NATIONAL CYBERSECURITY AWARENESS, PART 2: Data Handling and Security - 10/15/09

Purdue expects employees who create, access, transfer and delete its public, sensitive or restricted administrative data also to keep it safe from unauthorized use, alteration, disclosure and destruction.

Helping employees stay informed about data classification and handling is a team of data stewards, each assigned to one of the University’s administrative areas. Stewards ensure that employees are granted appropriate access to data and are informed of the appropriate guidelines and policies.

Cheryl Gray, manager for Human Resources Operations, is the data steward for HR data. Hans Sigg, manager for the System Support Group Reporting Team, is the data steward for Financial data.

Protecting University employees’ data is part of Gray’s daily job responsibility. Among the types of restricted employee data are: Social Security numbers, interview results, payroll deduction selections, counseling, appraisals, discipline, sickness, bank account, reasons for termination and exit interview results.

“The University has come a long way in educating the faculty and staff on data classification and handling,” she said. “Protecting Social Security numbers (SSN) by removing them from the Purdue ID card and only requiring the SSN on forms when it is legally necessary are a couple examples.”

Employee Self-Service, rolled out in June of 2007, also provides greater employee data protection because it allows the individual to update his or her own information.

“Because the individual has the ability to update his or her own demographic, education and bank account information, there isn’t a need for the data to be collected on a paper form that would route through campus mail and end up in the employee’s personnel folder,” Gray said. “This helps the campus’ ‘green’ initiative too.”

Financial data is structured simply in two categories, Sigg explained, “general,” which can be made available to all staff members; and “restricted ledgers,” as defined by the comptroller, granted only on an “as needed” basis.

“There is an ongoing need to safeguard financial data as diligently as we protect our human resources data,” Sigg said.

Access to financial data in the SAP system is dictated by the assignment of specific user roles that must be approved by role owners or their designated authorized approvers. Supervisors request specific roles for their staff based on the requirements related to the employees’ positions. Individual staff members may not request role access for themselves.

Staff members routinely have access to systems files, reporting, emails and faxes containing sensitive or restricted data, such as credit card and bank account numbers, tax forms, students’ financial aid and loan information, customer account information, costing and risk management information, and Sponsored Program Services proposals and awards. The University also maintains data related to vendors and business partners that they expect will be protected, Sigg said.

“Each staff member has a stewardship responsibility to exercise due diligence with respect to use and distribution of university housed data,” he said. “The key to assuring the proper handling of university information rests with all of us.”

Sigg encourages employees to ask themselves these questions whenever they receive, store or share data:
     -- Am I dealing with any sensitive or restricted information?
     -- Could this information be misused in any way?
     -- Will I be sharing this information only with the appropriate individuals?
     -- Are there any special precautions that I need to take to safeguard this information?

Since early 2006, all new Business Services employees are required to complete “BDHAS 100, Data Handling and Security” during their first month of employment. The self-directed course, available online through Blackboard, defines Purdue’s policies and guidelines concerning data classifications, data handling and data security procedures. It also provides employees tips for securing their work areas. All Business Services staff were required to take the course as a refresher in 2008, Gray said, noting that course material is reviewed annually and updated as needed.

As a reminder, a data handling and security flyer, located on the Business Services Security Web site, outlines key points in keeping Purdue’s HR and financial data secure. Here are some of the tips:

     -- Employees should access only data needed to complete their assigned functions.
     -- Use the PUID instead of the SSN wherever possible.
     -- Exercise caution with information intended to remain confidential.
     -- Do not transmit confidential information via e-mail.
     -- Note that an employee can be held personally responsible if an improper disclosure of SSNs is impermissibly made.
     -- GLBA (Gramm-Leach Bliley Act) refers to personally identifiable information in situations where a consumer has provided information with intent to receive a service.
     -- FERPA relates to student data that is protected Family Education Rights and Privacy Act of 1974.
     -- HIPAA refers to protected health information.
     -- Special care should be taken when handling GLBA, FERPA, HIPAA data.

For more information about data handling and security, please contact Cheryl Gray or Hans Sigg, or visit the SecurePurdue Web site. The site also contains information about the activities planned this month in connection with the National Cybersecurity Awareness campaign.