Practices for Protecting Electronic Restricted Data: A Quick Reference
These practices were endorsed at the March 30, 2006 meeting of the Information Technology Security Committee and are updated periodically.
Because of its very nature, restricted data must be protected from unauthorized access or disclosure. The following practices are designed to provide realistic, achievable steps for protecting this information. For questions or additional information about any of these practices, please see "Getting Help."
Please note: This document is intended to be a “quick-reference” only. For a more comprehensive list of practices for protecting electronic restricted data, including additional responsibilities for Managers and Service Providers, please see UCSC Practices for Protecting Electronic Restricted Data.
Restricted Data: The University of California has defined "restricted data" as "Any confidential or personal information that is protected by law or policy and that requires the highest level of access control and security protection, whether in storage or in transit."
At UCSC, restricted data includes, but is not necessarily limited to:
- Personal Identity Information (PII)
- Electronic protected health information (ePHI) protected by Federal HIPAA legislation
- Credit card data regulated by the Payment Card Industry (PCI)
- Information relating to an ongoing criminal investigation
- Court-ordered settlement agreements requiring non-disclosure
- Information specifically identified by contract as restricted
- Other information for which the degree of adverse effect that may result from unauthorized access or disclosure is high
PRACTICES FOR PROTECTING ELECTRONIC RESTRICTED DATA, INCLUDING PII
1. Securely delete restricted data when there is no longer a business need for its retention. Always shred or otherwise destroy restricted data when disposing of it. Don't forget about copies and backups that you may have made.
2. Truncate, de-identify or redact restricted data that you must retain whenever possible.
3. Implement the following protections for all intact restricted data you must retain:
a. Be sure that you have proper authorization prior to accessing restricted data, and never share or discuss restricted data with unauthorized individuals.
b. Always store the minimum amount of restricted data possible, and remember #1, above.
c. Use cryptic passwords that can't be easily guessed, and protect your passwords
- Good, cryptic passwords use a mixture of upper and lower case letters, numbers, and symbols; are at least 8 characters in length (or longer if they’re less complex); are difficult to guess and easy to remember (so you don’t have to write them down).
- Don’t share your passwords or private account information.
- Use different passwords for accounts that provide access to restricted data than for your less-sensitive accounts.
- For more information, see UCSC's Password Standards.
d. Make sure your computer has all necessary OS and third-party application security updates or “patches,” as well as anti-virus, and that you know what you need to do, if anything, to keep them current.
- Shut down or restart your computer at least weekly -- and whenever your programs tell you to in order to install updates. Shutting down or restarting your computer regularly helps to make sure software and security updates are properly installed.
- Turn on auto-updates for everything you can.
e. Ensure proper physical security of electronic and physical restricted data.
- Secure your work area before leaving it unattended.
- Lock up portable equipment and sensitive materials
- Lock windows and doors, take keys out of drawers
- Never share your access code, card or key, or hold secure doors open for people you don’t know
- Physically secure (lock down) workstations whenever possible.
- Don’t leave sensitive information lying around, including on printers, fax machines, or copiers.
- Be especially careful with portable electronic devices that store restricted data (such as laptop computers, CDs/floppy disks, memory sticks, PDAs, data phones, etc.). These items are extra vulnerable to theft or loss.
- Don't keep sensitive information or your only copy of critical data on portable devices unless they are properly protected.
f. Secure laptop computers and mobile devices at all times; keep them with you or lock them up before you step away, even for a very short time -- in your office, at meetings, conferences, coffee shops, etc.
- Make sure the device is locked to or in something permanent.
- Take special care with a device that includes restricted data; in the event of theft, not only will the laptop be lost, any restricted data on it will be compromised.
- Laptop lockdown cables are available at the Bay Tree Bookstore and most computer or office supply stores.
g. Protect information when using the Internet and email
- Don't provide personal or sensitive information (including your password) to Internet sites, surveys or forms unless you are using a trusted, secure web page.
- Look for “https” (not http) in the web address (URL) to indicate that there is a secure connection.
- Don't send restricted data or personal information via email or instant message (IM). These are not secure methods of communication (see k, below). If you receive restricted data via email, keep it for the shortest amount of time possible and delete it securely (see #1, above).
- Don't post restricted or personal information to social networking sites (e.g. Facebook, MySpace, Twitter), personal web pages or blogs.
- Don’t click on unsolicited or unknown links in email, instant messages (IM), Facebook, Twitter, pop-ups, etc. These can infect your computer or take you to web pages designed to steal information.
- Be especially careful about what you do over wireless. Information and passwords sent via standard, unencrypted wireless are especially easy for hackers to intercept (most public access wireless is unencrypted). See eduroam for encrypted wireless at UCSC.
- Configure your email client to delete attachments when emptying the trash. Most email programs have this choice in the preferences, settings, or options.
- Contact the ITS Support Center with email questions or problems.
h. Beware of Scams
- Don't give anyone your password, even if they say they work for UCSC, ITS, or other campus organizations.
- Don't open email attachments or click on links unless you really know what you're opening. If you can't tell for sure, don't open or click it.
- Don’t give sensitive personal, financial, log-in, business, system or network information to anyone you don’t know or who doesn't have a legitimate need for it -- in person, over the phone, via e-mail, IM, text, Facebook, Twitter, etc.
- Delete spam and suspicious emails; don't open, forward or reply to them.
i. Don't install unknown or unsolicited programs on your computer. These can harbor behind-the-scenes computer viruses or open a “back door” giving others access to your computer without your knowledge.
j. Shut down, lock, log off, or put your computer and other devices to sleep before leaving them unattended, and make sure they require a secure password to start up or wake up.
- PC: <ctrl> <alt> <delete> or <Windows><L>
- Mac: Apple menu or power button
- Also set your devices to automatically lock when they're not in use.
k. Restricted data must be encrypted when it is transmitted. This includes email, remote access, file transfers, and workstation/server communications.
- If you need to send files or attachments containing restricted data, work with ITS to set up a way to send them securely.
- Avoid standard (unencrypted) email and unencrypted Instant Messaging (IM)
- See Send Passwords and Restricted Data Securely for additional information and pointers.
l. Additional cautions about storing restricted data:
- Be sure you know who has access to folders before you put restricted data there!
- Don’t put sensitive information in locations that are accessible from the Internet.
- Don’t send or download restricted data to an insecure or unknown computer.
- Consider encryption for stored restricted data. Work with ITS to determine if this is an appropriate option. Also see Encryption Information.
m. Disposal and Re-Use: Restricted data must be destroyed or completely and securely removed from computers and electronic media (including backups) before disposal, re-use or re-assignment. See #1, above, for links to tools.
n. Don’t use actual restricted data in test or development systems, or for training purposes. If actual restricted data must be used, it must be protected appropriately.
o. Set up your workstation so that unauthorized people and passers-by cannot see the information on your monitor. If you show your computer screen to others, make sure it doesn’t have anything sensitive or revealing on it.
p. Immediately report suspected security incidents and breaches to your supervisor and the ITS Support Center.
- Also report lost or missing University computing equipment to the Campus Police, or to local authorities if the incident occurred away from campus.
- For more information see: Report a Security Incident
q. Be familiar with UC and UCSC policies relating to restricted data. Links to many of these policies are available on the ITS' Restricted Data Resources page. Also applicable are UCSC's Acceptable Use Policy, Minimum Network Connectivity Requirements, and any specific non-disclosure agreements that apply to information that you work with.
- See the expanded General Practices for Protecting Electronic Restricted Data, items P&Q for additional policy references and information about UC’s sanction policies.
Contact the ITS Support Center for questions or additional information about any of the above information: itrequest.ucsc.edu, help@ucsc.edu, 459-HELP (4357), or 54 Kerr Hall M-F 8 AM to 5 PM
- The IT Security Web site
- Restricted Data Resources
- Personal Identity Information (PII) Resources
- Expanded Practices for Protecting Electronic Restricted Data
- Minimum Network Connectivity Requirements
Rev. 2/28/12

