Securing Sensitive Information
Management of Portable Media Devices and Sensitive Documents
The University must take every reasonable precaution to secure both sensitive personal data and paper records, under federal and state law. Threats to the security of sensitive items come in several forms and each threat must be dealt with a unique counter measure. An important element in Information Security is an effective on going security education and training program. The CSU system has access to a number of security training programs available online at http://csuso.cosaint.net, such as Security of Mobile Devices, along with a general awareness program. All members of the campus community with access to sensitive personal data will take the Information Security Awareness program within csuso.cosaint.net. These individuals will be identified by the University's Information Security Officer. Initial training through Cosaint will be followed up annually by visits from the security officer to document ongoing efforts to secure sensitive data. Access to these programs can be arranged via the HR office on campus.
Sensitive data: Any information, which through loss, unauthorized access, or modification could adversely affect the privacy of individuals. For example: security numbers (SSN), driver's license number, credit card number, bank account number, tax information, date and location of birth, and all such personally identifiable information as specified under FERPA, and counseling records.
Portable Device: An electronic device that is capable of storing data. A portable media device includes, but is not limited to laptop and desktop computers, USB storage devices, DVD, CDs, tape or portable hard-drives. Also included are point of sale or (POS) devices used to process credit cards.
The most effective procedure to limit exposure of Sensitive Data is to consolidate storage of this information in a secure environment. Eastern's policy will prohibit the storage of Sensitive Data on any portable media devices. All digital material of a sensitive nature required for business operations will be stored on a designated network server drive, with password protection, within the University's secure datacenter. If necessary, this data will be encrypted to further enhance security. The university will not allow this data to be removed from the network drive and placed on a portable device. However, remote access is possible if a legitimate business requirement exists.
The use of Virtual Private Network (VPN) for remote access to data on Eastern's servers over the Internet will be required instead of copying information to portable media. Training on the use of the VPN and other technologies will be provided by ITS. When employees are off campus and engaged in the VPN accessing sensitive material, they must never leave the computer unattended. This may result in compromising data shown on the screen.
No data will be transmitted from the University without taking appropriate security measures. For example, Sensitive Data cannot be transmitted via EMAIL unless encrypted. Encryption devices can be obtained from ITS. Transmitting data to a third party or contractor will require a legal review and contract language stipulating the data must be destroyed at the end of the contract period or when the project is complete, whichever is sooner.
Several offices on campus are required to maintain paper and digital copies of important records which contain sensitive personal data. Paper and digital records must be secured and access limited to a need to know basis when conducting official University business. The paper records will be secured in a lockable cabinet. The cabinet will be located on University property with the office area having lockable doors and windows. All records will be destroyed based on the state of Connecticut records retention schedule using an approved contractor or on campus shredding machines.
Whenever an ECSU computing device, storage media, including but not limited to laptops and desktop computers, is found missing, stolen or lost, the individual responsible for the device or media will report the loss to his or her supervisor and the Information Security Officer within one hour of ascertaining the loss. In the event of a breach, the CIO will process the event following the Universities ITS Incident Response Team protocol to ensure a full record of the event is documented.
Paperwork will subsequently be filed with the Property Control Unit to appropriately track the asset. The president and Chancellor will be notified through a separate reporting channel, by the CIO.
If there is a compelling business need to store Sensitive Data on a portable media device the following actions must be completed. The respective area Vice President will conduct and document a risk analysis outlining the threats, benefits and counter measures for allowing Sensitive Data to be stored on a portable media device. The business case and risk assessment will then be presented to the President or designee for review and authorization. Unless it cannot be done, Sensitive Data stored on portable media will be encrypted with a CSUS-approved encryption method.
Information Security Officer: Walt Zincavage, email@example.com, 860-465-4363
Chief Information Officer: Joseph Tolisano, firstname.lastname@example.org, 860-465-0075, Cell: 860-539-4916
Associate CIO: Brenda Whalen, email@example.com, 860-465-5525
April 28, 2008