Best Practices for Protecting Data
within the Typical University Office Environment
Current advances in information technology (IT) have contributed to a rise in the accessibility of information, ease of use, productivity and efficiency. Significant risks have also been introduced to Auburn University as a result of these advancements. According to information obtained by the Privacy Rights Clearinghouse, well over 11 billion records containing sensitive personal information have been reported as having been exposed as a result of security breaches since 2005. A review of these known breaches shows a significant percentage of these breaches have occurred at higher education institutions.
Auburn's IT policies state that it is the responsibility and duty of any individual who has access to University computer systems and networks to protect University data resources, in whatever form, from unauthorized modification, destruction or disclosure. While various technologies are in place to help protect confidential information, employees play a significant role in helping protect confidential data.
This document offers practical advice on how to protect sensitive or confidential information in a general university office environment. Following these best practices will significantly lower the risk of unintended data disclosure within a typical office environment. You will notice that some of these practices will be very easy to implement while others may require assistance from your IT provider, computer coordinator, OIT or the Office of the CIO.
Identify confidential information sources within your office environment
In order to appropriately protect confidential information, it is imperative you know which data is considered confidential and where it is housed within your department.
There are many sources of confidential information on a University campus. Common types include, but are not limited to:
- Social security numbers
- Certificate / license numbers
- Passport number
- Grades (including test scores, assignments, and class grades)
- Personal financial information
- Medical information
- Credit card numbers
- Bank account numbers
- Human subject information
- Insurance benefit information
- Account Passwords
When thinking about the information types above, consider not only the information that your office has access to within Banner, but any such information that is stored, processed or transmitted to, or from, your office. Be sure to identify data that exists on new or old paper forms, in email, and in computer files (including document files, spreadsheets and databases), even if these documents originated somewhere else on- or off-campus. Review this list of confidential data periodically and, for each item identified, review the list of best practices for data protection. (See AU's Data Classification Policy)
Protect information communicated orally
- Do not discuss confidential information outside of the workplace or with anyone who does not have a specific need to know it.
- Be aware of the potential for others to overhear communications about confidential information in offices, on telephones, and in public places like hallways, elevators, restaurants, and sidewalks, and find ways to minimize this possibility.
- Develop and document procedures used to verify the identity of individuals on the phone prior to releasing confidential information.
Information on paper
Documents that include confidential information need to be secured during printing, transmission (including by fax), storage, and disposal.
- Implement a clean desk policy, especially if you cannot completely control the access to your workspace.
- Do not leave paper documents containing confidential information unattended; protect them from the view of passers-by or office visitors.
- Store paper documents containing confidential information in locked files.
- Do not leave the keys to file drawers containing confidential information in unlocked desk drawers or other areas accessible to unauthorized personnel.
- Store paper documents that contain information that is critical to the conduct of University business in fireproof file cabinets. Keep copies in an alternate location.
- Shred confidential paper documents that are no longer needed, and secure such documents until shredding occurs. If a shredding service is employed, ensure that the service provider has clearly defined procedures in the contractual agreement that protect discarded information, and that the provider is legally accountable for those procedures, with penalties in place for breach of contract. Set up a Shredding or Purging Schedule for Paper Documents.
- Make arrangements to immediately retrieve or secure confidential documents that are printed on copy machines, fax machines, mail and printers.
- When you need to send confidential documents/information between offices, it is best to have an office employee hand carry the information in a sealed envelope.
- When printing reports, include only necessary information and do not include confidential data you do not want accidentally disclosed. For example, do not include Personally Identifiable Information (PII) such as SSN or DOB if it is not absolutely necessary. If a student/employee identifier is needed on a printed report, only include the Banner ID and NOT the SSN.
- Double-check fax messages containing confidential information:
  - Recheck the recipient's number before you hit 'start.'
  - Verify the security arrangements for a fax's receipt prior to sending.
  - Verify that you are the intended recipient of faxes received on your machine.
Information on computers
All employees have a role in protecting information assets. Computers provide gateways to private information stored elsewhere on the network. Therefore, whether or not you deal directly with confidential information, you should take the following steps to reduce risk to AU's information assets.
Additional Readings: (I'm Hacked, Now What?)
Protect Stored Computer Files
- Know where files containing confidential information are stored.
- Use a tool such as Spirion Identity Finder to search office computers and servers for sensitive SSN or Credit Card data.
- Locate all older media storage (e.g. CD-ROM, DVD, Floppy Drives, Hard Drives, and USB Flash Drives) and physically destroy media no longer needed. (Your Computing Coordinator can help with this.)
- Eliminate the storage of documents containing confidential information if they are no longer required.
- Store files containing confidential information on central OIT servers, which are generally more secure than local desktop/laptop computers and where backup is assured.
- For files stored on central servers, make sure the file share location is accessible only to those with a business need to access the files. If unsure who has access to a specific file share location contact your Computing Coordinator.
- Do not store confidential or legally protected University data in the cloud unless a properly executed contract that protects the data and the University's interests is in place. (e.g. Do not store confidential or legally protected data on services such as Apple iCloud, DropBox, Google Drive, etc.)
- Never store confidential data on unencrypted portable devices (e.g. flash drives, laptops, tablets, smartphones, etc.)
- Files containing SSNs, if they must be stored, should be stored in encrypted/password protected files wherever possible.
- Where possible, old records that contain SSNs but are still needed should be recoded using the Banner ID, eliminating the use of SSNs.
- Desktops, laptops, flash drives and other mobile devices (tablets, etc.) should be protected using disk encryption when feasible (e.g. BitLocker for Windows, FileVault for Mac).
- Backup, Backup, Backup. The best way to protect against some malware infections is to regularly back up your computer files using the AU provided backup utility TSM Backup. Ransomware is on the rise and this form of malware can encrypt your computer's storage so that it is no longer accessible to you without paying a ransom to the malware author. If you have a backup of the files on your computer, you can easily recover these files.
Additional Readings: (Using the Cloud Securely, Encryption, Backup & Recovery, Ransomware)
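To show what a search for SSN or credit card data in stored files looks for, here is an added example (not part of the original guidance, and not how Spirion Identity Finder itself works). It flags SSN-formatted values and Luhn-valid card numbers in text and reports them masked; the function names and the sample data are constructed for illustration.

```python
import re

# SSN-like values written with '-' or space separators. Area 000, 666 and
# 900-999, group 00 and serial 0000 are never issued, so they are skipped.
SSN_RE = re.compile(
    r"(?<!\d)(?!000|666|9\d\d)(\d{3})[- ](?!00)(\d{2})[- ](?!0000)(\d{4})(?!\d)")
# Card candidates: 13 to 19 digits, optionally split by single spaces/hyphens.
CARD_RE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")

def luhn_ok(digits):
    """Luhn checksum, used to discard random digit runs (order numbers etc.)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def mask(digits):
    """Keep only the last four digits so the report is not itself sensitive."""
    return "*" * (len(digits) - 4) + digits[-4:]

def scan_text(text):
    """Return (line number, kind, masked value) for each hit in text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in SSN_RE.finditer(line):
            findings.append((lineno, "SSN", mask("".join(m.groups()))))
        for m in CARD_RE.finditer(line):
            digits = re.sub(r"\D", "", m.group())
            if luhn_ok(digits):
                findings.append((lineno, "CARD", mask(digits)))
    return findings

# Constructed sample export (all values are made up for this example).
SAMPLE = ("name,id,note\n"
          "J. Doe,123-45-6789,paid with 4111 1111 1111 1111\n"
          "R. Roe,903112233,order ref 1234 5678 9012 3456\n"
          "A. Poe,000-12-3456,phone 334-555-0100\n")

if __name__ == "__main__":
    for hit in scan_text(SAMPLE):
        print(hit)
```

Only line 2 of the sample is reported: the unseparated nine-digit ID, the order reference that fails the Luhn check, the unissued 000 area number and the phone number are all ignored. SSNs stored without separators are deliberately not matched here, so a clean result does not prove a file is free of them.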
- Understand that e-mail is not secure; it can be forged, and it does not afford privacy.
- Do not open unexpected e-mail attachments, and do not download documents or software from unknown parties.
- Do not click on links within e-mails unless you trust the email sender and were expecting email from them.
- Know how to identify phishing e-mails (http://www.auburn.edu/oit/phishing/), and do not respond to emails requesting sensitive information without very careful review of the request to determine if it is legitimate.
- When sending or receiving e-mail containing confidential information we suggest you encrypt the information in an attachment and communicate the password via telephone to protect the security of the information and to prevent later disclosure in case of breach.
- Use Auburn's FileMover to send large files instead of email.
- Auburn employee e-mail is automatically archived within four weeks, so you can, and should, delete unnecessary old messages on your computer on a regular basis. If you need access to older emails they should be accessible in the centrally managed archive.
- Take precautions not to send anything by e-mail that you don't want disclosed to unknown parties. Recipients may distribute information to unauthorized recipients or store it on unsecured machines, and viruses have been known to distribute archived e-mail messages to unintended recipients.
- Use a non-University email address for personal email.
Additional Readings: (Email Do's and Don'ts, CEO Fraud)
Physically Protecting Your Computer
- Orient your computer screen away from the view of passing people.
- Turn off your desktop computer at the end of the workday, unless automatic updates, backup processing, and/or various other maintenance operations are scheduled during off-hours; in that case, activate a password-protected screen saver.
- Make sure a password-protected screen saver on your desktop computer is configured to display after a reasonable period of non-use (15 minutes is recommended).
- Enable the screen saver lock immediately upon leaving your desk (e.g. press Windows key+L on a Windows computer).
- Use cable locks to secure computers that are in public or otherwise unsecured spaces.
- Sanitize the hard drives of computers that you declare surplus and of those that are going out of service for other reasons to ensure that data is removed and not recoverable (see Electronic Data Disposal Policy). Deleting files, moving files to "trash," and emptying the "trash" file is insufficient because hackers and data thieves can still recover the files.
- Employ passwords that are easy for you to remember but impossible for someone else to guess. Consider using unique passphrases as passwords. A passphrase is a series of random words or a sentence. Passphrases are easier to remember than highly complex passwords and harder for malicious actors to hack.
- Secure your passwords (or passphrases), and restrict access to them. Passwords written on a post-it in a work area, placed under a keyboard, or stored in an unlocked desk drawer are not safe from unauthorized access.
- Never share passwords or accounts.
- Change your passwords periodically. The more sensitive the information being protected, the more frequently you should change your passwords. Policy states AU passwords should be changed every 6 months.
- Do not use the same password for every resource. You have logins at many non-University websites – shopping sites, banks, social media, etc. – if any one of these sites is breached, your data on ALL of these sites is suddenly at risk.
- Use two-factor or multi-factor authentication options when sites offer this protection.
- Use a secure password management solution on your desktop or phone to safely store the many passwords you have.
Additional Readings: (Passphrases, Password Managers, Lock Down Your Login)
Laptop/tablet/smartphone mobile device security
- Password protect your laptop, and password or PIN protect your smartphone and tablet.
- Set the screen to automatically lock after a fairly short period of non-use.
- Enable storage encryption on your device; use whole disk encryption for laptop computers and smartphones. Don't forget to encrypt any memory cards inserted into your phone.
- If you lose your smartphone or tablet, contact OIT so that your device can be remotely wiped to prevent access to the data stored on the device.
- When traveling, be aware that laptops and other portable devices can be stolen, so always keep the device in sight, and send the laptop through security screening last so that you are already through security when the laptop comes out the other side.
- When traveling internationally, do not bring your work computer or smartphone. Instead, bring a newly configured device with only the applications installed that you may need while traveling. If you need access to email while traveling you should use the web portal on this device to access it instead of using Outlook installed on the laptop or via publicly available computers.
Additional Readings: (Disposing of Your Mobile Device, Securing Your Mobile Devices, Encryption, Staying Secure on the Road)
Safeguarding the integrity of your system
- Apply system updates for your computer systems in a timely manner.
- Keep local applications updated and patched. Ensure that your computer is configured to automatically download and install the latest patches.
- Do not place any confidential information on an unsecured online location.
- Secure local servers in a locked room and limit the access to the room to system administrators only. Departmental servers containing confidential information should be located in the OIT data center (which is physically secure, environmentally controlled and monitored 24/7) rather than within the department.
- Use VPN when connecting your laptop to public or semi-public off-campus networks.
Additional Readings: (Four Steps to Staying Secure)