Guidelines for Sensitive Data
The rising frequency of security incidents involving network-attached devices significantly increases the probability that sensitive data, if not properly used and protected, may be exposed to unauthorized viewing or modification. Addressing the potential for identity theft has become an increasing concern of the institution. Established procedures for the protection and release of sensitive information should be followed regardless of the platform on which the data is stored or processed.
The purpose of these guidelines is to outline the acceptable use of computer equipment at McNeese State University.
These guidelines apply to employees, contractors, consultants, temporaries, and other workers at McNeese State University, including all personnel affiliated with third parties. These guidelines apply to all equipment that is owned or leased by McNeese State University, as well as personal property used to access University information systems.
Sensitive Information is defined as any combination of the following data records:
- Social Security Number
- Personal identification numbers other than the Social Security Number
- Information protected by the Health Insurance Portability and Accountability Act of 1996 (HIPAA)
- Information protected by the Family Education Rights and Privacy Act (FERPA)
- Credit card numbers
- Bank account numbers
- Lists of computer system IDs and/or passwords
Strict control should also be maintained over McNeese sensitive information that is stored on personal computers, on external media (CDs, tapes, or memory sticks) or centrally on servers, as well as over such information transmitted across McNeese’s network.
The following guidelines have been developed for the storage and transmission of McNeese sensitive information:
- Where technically feasible, McNeese sensitive information should be stored on a server and not a workstation.
- When this is not feasible, a workstation used for storage of sensitive information should be in a physically secured location and require a unique logon with a strong password for each individual authorized to use it (shared accounts and passwords are not permitted). Security logs should be enabled and reviewed.
- Where the information is stored on a server or workstation, the machine should meet current operating system, hardware and software support levels.
- McNeese sensitive information should never be transmitted over the Internet “in the clear”. It should always be transmitted using IT-approved encryption mechanisms.
- It is the responsibility of everyone entrusted with McNeese data to back it up and store it in a secure location.
- Backups of sensitive information should be encrypted, whenever technically feasible.
- Unencrypted backups should be physically secured and not accessible to unauthorized personnel at any time.
- Access controls to all McNeese sensitive information should be documented.
Offsite Data Usage
- Any McNeese sensitive information that is brought offsite will be physically secured and/or encrypted.
- Any access to McNeese sensitive information will use appropriate secure communication protocols (e.g. SSH, TLS/SSL, WPA2, etc.).
Sensitive Information on Desktops/Laptops/Tablets/Smart Phones/etc.
- Storage of sensitive information on devices that are not used or configured to operate as serving devices is only acceptable if the user responsible for the device takes proper care to isolate and protect files containing the information from inadvertent or unauthorized access or viewing. Assistance with securing sensitive information may be obtained from the IT staff.
Alternative Locations for Serving Devices
- Alternative locations should be reviewed and approved by the CITO. Such exceptions will be made only after the CITO has determined that the server providing sensitive information to the campus network and/or the Internet is secured through reasonable procedures.
- In cryptography, encryption is the process of encoding messages (or information) in such a way that only authorized parties can read them and third parties cannot. (Source: ssd.eff.org/tech/encryption)
Revision History: Fri Dec 13 2013