ECU users are responsible for the protection of any sensitive data in their custody. This includes electronic, print, voice or any other form in which the data is captured.
Examples of Sensitive Information
- Social security numbers (SSN)
- Credit/debit card numbers
- Driver’s license number
- Personally identifiable patient information
- Personally identifiable student information
- Personnel information
- Proprietary research data
- Legal data
Working with Sensitive Data
Do not download sensitive data from ECU administrative systems to a desktop, laptop, web server, smartphone, tablet or other device unless…
- Absolutely required
- Prior approval is obtained
- Physical security controls are active on the device
General Guidelines
Approvals
Resources
See the following resources for specific policies, regulations and instructions for working with sensitive information.
Data Usage
- Removal of the confidential part of the information could make the information more secure.
- Restrict access to authorized users only.
- Avoid creating databases or applications that use SSN or protected patient information as record identifiers. Create a unique identifier instead.
- Email encryption is required when sensitive information is emailed outside the ECU network. See the email encryption website for details.
- Email encryption is not required if sensitive information is emailed within the ECU network.
- Do not send sensitive information through text, chat sessions or social medial such as Facebook, and Twitter.
- Download and run the Identity Finder tool to discover and remove sensitive information from your desktop or laptop.
Disposal
- Computers containing sensitive data must be sanitized in accordance with the Disk Sanitation Policy before disposal or transfer of ownership.
Download and Storage
- This information grid gives specific rules for storage and transmission of sensitive information.
- Piratedrive network storage and OneDrive cloud storage are approved for storage of sensitive data.
- Storage of credit or debit card information is prohibited anywhere on the ECU network.
- Never store sensitive information on a Web server.
- Never download or copy sensitive data to your home computer.
- Never store unencrypted sensitive data on any portable device – see the mobile device management service on storing sensitive data on a mobile device.
- Always store printed sensitive data in a locked desk, drawer or cabinet.
Physical Security
- Electronic
- Enable encryption on desktops, laptops, portable and storage devices.
- Physically secure devices easily lost or stolen such as a smartphones, iPads and laptops.
- Set passwords on desktops and laptops.
- Devices should be locked when not in use.
- Configure the Microsoft Intune app on mobile devices. See these instructions from Microsoft.
- Regularly update operating systems and browsers.
- Keep devices updated with the latest security patches and antivirus definitions.
- Avoid peer-to-peer file sharing software on devices that access sensitive data.
- Do not download entertainment programs, applets and images from unreliable and unknown sources; you can download embedded malware with it.
- Paper, CD/DVD or other physical media
- Shred sensitive data for disposal.
- Do not leave unattended sensitive data on your desk, copier, FAX or printer.
- Avoid social engineers who try to manipulate you into sharing sensitive information over the phone or by other means.
Servers (Departments)
- Administrator must apply the ITCS Server Security Controls to all servers and meet minimum security requirements.
- Ensure the server is governed by an ITCS Service Level Agreement.
- The server should be scanned for vulnerabilities as required by ITCS standard.