How electronic information should be handled is based upon the category of data that is contained in the electronic file. Electronic information must be handled according to the highest classification level of data contained in the file. For example, if a file contains both Public and Restricted information, then the file should be handled according to the Restricted classification. Purdue Data Custodians are urged to contact the Data Stewards for guidance in cases that present handling questions or security concerns.
Storage on Servers, Authentication Required
Storage on Servers, No Authentication Required
Storage on Electronic Media
Storage on Mobile Devices
Disposal of Physical Electronic Media, Repurposed for University Use
Disposal of Physical Electronic Media, NOT Repurposed for University Use
Voicemail
Access to Data in Applications and Databases
This category includes Purdue central departmental file storage servers or Career Account storage spaces where access is protected via Purdue authentication credentials. This category can also include storage on vendor solutions where Purdue has determined that there is a business need for the vendor’s solution, has entered into a contract with the vendor, and Purdue authentication credentials are used to access the vendor’s solution. Purdue authentication credentials include the Purdue Career Account and password, or a username/password combination issued by a departmental IT unit when the Purdue Career Account cannot be reasonably used.
As a result, this category includes the following storage scenarios:
Purdue-provided central and departmental servers are among the most secure places to store Purdue Restricted data. However, some Restricted data types (e.g. protected health information, banking information, or credit card information) may be subject to laws that require the data to be stored in encrypted form or require access to the data to be limited to specific authorized users only. Some common laws that may require additional security precautions include HIPAA (for health information), FERPA (for student information), GLBA (for financial account information), and PCI (for credit card information). Contact your Data Steward if you have questions about how these laws may apply to the data you are using.
| Classification | Handling requirement |
| --- | --- |
| Public | No special requirements |
| Sensitive | No special requirements |
| Restricted | No special requirements (subject to any applicable laws, as discussed above) |
This category includes file storage servers whose data can be accessed over the Internet without Purdue authentication credentials. So, this category includes the following storage scenarios:
Data Custodians are urged to exercise caution when providing access to Purdue data without appropriate Purdue authentication. For instance, when allowing non-Purdue users to access Purdue data, a Data Custodian must make sure that there are adequate protections (such as password protection, encryption, and secure communication channels) in place to protect that data.
| Classification | Handling requirement |
| --- | --- |
| Public | No special requirements |
| Sensitive | Not allowed |
| Restricted | Not allowed |
This category includes all media on which electronic data can be stored, including, but not limited to: internal and external hard drives, magnetic tapes, diskettes, CDs, DVDs, and USB storage devices.
This category is intended to apply to a person’s direct use of electronic media, and does not apply to archival, disaster recovery, and backup media used by Purdue information technology departments to protect Purdue data as part of normal operational activities. Such archival electronic media must be properly secured from loss, theft, and unauthorized access.
Data Custodians are reminded that central and departmental servers, where Purdue authentication is required, are the best place to store all categories of Purdue data, particularly Purdue Restricted data. Data Custodians are encouraged to consult the Data Stewards if Sensitive or Restricted data must be stored on electronic media (other than Purdue servers). Data Custodians should exercise caution and common sense when storing Purdue data on personally owned computing devices, including electronic media. In almost all instances, Purdue Restricted data should never be stored on a Data Custodian's personally owned computing devices, and Data Custodians should be cautious about storing Sensitive data on personally owned computing devices.
| Classification | Handling requirement |
| --- | --- |
| Public | No special requirements |
| Sensitive | Not advised |
| Restricted | Not allowed |
This category includes all computing and technology devices, regardless of name, that serve as stand-alone, mobile computing devices. Devices such as laptop computers, tablet computers, smart phones, cell phones, e-readers, and personal digital assistants fall in this category. This category is used to define Purdue-owned mobile devices only.
Data Custodians are reminded that mobile devices are easily lost or stolen and must be secured appropriately. ITaP has published information about mobile device security best practices. These security best practices must be implemented on mobile devices that process or store Purdue data. Data Custodians should exercise caution and common sense when storing Purdue data on personally owned computing devices, including mobile devices. In almost all instances, Purdue Restricted data should never be stored on a Data Custodian's personally owned computing devices, and Data Custodians should be cautious about storing Sensitive data on personally owned computing devices.
| Classification | Handling requirement |
| --- | --- |
| Public | No special requirements |
| Sensitive | Not advised |
| Restricted | Not allowed |
This category applies to any electronic media that is ready for disposal in one unit or department but can be reused within another unit or department of the University; that is, it covers any electronic media that is reused within the University.
| Classification | Handling requirement |
| --- | --- |
| Public | Multiple pass overwrite according to Media Disposal Guidelines |
| Sensitive | Multiple pass overwrite according to Media Disposal Guidelines |
| Restricted | Multiple pass overwrite according to Media Disposal Guidelines |
Purdue has issued Media Disposal Guidelines to provide guidance on media disposal techniques. A multiple pass or Department of Defense (DoD) overwrite means overwriting all addressable locations on the media with a character, then with its complement, then with a random character, and finally verifying the result.
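The overwrite sequence described above, as an added Python example (not Purdue's own tooling or the Media Disposal Guidelines themselves): each pass is written to every addressable byte of a file, flushed to disk, then read back and compared. The pattern byte 0x55, the 64 KiB chunk size and the use of a seeded PRNG for the random pass are assumptions of this example.

```python
import os
import random
import secrets
import tempfile

# Added example (not Purdue's tooling): character, complement, random, each pass verified.
# Assumptions: pattern byte 0x55, 64 KiB chunks, seeded PRNG so verification can regenerate it.
CHUNK = 64 * 1024

def _run_pass(fh, size, make_pattern):
    """Write `size` bytes of pattern from offset 0, fsync, then read back and compare."""
    for phase in ("write", "verify"):
        fh.seek(0)
        gen, remaining = make_pattern(), size  # fresh generator so both phases see identical bytes
        while remaining:
            n = min(CHUNK, remaining)
            expected = gen(n)
            if phase == "write":
                fh.write(expected)
            elif fh.read(n) != expected:
                return False
            remaining -= n
        if phase == "write":
            fh.flush()
            os.fsync(fh.fileno())
    return True

def multipass_overwrite(path, char=0x55):
    """Overwrite every addressable byte of `path` three times; return how many passes verified (3 = ok)."""
    size, seed = os.path.getsize(path), secrets.randbits(64)  # per-run seed regenerates the random pass
    patterns = [lambda: (lambda n: bytes([char]) * n),
                lambda: (lambda n: bytes([(~char) & 0xFF]) * n),
                lambda: (lambda n, r=random.Random(seed): r.getrandbits(8 * n).to_bytes(n, "little"))]
    passes_ok = 0
    with open(path, "r+b") as fh:
        for make_pattern in patterns:
            if not _run_pass(fh, size, make_pattern):
                break
            passes_ok += 1
    return passes_ok

def demo():
    # Constructed sample file (larger than one chunk) to exercise the wipe end to end.
    original = b"RESTRICTED: constructed sample record 1234\n" * 2000
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(original)
    passes = multipass_overwrite(tmp.name)
    with open(tmp.name, "rb") as fh:
        after = fh.read()
    os.remove(tmp.name)
    return passes, len(after) == len(original), b"RESTRICTED" not in after
```

Overwriting reaches only the file's logical blocks: on flash media with wear levelling, or on filesystems that keep snapshots or spare copies, physical copies may survive, which is why the physical-destruction rule below applies to media that will not be reused.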
This category applies to any electronic media that is ready for disposal and will not be reused within the University. This category is intended to apply to any electronic media on which data can be stored, and also includes multi-function devices such as copiers and scanners that are leased by the University. These devices usually have some sort of data storage capability. Departments leasing equipment with data storage capabilities are encouraged to make sure all lease agreements include provisions about securely deleting or replacing device hard drives once the device is no longer in use at Purdue (and before the device leaves University property). Departments can contact the Data Stewards for assistance if needed.
| Classification | Handling requirement |
| --- | --- |
| Public | Physically destroy |
| Sensitive | Physically destroy |
| Restricted | Physically destroy |
To destroy electronic media means to physically destroy it beyond any ability to recover any data on the media. Shredding media is an appropriate destruction method. The use of the University “Recycle for the Future” recycling program is acceptable for disposal of all classifications of electronic media/data. Information regarding this program can be found at: www.purdue.edu/surplus.
Purdue uses a computerized messaging system for voice mail services. The messaging system allows you to manage your voicemail messages via telephone and/or computer through web access. Voicemail messages are stored on the messaging system and can be accessed from your telephone. There is also the ability to set remote notification, which sends a notification to mobile devices when a voicemail message is received. Voicemail messages can also be forwarded to an email address (e.g. as a .wav or proprietary .vbk attachment).
Data Custodians must exercise care in using the messaging system and in forwarding voicemail messages to their email as attachments. In some instances, this service must be disabled for an entire area in order to prevent the transmission of Restricted information via email. This is particularly important with respect to the email forwarding function in areas that might be covered by HIPAA. Purdue Data Custodians are urged to contact the HIPAA Privacy Office for guidance in these cases.
| Classification | Handling requirement |
| --- | --- |
| Public | No special requirements |
| Sensitive | No special requirements |
| Restricted | Do not leave Restricted information in a voice mail message. Ask the recipient to call you back. If you receive Restricted information in a voice mail message, delete the message immediately upon receipt. |
This category includes access to data in Purdue applications and databases for business operations purposes. In most cases, access to information, and the ability to use, manipulate, or delete that information, is based on roles defined by business areas (and is not specified based on field values). Users are urged to contact the application owner or the Data Stewards for guidance in cases that present handling questions.