Security Consulting and Education
Security assessment, education, and awareness of campus security requirements, policies, and guidelines. Includes contract reviews and risk assessments.
-
End-of-Life and Out-of-Support Operating Systems
Description
This article addresses the acceptable operating systems and the process for end-of-life and out-of-support operating systems on CSU-owned and personal devices.

Consistent with the CSU IT Security Policy, devices used to access CSU resources — whether CSU-owned or personally owned — are required to use software that is supported by the vendor and patched against vulnerabilities. Importantly, this includes the operating system (OS) running the device (Windows, macOS, etc.). This requirement applies to the CSU network, as well as to remotely accessing CSU resources via the VPN (gateway.colostate.edu).

Continued use of non-supported operating systems puts the university and our devices at increased risk of compromise. Allowing compromised machines to connect to the CSU network — even through a secure, authenticated service — puts CSU’s network at risk. Continued use of an older, non-supported OS on your devices may also make your machine more vulnerable to viruses and other security risks, and it will likely not be compatible with the latest hardware and software releases by other manufacturers.

Acceptable Operating Systems
A list of acceptable operating systems is included on the list of Minimum Technology Standards.

Exceptions
For any exception to the CSU IT Security Policy, work with your departmental IT staff to submit an exception request for consideration.
-
Microsoft Outlook: How to Report Phishing
Description
This article provides users with instructions for reporting suspicious emails as phishing from their Outlook clients.

Prerequisites:
To access this functionality, you must be using an updated version of Microsoft Outlook.

Instructions:
1. Navigate to the email you believe is suspicious.
2. Right-click on the email to open the context menu.
3. Navigate to 'Report' in the context menu.
4. Select 'Report Phishing'.

Outcome:
Completing the steps above will report the email as phishing and remove it from your inbox. Your report will also be combined with reports from other users to determine how many users may have received the offending email and to get it removed for all users who received it.

Further reading
https://learn.microsoft.com/en-us/defender-office-365/submissions-outlook-report-messages
-
How to encrypt emails with M365 Message Encryption
Microsoft Email Encryption allows users to send encrypted messages and attachments to recipients inside and outside of the University. It is available through desktop and web clients but not on mobile devices.

Prerequisites
- A compatible version of Outlook (2016, version 1804 or later)
- Access to Microsoft 365 via desktop or web clients

Encryption Options
There are four email message protection options available:
- Encrypt: Allows you to send encrypted messages to any recipient, whether inside the organization or not. If the recipient uses Microsoft 365 (Outlook, Outlook on the Web, or Outlook for mobile), they can open the encrypted email without extra steps. For recipients outside Microsoft 365, they will receive an email with a link to the encrypted message, securely stored on Microsoft 365 servers. Recipients with a Gmail address must sign in with their Google credentials, and those using other email services must use a Microsoft account or a one-time access code.
- Do Not Forward: Sends an encrypted message with restricted content, preventing it from being forwarded, printed, or copied. Note that a camera can still capture the message content.
- Colorado State University – Confidential: Grants read and modify permissions for the protected content to recipients using CSU M365 only.
- Colorado State University – Confidential View Only: Grants read-only permission for the protected content (cannot reply, forward, save, or export) for recipients using CSU M365 only.

Instructions
Note: You can access Microsoft email encryption only through the desktop or web versions of Microsoft 365. Email encryption is not available on mobile devices.

How to Encrypt Email Using Outlook on Windows
1. Check that you are using Outlook 2016, version 1804 or later by selecting File > Office Account and reviewing the version under "About Outlook." If you have an earlier version, contact your local IT support.
2. Open an email message in Outlook.
3. Select Options, then click Encrypt.
4. Choose the encryption type, such as Encrypt-Only or Do Not Forward.
Note: If you encounter a “Connect to Rights Management Servers and get templates” message, please contact your local IT support.

How to Send Protected Messages Using the Office 365 Portal
1. Sign in to the Outlook web portal with your NetID@colostate.edu email address and password.
2. Click New message to compose a new email.
3. Select the Options tab, then click the lock icon to open encryption options.
4. Choose the Encrypt option (recommended in most cases).
Note: If you are replying to an email, you can also encrypt it by following the same instructions.

How to Send Protected Messages Using Office for Mac
1. Compose a message in the Outlook client.
2. Click on the Options tab in the ribbon.
3. Click the Permissions button to choose the desired encryption setting.

How to Identify a Protected Message
Protected messages will have a padlock icon and a header indicating the protection policy, depending on the client being used.
[Images: protected message examples]

How External Users Can Open a Protected Message
1. The external user receives a normal-looking message, but all content is removed, leaving only a link.
2. Authenticate with a Microsoft account or request a one-time access code, which is sent to the original recipient's email.
Note: External recipients may need to follow different steps depending on their email provider. A Microsoft account or one-time access code is required to access the message. Gmail or Yahoo users can use their respective credentials to access the message.

Troubleshooting Common Issues
- Error After Duo Authentication: If you receive an internal server error after authenticating with Duo, close Outlook and relaunch the service. You may need to authenticate again. If the issue persists, contact your local IT support.
- Other Error Messages: If you encounter any other type of error message, follow up with your IT liaison for further assistance.

Outcome
After following these steps, users will be able to send encrypted emails securely, ensuring that only the intended recipients can view or interact with the content.
-
Annual Cybersecurity Training - Frequently Asked Questions
Description:
The purpose of this document is to address frequent questions about the required annual cybersecurity training from campus IT Directors, Managers, and the CSU IT Community.

Content:
- Campus Community
- IT Directors and Managers

Campus Community:

Why are we doing this? What is the purpose of implementing a security training program across campus?
New federal regulations on Cybersecurity require us to complete annual training as a first line of defense against attacks. The training covers a variety of topics that every individual should know in order to safeguard our information. This training is part of the IT Strategic Plan to enhance our Cybersecurity profile.

Who is required to participate in this training program?
All faculty, staff, and researchers (Faculty, AP, SC, NSH, Other Salaried, Associates, Temporary) who work in the CSU System. Students, student hourly, Graduate Assistants, emeritus, and retirees are out of scope and not included in the requirement at this time. Employees on Extended Leave are out of the scope of this requirement until they return to their duties.

How often is this training program conducted?
The training is required to be completed annually. New employees are invited to complete the training as part of their onboarding process and annually after. The New Employee Welcome Packet has been updated to reflect this change.

How are employees notified?
Faculty, staff, researchers and associates will find out from a variety of sources that include department and campus leadership, IT Managers and Directors, and the new employee manual. Employees should receive an email from the IT manager as well as from the department or division leadership. Multiple follow-up emails will be sent from the Division of IT to those who are required to complete the training. Emails will be sent from the Division of IT Security Training email address, division_of_it_security_training@colostate.edu.

What happens if required users fail to complete the training by the deadline?
Users who do not complete the training on time risk having their MFA access paused, preventing access to our systems and resources.

How is the completion of the training program tracked?
Each employee's progress is tracked electronically through our learning management system, and completion status is monitored by our Information Security Training Specialist.

Who should I direct users to who have questions or concerns with the training materials?
Employees can contact the Division of IT help desk or email the security and privacy team at the Division of IT Security Training email address with any questions or concerns related to accessing or interacting with the training material.

What actions should individuals take?
Researchers, associates, faculty, and staff members are required to complete the training annually. The training is already assigned through the LMS. The training will take approximately 20 minutes to complete. Users can also access the training from the Division of IT cybersecurity webpage.

When is the deadline to complete it?
All required individuals must complete the training by the third Friday in December. This training will occur on an annual basis.

What if I have student employees who need to be security trained because of the systems they work with or data they have access to?
At this time, students, including student employees and GRAs, are not included in the cybersecurity awareness training. Please reach out to work with the Information Security Training Specialist through the Division of IT Security Training email if you have concerns about student employees who are working with sensitive data or systems.

IT Directors/Managers:

Why are we doing this? What is the purpose of implementing a security training program across campus?
This training is part of the IT Strategic Plan to enhance our Cybersecurity profile.

How are employees notified?
Faculty and staff will find out from a variety of sources that include department and campus leadership, IT Managers and Directors, and the new employee manual. Employees should receive an email from the IT manager as well as from the department or division leadership. Multiple follow-up emails will be sent from the Division of IT to those who are required to complete the training. Emails are sent from the Division of IT Security Training email address, division_of_it_security_training@colostate.edu. Messages will not be sent to email addresses outside of M365.

Will I receive reports about completion rates for my department or division?
Yes. IT directors and managers will receive monthly reports throughout the year, with more frequent reporting toward the annual deadline.

What if my department already requires security training for our employees?
As this program and content have been approved by campus leadership based on compliance and security requirements for all campus users, all faculty and staff will be required to complete the Annual cybersecurity training, in addition to or in lieu of departmental security training. The Annual cybersecurity training does not cover topics like HIPAA or FERPA. For those topics, you should continue to rely on departmental-specific training.

What authority do I have as the IT Director or Manager to remove access to CSU resources once the user's MFA access is disabled?
The Division of IT is responsible for the authentication and identification of our campus users. Access to resources beyond the campus identifier and M365 services is controlled and managed by each College or Division and their respective IT departments. Access to these services is at the sole discretion of the College or Division and their IT departments.

What is expected of me as an IT Director or Manager?
As your department's IT Leader, we ask that you share this information with your faculty, staff, and researchers. Please customize it to fit the culture of your organization. Let your executive leadership know that this is a high priority for our CSU System, and we will be encouraging our community to complete the training.
-
2025 Colorado State University System Security Training Course Assigned
Hello! We hope you are well. You have been assigned the annual CSU System 2025 security training course. Due to the increase in cyberattacks, all faculty, staff, and researchers must complete this training annually. Please log in to the training platform to complete the assigned training.

2025 Annual Cybersecurity Training:
What: Self-paced online series with videos and checkpoints.
Why: Required by federal regulations and part of our IT Strategic Plan.
Who: All faculty, staff, and researchers who work with CSU System data, systems, or resources.
Actions: Access the training platform through litmos.colostate.edu or from the Division of IT Cybersecurity webpage, IT.csusystem.edu/cybersecurity. Log in with your NetID and password; the training is already assigned to your profile. The training takes approximately 20 minutes to complete. The deadline to complete the training is December 31, 2025.

We appreciate your cooperation and welcome any feedback. Please contact the security training team at Division_of_IT_security_training@colostate.edu if you have any questions.

Thank you,
The Division of IT
Colorado State University System
Division_of_IT_security_training@colostate.edu