Best Practices for Protecting Sensitive/Personal Data
Reduce the Exposure:
- Avoid collecting SSN or other sensitive personal data unless there is a compelling business need and it has been approved by the appropriate data manager.
- Check hard disks and document backups to ensure that SSN or other sensitive personal data isn't included in old personnel files, employee lists, student grade rosters, etc. Remove any sensitive personal data you don't need by deleting the files altogether or removing the sensitive portions.
- Do not create databases or applications that use SSN without explicit permission from the appropriate data manager.
- Avoid copying or downloading sensitive personal data from the University's administrative systems to your PC workstation, web server, PDA, laptop, etc. unless absolutely required. The University's administrative systems have implemented security controls to protect sensitive data, but these controls may not be available on other systems.
- Do not send unencrypted sensitive personal data via email. Email messages can be intercepted by third parties during transit or mistakenly sent to the wrong address.
- Avoid social engineers who try to get you to share sensitive personal information over the phone or by other means.
- Secure your workstation. Don't let hackers or worms use your workstation as a way to access sensitive data on other computers on the network. See STARTSAFE for specific instructions.
- Practice safe computing on an ongoing basis. See RUNSAFE for specific instructions and recommendations such as:
  - Keep your computer updated with the latest security patches and antivirus definitions.
  - Avoid Instant Messaging and Chat software.
  - Avoid peer-to-peer file sharing software (BitTorrent, Ares, Kazaa, BearShare, etc.).
  - Do not download entertainment programs, applets and images from unreliable and unknown sources; you can download trouble (Trojans) at the same time.
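
One way to carry out the check of old files described above, as an added example (not part of the original guidance and not a University tool): a Python script that walks a folder and reports files containing SSN-like numbers, masking all but the last four digits so the report does not become another copy of the data. The function names and the sample lines are constructed for illustration, and the script reads plain-text files only (not Office or PDF documents).

```python
import os
import re
import sys

# 3-2-4 digits with matching "-" or " " separators, or 9 bare digits,
# not embedded in a longer run of digits or dashes (e.g. phone numbers).
SSN_RE = re.compile(r"(?<![\d-])(\d{3})([- ]?)(\d{2})\2(\d{4})(?![\d-])")

# Constructed sample lines, not real data.
SAMPLE = "Roster: J. Doe, SSN 123-45-6789\nOffice phone 555-123-4567\nBad id 000-12-3456\n"

def plausible(area, group, serial):
    """Reject numbers never issued: area 000, 666, 900-999; group 00; serial 0000."""
    return (area not in ("000", "666") and area[0] != "9"
            and group != "00" and serial != "0000")

def scan_text(text):
    """Return masked SSN candidates found in text, e.g. '***-**-6789'."""
    hits = []
    for m in SSN_RE.finditer(text):
        area, _sep, group, serial = m.groups()
        if plausible(area, group, serial):
            hits.append("***-**-" + serial)
    return hits

def scan_tree(root, max_bytes=5_000_000):
    """Walk root; return {path: [(line_no, masked), ...]} for files with candidates."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                if os.path.getsize(path) > max_bytes:
                    continue  # skip very large files; review those separately
                with open(path, "r", encoding="utf-8", errors="ignore") as fh:
                    rows = [(n, h) for n, line in enumerate(fh, 1)
                            for h in scan_text(line)]
            except OSError:
                continue  # unreadable file: skip rather than abort the scan
            if rows:
                findings[path] = rows
    return findings

if __name__ == "__main__":
    if len(sys.argv) > 1:
        for path, rows in scan_tree(sys.argv[1]).items():
            for line_no, masked in rows:
                print(f"{path}:{line_no}: {masked}")
    else:
        print(scan_text(SAMPLE))
```

Run it with a folder path as the only argument; each hit is a candidate to review by hand, since nine-digit numbers that are not SSNs can also match.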
Take Additional Precautions:
- Where technically feasible, sensitive personal information should remain in the central system and not be stored on another server or on a workstation.
- If sensitive personal data must be stored outside the central administrative systems, then additional security controls must be implemented. Specific requirements include:
- Configure your computer to operate with least privilege, user mode (Contact the HELPDESK if you'd like to know how).
- Remove the confidential part of the data if this is possible (e.g. remove SSN from stored personnel paperwork).
- Store the data on your Novell drive rather than on your local computer. Avoid storing sensitive personal data on a Novell drive that is shared with others, unless you make sure anyone who has rights to that drive location also has approval from the appropriate data manager to view and edit the data you plan to store. Shared space is just that.
- If you need to store sensitive personal data on another server, contact IT to discuss locating it on a secure server managed by IT or how to best secure the data at another location you're contemplating.
- If you must store sensitive personal data on your local workstation computer, consider this a temporary measure. Delete or move the files immediately. Download a current copy of the data again next time you need it or move the files to a more secure location for longer-term storage.
- Make sure any workstation or server used for storage of sensitive information is in a physically secure location and requires a unique logon with a strong password for each individual authorized to use it (i.e. shared accounts or passwords are not permitted).
- Also, physically protect sensitive data on portable devices or media that can easily be moved, such as a PDA, laptop, USB device, CD or removable storage drive.
- Encrypt files that contain sensitive personal data.
- Password protect files that contain sensitive personal data.
- Protect printed documents containing sensitive data. Store print copies of sensitive data in locked cabinets. Don't leave them unattended on the copier, FAX or printer and shred those that are no longer needed.
- Contact PC Services to sanitize any computer containing sensitive data before disposal or transfer of ownership.
Keep in Touch:
- Check www.jmu.edu/computing/security for the latest ALERTS, security updates and recommendations on protecting sensitive data.
