These general principles are beneficial for everyone, but are particularly important if you work with data of heightened sensitivity.
Consider whether it’s possible for someone to walk into your workspace and view sensitive data on your screen. Take steps to prevent this, such as turning your monitor away from passers-by or using a privacy screen.
One of the most common ways data is exposed is through lost or stolen hardware. Don’t give someone an opportunity to steal equipment where you keep sensitive data, such as your computer, mobile, or portable storage devices. Sensitive data stored on devices you take out of your workspace is at particular risk. Steps to prevent hardware theft include locking your computer down and storing small devices out of view, preferably in locked drawers, when they aren’t in use. Mobile devices used for institutional information must comply with the Mobile Device Security Standard.
Read about The Basics of VPN at IU to review how you can ensure all of your network traffic is secure when working or connecting remotely.
Regular backups not only protect you against losing all your work, but also if your computer is lost or stolen. Having the backed-up data at hand makes it possible to determine what sensitive data may be at risk.
Do-it-yourself backup solutions pose risks. For example, data may be backed up irregularly, or confidential data may be put at risk by storing it on external hard drives that are easy to steal. For this reason, do-it-yourself backup solutions are discouraged. Use a backup service that guarantees data is backed up regularly and stored securely. Contact your department’s technical support staff for recommendations.
Specific requirements for confidential data
- Encrypt any passwords stored on your computer that are used to access confidential data.
- Keep confidential data only as long as is necessary to complete the work for which it is intended. That applies whether the confidential data is stored on your computer or a departmental file server. If you don’t need it, delete it!
- Always transmit confidential data securely.
- You must not send confidential data in an email, whether in the body of a message or as an attachment, unless the data is encrypted. While Microsoft Office 2007 includes a facility for appropriately strong encryption of documents, the password-protection feature found in older versions of Word and Excel is not sufficient. Similar facilities in other applications may or may not fulfill this requirement. For information on another tool for encrypting email, see the KB article “About the Cisco Secure Email Encryption Service (CSEES).”
- You must not send confidential data in an IM (instant message) or a text message.
- Slashtmp is a good approach for exchanging sensitive data with both others at IU and external users.
- Always store confidential data securely.
- Confidential data should only be stored on a file server if it is in a folder that can only be accessed by people authorized to see it.
- Confidential data must not be stored on a server that is also used to host a web site open to the public.
- Backups of confidential data are always subject to the same restrictions as the original data.
For more in-depth information about handling electronic information, consult the following documents: