Follow these general actions to start securing sensitive data.
Actions you can take to secure sensitive data
- Identify data
Identify where you have stored data under your control. In addition to your own workstation's hard drive, check to see if you have stored data on your departmental file server drives, your departmental or campus web servers, portable devices such as laptops, tablets, PDA's, and storage media (disks, USB keys, CD's, etc). You must ALSO identify where you have stored data on paper. (Note: The IU Warehouse is no longer approved for storing university-internal, restricted or critical institutional data. A list of approved vendors is available on the Purchasing website.)
- Inventory data
Inventory what kind of data you have stored in ALL of these places.
Indiana University stopped using the social security number (SSN) as the student ID in the Fall of 2004. Therefore, it is important to review student records from prior to 2004, looking for SSN's. If you have spreadsheets of historical data that absolutely must be retained locally and electronically, simply highlight the column in which the SSN's are located, and delete just that column and all the SSNs in it. If your data is on paper, look especially for colored papers (rosters used to be printed on green or blue paper) or, for records prior to 1989, for oversized sheets (about 10" by 13") of white paper. If you absolutely cannot dispose of the entire sheet of paper, use scissors to cut out the columns of SSNs.
- Dispose of data
Dispose of all Social Security numbers, credit card numbers, bank account numbers and access codes, driver's license numbers, and other sensitive personal information, unless you absolutely cannot do business without retaining this information in your own storage locations. And we mean absolutely - if you can get access to that data from the official secured data source when you need it instead of keeping it yourself, even if that would be somewhat inconvenient, DISPOSE of it!
Appropriate disposal means deletion from currently used drives (and then deleting your deleted items), securely wiping drives you no longer need, destroying storage media (disks, USB keys, CD's, etc.), and shredding paper.
- Secure remaining data
- Secure any remaining SSNs and other sensitive personal information. To do this you must KNOW which storage location is used for what purpose:
- Consult with your departmental computing professional(s) to ensure you are securing this data sufficiently — that is, on a professionally secured file server and in encrypted format.
- Ensure paper records are kept in locked storage – either in locking cabinets or locked storage rooms. (Note: The IU Warehouse is no longer approved for storing university-internal, restricted or critical institutional data. A list of approved vendors is available on the Purchasing website.)
- Leverage central services available at IU.
- NEVER use personal storage mediums, such as flash drives, discs, or unapproved online storage options.
- Stop and think
Stop and think whenever you come across or are handling critical information such as Social Security numbers, credit card numbers, bank account numbers and access codes, driver's license numbers, and other sensitive personal information as part of your daily duties. Why do I have this data? Is it necessary for this transaction?
If you do not absolutely need it to transact that business, DISPOSE of it!
If you received that data from another source, TELL THEM not to provide it to you anymore.
If you do absolutely need it for the transaction, ENSURE you are handling it securely.
DOUBLE-CHECK email addresses, fax numbers, telephone numbers before transmitting the data.
CONSULT with your departmental computing professional(s) and/or the data stewards for that data to ensure you are handling it securely and appropriately.