Guidelines for Protecting Sensitive Data

You are responsible for the protection of any sensitive data¹ in your custody. The improper disclosure of sensitive data can cause harm and embarrassment to students, faculty, staff and the University. Breaches of certain sensitive data are subject to fines and/or criminal penalties.

Per ECU Policy, you must receive authorization from the Identity Theft Protection Committee (ITPC) to collect, use, store, disclose or transmit SSNs. If you collect, use, store, disclose or transmit SSNs, email the Identity Theft Protection Committee @ ITPC@ecu.edu for approval.

We must protect sensitive data in its many forms such as electronic, printed, voice, fiche, etc. Below are a few guidelines that will help in the protection of sensitive data:

• Avoid copying or downloading sensitive data from the University’s administrative systems to your PC, Web server, PDA, Laptop, etc. unless absolutely required. The University’s administrative systems have implemented security controls to protect sensitive data that may not be available on other systems. Ensure you have permission from your department administration and ITPC prior to downloading.
• If there are no other viable alternatives to copying or downloading data from administrative systems and you have the appropriate permissions, then additional security controls must be implemented. Below are guidelines that must be followed:
• • If the data contains SSNs, you are Required to receive the approval of the ITPC to collect, store, use, disclose or transmit SSNs (email ITPC@edu.ecu).
  • Remove the confidential part of the information from the data if this is possible (e.g. SSN)
  • Store the data on a secure server if one is available (Caution - Departmental Web servers Do NOT have the required security to store sensitive data). Call the ITCS Helpdesk for assistance if you are unsure.
  • Encrypt data 
  • Password protect data
  • Physically protect devices that can be easily moved such as a PDA and Laptop that are used to access sensitive data
• Avoid creating databases or applications that use SSN as identifiers. Create a unique identifier that does not use SSN.
• Do not send un-encrypted sensitive data via email. Email messages can be intercepted by third parties or mistakenly sent to the wrong address.
• Never download or copy sensitive data to your home computer.
• Never store un-encrypted sensitive data on a portable device.
• Protect printed sensitive data. Store sensitive data in locked desk, drawer or cabinet. Don’t leave unattended sensitive data on copier, FAX or printer. Shred sensitive data that need to be disposed.
• Avoid social engineers who try to get you to share sensitive information over the phone or by other means.
• Secure your workstation and portable devices. Don’t let hackers or worms use your workstation to access sensitive data on other computers on the network.
• • Use strong passwords on all of your computer systems
  • Keep your computer updated with the latest security patches and antivirus definitions
  • Avoid Peer to Peer file sharing software (Kazaa, BearShare, etc.)
  • Do not download entertainment programs, applets and images from unreliable and unknown sources; you can download trouble (Trojans) with it
• Any computer containing sensitive data must be sanitized in accordance with the Disk Sanitization Policy before disposal or transfer of ownership.
• If your business unit administers a server that houses sensitive data, the following guidelines must be followed:
• • If SSNs are stored, ensure that you have ITPC approval for storing SSNs.
  • Administrator must apply the ITCS Server Security Template (Contact ITCS Helpdesk to request)
  • Ensure server is governed by an ITCS Service Level Agreement (Contact ITCS Helpdesk)
  • Server should be scanned for vulnerabilities (Contact ITCS Helpdesk to request)

Refer to the SSN Policy  web site for specific requirements concerning the collection, use and disclosure of SSNs and other personal identifying information.

Refer to the FERPA and HIPAA web sites for specific guidelines required by those federal regulations.

Contact ITCS Helpdesk @ 328-9866 or http://help.ecu.edu for assistance or for departmental security awareness training.                      

¹Sensitive Data Examples:

• Social Security number (SSN)
• credit & debit card number
• driver's license number
• personally identifiable patient information
• personally identifiable student information
• personnel information
• proprietary research data
• legal data