doc/collection, not your own, personal copy.
  • Only the creator/owner can permanently delete a doc/collection. If something has been moved, the owner can still find it in the "Owned by me" section of their Google Docs/Drive homepage.
• Once permanently deleted from the trash, Google Docs and collections cannot be recovered. This is also true for Google sites, email, and anything else under your Google account that has been permanently deleted for any reason.

A note about Google Sites:
Google Sites is used to display information to others. The default in Google Sites is to share the Site with everyone in the UCSC domain -- this means everyone with an @ucsc.edu account can find and edit the site. If you want to change this,

• Click on the Share button
• Click on "Change..." next to this setting to select a more appropriate option
• If you want everyone in the UCSC domain to be able to view but not edit the site, uncheck the "Allow anyone within UC Santa Cruz to edit" checkbox.

More about Sharing Google docs
Additional Tips

(back to top)

Be sure you know who you are sharing your calendar and meeting information with.

Meetings:
Meeting privacy settings are at the bottom of each meeting's Event details page. There are three options:

• Default: the event's privacy setting is the same as the calendar's overall privacy setting. See "Calendar settings," below.
• Public: makes that event's details available to people who normally only have free/busy access to your calendar.
• Private: only you, meeting invitees, and people you have granted 'Make changes to events' or 'Make changes AND manage sharing' privileges to your calendar can see the event and its details.
• Additional information about these settings

Calendar settings:
To review your calendar sharing settings, click the down-arrow button next to your calendar's name in the My Calendars list on the left side of the page, then select Share this Calendar.

• Share this calendar with others should be checked unless you want your calendar to be private to only you and specific individuals you designate (see below).
• Make this calendar public should be un-checked. Checking this box will make your calendar publicly available and searchable on the Internet.
• Share this calendar with everyone in the organization UC Santa Cruz should be checked unless you chose not to share your calendar in step 1.

To share your calendar with specific people:

• Follow the instructions in "Calendar settings," above, to get to your Share this Calendar page.
• In the text box under Share with specific people, enter the complete email address of the person you want to share your calendar with.
• From the drop-down menu, select a permission level, then click Add Person. Once you click "Add Person," the person will receive an email invitation to view your calendar.
  
  You can grant any of the following levels of access to each individual user when sharing your calendar:
• Make changes AND manage sharing
  This person has owner rights to this calendar, and can do anything that you (as the owner) can do
• Make changes to events
  This person can see and change all events, including private ones.
• See all event details
  This person can view the details of all events except those marked as private.
• See free/busy information (no details)
  This person can see when your calendar is booked and when it has free time, but will not be able to see the names or details of any of your events.
  
  You can currently share your calendar with up to 75 users per day. If you'd like to share your calendars with more users, wait 24 hours and try again.

Additional information from Google about sharing your Google Calendar:
Calendar Sharing Options for Google Apps
Share your calendar

(back to top)

Report spam and phishing directly to Google. This helps put these emails on their radar. You must do this from your email on Google's website. If you don't normally access your email via the web, go to email.ucsc.edu and log in with your username and CruzID Blue password. When your mailbox loads, select the message you'd like to report.

• For spam, click on the spam button in the toolbar above your message list (the one that looks like a stop sign with an exclamation mark).
• To report phishing, please open the message and click on the little drop-down arrow next to the reply button in the top right corner of the email and select "Report phishing" (you can also report spam this way). See Google's instructions for more details.

(back to top)

Last Account Activity
Last account activity can help you detect if someone is using your gmail account without your knowledge. It shows information about recent access to your email, including when, from where, and how your mail was accessed. It also lists the IP address that accessed your mail. There is also an option at the bottom of the page to show an alert for unusual activity.

To see your recent email account activity, click the Details link next to the Last account activity line at the bottom of any Gmail page. Additional information

Account Activity - Beta
"Google Account Activity creates monthly reports on your usage of Google products. Depending on which products you use, you can see how many emails you've sent, who your most popular contacts are, what searches you've performed, or what computers you've used to sign in. Account Activity Reports are a great way to help ensure that your account is safe and to understand your use of Google products."

To activate this feature, click on the down arrow next to your user name in the upper right corner of any Google Apps page, then click "Settings," click "Products," click "Account Activity." See Google's instructions for additional instructions and details.

(back to top)

Be sure to sign out of your Google account when you're finished, especially when using a public computer. Just click on your username at the top right corner of the screen and select "Sign out." If you're using a public or shared computer and want to be extra thorough, you can also clear the browser's cache, cookies and history. Then, completely close the browser.

(back to top)

http://gmailblog.blogspot.com/2009/10/gmail-account-security-tips.html

(back to top)