Protecting Sensitive Information
University colleges and departments that collect and store sensitive information on computer systems including such data as Social Security Numbers, driver’s license information and individual financial information (such as credit card numbers, bank account numbers, or financial statements), should have the following security controls in place to maintain data integrity and confidentiality. 91¶ÌÊÓƵ must assure the security and protection of Sensitive Information in the University’s custody, whether in electronic, paper, or other forms.
For more information on what is sensitive information, please visit our page.
- Authorization Controls: Such systems must require a user ID and password for access and must be two-factored enabled. 91¶ÌÊÓƵ uses Duo for 2-Factor authentication and access will be restricted based on an individual’s job responsibilities and provisioning state.
- Passwords used for University access must not be the same as passwords used for personal accounts (banks, personal email, and credit cards).
- A password that is at least 8 characters long and is a combination of upper and lower case letters, numbers and characters. Strong passwords do not include phrases, names, or other types of dictionary words.
- The level of security controls applied to the University’s network must at least match the highest level of classification of the data being transmitted (Ref. PPM 10-1).
- Network Security Controls: All transmission of Sensitive Information via the Internet must be through a properly secured connection point to ensure the network is protected. Such systems must be protected by a host or network firewall and comply with PPM 10-3 Network Security / Firewall Policy. Colleges or departments should contact the University’s IT Service Desk at 626-7777 to request firewall service if needed.
- Servers on the university’s network that require inbound access from the Internet must be approved and registered with the Information Security Office via the Firewall Rule Registration requirements. To register, please fill out 91¶ÌÊÓƵ Firewall Rule Registration Form.
- Audit Controls: All attempts to access such a system must be recorded. Identified failed logon attempts and other information that indicate unauthorized attempts to access sensitive information must be recorded and reported to College or Division Data Security Steward.
- Security Monitoring Controls: All computing systems must install the University approved management policy framework to manage antivirus and anti-spyware software.
- Physical Security Controls: Servers and workstations managing sensitive information, as well as related electronic storage media (such as USB drives, memory sticks, disks, backup tapes, CD ROMS and other removable media), must be located in a secured area to which only authorized individuals have access.
- Sensitive information, electronic or paper, must not be left in an accessible location to prevent unauthorized viewing and must be secured when unattended.
- Sensitive Information must only be used temporarily on portable equipment and then only for the duration of the necessary use and only if encrypted and physically secured.
- Sensitive Data may only be stored on personal computers, servers or other computing equipment if the requirements outlined in BOR R345, Information Technology Resource Security, are adhered to.
- Encryption: Sensitive information must be encrypted at all times.
- Encryption technology will be utilized for local, portable or central storage and transmission of Sensitive Information.
- Data Disposal: Computer hard disk drives containing electronic records with sensitive information that are no longer needed should be securely erased using an approved data erasure utility.
- All computing labs will utilize freezing or wiping software in such a way that minimizes the possibility of Sensitive Information from one User being accessible by any other User.
The following are also required to protect sensitive information:
Laptops and Workstations: Sensitive information should never be stored on computer laptops and other portable computer devices unless strong data encryption is employed. Sensitive information may be stored on local workstations, but each workstation must have the following security controls:
- User ID and password access.
- The auto-lock feature enabled.
- The workstation must be located in a secured area.
Transmission: Confidential, Restricted or High-Risk information should never be transmitted by e-mail or through insecure file transfer methods (such as FTP).
Appropriate Handling of Requests for Information: Requests from third parties for sensitive information must be referred to individuals who are authorized to handle these types of requests and trained in safeguarding sensitive information. Historical records containing Social Security Numbers in offline storage — such as paper, tape, cartridge, fiche, microfilm or magnetic media — may be maintained as long as it is physically secured and access to these off-line records is limited to authorized individuals.
Report Breachs: All computer security breaches or systems with sensitive information discovered to be lacking these recommended security controls must be immediately reported to the College or Division Data Security Steward or the University’s IT Service Desk 626-7777.