Protecting Data

Documents for the handling of electronic information

These are provided to aid in understanding IT and other university policies.

Actions you can take to secure sensitive data

  1. What can everyone do?
  2. How do exposures occur and what should I do?

What can everyone do?

Identify
Identify where you have stored data under your control. In addition to your own workstation's hard drive, check whether you have stored data on your departmental file server drives, your departmental or campus web servers, portable devices such as laptops or PDAs, and storage media (disks, USB keys, CDs, etc.). You must ALSO identify where you have stored data on paper.
Inventory

Inventory what data you have stored in ALL of these places.

Indiana University stopped using SSN as the student ID in the Fall of 2004. Therefore, it is important to review student records from prior to 2004, looking for SSNs. If you have spreadsheets of historical data that absolutely must be retained locally and electronically, simply highlight the column in which the SSNs are located, and delete just that column and all the SSNs in it. If your data is on paper, look especially for colored papers (rosters used to be printed on green or blue paper) or, for records prior to 1989, for oversized sheets (about 10" by 13") of white paper. If you absolutely cannot dispose of the entire sheet of paper, use scissors to cut out the columns of SSNs.

Also, UISO currently recommends a tool called Identity Finder, which is designed to search your own data and other files stored in your individual computer accounts on University-owned systems. Please note the warning about following IT-07, the University's privacy policy, when using this tool.

Dispose

Dispose of all Social Security numbers, credit card numbers, bank account numbers and access codes, driver's license numbers, and other sensitive personal information, unless you absolutely cannot do business without storing this information in your own storage locations. And we mean absolutely - if you can get access to that data from the official secured data source when you need it instead of keeping it yourself, even if that would be somewhat inconvenient, please DISPOSE of it!

Appropriate disposal means deletion from currently used drives (and then deleting your deleted items), securely wiping drives you no longer need, destroying storage media (disks, USB keys, CDs, etc.), and shredding paper.

Secure
  • Secure any remaining SSNs and other sensitive personal information. To do this you must KNOW which storage location is to be used for what purpose:
    • CONSULT with your departmental computing professional(s) to ensure you are securing this data sufficiently — that is, on a professionally secured file server and in encrypted format.
    • For paper records, ensure they are kept in locked file cabinets or are otherwise access controlled, for example, kept in a locked storage room.
  • NEVER use personal storage media, such as flash drives, discs, or online storage options.
  • Utilize services available at IU, such as services offered by the Advanced Information Technology Core.
Stop and Think
Stop and think whenever you come across or are handling Social Security numbers, credit card numbers, bank account numbers and access codes, driver's license numbers, and other sensitive personal information as part of your daily duties. Why do I have this data? Is it necessary for this transaction? If you do not absolutely need it to transact that busines