Keys to Securing Purdue’s Data
Updated - July 2016
Know Data Handling
In order to be good stewards of university data, it is important that we understand the laws and policies that govern how our data is handled.
Health Insurance Portability and Accountability Act of 1996 (HIPAA): Laws and regulations governing the provision of health benefits, the delivery and payment of health care services and the security and confidentiality of Individually Identifiable and Protected Health Information in written, electronic or oral formats.
Family Educational Rights and Privacy Act of 1974 (FERPA): Federal law designed to protect the privacy of education records. It also provides guidelines for appropriately using and releasing student education records.
Gramm-Leach Bliley Act (GLBA): Requires financial institutions to develop, implement, and maintain administrative, technical, and physical safeguards to protect the security, integrity, and confi dentiality of customer information.
PCI (Payment Card Industry): A world wide security standard, to protect card holder information and the merchants and/or processors who store that sensitive information from fraudulent use.
Authentication & Authorization Policy (VII.B.1): Controls that facilitate access to and protect University IT Resources and data. Access to non-public IT Resources will be achieved by unique User Credentials and will require Authentication.
Data Security and Access Policy (C-34): - assure employees access to relevant data they need to conduct University business; prevent unauthorized access to systems, data, facilities, and networks; and prevent any misuse of, or damage to, computer assets or data.
Social Security Number Policy (VII.B.7): To ensure that the necessary procedures and awareness exist so that University employees and students comply with both the letter and the spirit of FERPA and Indiana Code Title 4 Article 1 Chapter 8 --State Requests for Social Security Numbers, as amended from time to time.
Data Classification & Governance Policy (VII.B.6): Provides a framework for the governance and classification of university data in order to ensure the privacy and security of that data.
For more information on these laws and policies, or others not listed here, visit: http://www.purdue.edu/Business/Security/Policies_Procedures/
Proper Data Handling
- What type of data am I using?
- How is the data classified?
- Who will have access to the data and what will they do with it?
- What do the data handling requirements say?
- Have I followed the appropriate handling requirements for public, sensitive, or restricted data?
- Are there alternative ways to handle the data that make it more secure or less likely to be used or viewed by unauthorized individuals?
There are three ways in which we categorize the handling of our data:
- Handling of Printed Information
- Electronically Stored Information
- Electronically Transmitted Information
For the complete guide to handling all university data, visit: http://www.purdue.edu/securepurdue/DataHandling/dataHandling.html
Know How the Data is Classified
The university's data are organized by the area responsible for it. Below is a summary of HR, Finance, and Student restricted data:
|Restricted Student Data||Restricted Financial Data|
|Social Security Number||Social Security Number|
|Class schedule information||Credit card (CC) numbers|
|Clinical dictation for transcribing into voice data format||Transactions and balances of selected accounts (i.e. reserves, endowments)|
|Confidential letters of recommendation||GLBA (loan agreements/balances, collection activity)|
|Credit bureau information||Bank account numbers|
|Credit card information, application fees, check information||Grant proposals|
|Criminal investigation information||Restricted HR Data|
|Disability information||Social Security Number|
|Discipline information||HIPAA (i.e. benefit claims)|
|Donor information||Employee Background Check|
|Encumbrance information||Employee ADA information|
|Exam schedule||Employee discipline|
|Fellowship awards||Garnishments/child support|
|Financial Aid information||Bank account information|
|Financial info of students or parents||Ethnicity|
|Fraudulent records information||I-9 Documentation|
|Grades/GPA/Transcripts||Payroll deduction selections|
|Insurance information||Restricted Government Research Data|
|Litigation information||Data Subject to ITAR, EAR regulations|
|Medical records||Restricted Third Party/Proprietary|
|Minority student information||Restricted by contractual obligations|
|Salary data collected from former students via surveys|
|Subpoenas for student records|
|Tax record info of students/parents|
|Witness protection program|
Restricted Data (Printed) Restricted Data (Electronically Transmitted)
|Labeling||No special requipment. Some documents should be labeled as "Confidential".||Fax||Unattended printing permitted only if physical access controls are used to prevent unauthorized viewing.
Printouts are to be picked up as soon as possible.
|Duplication||Receiver of document containing restricted information must not further
distribute without permission.
|By voice mail||Do not leave restricted information in a voice mail message. Request a call back.|
|No classification marking on external envelope, envelope to be sealed in
such a way that tampering whould be indicated upon receipt.
|By wireless or cellular
|Do not transmit.|
|Destruction||Destroy beyond recognition (shred).||Other electronic
transmissions (email, FTP)
|Storage||Store in secure location when not in use.|
Restricted Data (Electronically Stored)
|Storage on removeable media (CDs, USB flash drives)||Not allowed.|
|Printing of data||Unattended printing permitted only if physical access controls are used to prevent unauthorized viewing.|
|Storage on fixed media (server) with access controls||Encryption not required (exception-HIPAA, FERPA, PCI, GLBA subject to applicable laws).|
|Storage on fixed media (hard drive) without access controls, but not accessible via the Web||Not recommended.|
Information regarding specific types of data, its classification (public, sensitive, restricted) and who the Information Owner is can be found at the following link:
- Always lock your workstation, mobile device or laptop when you are not using them.
- Create strong passwords with upper/lowercase letters, numbers, and symbols.
- Do not store restricted information on your local hard drive. This type of data should always be stored in a secure area protected by access controls on the LAN.
- Clear your browser cache monthly.
- Do not share your password or login with others.
- Encrypt and password protect your mobile devices.
- Do not open unexpected email attachments. Verify with the sender that the attachment is legitimate.
- Never enable the password “auto-save” feature on your browser.
Need a review of data handling and security? Visit http://www.purdue.edu/securepurdue/DataHandling/dataclass/resources.html using your career account and password.
If you have problems, contact email@example.com and put Training Problem in the subject box.
A Data Steward manages data as a university resource and asset.
For a complete listing of all Data Stewards, visit http://www.purdue.edu/securepurdue/DataHandling/dataStewards.html
Questions may also be sent to: firstname.lastname@example.org