Practices for Protecting Electronic P3 - P4 Data

Para ver la informacion de esta pagina en Español seleciona Español en el menú debajo.

INTRODUCTION

Institutional information must be protected from unauthorized access or disclosure. Everyone in the University community has a responsibility to protect university data under their jurisdiction or control. The following practices are designed to provide realistic, achievable steps for protecting this information. They do not supersede UC Business and Finance Bulletin IS-3 requirements for the protection of institutional information and IT resources. For questions or additional information about any of these practices, please open an ITS ticket.

Step One: UC Minimum Security Standard applies to all devices that connect to UCSC networks or access university data. The information below is in addition to these requirements. Confirm you are complying with Minimum Security Standards and other Secure Practices by following all steps under How to Stay Secure.

This document includes practices for protecting all P3-P4 university data. There may be additional specific requirements for protecting regulatory-protected categories of university data, such as protected health information (PHI/HIPAA data), credit card information (PCI), research data subject to specific federal or grant requirements, etc.


THE BEST WAY TO PROTECT P3-P4 DATA IS NOT TO HAVE IT IN THE FIRST PLACE!

  • Store the minimum amount of P3-P4 data possible, and know where it is stored.
  • Securely delete P3-P4 data when there is no longer a business need for its retention.
    • Don't forget about email, attachments, screenshots, old or previous versions of files, drafts, archives, copies, backups, CDs/DVDs, old floppy disks, etc.
    • Always shred or otherwise destroy P3-P4 data when disposing of it or equipment that contains it.
    • Information on how to securely delete files and email is available in IT Request KBs: Mac / PC / email
  • Truncate, de-identify, or redact P3-P4 data that you must retain whenever possible.

PRACTICES FOR P3-P4 ELECTRONIC DATA, INCLUDING PII

Implement the following protections for any P3-P4 data you must retain:

A. Encrypt it:

  • P3-P4 data MUST be encrypted when it is transmitted. This includes email, online, remote access, file transfers, and workstation/server communications.
    • If you need to send files containing P4 data, use the Filelocker service to send them securely. Files containing P3 data can be stored and shared via Google Drive
    • Avoid standard (unencrypted) email and unencrypted Instant Messaging (IM). Sensitive information should not be sent through the campus email service.
  • Use Secure Networks.
  • P3-P4 data MUST be encrypted at rest. This includes P3-P4 data stored in a database (physically located on-site or in the cloud), on a file server, or in an archival server. Work with ITS to determine the best option. 
  • Review Encryption Information.

B. Authorized use only:

  • Be sure that you have proper authorization and training prior to accessing P3-P4 data.
  • Never share or discuss P3-P4 data with unauthorized individuals.
  • You may also be required to read and sign UCSC's Access to Information Statement (required for all ITS staff).

C. Protect information when using the Internet and email:

  • Keep P4 data out of the cloud
  • Be especially careful about what you do over wireless. Information and passwords sent via standard, unencrypted wireless are especially easy for hackers to intercept (most public wireless is unencrypted).
    • See eduroam for encrypted wireless at UCSC.
    • See Campus VPN (virtual private network) for network encryption from off-campus.
    • Set devices to “ask” before joining new networks so you don’t unknowingly connect to insecure wireless networks.
    • See Mobile Devices and Wireless for additional information.
  • When distributing P3-P4 information to others, be sure you notify them that the data requires security protections.
  • See UCSC's Remote Access Requirements for additional information about safe remote access.

D. Don't install unknown or unsolicited programs on your computer.
These can harbor behind-the-scenes computer viruses or open a “back door” giving others access to your computer without your knowledge. Examples are toolbars or browser extensions.

E. Additional Cautions about Storing P3-P4 Data:

  • Be sure you know who has access to server folders before you put P4 data there. Confirm share settings in Google Drive before you put P3 data there.
  • Don’t put sensitive information in locations that are accessible from the Internet.
  • Refrain from capturing P3-P4 data in screenshots.
  • Design database systems so that P3-P4 data can be identified, and avoid using P3-P4 data elements as the "key" to a database.

F. Disposal and Re-Use of Electronic Devices and Media:
P3-P4 data must be destroyed or completely and securely removed from computers, electronic devices, and electronic media (including backups) before disposal, re-use, or re-assignment

  • Also, remember to shred physical documents with P3-P4 data when they are no longer needed.

G. Test, Dev, and Training Systems:
Don’t use actual P3-P4 data in test or development systems, or for training purposes. If actual P3-P4 data must be used, it must be protected appropriately.

H. Policies:

  • All employees who work with P3-P4 data must be familiar with UC and UCSC policies relating to P3-P4 data. The UC systemwide IS-3 Electronic Information Security Policy.
 Also applicable are UCSC's Acceptable Use PolicyUC Minimum Security Standard, department or Division-specific policies, procedures and guidelines; and any specific non-disclosure agreements that apply to information that you work with.
  • Sanction Policy: Employees who violate UC policies or State or Federal laws regarding privacy or security of university information
 may be subject to corrective or disciplinary actions in accordance with existing University personnel policies, bargaining agreements, and guidelines. (See Personnel Policies for UC Staff Members (PPSM 62), UC BFB IS-3, applicable bargaining agreements, UC Academic Personnel Manual (APM 015, 016 & 150), and UCSC Campus Academic Personnel/Procedures Manual (CAPM 002.015 & 003.150).)
    • Contact Staff Human Resources or the Academic Personnel Office for additional information.
    • Violation of local, State, and Federal laws may carry additional consequences of prosecution under the law, costs of litigation, payment of damages, (or both); or all.
  • Background Checks: Background checks and/or fingerprinting are required when hiring or reassigning individuals to critical positions that will require access to P3-P4 data. For additional information, contact Staff Human Resources or the Academic Personnel Office.
  • Education and Training: All employees whose jobs involve working with P3-P4 data should receive training on basic computer security awareness, security incident response, practices for protecting P3-P4 data, and relevant policy requirements. General training materials are available on ITS' Security Awareness Training page. Additional training may be required for access to specific regulatory protected data.

I. Disaster recovery and emergency procedures:
All critical P3-P4 data must be backed up regularly to a secure location.

  • Backup media containing P3-P4 data must be physically secure, encrypted, and must be transported securely.
  • Be familiar with your department's or unit's disaster recovery plan and emergency operations procedures for the protection of P3-P4 data in the event of a disaster.

J. Third Party/Vendor Relationships:
If you are planning a contract where a non-UCSC third party will access, collect, process, or maintain UC Institutional Information and/or access IT Resources, the Appendix Data Security (DS), must be included as part of the contractual terms and conditions.

K. Report a security incident:
Promptly address reported, suspected, or actual security violations. Any events involving Institutional Information classified Level 3 or above must be reported to the Chief Information Security Officer (CISO). Click here for more information about Protection Levels and Availability Levels.) 

 

 


ADDITIONAL RESOURCES: