Practices for Protecting Electronic Restricted Data
- Minimize Storage
- Practices for Protecting Restricted Data
- Getting Help
- Additional Resources
These practices were endorsed at the March 30, 2006 meeting of the Information Technology Security Committee and are updated periodically.
Because of its very nature, restricted data (see definition below) must be protected from unauthorized access or disclosure. Everyone in the University community has a responsibility to protect restricted data under their jurisdiction or control. The following practices are designed to provide realistic, achievable steps for protecting this information. They do not supersede UC Business and Finance Bulletin IS-3 requirements for protection of restricted and essential data. For questions or additional information about any of these practices, please see "Getting Help."
Please note: UCSC's Minimum Network Connectivity Requirements apply to all devices that connect to UCSC's network, regardless of whether they contain or access restricted data. The information below is in addition to these requirements.
Also note: This document includes practices for protecting restricted data in general. It DOES NOT address specific requirements for protecting specially protected categories of restricted data, such as protected health information (PHI/HIPAA data), credit card information (PCI), research data subject to specific federal or grant requirements requirements, etc.
Restricted Data: The University of California has defined "restricted data" as "Any confidential or personal information that is protected by law or policy and that requires the highest level of access control and security protection, whether in storage or in transit."
At UCSC, restricted data includes, but is not necessarily limited to:
- Personal Identity Information (PII)
- Electronic protected health information (ePHI) protected by Federal HIPAA legislation
- Credit card data regulated by the Payment Card Industry (PCI)
- Passport number
- Passwords providing access to restricted data or resources
- Information relating to an ongoing criminal investigation
- Court-ordered settlement agreements requiring non-disclosure
- Information specifically identified by contract as restricted
- Other information for which the degree of adverse affect that may result from unauthorized access or disclosure is high
- Store the minimum amount of restricted data possible, and know where it is stored.
- Securely delete restricted data when there is no longer a business need for its retention.
- Don't forget about email, attachments, screenshots, old or previous versions of files, drafts, archives, copies, backups, CDs/DVDs, old floppies, etc.
- Always shred or otherwise destroy restricted data when disposing of it or equipment that contains it.
- Information on how to securely delete files and email is available in IT Request: Mac / PC / email
- Also see "O", below, for disposal and re-use of devices and electronic media.
- Truncate, de-identify or redact restricted data that you must retain whenever possible.
Implement the following protections for any intact restricted data you must retain:
A. Encrypt it:
- Restricted data MUST be encrypted when it is transmitted. This includes email, online, remote access, file transfers, and workstation/server communications.
- Restricted data MUST be encrypted at rest. This includes restricted data stored in a database (physically located on-site or in the cloud), on a file server, or in an archival server. Work with ITS to determine the best option. Also see Encryption Information.
- This is especially important for portable and mobile devices.
B. Authorized use only:
- Be sure that you have proper authorization and training prior to accessing restricted data.
- Never share or discuss restricted data with unauthorized individuals.
- You may also be required to read and sign UCSC's Access to Information Statement (required for all ITS staff).
C. Use passwords that can't be easily guessed, and protect your passwords:
- Passwords that protect restricted data must meet UCSC's Password Standards. In short, they must use a mixture of upper and lower case letters, numbers, and symbols; and be at least 8 characters in length (or at least 10 if they’re less complex). See the Standards for additional requirements.
- Password protect all of your devices.
- Don’t share your passwords or private account information.
- Use different passwords for accounts that provide access to restricted data than for your less-sensitive accounts.
- Also use different passwords for university and personal accounts.
- Be aware that you may get locked out of university systems after multiple failed login attempts.
D. Keep devices and applications up to date:
Make sure your devices and applications have all necessary security updates or “patches” and that you know what you need to do, if anything, to keep them current.
- Shut down or restart your computer at least weekly -- and whenever your programs tell you to in order to install updates. Shutting down or restarting your computer regularly helps to make sure software and security updates are properly installed.
- Turn on auto-updates for everything you can.
E. Use anti-virus software:
All laptop and desktop computers connected to UCSC's network must run current, up-to-date software to detect viruses, spyware, and other malicious software. Set it to auto-update as frequently as the settings will allow. Anti-virus information...
F. Turn on your firewall.
Make sure your computer's firewall is enabled. Default settings are typically acceptable for most people. If you have special needs, or if you are unable to find or access your computer's firewall, contact the ITS Support Center for assistance.
G. Physical Security:
Ensure proper physical security of electronic and physical restricted data.
- Secure your work area before leaving it unattended.
- Lock up portable equipment and sensitive materials.
- Lock windows and doors, take keys out of drawers.
- Never share your access code, card or key, or hold secure doors open for people you don’t know.
- Physically secure (lock down) workstations whenever possible.
- Don’t leave sensitive information lying around, including on printers, fax machines, or copiers.
- And in general, don't print restricted data, including screenshots.
- Store paper documents that include restricted data in a locked filing system.
- Be especially careful with portable electronic devices that store restricted data. These items are extra vulnerable to theft or loss. (See "H", below.)
- Prevent Shoulder-Surfing: Shield devices so others can't see sensitive information on the screen or passwords as you type them in. Set up your workstation so that unauthorized people and passers-by can't see the information on your screen. If you show your screen to others, make sure it doesn’t have anything sensitive or revealing on it.
- Offer to assist people who are in areas where they may not belong.
H. Secure laptop computers and mobile devices at all times - lock them up or carry them with you:
- In your office or dorm room, at coffee shops, meetings, conferences, etc.
Remember: Phones, tablets, and laptops get stolen from cars, homes, and offices all the time.
- Make sure it is locked to or in something permanent.
- The same applies to CDs/DVDs, memory sticks, external hard drives, etc. These items are also vulnerable to theft or loss.
- Don't keep sensitive information or your only copy of critical data on portable devices unless they are properly protected. You have to assume that any information on a lost or stolen device could be compromised.
- Laptop lockdown cables are available at the Bay Tree Bookstore and most computer or office supply stores.
I. Protect information when using the Internet and email:
- Keep restricted data out of the cloud -- including Google. Additional info about using non-UC services...
- Don't provide personal or sensitive information (including your password) to Internet sites, surveys or forms unless you are using a trusted, secure web page.
- Look for “https” (not http) in the web address (URL) to indicate that there is a secure connection before you enter restricted or personal information, including your password.
- Don't send restricted data or personal information via email or instant message (IM). These are not secure methods of communication (see "M", below). If you receive restricted data via email, keep it for the shortest amount of time possible and delete it securely (see above). This includes attachments.
- Don't post restricted or personal information on social networking sites (e.g. Facebook, Snapchat, Twitter), personal web pages or blogs.
- Don’t click on unsolicited or unknown links in email, instant messages (IM), Facebook, Twitter, pop-ups, etc. These can infect your computer or take you to web pages designed to steal information.
- Be especially careful about what you do over wireless. Information and passwords sent via standard, unencrypted wireless are especially easy for hackers to intercept (most public wireless is unencrypted).
- Configure your email client to delete attachments when emptying the trash. Most email programs have this choice in the preferences, settings, or options.
- Be extremely careful with file sharing software (BitTorrent, Kazaa, eDonkey, Limewire, etc.). Improperly configured filesharing software can allow others access to your entire computer, not just to the files you intend to share. Filesharing also opens your computer to the risk of malicious files and attackers. Additional information...
J. Beware of Scams:
- Don't give anyone your password, even if they say they work for UCSC, ITS, or other campus organizations.
- Delete spam and suspicious emails; don't open, forward or reply to them.
- Don't click on links or attachments unless you can verify that they are legitimate. If you can't tell for sure, don't open or click it. DELETE IT!
- Don’t give sensitive personal, financial, log-in, business, system or network information to anyone you don’t know or who doesn't have a legitimate need for it -- in person, over the phone, via e-mail, IM, text, Facebook, Twitter, etc.
- Don’t click on links in pop-up ads or windows. Use your web browser’s pop-up blocker, if it has one, to help prevent these from getting through.
K. Don't install unknown or unsolicited programs on your computer.
These can harbor behind-the-scenes computer viruses or open a “back door” giving others access to your computer without your knowledge.
L. Shut down, lock, log off, or put your computer and other devices to sleep before leaving them unattended, and make sure they require a secure password to start up or wake-up.
- PC: <ctrl> <alt> <delete> or <Windows><L>
- Mac: Apple menu or power button
- Also set your devices to automatically lock when they're not in use.
M. Restricted data must be encrypted when it is transmitted.
This includes email, remote access, file transfers, and workstation/server communications.
- If you need to send files or attachments containing restricted data, work with ITS to set up a way to send them securely.
- Avoid standard (unencrypted) email and unencrypted Instant Messaging (IM)
- When distributing restricted information to others, be sure you notify them that the data is restricted and requires security protections.
- Never send or download restricted data to an insecure or unknown computer.
- See Send Passwords and Restricted Data Securely for additional information and pointers.
- Also see UCSC's Remote Access Requirements for additional information about safe remote access.
N. Additional Cautions about Storing Restricted Data:
- Be sure you know who has access to folders before you put restricted data there!
- Don’t put sensitive information in locations that are accessible from the Internet.
- Refrain from capturing restricted data in screenshots.
- Design database systems so that restricted data can be identified, and avoid using restricted data elements as the "key" to a database.
O. Disposal and Re-Use of Electronic Devices and Media:
Restricted data must be destroyed or completely and securely removed from computers, electronic devices, and electronic media (including backups) before disposal, re-use or re-assignment. This includes workstations, laptops, portable devices, printers, copy machines, faxes, data sticks, external hard drives, CDs/DVDs, tapes, etc. -- basically anything with a hard drive or external storage that is used with restricted data. See above, for links to tools.
- Also remember to shred physical documents with restricted data when they are no longer needed.
P. Test, Dev and Training Systems:
Don’t use actual restricted data in test or development systems, or for training purposes. If actual restricted data must be used, it must be protected appropriately.
Q. Reporting Security Incidents:
Immediately report suspected security incidents and breaches to your supervisor and the ITS Support Center.
- Also report lost or missing University computing equipment to the Campus Police, or to local authorities if the incident occurred away from campus.
- For more information see: Report a Security Incident
- All employees who work with restricted data must be familiar with UC and UCSC policies relating to restricted data. Links to many of these policies are available on ITS' Restricted Data page. Also applicable are UCSC's Acceptable Use Policy, Minimum Network Connectivity Requirements, department or Division-specific policies, procedures and guidelines; and any specific non-disclosure agreements that apply to information that you work with.
- A signed statement of receipt and understanding of applicable policies & requirements may be required prior to obtaining access to restricted data.
- Sanction Policy: Employees who violate UC policies or State or Federal laws regarding privacy or security of confidential, restricted and/or protected information may be subject to corrective or disciplinary actions in accordance with existing University personnel policies, bargaining agreements, and guidelines. (See Personnel Policies for UC Staff Members (PPSM 62), UC BFB IS-3, applicable bargaining agreements, UC Academic Personnel Manual (APM 015, 016 & 150), and UCSC Campus Academic Personnel/Procedures Manual (CAPM 002.015 & 003.150).)
- Contact Staff Human Resources or the Academic Personnel Office for additional information.
- Violation of local, State and Federal laws may carry additional consequences of prosecution under the law, costs of litigation, payment of damages, (or both); or all.
- Background Checks: Background checks and/or fingerprinting may be required when hiring or reassigning individuals to critical positions that will require access to restricted data. For additional information, contact Staff Human Resources or the Academic Personnel Office.
- Education and Training: All employees whose jobs involve working with restricted data should receive training on basic computer security awareness, security incident response, practices for protecting restricted data, and policy requirements relevant to restricted data. General training materials are available on ITS' Security Awareness Training page. Additional training may be required for access to specific restricted data sets.
S. Disaster recovery and emergency procedures:
All critical restricted data must be backed up regularly to a secure location.
- Backup media containing restricted data must be physically secure, encrypted, and must be transported securely.
- Be familiar with your department's or unit's disaster recovery plan and emergency operations procedures for the protection of restricted data in the event of a disaster.
T. Third Party/Vendor Relationships:
Be aware that appropriate contract language must be in place before providing UC restricted data, or access to systems containing UC restricted data, to external business partners, agents or affiliates ("third parties"). UCSC's Procurement and Business Contracts offices can assist you with this requirement. Information is also available at http://its.ucsc.edu/security/appendixds.html.
- Information Security Web site
- Restricted Data Resources
- Personal Identity Information (PII) Resources
- Minimum Network Connectivity Requirements
- How to Stay Secure
- Access to Information Statement
Rev. March 2017