UC Santa Cruz Information Technology Services

Computer Security Tutorial Module 7 (Text-Only Version)

Computer Security Tutorial (Text-Only Version)
Module 7: Protecting Personal Identity Information (PII) and Other Restricted Data


Defining Confidential Information and Restricted Data

  • Confidential Information: The term “confidential information” applies broadly to information for which unauthorized access to or disclosure could result in an adverse effect. To address this risk, some degree of protection or access restriction may be warranted.

  • Restricted Data: Restricted data is a specific category of confidential information. Restricted data is any confidential or personal information that is protected by law or policy and that requires the highest level of access control and security protection, whether in storage or in transit.

Access to Information Statement

Individuals with access to restricted data should, and in some cases are required to, read and sign the UCSC Access to Information Statement: http://its.ucsc.edu/services/accounts/online_forms/acc_info_stmt.pdf. Return the signed form to the requester.

  • Access to Information Statements required for access to campus systems go to the ITS Support Center (mailstop: ITS-Kerr).
  • Forms required by a department should be filed according to departmental procedures.

Examples of Personal Restricted Data

  • Personal Identity Information (PII)
  • Electronic protected health information (ePHI) protected by Federal HIPAA legislation
  • Credit card data regulated by the Payment Card Industry (PCI)
  • Records of students who have requested "Non-Release of Public Information" under the Federal Family Educational Rights and Privacy Act of 1974 (FERPA)
  • Information relating to an ongoing criminal investigation
  • Judge-ordered settlement agreements requiring non-disclosure.
  • Other information for which the degree of adverse effect that may result from unauthorized access or disclosure is high.

Definitions and reference information follow.


Definition of Personal Identity Information (PII)

  • Personal identity information (PII) is the electronic manifestation of an individual's
    first name or first initial, and last name, in combination with one or more of the following*:
    • Social Security Number (SSN)
    • Driver’s license number, or State-Issued ID card #
    • Account number, credit or debit card number
    • Medical information
    • Health insurance information
    *Please note, this is a condensed list. For a complete definition please see our online glossary:
    http://its.ucsc.edu/security/policies/glossary.php#p

Personal Identity Information (PII) is Protected by State Law


Definition of Electronic Protected Health Information (ePHI)

  • Patient health information which is computer based, e.g., created, received, stored or maintained, processed and/or transmitted in electronic media. Examples include:
    • Medical record number, account number or SSN
    • Patient demographic data, e.g., address, date of birth, date of death, sex, email / web address
    • Dates of service, e.g., date of admission, discharge
    • Medical records, reports, test results, appointment dates

Electronic Protected Health Information (ePHI) is protected by State and Federal Laws


FERPA: The Federal Family Educational Rights and Privacy Act of 1974

The disclosure of information from student records is governed by FERPA.

  • The campus has defined the following as public information which may be released from student records to any person UNLESS the student has requested Non-Release of Public Information (NRI) through the Academic Information System.
    • student’s name
    • local telephone
    • local address (current mailing or campus/college)
    • e-mail address
    • college
    • major
    • class level (e.g., frosh, senior)
    • dates of attendance
    • number of credits enrolled in the current term
    • degrees and honors received
    • name, weight and height of participants on intercollegiate athletic teams
  • All other information contained in a student record is considered confidential.

Student records protected by FERPA are actually protected by both Federal and State laws

  • Federal & State Laws: The disclosure of information from student records is governed by FERPA and, in part, by the State of California Education Code.
    • Potential consequences include legal or civil action and withdrawal of funds under any program administered by the Secretary of Education.
  • UCSC Policy: See the UCSC Registrar’s FERPA web pages for policy information, a FERPA quick reference guide, a FERPA quiz for employees who work with student records, and links to legislation and UC policy: http://reg.ucsc.edu/guidelines.html

Credit Card Data

Credit card information is regulated by the Payment Card Industry (PCI) Data Security Standard.

Description of the PCI Standard

  • A set of data security requirements that apply to all employees, merchants, vendors, service providers, contractors and business partners who store, process or transmit [credit] cardholder data, as well as to all system components included in or connected to the cardholder data environment. (System components include network components, servers or applications.)

Payment Card Industry (PCI) Data Security Standard References


Examples of Other Types of Confidential Information

  • Ethnicity
  • Gender
  • Date of birth
  • Citizenship
  • Marital Status
  • Religion
  • Sexual orientation
  • Home address or home telephone number
  • Personal information protected by anti-discrimination and information privacy laws
  • Information subject to a non-disclosure agreement, including research data, intellectual property (IP), and patent information
  • Academic evaluations and letters of recommendation
  • Responses to a Request for Proposal (RFP) before a decision has been reached
  • Applicant information in a pending recruitment
  • Data containing budget projections for a campus department (if it has been designated as restricted)

Steps for Protecting Restricted Data and other Confidential Information

  1. Know where this data exists.
    • All PII and other confidential information must be protected. Knowing what you have and where it is is an important first step.
      • Note: Restricted data can be in current or old files, including archives. Be sure to check copies, back-ups and previous versions of files.
  2. Destroy confidential data which is no longer needed.
    • The best way to protect restricted data is not to have it in the first place.
    • Work with your computer support person to delete confidential data securely and completely.
      • If you don’t know where to start, contact the ITS Support Center at 459-HELP or help@ucsc.edu.
    • Shred or otherwise destroy confidential data before throwing it away.
      • It is not uncommon to find all sorts of sensitive and even confidential information in trash cans, recycling bins, and dumpsters. This data can be on discarded papers, old computers or hard drives, CDs, floppy disks, etc. Even vacation schedules could be used by a resourceful hacker to justify a phony request for information.
    • Clean Devices before Disposal or Re-Use.
      • Work with your computer support person to “clean” electronic media (e.g. hard-drives, CDs, disks, flash drives, back-up tapes, etc.) before recycling, re-using, or disposing of it.
  3. Never share or discuss confidential data with unauthorized individuals.
  4. Know who has access to folders before you put confidential data there!
  5. Don’t put sensitive information in locations that are accessible from the Internet.
  6. Don’t leave confidential information lying around, including on remote printers, fax machines, or copiers - or even in your area when you step away.
  7. Set up your workstation so that unauthorized people and passers-by cannot see the information on your monitor.
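
One way to start the inventory in step 1, shown as an added example (it is not part of the original tutorial and is not a UCSC tool): a small scanner that walks a folder tree, old copies and back-ups included, and reports which lines look like an SSN or a payment card number. The patterns, function names and sample text are assumptions made for illustration; it reads plain-text files only and reports locations, never the matched values.

```python
import os
import re

# SSN written as 3-2-4 digits with dashes; area 000/666/9xx, group 00 and serial 0000 are never issued.
SSN_RE = re.compile(r"(?<![\d-])(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}(?![\d-])")
CARD_RE = re.compile(r"(?<![\d-])\d(?:[ -]?\d){12,15}(?![\d-])")  # 13-16 digits, optional separators


def luhn_ok(digits):
    """Luhn checksum used by payment card numbers; filters out random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def scan_text(text):
    """Return sorted (line_number, kind) pairs; matched values are never returned."""
    hits = set()
    for lineno, line in enumerate(text.splitlines(), 1):
        if SSN_RE.search(line):
            hits.add((lineno, "ssn"))
        for m in CARD_RE.finditer(line):
            if luhn_ok(re.sub(r"\D", "", m.group())):
                hits.add((lineno, "card"))
    return sorted(hits)


def scan_tree(root):
    """Walk root, including backup and old copies, and map file path -> hits."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", encoding="utf-8", errors="ignore") as fh:
                    hits = scan_text(fh.read())
            except OSError:
                continue  # unreadable file: skip rather than abort the inventory
            if hits:
                report[path] = hits
    return report


# Constructed sample data (no real identifiers): 4111... is a widely used test card number.
SAMPLE = "Name: Pat Example\nSSN: 123-45-6789\nCard: 4111 1111 1111 1111\nOrder: 1234 5678 9012 3456\n"
```

Files that `scan_tree` flags are candidates for step 2: securely delete what is no longer needed and move the rest to a location with restricted access.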

Special Cautions about Transferring and Downloading Restricted Data

  • Confidential information should be sent securely.
    • Avoid email and Instant Messaging (IM)
    • Use https, sFTP, Secure telnet (SSL)
  • Confidential information must be stored securely in both sending and receiving locations

For More Information About Protecting Electronic Restricted Data

 

Protecting PII and Other Restricted Data Completion Certificate




Rev. January 2009