Guidelines for Safeguarding Personally Identifiable and Confidential Information from Unauthorized or Accidental Disclosure
Introduction
The purpose of this Statement is to reaffirm the Standards that apply in the matter concerning the safeguarding of administrative, personally identifiable or confidential data that has been entrusted to the University or to persons working on behalf of the University.
These guidelines are applicable to the University’s computing and communications facilities, or any facility, service or device (privately owned, leased or granted), where such entrusted data are stored or accessed.
Terms and Definitions
Safeguarding Personally Identifiable and Confidential Information
For the purposes set forth in this document, the University’s computing and communication facilities include all computing, video, data and telecommunication hardware and software systems owned, leased, or granted to the university.
Personally Identifiable Information
Personally Identifiable Information (PII) refers to any data that identifies or can be used to identify, contact, or locate the person to whom such information pertains. This includes data that is used in a way that is personally identifiable, including linking it with identifiable information from other sources, or from which other personally identifiable information can easily be derived, including, but not limited to, name, address, phone number, fax number, external email address, financial profiles, social security number, driver's license number and credit card information.
Administrative Data
Administrative data refers to any data that are collected, maintained and used on administrative information systems that support the operations of the University.
Confidential Data
Confidential data refers to any data pertaining to individuals or the University that is sensitive, private, or of a personal nature, or data that is protected under a confidentiality agreement, regulation, law, or University procedure.
Institutional Data
The use of the term “institutional data” hereafter within this document is meant to refer to all personally identifiable information, administrative data or confidential data residing or accessible through the University’s computing and communication facilities, or any facility, service or device (privately owned, leased, or granted) containing data created by the University or entrusted to the University.
Guidelines
Authorized use of and access to the University's computing and communication facilities is intended and permitted solely to support the legitimate educational, administrative and mission‐centered programs of the institution. Authorization for the use of and/or access to the University’s computing and communication facilities is granted by the Chief Information Officer and the Director or supervisor of the organizational unit that is the recognized steward and custodian of the data for which access is requested.
Institutional Data
Anyone who has access to institutional data must act to properly safeguard such data against unauthorized or accidental disclosure to a third party.
Personally Identifiable Information
Access to administrative data may be granted to individuals for the purpose of enabling them to fulfill specific job duties or contracted services or in furtherance of legitimate university business. Custodianship of data that is maintained on the university’s primary administrative information systems is detailed below.
Banner Student Information System
| System | Custodian |
| --- | --- |
| Academic Advising | Advising Office |
| Financial Aid | Financial Aid Office |
| Graduate Admissions | School of Graduate Studies |
| Records and Registration | Student Records Office |
| Shared Data | Student Records Office |
| Student Receivables | Bursar’s Office |
| Undergraduate Admissions | Admissions Office |
Banner Human Resource System
| System | Custodian |
| --- | --- |
| Benefit Record | Human Resources Office |
| Labor Distribution | Office of the Dir. of Budget |
| Payroll | Payroll Office |
| Personnel Records | Human Resources Office |
Banner Alumni and Development
| System | Custodian |
| --- | --- |
| Advancement Records | Alumni and Development |
| Alumni Records | Alumni and Development |
Banner Finance System
| System | Custodian |
| --- | --- |
| Accounts Payable | Office of Accounts Payable |
| Financial Account | Office of the Dir. of Budget |
| Purchasing | Purchasing Office |
Computing Systems
| System | Custodian |
| --- | --- |
| Academic Facilities and Systems | Information Technology Services |
| CBORD Board and Debit System | Bursar’s Office |
| Central Stores | Central Stores |
| Course Management Systems | Office of E-Learning |
| Email Systems | |
| Facilities Maintenance Systems | |
| Fixed Asset Inventory | |
| Housing Management Systems | |
| Library Management System | |
Specific Guidelines
Following are specific guidelines for the proper protection of institutional data. If you have any questions concerning data security, please contact Information Technology Services.
Secure Access and Storage of Institutional Data – Institutional data must be protected from unauthorized access or accidental disclosure. Access to institutional data must, to the extent possible, be restricted using strong passwords (e.g., a password of greater than 8 characters, including special characters and numbers). Enterprise communication systems including email may contain privileged, sensitive, confidential, and/or personally identifiable information (PII). As such, the duplication and/or exfiltration of institutional data containing any of the aforementioned properties is strictly prohibited, and may result in the violation of federal regulations including FERPA and HIPAA.
Securing Institutional Data on Backup or Removable Storage Devices – Employees may, for specific job-related purposes and with the approval of the appropriate data custodian, copy or create and store institutional data to a removable storage device, PC, mobile device, cloud‐based or remote facility. Removable media and mobile devices containing institutional data should always be kept in a place that is safe from theft, unauthorized access or accidental disclosure. Employees or other authorized personnel must take care to promptly remove institutional data that has been placed on desktop or portable computers, removable media, or cloud‐based or remote facilities when the data is no longer needed for the specific purpose.
Device Access Security – Desktop and mobile devices that contain or provide access to institutional data must be password protected against unauthorized access. These computers and devices should be shut down when not in use for extended time-frames. Additionally, they should, when possible, be configured to require password re‐authentication after no more than 20 minutes of inactivity.
Encrypting Institutional Data – Information Technology Services provides encrypted remote connectivity services (VPN/VDI) for authorized University personnel. Institutionally issued laptops are configured to automatically encrypt their hard disk drive(s). End users are typically not provided with administrative credentials. Exceptions are reviewed and authorized by the Associate Director for Information Technology Services.
Secure Transmittal of Data – Institutional data may only be transmitted to or from an external site, including external email accounts, for specific job-related purposes. Institutional data that are electronically transmitted to or from an external site, including an external email account, should be securely transmitted. When transmitted via email, institutional data should be encrypted, password protected and sent as an attachment to the email message. The password for the encrypted attachment must always be transmitted under separate cover or via telephone or voicemail. Some employees may, for specific job-related purposes, need to transmit institutional data to a third party (e.g., Financial Loan Processor, Bank, Credit Union, transfer institution). Whenever institutional data is transmitted to a third party, it must be transmitted via a secure communication protocol, such as TLS or Secure FTP. Contact Information Technology Services if you have questions concerning the secure transmittal of data.
Securing Paper Files – Institutional data that is kept in hard copy form must also be secured and protected. These data should be stored in a location that prevents unauthorized or accidental disclosure.
Effective Measures for Securing Institutional Data on Mobile Devices – Because of their portability, mobile devices are more susceptible to loss and theft. Following are specific measures that should be observed to secure institutional data on mobile devices (privately or University owned) that contain institutional data. If you need assistance with any of these measures, please contact Information Technology Services.
- Physically secure your device. Keep it with you or in a secured location.
- Enable strong device pass-code protection features and select a pass-code or PIN that is difficult to guess.
- Enable mobile device idle timeout (e.g., 5 minutes) and other device specific locking features, where possible.
- If available, enable the feature that will erase data after 10 failed pass-code attempts.
- Delete any institutional data from the device when no longer needed.
- Enable whole device encryption, if your device is so equipped. All institutionally issued Windows based laptops are automatically configured to encrypt the data on their hard disk drive(s).
- Enable and configure device tracking features (e.g., Find My iPhone service).
- Keep software up‐to‐date to protect against hacking attempts.
- Minimize the number of apps on your device and only load apps or software on your device that come from a trusted source.
Reporting Lost or Stolen Devices or the Suspected Disclosure of Institutional Data – If you know or suspect that University property or a privately owned device containing institutional data has been lost or stolen, promptly contact the campus police department. Additionally, if employed by Stockton, promptly notify your unit manager of the incident. Information Technology Services can attempt to remotely locate your device and wipe email (or other data if possible) from it. Most mobile devices store passwords for apps. To prevent unauthorized access to your data and accounts, contact the Information Technology Services Help Desk at 609-652-4309 and request a password reset as soon as possible.