Guidelines for Data Security
It is the responsibility of all University employees and/or persons with access to University data to respect the highest level of privacy for their colleagues and other members of the University community.
New state laws require that the University report cases of intrusion into certain types of personal information to the person affected, and in some cases, to state agencies.
Steps Every User of Sensitive Information Should Take
Consider what information you store and where you store it.
- Do not store personally-identifiable information about others on your PC, even though
it may be convenient to do so. The convenience of having the information on a PC
may not be worth the risk of exposing someone else's identity to theft, and exposing
you to the liability and bad publicity that may follow. Consider:
- Does such information have to be stored on a PC at all?
- If it has to be on a PC, how can it be most effectively protected?
- Can it be stored on a server (NOT a web server) where it is more closely guarded?
- Should the data be encrypted?
- Do not store sensitive information on web servers or other machines that are open to the public. Web servers themselves draw outside users, and provide security holes if they are not constantly patched and kept up-to-date. If you're unsure about this, please contact Information Technology Services.
- Do not take on the collection of sensitive information without authorization from the University’s Information Security Council.
- Do not store sensitive information on departmental computers without authorization from the University’s Information Security Council.
Control access to rooms and file cabinets where paper records are kept.
- Secure customer information behind locked doors when unattended
- Prohibit unescorted guests from areas where customer information is in plain view
- Dispose of documents containing customer information that are no longer needed in designated recycling/shredding containers.
Protect information stored electronically.
- Secure workstations behind locked doors after business hours
- Shut down your PC or minimize screens when not in use
- Lock computer workstations when leaving them unattended
- Don’t allow anyone else access to your computer in your absence.
- Manage passwords wisely
- Use strong passwords of 8 characters or more that don't spell common words and do mix numbers, small and capital letters and special characters
- Change passwords every 60 days in systems hosting sensitive data
- Do not post passwords near or on computers
- Never give anyone else your login password, or any password.
- Password-protect and encrypt sensitive data files, if you have to have them at all.
- If your Windows 2000 or XP machine is not set up by Information Technology Services, make sure that the administrative password is NOT left blank
- Encrypt sensitive customer information when it is transmitted electronically over public networks.
Respond to requests for information about students in accordance with FERPA.
Report any fraudulent attempts to obtain customer information to management, who then report the attempt to the appropriate law enforcement agencies.
Security Concerns for PDF Reports on Firestone
In an effort to reduce paper consumption and increase efficiency, ITS had converted many “green bar” reports to PDF format and placed them in secured folders on Firestone for viewing.
With the growing awareness of the impact of security breaches, it has become clear that each of one of us needs to be aware of the content we save on our desktop and laptop computers. We have the responsibility to protect confidential and sensitive information about our students and staff members and to do it to the best of our ability.
Some reports on Firestone contain sensitive and confidential information. There are risks any time sensitive information is made available in a report. We must be aware of the risks and take every precaution to prevent a security breach.
It is possible to open the PDF file on Firestone and then save it to your desktop or laptop computer. By doing so, this increases the risk of the report ending up in the wrong hands.
Here are some do’s and don’ts when viewing the PDF reports stored on Firestone.
- View the reports from Firestone
- Close the PDF when it is no longer needed
- Delete old reports from your folder that are no longer needed
- Save the PDF file on your desktop or laptop machine
- E-mail the report to another colleague
- Create a shortcut to the report on your desktop
- Save the report on other media, like a flash drive or cd
- Print the report if it isn’t necessary
- Share your access information with anyone
We also recommend that you review files on your PC and remove any file that contains confidential and sensitive information, particularly files that may contain social security numbers.
If you have any questions or concerns, please contact the ITS Help Desk or your technical contact in ITS.
Frequently Asked Questions
I have Windows Updates enabled and am using the latest antivirus software. Is data on my PC protected?
You've made a good start, but your PC may not be protected. As new exploits are developed, there is a lag time between when antivirus and operating system patches can be modified and distributed by the vendors to protect against the new exploit. Also, new "spyware" threats are developed all the time, and antivirus software does not consistently target this potentially malicious code. Again, the only real protection is to isolate your PC from the network and unauthorized users.
My PC is password protected. Does that protect me from network intrusion?
No! The password only protects the machine from being booted up by someone who doesn't know the password. It does nothing to protect from network access.
What information is of particular concern?
Student data is protected by FERPA, and only information that is defined as "directory" information may be released about students, and even that may be restricted. Information about public employees in some circumstances is more public, but in all cases, information that could lead to identity theft must be protected. Information that can individually identify a person must be safeguarded, particularly the combination of name and social-security number, and personal information like marital status, etc.
If I need help, whom can I call?
Call your regular contact within Information Technology Services, if you have one. Otherwise, call the ITS Help Desk at 607-777-6420 to ask for an appointment to talk about this matter with our staff.
If I run a web server, how can I make it secure?
No machine can be made immune from intrusion if it is networked. Web servers are designed to be networked and to serve outside users, so they are especially vulnerable.
If your web site deals with sensitive information, you must "harden" the machine that hosts it to keep intruders from monitoring transactions or innappropriately gathering other users' private data. This "hardening" includes:
- frequently removing collected data so it is not stored there if the machine is intruded upon, and
- keeping the machine (the server and system software) patched and up-to-date to minimize the risk of intrusion.
Continual diligence and maintainance is required for the full life-cycle of server operation.
Some tools for checking the security of "apache" web servers are available for Educause members (which includes Binghamton) at The Center for Internet Security at <http://www.cisecurity.org/> (just be sure to register in accordance with the Educause Member agreement, explained there). You can also contact Information Technology Services for help.