Securing Sensitive Data
University employees have a legal responsibility to protect personal faculty, staff and student data. Unprotected data can lead to identity theft and put the university at risk of being out of compliance with a number of legal requirements and standards (see below). Protected data should not be stored on mobile, laptop or desktop computing devices.
The following guidelines are essential to protecting sensitive data:
- Protect sensitive data by storing it in secured, university-hosted locations, such as MyDocs or a Gizmo departmental file share.
- Store grades in Blackboard Learn or UAConnect (formerly ISIS).
- Save password-protected Microsoft Excel grade books or other sensitive spreadsheets to a Gizmo departmental file share.
- Use VPN to access protected data remotely.
- Instead of saving passwords to document files or on paper, use tools such as Password Keeper or KeePass to manage passwords.
Protect your mobile, laptop and desktop computing devices and the information stored on them by:
- Keeping electronic devices within view or securely stored at all times, for example, by using a cable lock to secure a laptop
- Keeping electronic devices in your custody and not packing them in checked airport luggage
- Ensuring that your electronic device is shut down and secured when not in use. Use password protection on devices offering such capabilities.
- Ensuring that university-approved antivirus software applications and signatures are up to date
- Installing and configuring personal firewalls on all devices when available
- Avoiding the use of unsecured or untrusted wireless or wired networks
- Using encryption to safeguard all storage media, such as hard drives and USB flash drives
- Notifying UAPD and IT Security at firstname.lastname@example.org immediately if any device storing sensitive information has been lost or stolen
Legal Requirements and Standards
There are many forms of sensitive personal data, some protected by legal requirements and standards such as:
- HIPAA: The Health Insurance Portability and Accountability Act of 1996 ensures the privacy of a patient's medical records.
- FERPA: The Family Educational Rights and Privacy Act of 1974 protects the privacy of a student's education records.
- FISMA: The Federal Information Security Management Act of 2002 recognizes the importance of information security to the economic and national security interests of the United States. As a result, federal agencies and any other parties collaborating with such agencies must follow information security requirements to effectively safeguard IT systems and the data they contain.
- GLBA: The Gramm-Leach-Bliley Act, also known as the Financial Services Modernization Act of 1999, contains privacy provisions requiring the protection of a consumer's financial information.
- PCI DSS: The Payment Card Industry Data Security Standard was developed by the major credit card companies to support the prevention of credit card fraud, hacking and various other security issues. Companies processing card payments must be PCI DSS compliant or risk losing the ability to process credit card payments.