Safeguarding sensitive University data standard
Purpose
The purpose of this standard is to establish the guidelines for the process of safeguarding sensitive university data from improper disclosure.
Scope
This standard applies to all faculty, staff, students, and third parties that access sensitive university data. All members of the university community should know what sensitive data is and their responsibility for ensuring the protection of this information.
Standard
Improper disclosure of sensitive data can cause personal and financial harm to students, faculty, and staff, and can cause severe reputational and/or legal damage to the university. It is for these reasons, that it is everyone鈥檚 responsibility to safeguard sensitive university data.
Some examples of sensitive data can include but may not be limited to:
- Social Security Numbers (SSN)
- Credit Card Numbers
- Driver鈥檚 License Numbers
- Personally identifiable patient information
- Personally identifiable human research subject information
- Personally identifiable student information
- Personally identifiable employee information
- Personally identifiable donor information
- Proprietary research data
- Confidential legal data
- Confidential financial data
- Other types of sensitive data that should not be shared with the public
A more comprehensive list of data with corresponding sensitivity classifications can be found by viewing 91探花鈥檚 Data Classification Table.
The following are guidelines for securing sensitive university data:
General precautions
- Individuals accessing sensitive university data must sign a non-disclosure agreement.
- Enterprise communication systems including email may contain privileged, sensitive or confidential information. As such, the duplication or unauthorized disclosure of the aforementioned information is prohibited as it may result in the violation of federal regulations.
- Do not download or copy sensitive data from university servers to your devices unless absolutely required and once you have documented permission to do so from management.
- Remove any confidential parts of information if possible.
- Be cautious of creating your own file shares, whereby such data may be accessible by unauthorized individuals.
- Physically secure devices that can be easily moved such as laptops, portable USB drives, backup tapes etc.
- Never store unencrypted sensitive data on a portable device.
- If you absolutely must store sensitive data on a portable device, always use some form of encryption, at minimum at the file level but whole disk encryption is highly recommended.
- Keep the data on such a device only for the shortest time period you need to accomplish the task.
- If you absolutely must store sensitive data on a portable device, always use some form of encryption, at minimum at the file level but whole disk encryption is highly recommended.
- Do not create databases or applications that use SSN as identifiers unless there is an unavoidable business need. Whenever possible, create unique identifiers that do not use an individual鈥檚 SSN.
- If you are storing sensitive data elements access to this data should be restricted to only those individuals whose job function absolutely requires access to the data.
- Never download or copy sensitive data to your personal computer.
Password protections
- Access to university data must be restricted using strong passwords, per university policy 91.004 University Credentials.
- Desktop and mobile devices that contain or provide access to university data must be password protected per university policy 91.004 University Credentials against unauthorized access.
Physical security
- Computers and devices should be locked when unattended and require password reauthentication upon fifteen (15) minutes of inactivity.
- Portable media and devices containing university data should always be kept in a location that prevents theft, unauthorized access, or accidental disclosure.
Secure data transmission
- University data may only be forwarded to external email accounts for specific job-related purposes. University data that is electronically transmitted externally, including an external email account, should be securely transmitted.
- When transmitted via email, university data should be encrypted, password protected, and sent as an attachment to the email message. The password for the encrypted attachment must always be transmitted under separate cover or via telephone or voicemail.
- Whenever university data is transmitted to a third party, for business operations purposes only, it must be transmitted over a secure communication protocol, such as SSL, or secure file transfer protocol (SFTP).
Protections for mobile devices
- Given the portability of mobile devices, they are more susceptible to loss and theft. The following measures should be used to secure university data contained on mobile devices.
- Keep your device secure by keeping it with you or in a physically secured location.
- Enable strong device pass-code protection features and select a passcode or PIN that is difficult to guess.
- Enable mobile device idle timeout and other device specific locking features when possible.
- If available, enable the feature that will erase data after ten (10) failed passcode attempts.
- Delete any university data on the device when no longer needed.
- Enable device encryption so that university data on the device is encrypted. Or at minimum, if whole device encryption is not available, encrypt university data on the device.
- Enable and configure device tracking features (e.g. Find My iPhone).
- If you are using a cloud service (e.g., iCloud) to back up or otherwise store your data, use a strong password.
- Keep software updated to protect against hacking attempts.
- Minimize the number of apps on your device and only load apps or software on your device that come from a trusted source.
Protections for paper files
- University data that is kept in hard copy form must also be secured and protected. Such data should be stored in a location that prevents unauthorized or accidental disclosure.
- Don鈥檛 leave unattended sensitive data on a copier, fax, printer, or any other area that is unsecured.
Secure disposal
- When disposing or transferring ownership of devices, media or any other form of electronic storage ensure that medial is properly sanitized in accordance with the information security standard Media Sanitization.
- When disposing of paper documents that have sensitive university data, individuals should place documents in a shredder or designated bin of a document destruction service. Documents should not be placed in the trash or in campus recycling.
Reporting lost or stolen devices or the suspected disclosure of University data
If you know or suspect that university property or a privately-owned device containing university data has been lost or stolen promptly contact the campus police department, with any identifying information such as make, model, and identifying stickers.
To prevent unauthorized access to your data and accounts, you should change your access passwords as soon as possible, since most mobile devices store passwords so that mobile apps can automatically access remote computer applications without a prompt for user name and password.
Definitions
Personally Identifiable Information (PII): any information that can be used to identify, contact, or locate an individual, either alone or combined with other easily accessible sources. Examples of data elements that can be classified as PII include, but are not limited to, fingerprints or other biometric data, email address, telephone number, or social security number. Such data elements can be found in sources such as medical, educational, financial and employment information.
Secure Sockets Layer (SSL) certificates: sometimes called digital certificates, are used to establish an encrypted connection between a browser or user鈥檚 computer and a server or website. The SSL connection protects sensitive data from being intercepted from nonauthorized parties during the session.
File Transfer Protocol (FTP): a standard network protocol used for the transfer of computer files between a client and server on a computer network.
References
- Policy 91.004 University Credentials
- Policy 91.005 Information Security
- Policy 91.006 Information Security Risk Management
- Policy 93.001 Data Classification
- NIST 800 Series Publications
- Information Security Standard: Acceptable Encryption
- Information Security Standard: Media Sanitization
- Information Security Standard: Mobile Device
- Information Security Standard: Security Incident Reporting & Breach Notification
Exceptions
All exceptions to this standard must be formally documented with the ISO prior to approval by the Information Security Governance Committee (ISGC). Standard exceptions will be reviewed and renewed on a periodic basis by the ISO.
Request an exception:
Complete Exception request form.
Governance
This standard will be reviewed and approved by the university Information Security Governance Committee as deemed appropriate based on fluctuations in the technology landscape, and/or changes to established regulatory requirement mandates.
Reviewers
The reviewers of this standard are the members of the Information Security Governance Committee representing the following University stakeholder groups:
- Information Technology: Ed Carter (Chair)
- Human Resources: Michael Courtney
- Faculty: Hans Kruse
- Finance and Administration: Chad Mitchell
- Associate Dean: Shawn Ostermann
- Regional Higher Education: Larry Tumblin
- Research and Sponsored Programs: Maureen Valentine
- Enterprise Risk Management and Insurance: Larry Wines
History
Draft versions of this policy were circulated for review and approved May 6, 2021.