Guidelines for Safeguarding Personally Identifiable and Confidential Information from Unauthorized or Accidental Disclosure

Introduction

The purpose of this Statement is to reaffirm the Standards that apply in the matter concerning the safeguarding of administrative, personally identifiable or confidential data that has been entrusted to the University or to persons working on behalf of the University.

These guidelines are applicable to the University’s computing and communications facilities, or any facility, service or device (privately owned, leased or granted), where such entrusted data are stored or accessed.

Terms and Definitions

Safeguarding Personally Identifiable and Confidential Information

For the purposes set forth in this document, the University’s computing and communication facilities include all computing, video, data and telecommunication hardware and software systems owned, leased, or granted to the university.

Personally Identifiable Information

Personally Identifiable Information (PII) refers to any data that identifies or can be used to identify, contact, or locate the person to whom such information pertains. This includes data that is used in a way that is personally identifiable, including linking it with identifiable information from other sources, or from which other personally identifiable information can easily be derived, including, but not limited to, name, address, phone number, fax number, external email address, financial profiles, social security number, driver’s license number and credit card information.

Administrative Data

Administrative data refers to any data that are collected, maintained and used on administrative information systems that support the operations of the University.

Confidential Data

Confidential data refers to any data pertaining to individuals or the University that is sensitive, private, or of a personal nature, or data that is protected under a confidentiality agreement, regulation, law, or University procedure.

Institutional Data

The use of the term “institutional data” hereafter within this document is meant to refer to all personally identifiable information, administrative data or confidential data residing or accessible through the University’s computing and communication facilities, or any facility, service or device (privately owned, leased, or granted) containing data created by the University or entrusted to the University.

Guidelines

Authorized use of and access to the University's computing and communication facilities is intended and permitted solely to support the legitimate educational, administrative and mission‐centered programs of the institution. Authorization for the use of and/or access to the University’s computing and communication facilities is granted by the Chief Information Officer and the Director or supervisor of the organizational unit that is the recognized steward and custodian of the data for which access is requested.

Institutional Data

Anyone who has access to institutional data must act to properly safeguard such data against unauthorized or accidental disclosure to a third party.

Personally Identifiable Information

Access to administrative data may be granted to individuals for the purpose of enabling them to fulfill specific job duties or contracted services or in furtherance of legitimate university business. Custodianship of data that is maintained on the university’s primary administrative information systems is detailed below.


Banner Student Information System

| System | Custodian |
| --- | --- |
| Academic Advising | Advising Office |
| Financial Aid | Financial Aid Office |
| Graduate Admissions | School of Graduate Studies |
| Records and Registration | Student Records Office |
| Shared Data | Student Records Office |
| Student Receivables | Bursar’s Office |
| Undergraduate Admissions | Admissions Office |


Banner Human Resource System

| System | Custodian |
| --- | --- |
| Benefit Record | Human Resources Office |
| Labor Distribution | Office of the Dir. of Budget |
| Payroll | Payroll Office |
| Personnel Records | Human Resources Office |


Banner Alumni and Development

| System | Custodian |
| --- | --- |
| Advancement Records | Alumni and Development |
| Alumni Records | Alumni and Development |


Banner Finance System

| System | Custodian |
| --- | --- |
| Accounts Payable | Office of Accounts Payable |
| Financial Account | Office of the Dir. of Budget |
| Purchasing | Purchasing Office |


Computing Systems

| System | Custodian |
| --- | --- |
| Academic Facilities and Systems | Information Technology Services |
| CBORD Board and Debit System | Bursar’s Office |
| Central Stores | Central Stores |
| Course Management Systems | Office of E-Learning |
| Email Systems | Information Technology Services |
| Facilities Maintenance Systems | Office of Plant Management |
| Fixed Asset Inventory | Office of the Controller |
| Housing Management Systems | Office of Residential Life |
| Library Management System | Office of the Director of the Library |

Specific Guidelines

Following are specific guidelines for the proper protection of institutional data. If you have any questions concerning data security, please contact Information Technology Services.

Secure Access and Storage of Institutional Data – Institutional data must be protected from unauthorized access or accidental disclosure. Access to institutional data must, to the extent possible, be restricted using strong passwords (e.g., a password of greater than 8 characters, including special characters and numbers). Enterprise communication systems including email may contain privileged, sensitive, confidential, and/or personally identifiable information (PII). As such, the duplication and/or exfiltration of institutional data containing any of the aforementioned properties is strictly prohibited, and may result in the violation of federal regulations including FERPA and HIPAA.

Securing Institutional Data on Backup or Removable Storage Devices – Employees may, for specific job related purposes and with the approval of the appropriate data custodian, copy or create and store institutional data to a removable storage device, PC, mobile device, cloud‐based or remote facility. Removable media and mobile devices containing institutional data should always be kept in a place that is safe from theft, unauthorized access or accidental disclosure. Employees or other authorized personnel must take care to promptly remove institutional data that has been placed on desktop or portable computers, removable media, or cloud‐based or remote facilities when the data is no longer needed for the specific purpose.

Device Access Security – Desktop and mobile devices that contain or provide access to institutional data must be password protected against unauthorized access. These computers and devices should be shut down when not in use for extended time-frames. Additionally, they should, when possible, be configured to require password re‐authentication after no more than 20 minutes of inactivity.

Encrypting Institutional Data – Information Technology Services provides encrypted remote connectivity services (VPN/VDI) for authorized University personnel. Institutionally issued laptops are configured to automatically encrypt their hard disk drive(s). End users are typically not provided with administrative credentials. Exceptions are reviewed and authorized by the Associate Director for Information Technology Services.

Secure Transmittal of Data – Institutional data may only be transmitted to or from an external site, including external email accounts, for specific job related purposes. Institutional data that are electronically transmitted to or from an external site, including an external email account, should be securely transmitted. When transmitted via email, institutional data should be encrypted, password protected and sent as an attachment to the email message. The password for the encrypted attachment must always be transmitted under separate cover or via telephone or voicemail. Some employees may, for specific job related purposes, need to transmit institutional data to a third party (e.g., Financial Loan Processor, Bank, Credit Union, transfer institution). Whenever institutional data is transmitted to a third party, it must be transmitted via a secure communication protocol, such as TLS or Secure FTP. Contact Information Technology Services if you have questions concerning the secure transmittal of data.

Securing Paper Files – Institutional data that is kept in hard copy form must also be secured and protected. These data should be stored in a location that prevents unauthorized or accidental disclosure.

Effective Measures for Securing Institutional Data on Mobile Devices – Because of their portability, mobile devices are more susceptible to loss and theft. Following are specific measures that should be observed to secure institutional data on mobile devices (privately or University owned) that contain institutional data. If you need assistance with any of these measures, please contact Information Technology Services.

  1. Physically secure your device. Keep it with you or in a secured location.
  2. Enable strong device pass-code protection features and select a pass-code or PIN that is difficult to guess.
  3. Enable mobile device idle timeout (e.g., 5 minutes) and other device specific locking features, where possible.
  4. If available, enable the feature that will erase data after 10 failed pass-code attempts.
  5. Delete any institutional data from the device when no longer needed.
  6. Enable whole device encryption, if your device is so equipped. All institutionally issued Windows based laptops are automatically configured to encrypt the data on their hard disk drive(s).
  7. Enable and configure device tracking features (e.g., Find My iPhone service).
  8. Keep software up‐to‐date to protect against hacking attempts.
  9. Minimize the number of apps on your device and only load apps or software on your device that come from a trusted source.

Reporting Lost or Stolen Devices or the Suspected Disclosure of Institutional Data – If you know or suspect that University property or a privately owned device containing institutional data has been lost or stolen, promptly contact the campus police department. Additionally, if employed by Stockton, promptly notify your unit manager of the incident. Information Technology Services can attempt to remotely locate your device and wipe email (or other data if possible) from it. Most mobile devices store passwords for apps. To prevent unauthorized access to your data and accounts, contact the Information Technology Services Help Desk at 609-652-4309 and request a password reset as soon as possible.