Handling Sensitive Data
These general concerns are beneficial to everyone, but they are particularly important if you work with confidential data or other sensitive information.
- Keep what you view on your computer screen private.
  - Consider whether it is possible for someone to walk into your workspace and see sensitive data on your screen. Take steps to prevent this, such as turning your monitor or using a privacy screen.
- Keep your equipment safe.
  - One of the most common ways data is lost is via stolen hardware. Don’t give someone an opportunity to walk off with equipment where you keep sensitive data, such as your computer, mobile, or portable storage devices. Sensitive data stored on devices you take out of your workspace is at particular risk. Steps to prevent hardware theft include locking your computer down and storing small devices out of view, preferably in locked drawers, when they aren’t in use.
- Keep security in mind whenever you work off campus.
  - Visit the IU Knowledge Base document: The Basics of VPN at IU to review how you can ensure all of your network traffic is secure when working or connecting remotely.
- Find out what backup solutions your department recommends, and keep data backed up.
  - Regular backups not only protect you against losing all your work, but if your computer is lost or stolen, having the backed-up data at hand makes it possible to determine what sensitive data may be at risk.
Do-it-yourself backup solutions pose risks. For example, data may be backed up on an irregular basis, or confidential data may be put at risk by storing it on external hard drives that are easy to steal. For this reason, do-it-yourself backup solutions are discouraged. Use a backup service that guarantees data is backed up regularly and stored securely. Contact your department’s technical support staff for recommendations.
Specific requirements for confidential data
- Encrypt any passwords stored on your computer that access confidential data.
- Keep confidential data stored only as long as is necessary to complete the work for which it is intended. That applies whether the confidential data is stored on your computer or a departmental file server.
- Always transmit confidential data securely.
  - You must not send confidential data in an email, in the body of a message, or in an attachment, unless the data is encrypted. While Microsoft Office 2007 includes a facility for appropriately strong encryption of documents, the password-protection feature found in older versions of Word and Excel is not sufficient. Similar facilities in other applications may or may not fulfill this requirement.
  - You must not send confidential data in an IM (instant message) or a text message.
  - Slashtmp is a good approach for exchanging sensitive data with both others at IU and external users.
- Always store confidential data securely.
  - Confidential data should only be stored on a file server if it is in a folder that can only be accessed by people authorized to see it.
  - Confidential data must not be stored on a server that is also used to host a web site open to the public.
  - Backups of confidential data are always subject to the same restrictions as the original data.
For more in-depth information about handling electronic information, consult the following documents: