Follow these general actions to start securing sensitive data.
Actions you can take to secure sensitive data
Identify where you have stored data under your control. In addition to your own workstation's hard drive, check to see if you have stored data on your departmental file server drives, your departmental or campus web servers, portable devices such as laptops, tablets, PDA's, and storage media (disks, USB keys, CD's, etc). You must ALSO identify where you have stored data on paper. (Note: The IU Warehouse is no longer approved for storing university-internal, restricted or critical institutional data. A list of approved vendors is available on the Purchasing website.)
Inventory what kind of data you have stored in ALL of these places.
Indiana University stopped using the social security number (SSN) as the student ID in the Fall of 2004. Therefore, it is important to review student records from prior to 2004, looking for SSN's. If you have spreadsheets of historical data that absolutely must be retained locally and electronically, simply highlight the column in which the SSN's are located, and delete just that column and all the SSNs in it. If your data is on paper, look especially for colored papers (rosters used to be printed on green or blue paper) or, for records prior to 1989, for oversized sheets (about 10" by 13") of white paper. If you absolutely cannot dispose of the entire sheet of paper, use scissors to cut out the columns of SSNs.
Dispose of all Social Security numbers, credit card numbers, bank account numbers and access codes, driver's license numbers, and other sensitive personal information, unless you absolutely cannot do business without retaining this information in your own storage locations. And we mean absolutely - if you can get access to that data from the official secured data source when you need it instead of keeping it yourself, even if that would be somewhat inconvenient, DISPOSE of it!
Appropriate disposal means deletion from currently used drives (and then deleting your deleted items), securely wiping drives you no longer need, destroying storage media (disks, USB keys, CD's, etc.), and shredding paper.
- Secure any remaining SSNs and other sensitive personal information. To do this you must KNOW which storage location is used for what purpose:
- Consult with your departmental computing professional(s) to ensure you are securing this data sufficiently — that is, on a professionally secured file server and in encrypted format.
- Ensure paper records are kept in locked storage – either in locking cabinets or locked storage rooms. (Note: The IU Warehouse is no longer approved for storing university-internal, restricted or critical institutional data. A list of approved vendors is available on the Purchasing website.)
- Leverage central services available at IU.
- NEVER use personal storage mediums, such as flash drives, discs, or unapproved online storage options.
Stop and think whenever you come across or are handling critical information such as Social Security numbers, credit card numbers, bank account numbers and access codes, driver's license numbers, and other sensitive personal information as part of your daily duties. Why do I have this data? Is it necessary for this transaction?
If you do not absolutely need it to transact that business, DISPOSE of it!
If you received that data from another source, TELL THEM not to provide it to you anymore.
If you do absolutely need it for the transaction, ENSURE you are handling it securely.
DOUBLE-CHECK email addresses, fax numbers, telephone numbers before transmitting the data.
CONSULT with your departmental computing professional(s) and/or the data stewards for that data to ensure you are handling it securely and appropriately.
How do exposures occur and what should I do?
Mistakenly providing sensitive personal information to a person external to IU, verbally, on paper, or electronically is a disclosure.
Depending on the circumstances, data may also be considered disclosed or exposed if the device on which the data is stored is compromised or stolen; if a web page is made available with the data on it; if paper records with the data are disposed of without shredding or the use of another secure disposal method; or if computer disks are disposed of without following one of the methods described in UISO's document, Securely Removing Data.
If you're not careful, it's easy to save sensitive information to the wrong location; either intentionally or unintentionally. Saving sensitive information to shared disk space or to a server with web services can result in a sensitive data exposure. Did you know that saving data to a web server makes it publicly available, whether or not you provide a link to it from your web pages?
Mobile storage devices and media are convenient but can be easily lost or stolen. Data saved to these types of devices (laptops, tablets, smartphones, USB or "thumb drives", CDs, diskettes, tapes, or any removable media) can be exposed if the device or media is lost or stolen.
Remedy - Always be mindful of where you store sensitive data. Ideally, is should be in a private area on a secure server. If you use a mobile device to work with university data, you must follow the Mobile Device Security Standard.
Sometimes a file is shared for a legitimate reason, but the file contains sensitive information of which sharer is not aware (like social security numbers in a far right column of a spreadsheet).
Remedy - Know what ALL the data elements in a file are before you share it. If it contains sensitive information, sanitize the document before sharing it.
Pitfall - Human error. Sometimes data can be exposed by simply not thinking when attaching a sensitive file to an email sent to a mailing list.
Remedy - Exercise extra vigilance when handling sensitive data.
Report it! Visit the report an incident page for the appropriate process.