ECU users are responsible for the protection of any sensitive data in their custody. This includes electronic, print, voice or any other form in which the data is captured.
- Social security numbers (SSN)
- Credit/debit card numbers
- Driver's license number
- Personally identifiable patient information
- Personally identifiable student information
- Proprietary research data
Do not download sensitive data from ECU administrative systems to a desktop, laptop, Web server, smartphone, tablet or other device unless...
- Identity Theft Protection Committee (ITPC) approval is REQUIRED to collect, store, use, disclose or transmit SSNs
See the following resources for specific policies, regulations and instructions for working with sensitive information.
- Removing the confidential part of the information could make the information more secure.
- Restrict access to authorized users only.
- Avoid creating databases or applications that use SSN or protected patient information as record identifiers. Create a unique identifier instead.
- Encryption is required when sensitive information is emailed outside the ECU network. See the Data Loss Prevention website for details.
- Encryption is not required if sensitive information is emailed within the ECU network.
- Do not send sensitive information through text, chat sessions or social media such as Facebook and Twitter.
- Download and run the Identity Finder tool (available to users April 15, 2015) to discover and remove sensitive information from your desktop or laptop.
- Computers containing sensitive data must be sanitized in accordance with the Disk Sanitation Policy before disposal or transfer of ownership.
Download and Storage
- This information grid gives specific rules for storage and transmission of sensitive information.
- Piratedrive is approved for storage of sensitive data.
- Storage of credit or debit card information is prohibited anywhere on the ECU network.
- Never store sensitive information on a Web server.
- Never download or copy sensitive data to your home computer.
- Never store unencrypted sensitive data on any portable device - see the mobile device management website on storing sensitive data on a mobile device.
- Store printed sensitive data in a locked desk, drawer or cabinet.
- Enable encryption on desktops, laptops, portable and storage devices.
- Physically secure devices that are easily lost or stolen, such as smartphones, iPads and laptops.
- Set passwords on desktops and laptops.
- Devices should be locked when not in use.
- Configure the AirWatch app on mobile devices.
- Regularly update operating systems and browsers.
- Keep devices updated with the latest security patches and antivirus definitions.
- Avoid peer-to-peer file sharing software (Kazaa, BearShare, etc.) on devices that access sensitive data.
- Do not download entertainment programs, applets and images from unreliable and unknown sources; you can download trouble (Trojans) with them.
Paper, CD/DVD or other Physical Media
- Shred sensitive data for disposal.
- Do not leave sensitive data unattended on your desk, copier, fax machine or printer.
- Avoid social engineers who try to manipulate you into sharing sensitive information over the phone or by other means.
- The administrator must apply the ITCS Server Security Controls to all servers and meet minimum security requirements.
- Ensure the server is governed by an ITCS Service Level Agreement.
- Ensure the server administrator completes the Server Administrators Security Best Practices course in Blackboard.
- The server should be scanned for vulnerabilities as required by the ITCS standard.