Practices for Protecting Electronic Restricted Data: A Quick Reference
These practices were endorsed at the March 30, 2006 meeting of the Information Technology Security Committee and are updated periodically.
Because of its very nature, restricted data must be protected from unauthorized access or disclosure. The following practices are designed to provide realistic, achievable steps for protecting this information. For questions or additional information about any of these practices, please see "Getting Help."
Please note: This document is intended to be a “quick-reference” only. For a more comprehensive list of practices for protecting electronic restricted data, including additional responsibilities for Managers and Service Providers, please see UCSC Practices for Protecting Electronic Restricted Data.
Also note: This document includes practices for protecting restricted data in general. It DOES NOT address specific requirements for protecting specially protected categories of restricted data, such as protected health information (PHI/HIPAA data), credit card information (PCI), research data subject to specific federal or grant requirements requirements, etc.
Restricted Data: The University of California has defined "restricted data" as "Any confidential or personal information that is protected by law or policy and that requires the highest level of access control and security protection, whether in storage or in transit."
At UCSC, restricted data includes, but is not necessarily limited to:
- Personal Identity Information (PII)
- Electronic protected health information (ePHI) protected by Federal HIPAA legislation
- Credit card data regulated by the Payment Card Industry (PCI)
- Information relating to an ongoing criminal investigation
- Court-ordered settlement agreements requiring non-disclosure
- Information specifically identified by contract as restricted
- Other information for which the degree of adverse affect that may result from unauthorized access or disclosure is high
The best way to protect restricted data is not to have it in the first place.
1. Store the minimum amount of restricted data possible, and know where it is stored.
2. Securely delete restricted data when there is no longer a business need for its retention.
- Don't forget about email, attachments, screenshots, old or previous versions of files, drafts, archives, copies, backups, CDs/DVDs, old floppies, etc.
- Always shred or otherwise destroy restricted data when disposing of it or equipment that contains it.
- Information on how to securely delete files and email is available in IT Request: Mac / PC / email
- Also see 4.l, below, for disposal and re-use of devices and electronic media.
3. Truncate, de-identify or redact restricted data that you must retain whenever possible.
4. Implement the following protections for all intact restricted data you must retain:
- Be sure that you have proper authorization and training prior to accessing restricted data.
- Never share or discuss restricted data with unauthorized individuals.
- You may also be required to read and sign UCSC's Access to Information Statement (required for all ITS staff).
b. Use cryptic passwords that can't be easily guessed, and protect your passwords:
- Good, cryptic passwords use a mixture of upper and lower case letters, numbers, and symbols; are at least 8 characters in length (or at least 10 if they’re less complex); are difficult to guess and easy to remember (so you don’t have to write them down).
- Don’t share your passwords or private account information.
- Use different passwords for accounts that provide access to restricted data than for your less-sensitive accounts.
- For more information, see UCSC's Password Standards.
c. Updates and Anti-Virus:
Make sure your computer has all necessary OS and third-party application security updates or “patches,” as well as anti-virus, and that you know what you need to do, if anything, to keep them current.
- Shut down or restart your computer at least weekly -- and whenever your programs tell you to in order to install updates. Shutting down or restarting your computer regularly helps to make sure software and security updates are properly installed.
- Turn on auto-updates for everything you can.
- Anti-virus information
d. Physical Security:
Ensure proper physical security of electronic and physical restricted data.
- Secure your work area before leaving it unattended.
- Lock up portable equipment and sensitive materials
- Lock windows and doors, take keys out of drawers
- Never share your access code, card or key, or hold secure doors open for people you don’t know
- Physically secure (lock down) workstations whenever possible.
- Don’t leave sensitive information lying around, including on printers, fax machines, or copiers.
- And in general, don't print restricted data, including screenshots.
- Be especially careful with portable electronic devices that store restricted data (such as laptop computers, CDs/floppy disks, memory sticks, PDAs, data phones, etc.). These items are extra vulnerable to theft or loss.
- Don't keep sensitive information or your only copy of critical data on portable devices unless they are properly protected.
e. Secure laptop computers and mobile devices at all times:
Keep them with you or lock them before you step away, even for a very short time -- in your office, at meetings, conferences, coffee shops, etc.
- Make sure it is locked to or in something permanent.
- Take special care with a device that includes restricted data; in the event of theft, not only will the laptop be lost, any restricted data on it will be compromised.
- Laptop lockdown cables are available at the Bay Tree Bookstore and most computer or office supply stores.
f. Protect information when using the Internet and email:
- Keep restricted data out of the cloud -- including Google. Additional info about using free/low cost services...
- Don't provide personal or sensitive information (including your password) to Internet sites, surveys or forms unless you are using a trusted, secure web page.
- Look for “https” (not http) in the web address (URL) to indicate that there is a secure connection.
- Don't send restricted data or personal information via email or instant message (IM). These are not secure methods of communication (see k, below). If you receive restricted data via email, keep it for the shortest amount of time possible and delete it securely (see #2, above).
- Don't post restricted or personal information to social networking sites (e.g. Facebook, MySpace, Twitter), personal web pages or blogs.
- Don’t click on unsolicited or unknown links in email, instant messages (IM), Facebook, Twitter, pop-ups, etc. These can infect your computer or take you to web pages designed to steal information.
- Be especially careful about what you do over wireless. Information and passwords sent via standard, unencrypted wireless are especially easy for hackers to intercept (most public access wireless is unencrypted).
- Configure your email client to delete attachments when emptying the trash. Most email programs have this choice in the preferences, settings, or options.
- Contact the ITS Support Center with email questions or problems.
g. Beware of Scams:
- Don't give anyone your password, even if they say they work for UCSC, ITS, or other campus organizations..
- Don't open email attachments or click on links unless you really know what you're opening. If you can't tell for sure, don't open or click it.
- Never click on a "mystery link" unless you have a way to independently verify that it is safe. Cryptic or shortened URLs (e.g. Tiny URLs) are particularly risky because you can't easily tell where they are supposed to go.
- Don’t give sensitive personal, financial, log-in, business, system or network information to anyone you don’t know or who doesn't have a legitimate need for it -- in person, over the phone, via e-mail, IM, text, Facebook, Twitter, etc.
- Delete spam and suspicious emails; don't open, forward or reply to them.
h. Don't install unknown or unsolicited programs on your computer.
These can harbor behind-the-scenes computer viruses or open a “back door” giving others access to your computer without your knowledge.
i. Shut down, lock, log off, or put your computer and other devices to sleep before leaving them unattended, and make sure they require a secure password to start up or wake-up.
- PC: <ctrl> <alt> <delete> or <Windows><L>
- Mac: Apple menu or power button
- Also set your devices to automatically lock when they're not in use.
j. Restricted data must be encrypted when it is transmitted.
This includes email, remote access, file transfers, and workstation/server communications.
- If you need to send files or attachments containing restricted data, work with ITS to set up a way to send them securely.
- Avoid standard (unencrypted) email and unencrypted Instant Messaging (IM)
- See Send Passwords and Restricted Data Securely for additional information and pointers.
k. Additional Cautions about Storing Restricted Data:
- Be sure you know who has access to folders before you put restricted data there!
- Don’t put sensitive information in locations that are accessible from the Internet.
- Refrain from capturing restricted data in screenshots.
- Don’t send or download restricted data to an insecure or unknown computer.
- Consider encryption for stored restricted data. Work with ITS to determine if this is an appropriate option. Also see Encryption Information.
l. Disposal and Re-Use of Electronic Devices and Media:
Restricted data must be destroyed or completely and securely removed from computers, electronic devices, and electronic media (including backups) before disposal, re-use or re-assignment. This includes workstations, laptops, portable devices, printers, copy machines, faxes, data sticks, external hard drives, CDs/DVDs, tapes, etc. -- basically anything with a hard drive or external storage that is used with restricted data. See #2, above, for links to tools.
m. Test, Dev and Training:
Don’t use actual restricted data in test or development systems, or for training purposes. If actual restricted data must be used, it must be protected appropriately.
n. Prevent Shoulder-Surfing:
Shield devices so others can't see passwords as you type them in or sensitive information on the screen. Set up your workstation so that unauthorized people and passers-by can't see the information on your monitor. If you show your screen to others, make sure it doesn’t have anything sensitive or revealing on it.
o. Reporting Security Incidents:
Immediately report suspected security incidents and breaches to your supervisor and the ITS Support Center.
- Also report lost or missing University computing equipment to the Campus Police, or to local authorities if the incident occurred away from campus.
- For more information see: Report a Security Incident
Be familiar with UC and UCSC policies relating to restricted data. Links to many of these policies are available on the ITS' Restricted Data Resources page. Also applicable are UCSC's Acceptable Use Policy, Minimum Network Connectivity Requirements, and any specific non-disclosure agreements that apply to information that you work with.
- See the expanded General Practices for Protecting Electronic Restricted Data, items P&Q for additional policy references and information about UC’s sanction policies.
- The IT Security Web site
- Restricted Data Resources
- Personal Identity Information (PII) Resources
- Expanded Practices for Protecting Electronic Restricted Data
- Minimum Network Connectivity Requirements
- Access to Information Statement