University colleges and departments that collect and store sensitive information on computer systems including such data as Social Security Numbers, driver’s license information and individual financial information (such as credit card numbers, bank account numbers, or financial statements), should have the following security controls in place to maintain data integrity and confidentiality.
1. Authorization Controls: Such systems must require a user ID and password for access, and be restricted based on an individual’s job responsibilities.
2. Network Security Controls: Such systems must be protected by a host or network firewall and comply with PPM 10-3 Network Security / Firewall Policy. Colleges or departments should contact the University’s IT Service Desk at 626-7777 to request firewall service if needed.
3. Audit Controls: All attempts to access such a system must be recorded. Identified failed logon attempts and other information that indicate unauthorized attempts to access sensitive information must be recorded and reported to College or Division Data Security Steward. Logs should be retained for a period of 90 days. (Security goal in progress)
4. Security Monitoring Controls: Anti-virus software must be installed and it is recommended anti-spyware software be installed to detect viruses, worms, spyware, Trojan horses, computer hackers, and other computer threats that can compromise sensitive information. University students, faculty, and staff can use McAfee Virus Scan Enterprise and install the ePolicy Orchestrator Agent (ePO) tool at no cost from the University’s IT Service Desk.
5. Physical Security Controls: Servers and workstations managing sensitive information, as well as related electronic storage media (such as USB drives, memory sticks, disks, backup tapes, CD ROMS and other removable media), must be located in a secured area to which only authorized individuals have access.
6. Encryption: Sensitive information should be encrypted whenever possible. Backup tapes and other media used for off-line storage should also encrypt sensitive information. (Security goal in progress)
7. Data Disposal: Computer hard disk drives containing electronic records with sensitive information that are no longer needed should be securely erased using an approved data erasure utility.
The following are also required to protect sensitive information:
Laptops and Workstations: Sensitive information should never be stored on computer laptops and other portable computer devices unless strong data encryption is employed. Sensitive information may be stored on local workstations, but each workstation must have the following security controls:
• User ID and password access.
• The auto-lock feature enabled.
• The workstation must be located in a secured area.
Transmission: Confidential, Restricted or High-Risk information should never be transmitted by e-mail or through insecure file transfer methods (such as FTP).
Appropriate Handling of Requests for Information: Requests from third parties for sensitive information must be referred to individuals who are authorized to handle these types of requests and trained in safeguarding sensitive information. Historical records containing Social Security Numbers in offline storage—such as paper, tape, cartridge, fiche, microfilm or magnetic media—may be maintained as long as it is physically secured and access to these off-line records is limited to authorized individuals.
All computer security breaches or systems with sensitive information discovered to be lacking these recommended security controls must be immediately reported to the College or Division Data Security Steward or the University’s IT Service Desk 626-7777.