Guidelines for Protecting Sensitive Data
Identity theft occurs when someone uses your personal information without your permission to commit fraud or other crimes. No one wants to go through the hassle of trying to clean up the mess that can occur as a result of identity theft. In addition to identity theft, the improper disclosure of sensitive data can cause harm and embarrassment to students, faculty, staff and the University. Therefore, it is to everyone’s advantage to ensure that sensitive data is protected. A few examples of sensitive data are:
- Social Security number (SSN)
- credit card number
- driver's license number
- personally identifiable patient information
- personally identifiable student information
- personnel information
- proprietary research data
- confidential legal data
- proprietary data that should not be shared with the public
It is imperative that you are authorized to store or transmit SSNs. If you have not received approval for the use, collection, storage or disclosure of SSNs, please email ITPC@ecu.edu for information.
We must protect sensitive data in its many forms such as electronic, printed, voice, fiche, etc. Below are a few guidelines that will help in the protection of sensitive data:
- Avoid copying or downloading sensitive data from the University’s administrative systems to your PC, Web server, PDA, laptop, etc. unless absolutely required. The University’s administrative systems have implemented security controls to protect sensitive data that may not be available on other systems. Ensure you have permission from your department administration prior to downloading.
- If there are no other viable alternatives to copying or downloading data from administrative systems, then additional security controls must be implemented. Below are guidelines that must be followed:
- If the data contains SSNs, ensure you have the approval of the ITPC to store, use, disclose or transmit SSNs (email ITPC@ecu.edu).
- Remove the confidential part of the information from the data if this is possible (e.g. SSN)
- Store the data on a secure server if one is available (Caution: departmental Web servers do NOT have the required security to store sensitive data). Call the helpdesk for advice if you are unsure.
- Store the data on the Piratedrive rather than on your local computer. This is recommended over local storage, but contact IT Security for tracking purposes.
- Encrypt data
- Password protect data
- Physically protect devices that can be easily moved, such as PDAs and laptops
- Avoid creating databases or applications that use SSN as identifiers. Create a unique identifier that does not use SSN.
- Do not send un-encrypted sensitive data via email. Email messages can be intercepted by third parties or mistakenly sent to the wrong address.
- Never download or copy sensitive data to your home computer
- Never store un-encrypted sensitive data on a portable device
- Protect printed sensitive data. Store sensitive data in a locked desk, drawer or cabinet. Don’t leave sensitive data unattended on a copier, fax machine or printer. Shred sensitive data that needs to be disposed of.
- Avoid social engineers who try to get you to share sensitive information over the phone or by other means.
- Secure your workstation. Don’t let hackers or worms use your workstation to access sensitive data on other computers on the network.
- Any computer containing sensitive data must be sanitized in accordance with the Disk Sanitization Policy before disposal or transfer of ownership.
- If your business unit administers a server that houses sensitive data, the following guidelines must be followed:
- The administrator must apply the ITCS Server Security Template (contact ITCS Support Services to request)
- The server should be scanned for vulnerabilities (contact ITCS Support Services to request)
Refer to the SSN Policy web site for specific requirements concerning the collection, use and disclosure of SSNs and other personal identifying information.
Refer to the FERPA and HIPAA web sites for specific guidelines required by those federal regulations.
Contact ITCS Support Services at 328-9866 for assistance or for departmental security awareness training.