Information Computing and Technology Services

Guidelines for Protecting Sensitive Data

ECU users are responsible for the protection of any sensitive data in their custody. This includes electronic, print, voice or any other form in which the data is captured.

Examples of Sensitive Information

Social security numbers (SSN)
Credit/debit card numbers
Driver's license number
Personally identifiable patient information
Personally identifiable student information
Personnel information
Proprietary research data
Legal data

Working with Sensitive Data

Do not download sensitive data from ECU administrative systems to a desktop, laptop, Web server, smartphone, tablet or other device unless...

  • Absolutely required
  • Prior approval is obtained
  • Physical security controls are active on the device

General Guidelines

Approvals

Resources

See the following resources for specific policies, regulations and instructions for working with sensitive information. 

  • SSN Policy website outlines specific requirements concerning the collection, use and disclosure of SSNs and other personal identifying information (PII). Email ITPC@edu.ecu for more information.

  • Institutional Review Board (IRB) rules for collecting sensitive information for research.

  • Refer to the FERPA and HIPAA websites for specific guidelines required by those federal regulations.

  • Contact the IT Help Desk at 252.328.9866/800.304.7081 for assistance or for departmental security awareness training.

  • See this easy-to-read grid for the proper storage and transmission of sensitive data.

Data Usage

  • Removing the confidential elements from a record (redaction) makes the remaining information less sensitive and safer to handle.
  • Restrict access to authorized users only.
  • Avoid creating databases or applications that use SSN or protected patient information as record identifiers. Create a unique identifier instead.
  • Encryption is required when sensitive information is emailed outside the ECU network. See the Data Loss Prevention website for details.
  • Encryption is not required if sensitive information is emailed within the ECU network.
  • Do not send sensitive information through text messages, chat sessions or social media such as Facebook and Twitter.
  • Download and run the Identity Finder tool (available to users April 15, 2015) to discover and remove sensitive information from your desktop or laptop.
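The discovery step above, as an added example (not ECU's page content and not the Identity Finder tool): a small scanner that locates SSN and payment card numbers in text, validates each candidate so that obvious false positives are dropped, and reports only masked values. The sample text is constructed for the example; the validity rules are the SSA's never-issued ranges (area 000, 666, 900-999; group 00; serial 0000) and the Luhn mod-10 checksum for card numbers. A `redact` helper shows the "remove the confidential part" guidance by replacing validated hits with placeholders.

```python
"""Locate and mask SSNs and payment card numbers in text (added example)."""
import re

# Constructed sample standing in for a file found on a user's desktop.
SAMPLE_TEXT = """\
Student roster export (constructed sample)
Jane Doe, SSN 123-45-6789, card 4111 1111 1111 1111
Order #000-00-0000 is not an SSN; 1234-5678 is a phone fragment
Card 4111 1111 1111 1112 fails the Luhn check and is not reported
"""

SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
# 13 to 19 digits, optionally separated by single spaces or hyphens.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def ssn_plausible(area: str, group: str, serial: str) -> bool:
    """Reject values the SSA never issues: area 000, 666 or 900-999,
    group 00 and serial 0000."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return group != "00" and serial != "0000"


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def _card_digits(match: "re.Match") -> str:
    """Return the digit string of a card candidate, or '' if it is not valid."""
    digits = re.sub(r"[ -]", "", match.group(0))
    return digits if 13 <= len(digits) <= 19 and luhn_ok(digits) else ""


def find_sensitive(text: str) -> list:
    """Return findings as dicts with kind, line number and a masked value.
    The raw value is never returned, so the report itself is safe to log."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        candidates = []
        for m in SSN_RE.finditer(line):
            if ssn_plausible(*m.groups()):
                candidates.append((m.start(), "ssn", "***-**-" + m.group(3)))
        for m in CARD_RE.finditer(line):
            digits = _card_digits(m)
            if digits:
                masked = "*" * (len(digits) - 4) + digits[-4:]
                candidates.append((m.start(), "card", masked))
        for _start, kind, masked in sorted(candidates):
            findings.append({"kind": kind, "line": line_no, "masked": masked})
    return findings


def redact(text: str) -> str:
    """Replace validated hits with placeholders so a copy can be kept
    without the confidential values."""
    def _ssn(m):
        return "[SSN]" if ssn_plausible(*m.groups()) else m.group(0)

    def _card(m):
        return "[CARD]" if _card_digits(m) else m.group(0)

    return CARD_RE.sub(_card, SSN_RE.sub(_ssn, text))


if __name__ == "__main__":
    for hit in find_sensitive(SAMPLE_TEXT):
        print(f"line {hit['line']}: {hit['kind']} {hit['masked']}")
    print(redact(SAMPLE_TEXT))
```

Run against the sample, the scanner reports one SSN and one card number on line 2 and skips the all-zero SSN, the phone fragment and the card number with a bad checksum. Validation before reporting matters in practice: a pattern-only scan over a large file share produces far more noise than real findings, and a report that prints full values recreates the problem it is meant to find.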

Disposal

  • Computers containing sensitive data must be sanitized in accordance with the Disk Sanitation Policy before disposal or transfer of ownership.

Download and Storage

  • This information grid gives specific rules for storage and transmission of sensitive information.
  • Piratedrive is approved for storage of sensitive data.
  • Storage of credit or debit card information is prohibited anywhere on the ECU network.
  • Never store sensitive information on a Web server.
  • Never download or copy sensitive data to your home computer.
  • Never store unencrypted sensitive data on any portable device; see the mobile device management website for guidance on storing sensitive data on a mobile device.
  • Store printed sensitive data in a locked desk, drawer or cabinet.

Physical Security

Electronic
  • Enable encryption on desktops, laptops, portable and storage devices.
  • Physically secure devices that are easily lost or stolen, such as smartphones, iPads and laptops.
  • Set passwords on desktops and laptops.
  • Lock devices when not in use.
  • Configure the AirWatch app on mobile devices.
  • Regularly update operating systems and browsers.
  • Keep devices updated with the latest security patches and antivirus definitions.
  • Avoid peer-to-peer file sharing software (Kazaa, BearShare, etc.) on devices that access sensitive data.
  • Do not download entertainment programs, applets or images from unreliable or unknown sources; malware such as Trojans is often bundled with them.

Paper, CD/DVD or other Physical Media
  • Shred sensitive data for disposal.
  • Do not leave sensitive data unattended on your desk, copier, fax or printer.
  • Be alert to social engineers who try to manipulate you into sharing sensitive information over the phone or by other means.

Servers (Departments)

  • Administrators must apply the ITCS Server Security Controls to all servers and meet the minimum security requirements.
  • Ensure the server is governed by an ITCS Service Level Agreement.
  • Ensure the server administrator completes the Server Administrators Security Best Practices course in Blackboard.
  • Scan the server for vulnerabilities as required by the ITCS standard.

Contact Us

ITCS Admin - 252.328.9000
IT Help Desk - 252.328.9866
IT Help Desk - 800.340.7081
Classroom Tech - 252.328.9830
ITCS Leadership - 252.328.9000
