Protection of Sensitive Data

POLICY INFORMATION
Major Functional Area (MFA): Finance and Administration
Policy Title: Protection of Sensitive Data
Responsible Executive (RE): Vice President for Finance and Administration
Sponsoring Organization (SO): Information Technology Services
Dates: Effective Date: August 17, 2009 Revised:
Annual Review: August 17, 2010


I. INTRODUCTION

The Idaho State University (ISU) Protection of Sensitive Data policy defines and establishes the practices and standards required by the University for secure, electronic storage of sensitive data and information. Sensitive data resides on ISU's information technology (IT) systems, which may include, but are not limited to, information systems, networking and telecommunications systems, data processing hardware and software, data transmission equipment and transmission media, and data storage devices. It may also reside on department or college servers, or on individual employees' computer hard drives or other storage media. Sensitive data includes information or data processed, stored, or transmitted across ISU's IT systems, as well as department or college systems. This policy applies to all University employees and/or individuals accessing or processing University data.

The following policies are incorporated into this policy by reference:

II. POLICY STATEMENT

  • Idaho State University is strongly committed to maintaining the privacy and security of confidential personal information and other sensitive data it collects. Accordingly, the University expects all who use and/or store such information and data to treat these data with the utmost care. This expectation arises from the various University policies, federal and state laws and regulations, and contractual obligations that govern how sensitive data must be protected. This policy identifies specific requirements that must be met by all who use and/or store sensitive data on electronic devices or electronic media, regardless of whether such media are owned by the University or the individual. This policy does not supplant any other policies, legal requirements, or contractual obligations.
  • Authorized Users (see definitions) of ISU's IT system (see definitions) must not retain Private Sensitive Information (see definitions) on non ITS-managed electronic devices or electronic media unless the following three conditions have been met:
    • The Authorized User must justify in writing to the Dean, Department Chair, or Vice President why having Private Sensitive Information stored locally is absolutely necessary to conduct the business of the institution and to perform his or her official duties; and
    • The Dean, Department Chair, or Vice President must grant written permission to the Authorized User, with a copy being sent to the departmental System Administrator (see definitions) and to ITS. While permission is not required to retain student grades, letters of recommendation, patentable research findings, etc., that are used regularly in the performance of faculty and staff duties, the Authorized User must exercise the same Reasonable Security Precautions (see definitions) to secure the data as if written permission were required.
    • The Authorized User must exercise Reasonable Security Precautions to secure the Private Sensitive Information that resides on non ITS-managed electronic devices or electronic media.
  • Private Sensitive Information transferred electronically, other than via fax, must be conveyed using an encrypted method as defined under Reasonable Security Precautions. When sending Private Sensitive Information by fax it must be clearly marked as confidential. Every effort should be made to ensure that only the intended recipient has access to the faxed information.

III. AUTHORITY AND RESPONSIBILITIES

The author of this policy is the ISU Department of Information Technology Services (ITS). The ISU Security Working Group, in conjunction with representatives from the ISU Office of the Provost and Vice President for Academic Affairs and the Office of the Vice President for Finance and Administration, reviews all changes and updates. Final approval and execution rests with the President of ISU in consultation with university counsel.

IV. DEFINITIONS

For purposes of this policy governing the use of information technology systems and Private Sensitive Information at ISU, the following definitions are applicable.

  • Authorized Users: Include but are not limited to faculty, staff, students, contractors, and guests that are in good standing with ISU and have a valid account for accessing ISU's IT system.
  • Confidentiality: The state where information can be viewed only by entities that have been authorized to view it. Such authorization may or may not come from the owner or individual.
  • Crack, or Crackable (as in passwords): A program for discovering passwords that encrypts strings of characters and compares the encrypted text against a file of encrypted passwords. If the two encrypted strings are the same, the string of characters is a valid password.
  • Due Process: The procedures and practices established and approved by ISU, including notice and an opportunity to be heard, prior to suspension or removal of user privileges where reasonably practicable, and where not reasonably practicable, or in the event of an emergency, as soon thereafter as may be reasonable under the circumstances.
  • Information Technology Administrator (ITA): the person or office charged with ensuring proper administration and maintenance of ISU's information technology system. The ITA is appointed by the Office of the President. The ITA position may be filled by, but is not limited to, the Chief Information Officer, the Chief Information Security Officer, Information Technology Services and/or other entities designated by the Office of the President.
  • ISU's IT system: includes, but is not limited to, information systems, networking and telecommunications systems, data processing hardware and software, data transmission equipment and transmission medium, and data storage devices. It also includes stand-alone systems in use by colleges or departments.
  • Private Sensitive Information:
    • Personal information that, if compromised, could lead to identity theft. Personal information means the first name or first initial and last name of an individual, in combination with and linked to any one or more of the following data elements about the individual:

      • Social security number;
      • Driver's license number or state identification card number issued in lieu of a driver's license number;
      • Passport number; or
      • Financial account number, credit card or debit card number, or financial account access codes.
    • Student record information protected by FERPA. ISU Student Records are maintained in accordance with the Family Educational Rights and Privacy Act (FERPA) (20 U.S.C. 1232g; 34 CFR Part 99). This includes student education records combined in any way with any unique identifying number, characteristic, or code that makes a student's identity easily traceable.
      For information and guidance on Student Records contact the University Office of the Registrar, or their Website, and the U.S. Department of Education.
    • Health information protected by HIPAA.
      • ISU maintains "individually identifiable health information" in accordance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) (45 CFR Parts 160, 162, and 164). HIPAA was designed to improve people's access to health care, as well as provide requirements for health care providers and health plans (insurers) to more efficiently and securely share health care data and information. Under HIPAA, Protected Health Information (PHI) is confidential, personal, identifiable health information about individuals that is created or received by a health care provider or health plan and is transmitted or maintained in any form. Data gathered during a patient-provider relationship is considered PHI. "Identifiable" means that a person reading this information could reasonably use it to identify an individual. HIPAA affects many of the University's clinics which provide health care. However, other ISU units may have access to and/or receive certain health information and also have responsibilities under HIPAA (for example, those units performing research and education). The University is committed to protecting the confidentiality of patient information and complying with Federal and State regulations regarding PHI.
      • Health records maintained in student files, i.e., immunization history, that are provided by the student for educational purposes are not considered PHI. Such information becomes part of a student record and is covered by FERPA.
        For information and guidance on HIPAA protected data visit: http://www.isu.edu/security/hipaa.html, http://www.isu.edu/ucounsel/hipaa.shtml, and http://www.hhs.gov/ocr/hipaa/.
  • Reasonable Security Precautions:
    Individuals creating, maintaining, using or disseminating private sensitive information must take reasonable precautions to protect it from loss, misuse, unauthorized access or disclosure, and unintended alteration or destruction.
    For more information and guidance on security precautions required by Idaho State University visit: http://www.isu.edu/security/precautions.html or see Attachment A below.
  • Privacy: the expectation that activities and information stored on a network will not be known by any other individual or entity on the network without authorization or permission of the owner.
  • SPAM: Unsolicited "junk" e-mail sent to large numbers of people to promote products or services. Sexually explicit unsolicited e-mail is called "porn spam." Also includes inappropriate promotional or commercial postings to discussion groups or bulletin boards.

  • System Administrator: an individual designated by the appropriate dean or director charged with administration of local systems that are attached to ISU's IT system. The ITA is notified of such appointments.

PRESIDENTIAL CERTIFICATION

Approved: Arthur C. Vailas, President, Idaho State University
Date: June 26, 2009

Attachment A: Security Precautions

  1. Check computing devices at least weekly for compliance with respect to all available operating system and application service packs, patches and hotfixes.
  2. If the computing device requires an initial setup or installation, this must be done without the computing device having direct access to the Internet. Many computing devices can be compromised before they are fully installed and patched if they are connected directly to the Internet without some form of protection.
  3. Whenever user accounts can be created as a means of granting access to a computing device, such accounts must be created, with a unique, non-generic account being given to each user needing access. Verify at least once each semester that all users (and especially those users with administrative rights) have strong passwords. Disable default anonymous or generic accounts. This is often required by law if the system houses sensitive data.
  4. Ensure that account permissions provide sufficient access to perform job functions and no more. Check at least once during each semester that users have only the access permissions they need to do their job. If the computing device contains sensitive data that could be used for identity theft, this is required by law.
  5. Provide physical security:
    • Computing devices with sensitive information should be kept behind locked doors or in locked cabinets with access limited to only those individuals who have a legitimate need for access.
    • When there is no one working at or with a particular computing device, access to the device should be restricted by either locking the device away, logging out, or "locking" access to the console and keyboard so that a password or key is required to regain access.
    • The room where a computing device with sensitive data is used should be arranged in a way that unauthorized individuals cannot see how the device is accessed (combinations, passwords, etc.), nor is a screen easily viewed by unauthorized users in the event that sensitive data is being displayed.
    • Written evidence of user IDs and passwords should not be left lying around.
  6. Implement backup procedures:
    • Securely store all original installation media and license keys.
    • Create and maintain regular daily backup copies in encrypted format (see item 10 below) of at least the data files on the computing device.
    • Include some form of secure storage of backup media at a location owned and maintained by Idaho State University but physically separate from the location where the computing device being backed up resides.
    • Create and maintain a current emergency repair disk if possible.
    • Test your restore procedures at least weekly to verify that backups are valid and restorable.
  7. Use and maintain up-to-date anti-virus software and daily virus definition updates.
  8. Disable any unnecessary services:
    • Computing devices such as personal computers and servers often come with many default services enabled (such as e-mail). In many cases you do not need these services and they should be disabled.
    • Computing devices that can attach to a network also make use of communication "ports," many of which could become the path used by an attacker to gain unauthorized access to your system. You should block access to unneeded ports on your computing device. The most common blocking method used is a local firewall.
  9. Enable security logging on all computing devices that provide logging capabilities. Scan the security logs on a daily basis looking for anomalies. In certain cases (such as for systems containing sensitive information) this may be required by law.
  10. Store all Private Sensitive Information in an encrypted format using at a minimum a key length of 16 bytes (128 bits). This is often required in order to comply with various regulatory mandates. AES is the recommended algorithm.
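The daily log review called for in the security logging precaution is easier to sustain when the "anomalies" are written down as checks a script can run. The following Go program is an added illustration and is not part of the ISU policy or of any ISU tool; the log format, host names, account names and addresses are constructed for the example, and the thresholds and the list of generic accounts are assumptions a department would tune to its own systems. It flags three conditions that the precautions above call out: a burst of failed logins from one source, a successful login from a source that had already exceeded the failure threshold, and any successful login to a default or generic account that the accounts precaution says should be disabled.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// sampleLog is a constructed excerpt of one day's authentication log.
// It is not from a real ISU system; addresses are documentation ranges.
const sampleLog = `2009-08-17T02:14:05Z host1 sshd: Failed password for admin from 203.0.113.9
2009-08-17T02:14:07Z host1 sshd: Failed password for admin from 203.0.113.9
2009-08-17T02:14:09Z host1 sshd: Failed password for root from 203.0.113.9
2009-08-17T02:14:12Z host1 sshd: Failed password for jdoe from 203.0.113.9
2009-08-17T02:14:15Z host1 sshd: Failed password for jdoe from 203.0.113.9
2009-08-17T02:14:20Z host1 sshd: Accepted password for jdoe from 203.0.113.9
2009-08-17T08:01:44Z host1 sshd: Accepted password for asmith from 198.51.100.4
2009-08-17T08:30:02Z host1 sshd: Failed password for asmith from 198.51.100.4
2009-08-17T09:12:10Z host1 sshd: Accepted password for guest from 192.0.2.77`

// lineRE matches the constructed log format: timestamp, host, outcome, user, source.
var lineRE = regexp.MustCompile(`^(\S+) (\S+) sshd: (Accepted|Failed) password for (\S+) from (\S+)$`)

// Event is one parsed authentication attempt.
type Event struct {
	Time, Host, Outcome, User, Source string
}

// Finding is one anomaly the daily review should look at.
type Finding struct {
	Kind, Detail string
}

// failThreshold (assumed value) is how many failures from one source count as a burst.
const failThreshold = 5

// genericAccounts (assumed list) are default/generic names that should not be logging in at all.
var genericAccounts = map[string]bool{"guest": true, "admin": true, "administrator": true, "root": true}

// ParseLine returns the Event for one log line, or false if the line does not match.
func ParseLine(line string) (Event, bool) {
	m := lineRE.FindStringSubmatch(line)
	if m == nil {
		return Event{}, false
	}
	return Event{Time: m[1], Host: m[2], Outcome: m[3], User: m[4], Source: m[5]}, true
}

// ScanLog walks the log once, keeping a per-source failure count, and
// returns findings in the order the triggering lines appear.
func ScanLog(text string) []Finding {
	var findings []Finding
	failures := map[string]int{}
	for _, raw := range strings.Split(text, "\n") {
		ev, ok := ParseLine(strings.TrimSpace(raw))
		if !ok {
			continue // unparseable lines are skipped here; a real review would count them
		}
		switch ev.Outcome {
		case "Failed":
			failures[ev.Source]++
			if failures[ev.Source] == failThreshold { // report a burst once, when the threshold is crossed
				findings = append(findings, Finding{"failed-login-burst",
					fmt.Sprintf("%s: %d failed logins from %s", ev.Time, failThreshold, ev.Source)})
			}
		case "Accepted":
			if failures[ev.Source] >= failThreshold {
				findings = append(findings, Finding{"success-after-failures",
					fmt.Sprintf("%s: %s accepted from %s after %d failures", ev.Time, ev.User, ev.Source, failures[ev.Source])})
			}
			if genericAccounts[ev.User] {
				findings = append(findings, Finding{"generic-account-login",
					fmt.Sprintf("%s: generic account %q accepted from %s", ev.Time, ev.User, ev.Source)})
			}
		}
	}
	return findings
}

func main() {
	for _, f := range ScanLog(sampleLog) {
		fmt.Printf("[%s] %s\n", f.Kind, f.Detail)
	}
}
```

Run against the constructed sample, the scan reports the five-failure burst from 203.0.113.9, the jdoe login that followed it from the same source, and the accepted "guest" login; the single asmith failure stays below the threshold and is not reported.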
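As an added illustration of the encryption requirement above (not code from the ISU policy or from ITS), the following Go program stores a Private Sensitive Information record with AES in GCM mode, refusing any key shorter than the 16-byte (128-bit) minimum. GCM is an assumption the policy does not make; it is chosen here because its authentication tag also catches the "unintended alteration" that the Reasonable Security Precautions definition mentions. The key and the record are constructed for the example; a real deployment would obtain the key from a key-management service or a protected keystore, never from source code.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// MinKeyBytes is the policy minimum: 16 bytes (128 bits).
const MinKeyBytes = 16

// SealRecord encrypts one record under AES-GCM. The result is
// nonce || ciphertext || tag, so OpenRecord needs only the key.
// AES itself accepts 16-, 24- or 32-byte keys; the explicit check
// gives a policy-specific error instead of a generic key-size error.
func SealRecord(key, plaintext []byte) ([]byte, error) {
	if len(key) < MinKeyBytes {
		return nil, fmt.Errorf("key is %d bytes; policy requires at least %d", len(key), MinKeyBytes)
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	// A fresh random nonce per record; reusing a nonce under the same key breaks GCM.
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// OpenRecord decrypts a record produced by SealRecord and fails if the
// stored bytes were altered, since the GCM tag will not verify.
func OpenRecord(key, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(sealed) < ns+gcm.Overhead() {
		return nil, errors.New("sealed record too short to contain nonce and tag")
	}
	return gcm.Open(nil, sealed[:ns], sealed[ns:], nil)
}

func main() {
	// Constructed 16-byte key and constructed record; for illustration only.
	key := []byte("0123456789abcdef")
	record := []byte("Jane Doe; driver's license 000000000 (constructed sample)")

	sealed, err := SealRecord(key, record)
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored %d bytes (nonce + ciphertext + tag)\n", len(sealed))

	back, err := OpenRecord(key, sealed)
	if err != nil {
		panic(err)
	}
	fmt.Printf("recovered: %s\n", back)

	// A 5-byte key is rejected before any encryption happens.
	if _, err := SealRecord([]byte("short"), record); err != nil {
		fmt.Println("rejected:", err)
	}
}
```

Backups made under the backup precaution can be protected the same way: seal each data file with SealRecord and keep the key separately from the backup media, so that losing the media does not disclose the data.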

IDAHO STATE UNIVERSITY

921 South 8th Avenue
Pocatello, Idaho, 83209