Guidelines for Protecting Sensitive Data
You are responsible for the protection of any sensitive data1 in your custody. The improper disclosure of sensitive data can cause harm and embarrassment to students, faculty, staff and the university. Breaches of certain sensitive data subject the university to fines and/or criminal penalties and harm to its reputation.
Per ECU Policy, you must receive authorization from the Identity Theft Protection Committee (ITPC) to collect, use, store, disclose or transmit SSNs. If you collect, use, store, disclose or transmit SSNs, email the Identity Theft Protection Committee at ITPC@ecu.edu for approval.
We must protect sensitive data in its many forms; examples include electronic, printed, voice, fiche, etc.
Below are a few guidelines to help protect sensitive data:
- Avoid copying or downloading sensitive data from the university’s administrative systems to your PC, Web server, smartphone, iPad, laptop, etc., unless absolutely required and with proper encryption, security controls and approvals. The university’s administrative systems have implemented security controls to protect sensitive data that may not be available on other systems.
- Download of patient information (HIPAA), credit or debit card information (PCI), and SSNs require additional approvals and safeguards. Ensure you have permission from your department administration and ITPC (SSN) prior to downloading. Other personally identifiable information that can lead to identity theft must also be protected. Call the IT Help Desk at 252.328.9866/800.340.7081 for assistance.
- If there are no other viable alternatives to copying or downloading data from administrative systems and you have the appropriate permissions, then additional security controls must be implemented. Please follow these guidelines:
- If the data contains SSNs, you are required to receive the approval of the ITPC to collect, store, use, disclose or transmit SSNs (email ITPC@edu.ecu).
- Remove the confidential part of the information from the data if this is possible (e.g. SSN, patient identifiers, personal identifiable information, etc.).
- Store the data on a secure server, if one is available, or the university Piratedrive (Caution - departmental Web servers DO NOT have the required security to store sensitive data). Call the IT Help Desk at 252.328.9866/800.340.7081 for assistance if you are unsure.
- Only allow authorized individuals to access sensitive data.
- Encrypt data saved on a local computer, portable device or storage device.
- Password protect ECU data.
- Physically protect devices that can be easily moved such as a smartphones, iPads, and laptops.
- Avoid creating databases or applications that use SSN or protected patient information as identifiers. Create a unique identifier that does not use protected identifiers.
- Do not send unencrypted sensitive data via email, text, chat sessions, and any other electronic means of communication such as Facebook, Twitter, etc. No sensitive data should be sent external to ECU, unencrypted. Information can be intercepted by third parties or mistakenly sent to the wrong address.
- Never download or copy sensitive data to your home computer.
- Never store unencrypted sensitive data on any portable device.
- Protect printed sensitive data. Store sensitive data in a locked desk, drawer or cabinet. Don’t leave unattended sensitive data on your desk, copier, FAX or printer. Shred sensitive data for disposal.
- Avoid social engineers who try to get you to share sensitive information over the phone or by other means.
- Secure your workstation and portable devices. Don’t let hackers or worms use your workstation to access sensitive data on other computers on the network.
- Use strong passwords on all of your computer systems.
- Keep your computer updated with the latest security patches and antivirus definitions.
- Avoid peer-to-peer file sharing software (Kazaa, BearShare, etc.) on devices that access sensitive data.
- Do not download entertainment programs, applets and images from unreliable and unknown sources; you can download trouble (Trojans) with it.
- Any computer containing sensitive data must be sanitized in accordance with the Disk Sanitization Policy before disposal or transfer of ownership.
- If your business unit administers a server that houses sensitive data, the following guidelines must be followed:
- If SSNs are stored, ensure that you have ITPC approval for storing SSNs.
- Administrator must apply the ITCS Server Security Controls to all servers and meet minimum security requirements (Contact ITCS Help Desk at 252.328.9866/800.340.7081 to request assistance).
- Ensure server is governed by an ITCS Service Level Agreement (Contact ITCS Help Desk at 252.328.9866/800.340.7081 to request assistance).
- Ensure server administrator completes the Server Administrators Security Best Practices course in Blackboard (Contact ITCS Help Desk at 252.328.9866 to request assistance).
- Server should be scanned for vulnerabilities as required by ITCS standard (Contact the IT Help Desk at 252.328.9866/800.340.7081 to request assistance).
Refer to the SSN Policy website for specific requirements concerning the collection, use and disclosure of SSNs and other personal identifying information.
Contact IT Help Desk at 252.328.9866/800.304.7081 or http://help.ecu.edu for assistance or for departmental security awareness training.
1Sensitive Data Examples:
- Social Security number (SSN)
- credit & debit card number
- driver's license number
- personally identifiable patient information
- personally identifiable student information
- personnel information
- proprietary research data
- legal data