Principles for Protecting Sensitive Data
When it comes to protecting your data, knowledge is power. If your computer were stolen or compromised, what sensitive information would the thief find? If you are an employee, you are personally responsible for guarding any sensitive or confidential university information. Steps must be taken to protect your computer files from unauthorized access in order to prevent identity theft, financial account takeover, fraud, and unauthorized information alteration.
Data Identification and Classification
The first step is to create an inventory of your data: identify what data you use or have access to in your day-to-day functions and where it resides (for example, in hardcopy format, on your local PC, or in email).
Michigan Tech has established a framework for classifying and handling data based on its level of sensitivity, value, and criticality. All data needs to be classified into one of three sensitivity levels, or classifications: Confidential, Internal, and Public.
Once you have an inventory of your data (know what data you have and where it resides), you can then classify it based on its level of sensitivity and the impact to the University should that data be disclosed, altered or destroyed without authorization.
Data Scanning
Data scanning tools help prevent identity theft by finding and securing personally identifiable information (PII), such as Social Security numbers or credit card numbers, that may be stored in files, emails, web browser data, and system areas that you may not be aware of.
Secure your Data
The level of security needed is based upon the sensitivity and classification of your data. More controls are needed over confidential data than public data. Once you have classified your data, you can then determine how to appropriately safeguard the information through access controls, copying/printing restrictions, physical security, etc. Please see the Identity & Access Management section of the Michigan Tech Information Security Program for further reference.
Review and Remove Unnecessary Data
Review sensitive data, and if you do not have a legitimate business need for it, don’t keep it. Appropriately dispose of all sensitive information unless you absolutely cannot do business without storing this information locally on your machine. Appropriate disposal means deletion from currently used drives (and then deleting your deleted items), securely wiping drives you no longer need, destroying storage media (disks, USB keys, CDs, etc.), and shredding paper. Please see the Physical Security Measures of the Michigan Tech Information Security Program for further reference.
Safe Storage
One of the most important steps in protecting your data is limiting who has access to it in its stored format.
- Paper documents need to be stored in a locked room or filing cabinet
- Access must be restricted to only those with a legitimate business need
- Encrypt sensitive information sent over the internet and also all sensitive information stored on your computer
Secure sending and sharing sensitive data
- NEVER use email when dealing with sensitive information
- Encrypt and Password Protect Files
  - Encryption renders information unreadable to anyone except those who know the password or key needed to decrypt the data or file.
  - Microsoft and Adobe Acrobat both provide the ability to encrypt or password protect a document. See http://support.microsoft.com/kb/822924 for more information on Microsoft features.
