General Practices for Protecting Electronic Restricted Data

Home UCSC Information Security Security & Technology Policies and Guidelines General Practices for Protecting Electronic Restricted Data

| Introduction | Getting Help | Definitions | Recommended practices for protecting electronic restricted data | Additional practices for Managers | Additional practices for Service Providers |

"Quick reference" of selected information from this document

INTRODUCTION

All individuals in the University community have a responsibility to protect restricted data under their jurisdiction or control (see definition below). This document provides information and guidance to help protect UCSC's electronic restricted data and reduce the risk of unauthorized access or disclosure. It does not supersede UC Business and Finance Bulletin IS-3 requirements for protection of restricted and essential data: http://www.ucop.edu/ucophome/policies/bfb/is3.pdf

Certain types of restricted data, such as electronic protected health information (ePHI) and credit card data (PCI), have specific protection requirements. For information, see ITS' Restricted Data Resources page at http://its.ucsc.edu/security_awareness/restricted_data_resources.php.

GETTING HELP

For assistance with any of these practices, please contact the ITS Support Center or your ITS Divisional Liaison (DL) or Local IT Specialist (LITS):

• The ITS Support Center at 459-HELP, help@ucsc.edu, or in person M-F 8AM-5PM, 54 Kerr Hall


• Your ITS Divisional Liaison (DL)

DEFINITIONS

Restricted Data: The University of California has defined "restricted data" as "any confidential or personal information that is protected by law or policy and that requires the highest level of access control and security protection, whether in storage or in transit." Please see UC Business and Finance Bulletin IS-2 for a complete definition: http://www.ucop.edu/ucophome/policies/bfb/is2.pdf.

At UCSC, restricted data includes, but is not necessarily limited to

• Personal Identity Information (PII),
• Electronic protected health information (ePHI) protected by Federal HIPAA legislation,
• Credit card data regulated by the Payment Card Industry (PCI),
• Records of students with a "Non-Release of Public Information" (NRI) flag in UCSC's Academic Information System (AIS),
• Information relating to an ongoing criminal investigation,
• Court-ordered settlement agreements requiring non-disclosure,
• Information specifically identified by contract as restricted,
• Other information for which the degree of adverse affect that may result from unauthorized access or disclosure is high.

Please see ITS' online glossary for information about most of these types of data.

RECOMMENDED PRACTICES FOR PROTECTING ELECTRONIC RESTRICTED DATA

This section provides guidance for protecting restricted data, in general. This section also includes information about getting help. A 3-page non-technical "quick reference" of selected information from this section is available online at Quick Reference.

Key data management practices

1. Store the minimum amount of restricted data necessary for completing job functions.

2. Identify where you store restricted data and make sure your supervisor knows about it. The first step in protecting restricted data is knowing where it is.

• It is important to remember that restricted data can be "hidden" in many places on your computer, such as your email trash, outbox, and attachment folder; old copies of files; archives; temporary files; web caches; and backups. If you work with restricted data – or have worked with it in the past – the ITS Support Center or your ITS Divisional Liaison can provide assistance identifying sources of stored restricted data (see "Getting Help," below, for contact information).

3. Securely delete restricted data when there is no longer a business need for its retention. This includes extra copies of restricted data and restricted data that has exceeded its required retention period. Always shred or otherwise destroy restricted data before disposing of it. For information on how to securely delete files, see: Mac / PC.

4. Truncate, de-identify, or otherwise redact restricted data that you must retain whenever possible.

5. Implement the following protections for all intact restricted data you must retain:

1. Authorization
2. Passwords and Authentication
3. Transmission and remote access of restricted data
4. Session Protection
5. Physical Security
6. Laptop Security
7. Email Safety
8. Internet Safety
9. Other steps to avoid malicious computer software, such as viruses and spyware, and hackers
10. Transferring, distributing and downloading restricted data
11. Disposal and Re-Use of files, equipment and portable media containing restricted data
12. Additional Data Management Practices
13. Testing, Training and Development Systems
14. Education and training
15. Documentation and distribution of policies
16. Sanction policy
17. Background Checks
18. Security incidents and breaches
19. Disaster recovery and emergency procedures
20. Third Party/Vendor Relationships

• Individuals with access to restricted data should, and in some cases are required to, read and sign the UCSC Access to Information Statement: http://its.ucsc.edu/services/accounts/online_forms/acc_info_stmt.pdf. Return the signed form to the requester.
  • Access to Information Statements required for access to campus systems should be sent to the ITS Support Center (mailstop: ITS-Kerr).
  • Forms required by a department should be filed according to departmental procedures.
• Be sure you have proper authorization before accessing restricted data.
• Never share or discuss restricted data with people who don't have a business need for it or aren't authorized for access to the information.

• Don't share your passwords or private account information.
  • Shared accounts are not permitted for access to systems or applications that contain or access restricted data.
  • You may not use your own User ID and password to log someone else in to any system that contains restricted data.
• Make sure your passwords can't be easily guessed:
  • Use a mixture of upper and lower case letters, numbers, and symbols.
  • Passwords should be at least 8 characters in length (or at least 10 characters in length if they don't use the different types of characters listed above),
  • Make sure your password is difficult to guess. Don't include real words or personal information like your user name, names of family or pets, birthdays, addresses, hobbies, etc.
  • Choose passwords that are easy for you to remember so you don't have to write them down. Having a hard-to-guess system or pattern is one way to do this. Using passphrases is another (see the link above for more information about passphrases).
• Use different passwords for accounts that provide access to restricted data than for your less-sensitive accounts.
  • Also, don't use the same passwords for University-related activities as for your personal accounts.
• Passwords need to be transmitted securely so attackers can't intercept them.
  • Make sure that web pages have https (not http) in the web address (URL) before you enter a password. If they don't, don't log in with a password that provides access to restricted data.
  • Make sure that any applications you log into on your computer (such as email) are set for secure authentication, if possible. Instructions for how to do this for CruzMail are available at http://its.ucsc.edu/service_catalog/cruzmail/email_client.php
• Be aware that you may be locked out of a system that contains or accesses restricted data after a certain number of failed login attempts.
  

• See Email Safety, Internet Safety, and Transferring, distributing and downloading restricted data, below, for additional information about securely transmitting data.
• If you need to access your work computer remotely (e.g. work from home, a motel, a coffee shop, etc), work with ITS (contact info below) to ensure compliance with applicable policies and security standards for the types of information being accessed.
  • See UCSC Remote Access Guidelines for additional information about safe remote access.

• Make sure a password is required for access to your computer.
  • Set up your computer (or have it set up) to require a password on startup (enable login on startup).
  • Set up your computer to require a password to wake up from sleep or screensavers.
• Make sure you shut down, lock, log off of, or put your computer to sleep before leaving it unattended: <ctrl> <alt> <delete> or <Windows><L> on a PC; Apple menu or power button on a Mac.
  • Set up your computer to "lock" or "auto log-off" and require you to enter a password if it is left unattended.
  • Always shut your computer down before you turn it off; don't just turn off the power or the monitor.
• Be sure that automatic login and guest accounts are disabled on your computer.

• Physically secure your area and equipment before leaving them unattended:
  • Lock up any sensitive materials and portable equipment before you leave your area.
  • Lock doors, windows, and drawers (take keys out of drawers).
  • Physically secure (lock down) workstations whenever possible.
  • Never share your access code, access card, or key.
  • Don't hold doors open for unknown people.
  • Offer to assist people who are in areas where they may not belong.
• Be aware of and follow any special security policies or procedures for areas you may be in.
• Be sure your workstation is set up so that unauthorized people and passers-by cannot see the information on your monitor.
• Don't leave sensitive information lying around, including on printers, fax machines, or copiers.
• Be especially careful with portable electronic devices, such as laptops, smart phones, disks/CDs, USB "thumb" drives, etc. that store restricted data, since they are difficult to secure physically.
  • Don't keep sensitive information or your only copy of critical data on portable devices unless they are properly protected. These items are extra vulnerable to theft or loss.
  • If you are going to store restricted data on a portable device, even temporarily, it is best if the data can be encrypted. Work with ITS (contact info below) if you need assistance.

• Make sure it's locked to or in something permanent.
• Take special care with a laptop or any portable electronic device that includes restricted data; in the event of theft, not only will the laptop or device be lost, any restricted data on it will be compromised.
• Laptop lockdown cables are available at the Bay Tree Bookstore and most computer or office supply stores.

• Don't open email attachments or click on website addresses in emails unless you are confident that you can trust what you are opening.
• Delete spam and suspicious emails; don't open, forward or reply to them.
• Email that contains restricted data must be treated with care and should not be preserved any longer than absolutely necessary.
  • Also, configure your email client to delete attachments when emptying the email trash or when deleting the email message. Most email programs have this choice in the preferences, settings, or options.
• Standard email is vulnerable to being intercepted by hackers. This is true for Instant Messaging (IM), too. If you send or receive email or IM containing restricted data, work with the ITS Support Center, your ITS DL, or LITS to set up a way to do this more securely (contact info below). In the absence of a secure or encrypted solution, restricted data should not be emailed or IM'ed.
  • Also, don't send restricted data in email attachments unless you've worked out a way to protect them.
• Make sure your email client (Eudora, Thunderbird, Apple Mail, Outlook, etc.) is configured for secure authentication (sign-in) and secure sending and receiving of email. For how to do this, see http://its.ucsc.edu/service_catalog/cruzmail/email_client.php.
• To help avoid viruses, don't use Outlook Express unless you have a business need to do so. More secure email clients may include Thunderbird, and Apple Mail.
• Contact the ITS Support Center with email questions or problems (contact info below).

• Don't provide personal or sensitive information (including your password) to Internet sites, surveys or forms unless you are using a trusted, secure web page.
  • Make sure that web pages have https (not http) in the web address (URL) and the little locked padlock that appears in the corner of most browser windows to indicate that there is a secure connection before you enter restricted or personal information, including your password. If they don't, don't enter the information and don't log in.
  • Also, keep in mind that even information that is sent securely can be used against you. Be cautious about who you share your personal information with – especially information that could be used for identity theft or to locate you or your family.
• Don't click on unsolicited web links, including in email or pop-ups. Just opening a malicious web page can infect a poorly protected computer, so be aware of where you are going before clicking on a link.
  • Instead of clicking on an unsolicited link, look up the company, product, or web page you are interested in on your own and go to their website directly (use a search engine such as Google or Yahoo).
• To help avoid viruses, don't use Internet Explorer unless you have a business need to do so. More secure web browsers may include Firefox and Safari.
• Clear your web cache after accessing restricted data through a web browser. That way someone accessing your computer can't pull up the content of web pages you were using. This is especially important if you are using a shared or public computer.
  
• See Transmission and remote access of restricted data, above, for more information about transmitting or accessing restricted data over the Internet.

Special considerations concerning wireless:

• It is important to remember that it is easier for hackers to intercept wireless transmissions, including passwords, than information transmitted by wires. Be especially careful about what information you send via standard, unencrypted wireless (most public access wireless is unencrypted).
• UCSC has not approved the use of wireless technology for the transmission of sensitive credit cardholder data. If you are connected to the Internet via wireless, you may not send/transmit sensitive cardholder data unless you know for certain that your department has received approval from the UCSC PCI Compliance Team and the UCSC Information Security Team, and you are using their approved, secure method of transmission.

• Make sure your computer has all necessary OS and third-party application security updates or "patches," as well as up-to-date anti-virus and anti-spyware, and that you know what you need to do, if anything, to keep them current.
• Don't install unknown or suspicious programs on your computer.
  • These can harbor behind-the-scenes computer viruses or open a "back door" giving others access to your computer without your knowledge.
• Make sure your computer's firewall is enabled. Default vendor settings are typically acceptable for most people. If you have special needs, or if you are unable to find or access your computer's firewall, contact the ITS Support Center, your ITS DL, or LITS for assistance.
  • Windows XP: http://www.microsoft.com/technet/security/smallbusiness/prodtech/windowsxp/cfgfwall.mspx
  • Mac: Firewall information is available in the Finder's "Help" menu:
    In the Finder, select "Mac Help" from the "Help" menu. Type "firewall" in the search box, then press [Enter]. Start with "Using a firewall to protect your computer." Click on "Firewall" at the bottom of that page for more options.

• Redact or delete restricted data whenever possible when transferring, distributing, or downloading files or data.
• If you transfer files containing restricted data, work with the ITS Support Center, your ITS DL, or LITS to set up a way to transfer them securely.
• Do not send or download restricted data to an insecure or unknown computer.
  • You must ensure that appropriate security measures are in place before you transfer or download restricted data, and that the security measures are appropriate for the type of restricted data being sent or downloaded.
  • When distributing restricted information to others, be sure you notify them that the data is restricted and requires security protections. Include reference to policies and regulations, as appropriate.
  • You may choose to require the recipient's acknowledgement of this notification and verification that appropriate security is in place.

• See #3, above, for links to tools for securely deleting files, or work with ITS to completely remove all restricted data from electronic media before disposal or re-use.
• Shred physical documents with restricted data when they are no longer needed.

• You must not save files with restricted data to folders, servers or machines that allow public access, or do not have appropriate security to protect the restricted data.
  • Be sure you know who has access to folders before you put restricted data there.
  • Be certain you don't put restricted data in locations that are publicly accessible from the Internet.
  • If in doubt, ask first.
• Permanent copies of restricted data should not be stored for archival purposes on portable devices, including flash drives and laptop computers, unless protective measures, such as encryption, are in place. Restricted data should only be stored temporarily on portable equipment, and only for the duration of the necessary use.
• Store non-electronic documents that include restricted data in a locked filing system.
• Design database systems so that restricted data can be identified.
• Avoid using restricted data elements as the "key" to a database.

• Truncate, de-identify or mask the restricted data in these systems whenever possible.
• If actual restricted data must be used, it must be protected appropriately, as outlined in these Practices.
  • In addition to systems, this includes restricted data that may be contained in log files, screenshots, documentation, etc.

• All employees whose jobs involve working with restricted data should receive training on basic computer security awareness, security incident response, practices for protecting restricted data, and policy requirements relevant to restricted data.
  • General training materials are available on ITS' Security Awareness website: http://its.ucsc.edu/security_awareness/ (see the "Training" box)
• Additional training may be required for access to specific restricted data sets.

• All employees who work with restricted data must be familiar with applicable UC and UCSC policies and practices (also see Manager responsibilities in Section II). These are available online at Security Policies.
• Employees must also be aware of applicable non-disclosure agreements required for access to certain types of restricted data (these will vary by department and type of restricted data), as well as their department or Division-specific policies, procedures and guidelines
• A signed statement of receipt and understanding of applicable policies & requirements may be required prior to obtaining access to restricted data.
• UC and UCSC policies apply to third parties, including external service providers and vendors (see Third Party/Vendor Relationships, below).

• Contact Staff or Academic Human Resources for additional information.
• Violation of local, State and Federal laws may carry additional consequences of prosecution under the law, costs of litigation, payment of damages, (or both); or all.

• For additional information, contact Staff or Academic Human Resources.

• Immediately report suspected security incidents & breaches to your supervisor and to the ITS Support Center. If no one is available to receive your report, contact the UCSC Security Response Team at security@ucsc.edu.
• Report lost or missing University computing equipment to your supervisor and the Campus Police (9-2231) and to the local authorities if the incident occurred away from campus.
  • Be sure to tell the Campus Police if it contained any restricted data.
• Refer to the UCSC Implementation Plan for Protection of Electronic Personal Identity Information for additional information.
  

S. Disaster recovery and emergency procedures

• All critical restricted data must be backed up regularly to a secure location.
  • Backup media containing restricted data must be physically secure and/or encrypted and must be transported securely.
  • As with all of these guidelines, work with ITS if you need assistance (contact info below).
• Be familiar with your department's or unit's disaster recovery plan and emergency operations procedures for the protection of restricted data in the event of a disaster.

T. Third Party/Vendor Relationships
Be aware that appropriate contract language must be in place before providing UC restricted data, or access to systems containing UC restricted data, to external business partners, agents or affiliates ("third parties"). UCSC Purchasing or Business Contracts offices can assist you with this requirement. Information is also available at http://its.ucsc.edu/security_awareness/appendixds.php.