Guidelines for handling Sensitive Information
Applicable to All Employees and Users of University Networked Resources
The University of Toledo is responsible
for collecting, storing, and distributing very large amounts of information. Some
of this information is federally legislated as private and must
be protected in accordance with laws such as the Family Education Rights and Privacy
Act (FERPA) of 1974 (for student records), the
Gramm-Leach-Bliley Act (GLBA) of 1999 (for personal financial information), and the
Health Insurance Portability and Accountability Act (HIPAA)
of 1996 (for personally identifiable health information). In accordance with the
Responsible Use of Information Technology Policyall
of us--faculty members, custodians, administrative assistants, secretaries, computer
support staff--have a responsibility to protect information
about our patients and students from public disclosure. It doesn't matter whether
this information is on the network computer, on a printout, a
computer screen, a diskette, a CD-ROM, etc.
Information that is classified as “sensitive” must be protected and cannot be disclosed or disseminated to the public (people who are not employees of the university). Much of the information about our patients and students is considered sensitive.
Examples of sensitive information include, but are not limited to:
Social security number | Birth date |
Home phone number | Home address |
Health information | Student grades |
Gender | Ethnicity |
Citizenship | Citizen visa code |
Veteran and disability status | Courses taken |
Schedule | Test scores |
Advising records | Educational services received |
Disciplinary actions | Patient records |
General Responsibilities for All Users
Use of any university computing resource serves as acceptance of UT's computing and security policies and practices. Faculty, staff, physicians, and students agree to abide by the policies and procedures that govern the use of the University's automated information systems, and will accept the responsibility to protect information as described within FERPA, HIPAA, the Responsible Use of Information Technology, security policies and procedures of UT as well as other applicable federal and state laws. Training opportunities should be taken advantage of as necessary in order to fully understand and fulfill these responsibilities.
Violations of University policies and applicable state or federal laws are cited in University policies, handbooks, or other guides. Penalties for violations oftheUniversity policy range from loss of computer resource usage privileges to dismissal from the University; and, may also include prosecution, and/or civil action.
Know the Basics of Information Security
- Review and comply with the Responsible Use of Information Technology. Learn about possible Security Problems and understand the implications for the information that you are responsible for!
- Review State and Federal laws governing computing standards and crimes.
- Report security incidents and concernsimmediately.
- Use the University computer resources responsibly, respecting the needs of other computer users.
Information Safeguards
All employees and users of network computing resources at UT have a role in protecting the University's information assets because their machines provide potential gateways to sensitive information stored on the network. Therefore, whether or not you deal directly with sensitive or confidential University information, you should take the following steps to reduce risk to UT’s information assets.
General Guidelines for protecting Sensitive Data
- When in doubt don't give it out!
- Identify information as "SENSITIVE" on the print-out pages, diskette, screen, etc.
- All external University email correspondence (sent to addresses other than those at
utoledo.edu) containing PHI, SSNs, Credit Card numbers or
other sensitive personal information should be encrypted prior to transmission (see
UT Electronic Mail Services Policy.)
- Instructions for sending encrypted email are available by clicking
here.
- Instructions for sending encrypted email are available by clicking
here.
- Use special care when posting grades (assign random numbers, do not use part of Social Security numbers).
- Do not leave paper documents containing sensitive information unattended; protect them from the view of passers-by or office visitors.
- Store paper documents containing sensitive information in locked files.
- Do not leave the keys to file drawers containing confidential information in unlocked desk drawers or other areas accessible to unauthorized personnel.
- Shred confidential paper documents that are no longer needed, and secure such documents until shredding occurs. If a shredding service is employed, ensure that the service provider has clearly defined procedures in the contractual agreement that protects discarded information, and that the provider is legally accountable for those procedures, with penalties in place for breach of contract.
- Make arrangements to immediately retrieve or secure sensitive documents that are printed on copy machines, fax machines, and printers.
- Restrict access of information and systems to people who need it to perform their jobs.
- Regularly review list of users who have access to systems that contain sensitive information.
- Test internal processes to ensure data integrity and security.
Physical Security of Sensitive Data
The physical security of computing resources (computers, equipment, files, etc.) is actually the first principle of good security, because as long as someone can obtain physical access to your computer he/she can gain control over it. By instituting a few simple safeguards, you can greatly limit security breaches and other unauthorized access to computing resources. Here are a few helpful hints to safeguard the physical security of items that are your responsibility:
- Do not store sensitive data on local computer hard drives (laptops or desktops), external
hard drives, or USB flash memory drives.
- Storing data on network drives such as your H: drive or departmental shares eliminates the risk of data loss should the computer be lost or stolen and ensures that that your data is backed up.
- If sensitive data must be stored on local computer hard drives, external hard drives, or flash memory drivesit must be encrypted using IT Security-approved encryption methods.
- Close and lock your office door every time you leave.
- Never allow another person to use your computer account.
- Log out when you leave your computer for long periods of time and “lock” your computer every time that you leave your computer.
- Use security devices to lock down computers that are in public or otherwise unsecured spaces.
- Restrict the number of keys to your office.
- Know who accesses your office. (It may be necessary to maintain an attendance log for high security areas.)
- Use a screen-saver that requires a password to get back into your computer after the screen saver activates.
- Workstation screens should not be visible to anyone but the authorized user of secure documents.
- Keep your passwords and computer ID's a secret.
- Report suspicious looking persons or activity to the UT Police department.
- Express any concerns about physical security to your supervisor.
Your UT Accounts and Passwords
The following standards were established to create and maintain strong passwords. Inclusion of all of the following in password composition will ensure that your password will be at a low risk for compromise.
- Your password will expire every 180 days.
- You will not be allowed to use the same password when it expires. IT will maintain a history of the last10 passwords.
- Password complexity requirements include:
-
- The use of both letters and numbers (which can include special characters ($ * !)
- The useof upper and lower case letters
- The inclusion of at least two numbers
- Aminimum of eight characters in length
- Your account has been protected from intruders who attempt to guess your password. After 5 failed password attempts, your account will be locked in order to prevent further unauthorized access attempts.
The following is a list of suggestions for keeping your password secure:
- Choose good passwords, and keep them secret. Passwords are confidential too!
- Select a password your can remember. For example, use the first (or second, or last, ...) letter of each word in a phrase: "The quick fox jumped over the lazy dog" might yield a password of "Tqfj^1ld".
- Don't use a common word, GoRockets, a friend's name, a pet's name, your nickname, etc. Co-workers, friends, and even casual acquaintances, may know this information.
- Use a different password for each system.
- Remember to destroy any paperwork that lists your ID and password.
- Change your password when you suspect that someone else may know it.
- Never write down a password.
- Do not attach the password to a monitor, keyboard, or any part of a computer.
- Never record a password on-line, and never send a password to another person via electronic mail.
- If you forget your password, or when your password expires, go to myutaccount.utoledo.edu to reset it.
Protecting the Integrity of Information
- Apply system updates to your operating system and application software on a regular basis.
- Always have your anti-virus software running and the data definitions up to date.
- Make sure that computers are reformatted by Desktop Support prior to them going to surplus property to ensure that data is removed and not recoverable. Deleting files, moving files to "trash," and emptying the "trash" file is insufficient because the files can still be recovered.
- Ensure that functions that enable data sharing on an individual workstation are either turned off or set to allow access only to authorized personnel.
- Encrypt sensitive files. Use IT Security-approved encryption methods only.
- Ensure that remote access (from off campus) connections are done securely using SSH or VPN.
Protecting E-Mail
- Understand that e-mail is not secure; it can be forged, and it does not afford privacy.
- Do not open unexpected e-mail attachments, and do not download documents or software from unknown parties.
- Clear e-mail boxes of old messages on a regular basis.
- Password protect your Outlook Personal Folder (.pst file).
- Take precautions not to send anything by e-mail that you wouldn't want disclosed to unknown parties. Recipients have been known to distribute information to unauthorized recipients or store it on unsecured machines, and viruses have been known to distribute archived e-mail messages to unintended recipients.
- All external University email correspondence (sent to addresses other than those at
utoledo.edu) containing PHI, SSNs, Credit Card numbers or
other sensitive personal information should be encrypted prior to transmission (see
UT Electronic Mail Services Policy.)
- Instructions for sending encrypted email are available by clicking here.
Secure Mobile & Cellular Devices
- Information stored on laptop computers, personal organizers (e.g., Blackberry, Palms), cellular phones, thumb drives, and other similar mobile devices are susceptible to equipment failure, damage, or theft. Information transmitted via wireless connections is not always secure - even networks using encryption are vulnerable to intruders.
- Protect and secure mobile devices from theft at all times.
- Use internal firewalls and strong authentication when transmitting information via wireless technologies.
- Use personal firewalls on laptops that will access the UTNET from a remote location.
- Back up the data on your mobile devices on a regular basis.
- Change batteries on mobile devices as soon as the "low battery" prompt appears to avoid losing information, configurations, and settings.