Keep It Safe - Enterprise Information Stewardship - Michigan State ...
Keep It Safe<br />
A guide to securing institutional<br />
data for MSU employees<br />
Securing Institutional Data<br />
Effective January 1, 2011, a new Policy for protecting the<br />
security and integrity of Michigan State University’s<br />
Institutional Data was released. While many units and<br />
individuals have been supportive of the managing sensitive<br />
data initiative rolled out to the campus in 2005, the new<br />
Institutional Data Policy establishes minimum requirements<br />
for the appropriate stewardship of the University’s<br />
Institutional Data.<br />
The Policy on Institutional Data applies to all University<br />
business and academic units and all MSU employees. Unit<br />
administrators and supervisors will be implementing training<br />
and procedures in support of this Policy. The Institutional<br />
Data Policy calls for:<br />
• Members of the University community to access and use<br />
Institutional Data only for University purposes.<br />
• Institutional data to be used, stored, transferred,<br />
disseminated, and disposed of in ways that minimize the<br />
potential for their improper disclosure or misuse.<br />
• Members of the University community to be individually<br />
responsible for the security and integrity of Institutional<br />
Data in their possession or control, including their<br />
proper storage and disposal.<br />
Mitigating the risk of unauthorized exposure and protecting<br />
the University’s information assets is the responsibility of<br />
every member of the MSU community. You can help protect<br />
yourself, our network, and University resources by following<br />
the practices outlined on this guide.<br />
Confidential Institutional Data<br />
MSU’s Institutional Data Policy sets minimum expectations<br />
for members of the MSU community for the stewardship of<br />
institutional data, especially Confidential Data. Faculty, staff,<br />
and students have individual responsibilities for protecting<br />
the security and integrity of institutional data.<br />
What Are Institutional Data?<br />
Institutional data are all of the data held by MSU, in any<br />
form or medium, for normal business operations.<br />
What Data are Confidential?<br />
• Institutional data that can be used for identity theft or<br />
related crimes, e.g., Social Security numbers, account<br />
numbers, date of birth, and mother’s maiden name<br />
• Institutional data whose public disclosure is restricted<br />
by law, contract, university policy, professional practice,<br />
e.g., student records, medical records and donor records<br />
• Information concerning MSU’s plans, procedures and<br />
methods for securing data, e.g., passwords, decryption<br />
keys, data access controls, and threat assessments<br />
• Institutional data whose value would be lost or reduced<br />
by unauthorized disclosure or whose unauthorized<br />
disclosure would otherwise adversely affect the<br />
university financially, e.g., research data, technical<br />
information and property appraisals<br />
The policy, including its purpose, applicability, definition of<br />
terms, responsible use requirements, authorized release of<br />
data, implementation, violations, and additional examples<br />
and resources, is available at eis.msu.edu/sid.<br />
If you are uncertain if particular data are considered<br />
confidential, err on the side of caution and treat the data as<br />
confidential. Ask your supervisor or unit administrator.
What’s at Stake?<br />
• Your privacy and the privacy of others—Protecting<br />
personally identifiable confidential information helps<br />
keep it private, safe from identity thieves, avoids possible<br />
criminal and civil legal action and penalties, and helps the<br />
university comply with federal and state regulations, e.g.,<br />
Family Educational Rights and Privacy Act (FERPA).<br />
• Computer and network performance—Keeping your<br />
computer secure with anti-virus software; active firewalls;<br />
application patches; and up-to-date operating systems<br />
helps to keep the university network secure and stable.<br />
• MSU’s reputation—Securing Confidential Data from<br />
unauthorized access helps ensure compliance with<br />
federal law (e.g., HIPAA), state law (e.g., Michigan<br />
Social Security Number Privacy Act) and contracts (e.g.,<br />
PCI/DSS) that protect privacy. Keeping Confidential<br />
Data secure avoids adverse publicity, and protects the<br />
university’s reputation and public trust.<br />
• Your reputation—Members of the university<br />
community may be held individually responsible for the<br />
appropriate collection, creation, usage, storage, transfer,<br />
dissemination, and disposal of institutional data to which<br />
they have access. Confidential data should be handled in<br />
ways that comply with university policy and professional<br />
practice that protects privacy.<br />
Your Role<br />
Michigan State University (MSU) employees need to<br />
protect the security of MSU’s institutional data as well as<br />
the associated computer systems and networks that handle<br />
the data. We have both a legal and an ethical responsibility<br />
to work responsibly with and safeguard the privacy of<br />
confidential information. We need to comply with state and<br />
federal legislation, funded research program requirements,<br />
and associated university policies and guidelines that address<br />
protecting the security and confidentiality of institutional<br />
data.<br />
We all have roles to play in managing institutional data:<br />
unit administrators and administrative staff, IT staff and<br />
end users — anyone who collects, creates, stores, maintains,<br />
distributes, uses, archives, deletes, destroys, or handles<br />
institutional data in any way.<br />
Recognize and remember your position of trust:<br />
• Institutional data should only be made available and<br />
used on a “need-to-know” basis for university purposes,<br />
the fulfillment of employment responsibilities, and<br />
participation in university governance processes.<br />
• We are each responsible for the appropriate use, release<br />
and disposal of institutional data.<br />
• We are each responsible for the security and integrity<br />
of institutional data.<br />
• Treat all Confidential Data as a highly valuable asset.<br />
• Minimize the chance of its release to an unauthorized user.<br />
• Do not share Confidential Data with unauthorized<br />
individuals or store on shared websites or file servers.<br />
Know Your Personal Responsibilities<br />
Provide information on a need-to-know basis only.<br />
Do not store, transmit, or use Confidential Data unless<br />
needed to perform your assigned duties and responsibilities.<br />
Carefully weigh the need for storing, transmitting,<br />
and using the data against the risk of exposure and the<br />
administrative responsibilities for protecting it.<br />
Properly secure Confidential Data you do need<br />
Keep Confidential Data you do need only for as long as<br />
necessary to do your job.<br />
Dispose of Confidential Data as soon as it is no longer<br />
needed.<br />
Exercise caution when using cloud computing services<br />
such as Google Apps, Gmail and Microsoft Office Live.<br />
Guidelines for working “in the cloud” are available<br />
through the Featured Links at eis.msu.edu/sid/keepitsafe.<br />
Keep Confidential Data Secure<br />
Practice Smart Habits<br />
• Store Confidential Data on a secured server. Avoid<br />
storing copies of Confidential Data on laptops, desktops,<br />
smartphones, or portable devices, e.g., USB drives.<br />
• If you need to access Confidential Data connect to a<br />
secured MSU server.<br />
• Don’t leave Confidential Data or portable media<br />
unattended. Physically secure data when not in use.<br />
• Do not open unexpected attachments or attachments<br />
from unknown sources. Be skeptical and use caution<br />
when downloading anything—know the person or<br />
entity who sent it before downloading.<br />
• Avoid sending Confidential Data electronically. When<br />
necessary, send the data over a secured communication<br />
method (or make sure the data are encrypted). Contact<br />
your local technical staff for details.<br />
• Ensure that your screen saver is set to require a<br />
password before the desktop can be reactivated.<br />
• Turn your computer off when not in use. Lock it when<br />
you step away from your desk.<br />
Protect Your Computer<br />
A computer should be secured before it connects to the<br />
network, e.g., virus protection and firewall. An unprotected<br />
computer can be taken over in minutes and often without<br />
any outward signs. Take steps to help ensure your system is<br />
secure. See your local technical staff for details.<br />
Password Protection Tips<br />
Best practices for passwords include:<br />
• Try to memorize your password.<br />
• Make them hard to guess. Use strong passwords.<br />
• Change passwords often.<br />
• Do not share them with others.<br />
• Use different passwords for different accounts.<br />
• If you must write it down, keep it in a secure, locked<br />
place or as a strongly encrypted file.<br />
• Contact your security administrator and change your<br />
password immediately if you suspect a problem.<br />
Strong password tip...<br />
Password requirements typically enforce length and use of<br />
certain types of characters. An MSU NetID is required to<br />
have a password at least eight characters long and contain<br />
three of the four character types (upper case letters, lower<br />
case letters, numeric characters, symbols). A great way to<br />
create a secure password is by using an easy-to-remember<br />
sentence. For example: “I typically ate pizza three times per<br />
week” when used as a base, can become “It8p3xpwk.”<br />
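As an added example (not code from the MSU guide), the following Python checks a candidate password against the NetID rule stated above (at least eight characters, three of the four character types) and derives a password base from a memorable sentence the way the guide illustrates. The word-substitution table (ate→8, three→3, times→x, week→wk) is my assumed reading of the guide’s example, not an MSU method.

```python
import re

# Rule as stated in the guide: at least eight characters and at least
# three of the four character types (upper, lower, numeric, symbol).
MIN_LENGTH = 8
REQUIRED_CLASSES = 3

# "symbol" is approximated as any character that is not an ASCII letter
# or digit; a real policy engine may define it more narrowly.
CHARACTER_CLASSES = {
    "upper": re.compile(r"[A-Z]"),
    "lower": re.compile(r"[a-z]"),
    "digit": re.compile(r"[0-9]"),
    "symbol": re.compile(r"[^A-Za-z0-9]"),
}


def character_classes(password):
    """Return the set of character-type names present in the password."""
    return {name for name, rx in CHARACTER_CLASSES.items() if rx.search(password)}


def meets_netid_rule(password):
    """True if the password satisfies the length and three-of-four rule.

    Passing this rule is necessary, not sufficient: a short dictionary
    word with one capital and one digit passes but is still easy to guess.
    """
    return (len(password) >= MIN_LENGTH
            and len(character_classes(password)) >= REQUIRED_CLASSES)


def sentence_to_base(sentence, substitutions=None):
    """Derive a password base from an easy-to-remember sentence.

    Takes the first character of each word, optionally replacing a whole
    word with a digit, symbol or abbreviation from `substitutions`.  The
    table the caller passes is an assumption for illustration.
    """
    substitutions = substitutions or {}
    chars = []
    for word in sentence.split():
        key = word.strip('.,!?"“”').lower()
        chars.append(substitutions.get(key, word[0]))
    return "".join(chars)


if __name__ == "__main__":
    # Constructed sample: the guide's own sentence and resulting password.
    subs = {"ate": "8", "three": "3", "times": "x", "week": "wk"}
    base = sentence_to_base("I typically ate pizza three times per week", subs)
    print(base, meets_netid_rule(base), sorted(character_classes(base)))
```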
Limit Data Exposure<br />
• Do not use Social Security numbers as an identifier.<br />
• Educate yourself about the most common tactics<br />
imposters use to gain access to confidential information.<br />
• See your technical staff to learn how to protect data on<br />
the server.<br />
Action Plan for Units and Individuals<br />
1. Inventory your data — What Confidential Data do you<br />
have? Where is it? How is it used? Who has access to it?<br />
2. Assess the impact of exposure — What laws and/or<br />
policies apply? What are the consequences of exposure?<br />
3. Reduce the risk of exposure — Be aware of good<br />
security habits and practices, keep your inventory current,<br />
and physically and digitally secure the data.<br />
• Unapproved and unsecured wireless networks, e-mail, and<br />
public computers are particularly vulnerable to breaches.<br />
• Reputable organizations will never ask you to share<br />
confidential information, especially passwords.<br />
Remember:<br />
• You may need to exchange or use Confidential Data daily.<br />
Examples include credit/debit card numbers, driver’s<br />
license numbers, Social Security numbers, personal<br />
identification numbers, digital keys and passcodes. These<br />
are Confidential Data that could be used for identity theft,<br />
fraud, or other crimes.<br />
• Confidential data are more easily stolen when shared<br />
between users, so take note of the type of connection used.
Report a Data Security Breach Immediately<br />
A reportable incident occurs when:<br />
• An unauthorized person is believed to have gained the<br />
ability to access institutional data that are stored on a<br />
university data system, or<br />
• A person who is authorized to access the information<br />
misuses that data.<br />
Examples of reportable incidents include:<br />
• The theft or physical loss of computer equipment<br />
(including personal equipment) known to hold files<br />
containing Social Security numbers or other Confidential<br />
Data.<br />
• An unencrypted list of university donors with gift<br />
amounts is e-mailed to an unauthorized recipient.<br />
• A computer known to hold Confidential Data is accessed<br />
or otherwise compromised by an unauthorized party.<br />
• Materials with personally-identifiable information, such<br />
as printed copies of grades or applications, are discovered<br />
in a publicly-accessible location.<br />
Aware of suspicious activity?<br />
Any known or suspected compromise of institutional<br />
data should be reported immediately to:<br />
MSU’s ATS Help Desk: (517) 432-6200<br />
Detailed information on what a reportable incident is,<br />
how to report it, and procedures regarding notification<br />
to affected persons is available at eis.msu.edu/sid in the<br />
document entitled Guidelines for Internal and External<br />
Reporting of Data System Security Breaches.<br />
Destroy What Isn’t Needed<br />
• When you no longer need Confidential Data, it is best<br />
to destroy it. Shred papers with Confidential Data and<br />
sanitize hard drives when disposing or transferring<br />
computers.<br />
• The Michigan Identity Theft Protection Act requires<br />
destruction of data containing personally-identifiable<br />
information when the data are “removed from the<br />
database” and not retained for a permitted use.<br />
• Follow the Best Practices in Disposal of Computers and Electronic<br />
Storage Media listed in the Featured Links section at<br />
eis.msu.edu/sid/keepitsafe.<br />
• Sanitize data by following information contained in<br />
Learn How to Sanitize Data for Disposal and Day-to-day Security<br />
available in the Featured Links section at eis.msu.edu/<br />
sid/keepitsafe.<br />
How Do I Keep Data Confidential?<br />
• Know what data are confidential<br />
• Know your responsibilities<br />
• Access and use ONLY as needed to do your job<br />
• Keep data secure<br />
• Keep ONLY as long as needed<br />
• Destroy when no longer needed<br />
Libraries, Computing and Technology<br />
400 Computer Center<br />
East Lansing MI 48824-1042<br />
(517) 353-0722<br />
vplct@msu.edu<br />