Best Practices for Handling Electronic Institutional and Personal Information
This material is meant as a guide for department administrators and technicians working to minimize the chances of an inappropriate disclosure of Indiana University institutional or personal information. This is not meant to be an all-inclusive document. Given the local departmental environment, there may be other resources that administrators and technicians must consult, and other actions they must take to maximize the appropriate protections afforded to data.
- Document and understand the local technical environment
- Document and understand the local data environment
- Know the classification/sensitivity of data being used
- Stop collecting data unnecessarily
- Stop storing data unnecessarily
- Store collected data on secure computers
- Ensure that persons in contact with the data understand their responsibilities
- Do not store collected data on various workstations
- Restrict access to sensitive data
- Make decisions in consideration of convenience of users of data and systems, but not at the expense of appropriate data protection
- Do not send sensitive data via email
- Immediately report situations where institutional or personal data may have been inadvertently released, to the University Chief Privacy Officer and Compliance Coordinator
- Other related material
Document and understand the local technical environment.
A department can't begin to protect electronic information without first knowing what technologies it has deployed and what risks are associated with those technologies. At a minimum, document:
- Computer systems by IP address and name, including:
  - Operating system
  - Operating system version and patch level
  - Services active on each computer, such as:
    - File Transfer Protocol (FTP) server
    - Telnet server
    - Web server
    - File server
  - Application software, such as:
    - Local department applications
    - Database Management Systems (DBMS), such as:
      - SQL Server
- Extensions to the local network segment:
  - Active/always-on modems
  - RAS and other remote access services
  - Wireless access
  - Public access terminals and workstations
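The inventory above is only useful if it is kept in a form that can be reviewed. The following script is an added example, not part of the Indiana University guide: it records each host with the fields the list asks for (IP, name, operating system, version, patch level, services, network extensions, applications) and produces a short exposure review. The host records are constructed sample data, and the choice of which services count as cleartext (FTP and Telnet send credentials unencrypted) and which items count as network extensions is this example's own assumption.

```python
"""Inventory of the local technical environment, with a simple exposure review.

Added example, not part of the Indiana University guide. The host records
below are constructed sample data; the service names and the sets of
"cleartext" services and "network extensions" are assumptions of this example.
"""
from dataclasses import dataclass, field
from typing import Dict, List

# Services that carry credentials and data unencrypted on the wire.
CLEARTEXT_SERVICES = {"ftp", "telnet"}

# Items the guide lists as extensions of the local network segment.
NETWORK_EXTENSIONS = {"modem", "ras", "wireless", "public-terminal"}


@dataclass
class Host:
    ip: str
    name: str
    os: str
    os_version: str
    patch_level: str                      # "" when unknown: flagged below
    services: List[str] = field(default_factory=list)
    extensions: List[str] = field(default_factory=list)
    applications: List[str] = field(default_factory=list)


def review_host(h: Host) -> List[str]:
    """Return documentation and exposure findings for one host."""
    findings = []
    for svc in h.services:
        if svc.lower() in CLEARTEXT_SERVICES:
            findings.append(f"{svc}: credentials and data travel unencrypted")
    for ext in h.extensions:
        if ext.lower() in NETWORK_EXTENSIONS:
            findings.append(f"{ext}: extends the network segment beyond the office")
    if not h.patch_level:
        findings.append("patch level not recorded; exposure to known problems cannot be judged")
    return findings


def inventory_report(hosts: List[Host]) -> Dict[str, List[str]]:
    """Map 'name (ip)' -> findings for every host that has at least one."""
    report = {}
    for h in hosts:
        findings = review_host(h)
        if findings:
            report[f"{h.name} ({h.ip})"] = findings
    return report


# Constructed sample data: three departmental machines.
SAMPLE_HOSTS = [
    Host("10.0.5.10", "dept-files", "Windows Server", "2003", "SP1",
         ["smb", "ftp"], [], ["SQL Server"]),
    Host("10.0.5.20", "dept-web", "Linux", "2.4", "",
         ["http", "ssh"], ["wireless"], ["local registration app"]),
    Host("10.0.5.30", "front-desk", "Windows", "XP", "SP2",
         ["telnet"], ["public-terminal"], []),
]

if __name__ == "__main__":
    for host, findings in inventory_report(SAMPLE_HOSTS).items():
        print(host)
        for line in findings:
            print("  -", line)
```

Running it prints one block per host that has a finding; a host with only encrypted services, no network extensions and a recorded patch level produces nothing, which is the state the inventory should converge on.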
Document and understand the local data environment.
Information is easily collected and easily distributed. If there is no understanding of what data a department is working with, where that data is located, and how sensitive it is, protections cannot be applied commensurate with risk.
- Identify data inputs, so sources and types of data can be determined:
  - Web forms
  - Paper forms
  - Survey instruments
  - Extracts from central mainframe
  - Extracts from central decision support databases
  - Other departments
- Identify the locations of collections of data:
  - Computer file system directories
  - Backup media
- List the data elements present in all collections (e.g., Name, Age, GPA, SSN)
- Diagram the flow of data between applications, forms, files, databases, and reports
- Identify the classification/sensitivity of the data:
  - Consult the formal classification done by the Data Steward for the data subject area
  - Make a local determination based on:
    - Applicable protections under Federal or State law (student records or employee records, for example)
    - Possibility that unauthorized disclosure would endanger the personal safety of an individual
    - Possibility that unauthorized disclosure could damage a person's professional or personal affairs (medical information, credit card information, and bank account information, for example)
    - Possibility that unauthorized disclosure could create liability for the University
    - Possibility that unauthorized disclosure could cause embarrassment to the University
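Locations of data collections and the elements they contain are easier to list from evidence than from memory, and old copies on backup media or in forgotten directories are exactly what such a list tends to miss. The script below is an added example, not part of the Indiana University guide: it walks a directory tree, reads the header row of CSV files for declared data elements (the guide's Name, Age, GPA and SSN, plus email), and looks for SSN-shaped and email-shaped values in the text of every file, so that both the "locations" and "data elements" lists can be produced from what is actually on disk. The sample file tree is constructed inside a temporary directory; the SSN validity rule in the pattern (area not 000, 666 or 900-999, group not 00, serial not 0000) is this example's own addition.

```python
"""Data-environment discovery: find files that hold sensitive data elements.

Added example, not part of the Indiana University guide. The sample tree is
constructed here; the set of known column names and the SSN pattern are
assumptions of this example.
"""
import csv
import os
import re
import tempfile
from typing import Dict, List

# Column names that identify data elements the guide names as examples.
KNOWN_ELEMENTS = {"name", "age", "gpa", "ssn", "social security number", "email"}

# SSN-shaped value: area not 000/666/9xx, group not 00, serial not 0000.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")


def declared_elements(path: str) -> List[str]:
    """Known data elements declared in the header row of a CSV file."""
    if not path.lower().endswith(".csv"):
        return []
    with open(path, newline="", encoding="utf-8", errors="replace") as fh:
        header = next(csv.reader(fh), [])
    return sorted({c.strip().lower() for c in header} & KNOWN_ELEMENTS)


def scan_file(path: str) -> Dict[str, object]:
    """Findings for one file: declared elements and counts of sensitive values."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        text = fh.read()
    return {
        "elements": declared_elements(path),
        "ssn_values": len(SSN_RE.findall(text)),
        "emails": len(EMAIL_RE.findall(text)),
    }


def scan_tree(root: str) -> Dict[str, Dict[str, object]]:
    """Relative path -> findings, for every file in which something was found."""
    report = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            found = scan_file(full)
            if found["elements"] or found["ssn_values"] or found["emails"]:
                report[os.path.relpath(full, root).replace(os.sep, "/")] = found
    return report


def build_sample_tree(root: str) -> None:
    """Write a constructed sample of departmental files under root."""
    os.makedirs(os.path.join(root, "backups"), exist_ok=True)
    survey = ("name,age,gpa,ssn\n"
              "A. Student,20,3.4,123-45-6789\n"
              "B. Student,22,3.9,234-56-7890\n")
    with open(os.path.join(root, "survey_results.csv"), "w") as fh:
        fh.write(survey)
    with open(os.path.join(root, "backups", "survey_2003.bak"), "w") as fh:
        fh.write(survey)                  # an old copy nobody remembers
    with open(os.path.join(root, "readme.txt"), "w") as fh:
        fh.write("Office procedures, updated 2003-10-15. Contact: admin@example.edu\n")
    with open(os.path.join(root, "schedule.csv"), "w") as fh:
        fh.write("room,time\n101,09:00\n")   # nothing sensitive here


def demo() -> Dict[str, Dict[str, object]]:
    """Build the sample tree in a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return scan_tree(root)


if __name__ == "__main__":
    for path, found in sorted(demo().items()):
        print(f"{path}: elements={found['elements']} "
              f"ssn_values={found['ssn_values']} emails={found['emails']}")
```

Note that the backup copy under `backups/` has no CSV header to declare its columns, yet the value scan still finds two SSNs in it; that is the case the location inventory exists to catch. Counts, not the values themselves, go into the report, so the discovery output does not become one more collection of sensitive data.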
Know the classification/sensitivity of data being used.
- Data must be protected commensurate with its sensitivity, which is determined primarily by legal and ethical protection requirements
- Each data subject area (e.g., financial, student, human resources, etc.) has an appointed Data Steward, who is available for consultation on data usage and classification issues
- Functional offices (Registrar, financial affairs, etc.) on each campus are positioned to understand the legal and ethical protections on data elements better than are other offices that are secondary users
- Visit the Committee of Data Stewards' Data Management site
Stop collecting data unnecessarily.
- Social Security Numbers should be collected ONLY where that element is appropriate for the process
- Where it is the student or employee identification number that is required, those should be the terms used, and not Social Security Number. While it is true that the current identification number is almost always the same as the SSN, semantics are important
- Do not collect any other information that is not necessary for direct support of the current process. If the data isn't collected and stored, it cannot be compromised
Stop storing data unnecessarily.
- If collection of Social Security Numbers or student/employee identifiers is absolutely necessary, do with them what is necessary and then delete the files
- If it is necessary at some point in the process to associate an individual with an SSN or a student/employee identifier, another identification such as email username can be collected initially, and translated to the SSN or identifier later in the process
- Other sensitive data should not be kept for any longer than is absolutely necessary to support the process
Store collected data on secure computers.
- If Social Security Numbers or student/employee identifiers must be collected and kept for some length of time, they must be stored on a computer that receives excellent administration and security attention, and one that is preferably accessible only by people and from workstations within the office area
- If the department does not have the in-house capability to store sensitive data that is critical to their operation, UITS provides a file service that may provide the security while also providing the departmental access required
- Encrypt files of sensitive data if that data must be stored for the long term. Files that are stored encrypted can be decrypted manually, or automatically by a program, when the data is required for processing
- Consult the University Information Security Office for assistance, reference materials, standards, and guides related to maintaining secure systems
Ensure that persons in contact with the data understand their responsibilities.
- Each person is responsible for understanding that the data they are working with could potentially cause the institution or an individual harm
- Each person is responsible for the security of his or her own computer accounts and passwords
- Each person is responsible for the security of his or her own workstations
- Each person is responsible for ensuring that only appropriate persons have access to data under their control
Do not store collected data on various workstations.
- It is easier to give the appropriate amount of attention to one computer than it is to give that kind of attention to many. Consolidate data to a very well maintained and secure computer
- Do not permit staff to store sensitive data on their personal workstations, or on laptops
Restrict access to sensitive data.
- Only Indiana University persons with a "need-to-know" should be permitted access to sensitive ("restricted") data
- Only authorized persons may be permitted access to Indiana University computers
- Only authorized persons may be permitted access to Indiana University institutional data
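Consolidating sensitive data on one well-administered computer (see "Store collected data on secure computers") only restricts access if the file permissions on that computer agree with the need-to-know list. The script below is an added example, not part of the Indiana University guide: on a POSIX file system it audits a sensitive-data directory and reports every file that group members or other users can read or write, and a directory that others can list or enter. The two sample files and their modes are constructed in a temporary directory.

```python
"""Audit who can read the files in a consolidated sensitive-data directory.

Added example, not part of the Indiana University guide. POSIX permission
bits only; the sample files and modes are constructed here.
"""
import os
import stat
import tempfile
from typing import Dict, List

# Permission bits that let anyone other than the owner read or enter.
OTHERS_CAN_READ = stat.S_IRGRP | stat.S_IROTH
OTHERS_CAN_WRITE = stat.S_IWGRP | stat.S_IWOTH
OTHERS_CAN_ENTER = stat.S_IXGRP | stat.S_IXOTH | OTHERS_CAN_READ


def audit_directory(root: str) -> Dict[str, List[str]]:
    """Relative path -> list of problems; an empty dict means the audit passed."""
    problems = {}
    mode = os.stat(root).st_mode
    if mode & OTHERS_CAN_ENTER:
        problems["."] = [f"directory mode {stat.filemode(mode)} lets group/others list or enter it"]
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            fmode = os.stat(full).st_mode
            issues = []
            if fmode & OTHERS_CAN_READ:
                issues.append(f"mode {stat.filemode(fmode)} is readable by group/others")
            if fmode & OTHERS_CAN_WRITE:
                issues.append(f"mode {stat.filemode(fmode)} is writable by group/others")
            if issues:
                problems[os.path.relpath(full, root).replace(os.sep, "/")] = issues
    return problems


def build_sample(root: str) -> None:
    """Constructed sample: one file locked down, one left world-readable."""
    for name, mode in (("roster.csv", 0o600), ("export.csv", 0o644)):
        path = os.path.join(root, name)
        with open(path, "w") as fh:
            fh.write("name,ssn\n")       # header only; no real values
        os.chmod(path, mode)


def demo() -> Dict[str, List[str]]:
    """Build the sample in a temporary directory (owner-only) and audit it."""
    with tempfile.TemporaryDirectory() as root:
        build_sample(root)
        os.chmod(root, 0o700)
        return audit_directory(root)


if __name__ == "__main__":
    for path, issues in sorted(demo().items()):
        for issue in issues:
            print(f"{path}: {issue}")
```

The audit is a starting point only: it checks the mode bits, not access control lists, shares exported by a file server, or who holds the owner account's password, so it complements rather than replaces the administrative attention the guide calls for.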
Make decisions in consideration of convenience of users of data and systems, but not at the expense of appropriate data protection.
- Data must be protected commensurate with its sensitivity
- Sometimes protections cause inconvenience to the person requiring access
- Protections must be weighed against that inconvenience, and sometimes processes and procedures must be changed to accommodate reasonable protections
Do not send sensitive data via email.
- While the Indiana University network is fairly secure, it is still possible for someone to intercept electronic mail being transmitted from one IU user to another
- Email being sent outside of Indiana University traverses many network segments, and security of those cannot be guaranteed
- Personal encryption software is free and easy to use once it is configured. Persons who must communicate sensitive information frequently with each other, and for which email is the most expedient method, must use personal encryption software
Immediately report situations where institutional or personal data may have been inadvertently released, to the University Chief Privacy Officer and Compliance Coordinator.
The UIPO will:
- Assist in assessing the situation
- Discuss technical issues with the department technicians and Security staff
- Assist in identifying and notifying appropriate agencies and offices
- Assist in developing an appropriate response, in coordination with:
  - School or Department senior administrator
  - University and/or campus executive administration
  - Office of the Vice President for Information Technology
  - University Information Technology Services
  - University Counsel
  - Office of Communications and Marketing
  - Indiana University Police Department
  - Appropriate Data Steward(s)
  - External law enforcement as necessary