Keep It Safe - Enterprise Information Stewardship - Michigan State ...

Keep
It Safe
A guide to securing institutional
data for MSU employees
1

Securing Institutional Data
Effective January 1, 2011, a new Policy for protecting the
security and integrity of Michigan State University’s
Institutional Data was released. While many units and
individuals have been supportive of the managing sensitive
data initiative rolled out to the campus in 2005, the new
Institutional Data Policy establishes minimum requirements
for the appropriate stewardship of the University’s
Institutional Data.
The Policy on Institutional Data applies to all University
business and academic units and all MSU employees. Unit
administrators and supervisors will be implementing training
and procedures in support of this Policy. The Institutional
Data Policy calls for:
• Members of the University community to access and use
Institutional Data only for University purposes.
• Institutional data to be used, stored, transferred,
disseminated, and disposed of in ways that minimize the
potential for their improper disclosure or misuse.
• Members of the University community to be individually
responsible for the security and integrity of Institutional
Data in their possession or control, including their
proper storage and disposal.
Mitigating the risk of unauthorized exposure and protecting
the University’s information assets is the responsibility of
every member of the MSU community. You can help protect
yourself, our network, and University resources by following
the practices outlined on this guide.
1

2
Confidential Institutional Data
MSU’s Institutional Data Policy sets minimum expectations
for members of the MSU community for the stewardship of
institutional data, especially Confidential Data. Faculty, staff,
and students have individual responsibilities for protecting
the security and integrity of institutional data.
What are institutional Data?
Institutional data are all of the data held by MSU, in any
form or medium, for normal business operations.
What Data are Confidential?
• Institutional data that can be used for identity theft or
related crimes, e.g., Social Security numbers, account
numbers, date of birth, and mother’s maiden name
• Institutional data whose public disclosure is restricted
by law, contract, university policy, professional practice,
e.g., student records, medical records and donor records
• Information concerning MSU’s plans, procedures and
methods for securing data, e.g., passwords, decryption
keys, data access controls, and threat assessments
• Institutional data whose value would be lost or reduced
by unauthorized disclosure or whose unauthorized
disclosure would otherwise adversely affect the
university financially, e.g., research data, technical
information and property appraisals
The policy, including purpose, applicability, definition of
terms, responsible use requirements, authorized release of
data, implementation, violations, and additional examples
and resources are available at eis.msu.edu/sid.
If you are uncertain if particular data are considered
confidential, err on the side of caution and treat the data as
confidential. Ask your supervisor or unit administrator.

What’s at Stake?
• Your privacy and the privacy of others—Protecting
personally identifiable confidential information helps
keep it private, safe from identity thieves, avoids possible
criminal and civil legal action and penalties, and helps the
university comply with federal and state regulations, e.g.,
Family Educational Rights and Privacy Act (FERPA).
• Computer and network performance—Keeping your
computer secure with anti-virus software; active firewalls;
application patches; and up-to-date operating systems
helps to keep the university network secure and stable.
• MSU’s reputation—Securing Confidential Data from
unauthorized access helps ensure compliance with
federal law (e.g., HIPAA), state law (e.g., Michigan
Social Security Number Privacy Act) and contracts (e.g.,
PCI/DSS) that protect privacy. Keeping Confidential
Data secure avoids adverse publicity, and protects the
university’s reputation and public trust.
• Your reputation—Members of the university
community may be held individually responsible for the
appropriate collection, creation, usage, storage, transfer,
dissemination, and disposal of institutional data to which
they have access. Confidential data should be handled in
ways that comply with university policy and professional
practice that protects privacy.
3

Your Role
Michigan State University (MSU) employees need to
protect the security of MSU’s institutional data as well as
the associated computer systems and networks that handle
the data. We have both a legal and an ethical responsibility
to work responsibly with and safeguard the privacy of
confidential information. We need to comply with state and
federal legislation, funded research program requirements,
and associated university policies and guidelines that address
protecting the security and confidentiality of institutional
data.
We all have roles to play in managing institutional data:
unit administrators and administrative staff, IT staff and
end users — anyone who collects, creates, stores, maintains,
distributes, uses, archives, deletes, destroys, or handles
institutional data in any way.
Recognize and remember your position of trust:
• Institutional data should only be made available and
used on a “need-to-know” basis for university purposes,
the fulfillment of employment responsibilities, and
participation in university governance processes.
• We are each responsible for the appropriate use, release
and disposal of institutional data.
• We are each responsible for the security and integrity
of institutional data.
• Treat all Confidential Data as a highly valuable asset.
• Minimize the chance of its release to an unauthorized user.
• Do not share Confidential Data with unauthorized
individuals or store on shared websites or file servers.
4

Know Your Personal Responsibilities
Provide information on a need-to-know basis only.
Do not store, transmit, or use Confidential Data unless
needed to perform your assigned duties and responsibilities.
Carefully weigh the need for storing, transmitting,
and using the data against the risk of exposure and the
administrative responsibilities for protecting it.
Properly secure Confidential Data you do need
Keep Confidential Data you do need only for as long as
necessary to do your job.
Dispose of Confidential Data as soon as it is no longer
needed.
Exercise caution when using cloud computing computing
services such as Google Apps, Gmail and Microsoft Office
Live. Guidelines for working “in the cloud” are available
through the Featured Links at eis.msu.edu/sid/keepitsafe.
5

6
Keep Confidential Data Secure
Practice Smart Habits
• Store Confidential Data on a secured server. Avoid
storing copies of Confidential Data on laptops, desktops,
smartphones, or portable devices, e.g., USB drives.
• If you need to access Confidential Data connect to a
secured MSU server.
• Don’t leave Confidential Data or portable media
unattended. Physically secure data when not in use.
• Do not open unexpected attachments or attachments
from unknown sources. Be skeptical and use caution
when downloading anything—know the person or
entity who sent it before downloading.
• Avoid sending Confidential Data electronically. When
necessary, send the data over a secured communication
method (or make sure the data are encrypted). Contact
your local technical staff for details.
• Ensure that your
screen saver is set to
require a password before the
desktop can be reactivated.
• Turn your computer
off when not in
use. Lock it when
you step away from
your desk.

Protect Your Computer
A computer should be secured before it connects to the
network, e.g., virus protection and firewall. An unprotected
computer can be taken over in minutes and often without
any outward signs. Take steps to help ensure your system is
secure. See your local technical staff for details.
Password Protection Tips
Best practices for passwords include:
• Try to memorize your password.
• Make them hard to guess. Use strong passwords.
• Change passwords often.
• Do not share them with others.
• Use different passwords for different accounts.
• If you must write it down, keep it in a secure, locked
place or as a strongly encrypted file.
• Contact your security administrator and change your
password immediately if you suspect a problem.
Strong password tip...
Password requirements typically enforce length and use of
certain types of characters. An MSU NetID is required to
have a password at least eight characters long and contain
three of the four character types (upper case letters, lower
case letters, numeric characters, symbols). A great way to
create a secure password is by using an easy-to-remember
sentence. For example: “I typically ate pizza three times per
week” when used as a base, can become “It8p3xpwk.”
Limit Data Exposure
• Do not use Social Security numbers as an identifier.
• Educate yourself about the most common tactics
imposters use to gain access to confidential information.
• See your technical staff to learn how to protect data on
the server.
7

Action Plan for Units and Individuals
1. Inventory your data — What Confidential Data do you
have? Where is it? How is it used? Who has access to it?
2. Assess the impact of exposure — What laws and/or
policies apply? What are the consequences of exposure?
3. Reduce the risk of exposure — Be aware of good
security habits and practices, keep your inventory current,
physically and digitally secure the data
• Unapproved and unsecured wireless networks, e-mail, and
public computers are particularly vulnerable to breaches.
• Reputable organizations will never ask you to share
confidential information, especially passwords.
8
Remember:
• You may need to exchange or use Confidential Data daily.
Examples include credit/debit card numbers, driver’s
license numbers, Social Security numbers, personal
identification numbers, digital keys and passcodes. These
are Confidential Data that could be used for identity theft,
fraud, or other crimes.
• Confidential data are more easily stolen when shared
between users, so take note of the type of connection used.

Report a Data Security Breach Immediately
A reportable incident occurs when:
• An unauthorized person is believed to have gained the
ability to access institutional data that are stored on a
university data system, or
• A person who is authorized to access the information
misuses that data.
Examples of reportable incidents include:
• The theft or physical loss of computer equipment
(including personal equipment) known to hold files
containing Social Security numbers or other Confidential
Data.
• An unencrypted list of university donors with gift
amounts is e-mailed to an unauthorized recipient.
• A computer known to hold Confidential Data is accessed
or otherwise compromised by an unauthorized party.
• Materials with personally-identifiable information, such
as printed copies of grades or applications, are discovered
in a publicly-accessible location.
Aware of suspicious activity?
Any known or suspected compromise of institutional
data should be reported immediately to:
MSU’s ATS Help Desk: (517) 432-6200
Detailed information on what a reportable incident is,
how to report it, and procedures regarding notification
to affected persons is available at eis.msu.edu/sid in the
document entitled Guidelines for Internal and External
Reporting of Data System Security Breaches.
9

Destroy What Isn’t Needed
• When you no longer need Confidential Data, it is best
to destroy it. Shred papers with Confidential Data and
sanitize hard drives when disposing or transferring
computers.
• The Michigan Identity Theft Protection Act requires
destruction of data containing personally-identifiable
information when the data are “removed from the
database” and not retained for a permitted use.
• Follow the Best Practices in Disposal of Computers and Electronic
Storage Media listed in the Featured Links section at
eis.msu.edu/sid/keepitsafe.
• Sanitize data by following information contained in
Learn How to Sanitize Data for Disposal and Day-to-day Security
available in the Featured Links section at eis.msu.edu/
sid/keepitsafe.
10

How Do I Keep Data Confidential?
• Know what data are confidential
• Know your responsibilities
• Access and use ONLY as needed to do your job
• Keep data secure
• Keep ONLY as long as needed
• Destroy when no longer needed
Libraries, Computing and Technology
400 Computer Center
East Lansing MI 48824-1042
(517) 353-0722
vplct@msu.edu
11