Guidelines for Protecting Sensitive Data
ECU users are responsible for the protection of any sensitive data in their custody. This includes electronic, print, voice or any other form in which the data is captured.
Examples of Sensitive Information
Credit/debit card numbers
Driver’s license number
Personally identifiable patient information
Proprietary research data
Working with Sensitive Data
Do not download sensitive data from ECU administrative systems to a desktop, laptop, Web server, smartphone, tablet or other device unless…
- Absolutely required
- Prior approval is obtained
- Physical security controls are active on the device
- Identity Theft Protection Committee (ITPC) approval is REQUIRED to collect, store, use, disclose or transmit SSNs
See the following resources for specific policies, regulations and instructions for working with sensitive information.
- SSN Policy website outlines specific requirements concerning the collection, use and disclosure of SSNs and other personal identifying information (PII). Email ITPC@edu.ecu for more information.
- Institutional Review Board (IRB) rules for collecting sensitive information for research.
- Refer to the FERPA and HIPAA websites for specific guidelines required by those federal regulations.
- Contact IT Help Desk at 252-328-9866/800-340-7081 for assistance or for departmental security awareness training.
- See this easy-to-read grid for the proper storage and transmission of sensitive data.
- Removal of the confidential part of the information could make the information more secure.
- Restrict access to authorized users only.
- Avoid creating databases or applications that use SSN or protected patient information as record identifiers. Create a unique identifier instead.
- Encryption is required when sensitive information is emailed outside the ECU network. See the email encryption website for details.
- Encryption is not required if sensitive information is emailed within the ECU network.
- Do not send sensitive information through text, chat sessions or social medial such as Facebook, and Twitter.
- Download and run the Identity Finder tool to discover and remove sensitive information from your desktop or laptop.
- Computers containing sensitive data must be sanitized in accordance with the Disk Sanitation Policy before disposal or transfer of ownership.
Download and Storage
- This information grid gives specific rules for storage and transmission of sensitive information.
- Piratedrive is approved for storage of sensitive data.
- Storage of credit or debit card information is prohibited anywhere on the ECU network.
- Never store sensitive information on a Web server.
- Never download or copy sensitive data to your home computer.
- Never store unencrypted sensitive data on any portable device – see the mobile device management website on storing sensitive data on a mobile device.
- Store printed sensitive data in a locked desk, drawer or cabinet.
- Enable encryption on desktops, laptops, portable and storage devices.
- Physically secure devices easily lost or stolen such as a smartphones, iPads and laptops.
- Set passwords on desktops and laptops.
- Devices should be locked when not in use.
- Configure the Microsoft Intune app on mobile devices. See these instructions from Microsoft.
- Regularly update operating systems and browsers.
- Keep devices updated with the latest security patches and antivirus definitions.
- Avoid peer-to-peer file sharing software on devices that access sensitive data.
- Do not download entertainment programs, applets and images from unreliable and unknown sources; you can download embedded malware with it.
- Paper, CD/DVD or other Physical Media
- Shred sensitive data for disposal.
- Do not leave unattended sensitive data on your desk, copier, FAX or printer.
- Avoid social engineers who try to manipulate you into sharing sensitive information over the phone or by other means.
- Administrator must apply the ITCS Server Security Controls to all servers and meet minimum security requirements.
- Ensure the server is governed by an ITCS Service Level Agreement.
- Ensure the server administrator completes the Server Administrators Security Best Practices course in Blackboard.
- The server should be scanned for vulnerabilities as required by ITCS standard.