Keys to Securing Purdue’s Data

Updated - July 2016

Know Data Handling

In order to be good stewards of university data, it is important that we understand the laws and policies that govern how our data is handled.

Health Insurance Portability and Accountability Act of 1996 (HIPAA): Laws and regulations governing the provision of health benefits, the delivery and payment of health care services and the security and confidentiality of Individually Identifiable and Protected Health Information in written, electronic or oral formats.

Family Educational Rights and Privacy Act of 1974 (FERPA): Federal law designed to protect the privacy of education records. It also provides guidelines for appropriately using and releasing student education records.

Gramm-Leach-Bliley Act (GLBA): Requires financial institutions to develop, implement, and maintain administrative, technical, and physical safeguards to protect the security, integrity, and confidentiality of customer information.

PCI (Payment Card Industry): A worldwide security standard to protect cardholder information, and the merchants and/or processors who store that sensitive information, from fraudulent use.

Authentication & Authorization Policy (VII.B.1): Controls that facilitate access to and protect University IT Resources and data. Access to non-public IT Resources will be achieved by unique User Credentials and will require Authentication. 

Data Security and Access Policy (C-34): Assure employees access to relevant data they need to conduct University business; prevent unauthorized access to systems, data, facilities, and networks; and prevent any misuse of, or damage to, computer assets or data.

Social Security Number Policy (VII.B.7): To ensure that the necessary procedures and awareness exist so that University employees and students comply with both the letter and the spirit of FERPA and Indiana Code Title 4 Article 1 Chapter 8, State Requests for Social Security Numbers, as amended from time to time.

Data Classification & Governance Policy (VII.B.6): Provides a framework for the governance and classification of university data in order to ensure the privacy and security of that data.

For more information on these laws and policies, or others not listed here, visit: http://www.purdue.edu/Business/Security/Policies_Procedures/

Proper Data Handling

Ask yourself:

  • What type of data am I using?
  • How is the data classified?
  • Who will have access to the data and what will they do with it?
  • What do the data handling requirements say?
  • Have I followed the appropriate handling requirements for public, sensitive, or restricted data?
  • Are there alternative ways to handle the data that make it more secure or less likely to be used or viewed by unauthorized individuals?

There are three ways in which we categorize the handling of our data: 

  • Handling of Printed Information
  • Electronically Stored Information
  • Electronically Transmitted Information

For the complete guide to handling all university data, visit: http://www.purdue.edu/securepurdue/DataHandling/dataHandling.html 

Know How the Data is Classified

The university's data are organized by the area responsible for them. Below is a summary of HR, Finance, and Student restricted data:

Restricted Student Data

  • Social Security Number
  • Class schedule information
  • Clinical dictation for transcribing into voice data format
  • Confidential letters of recommendation
  • Credit bureau information
  • Credit card information, application fees, check information
  • Criminal investigation information
  • Disability information
  • Discipline information
  • Donor information
  • Encumbrance information
  • Exam schedule
  • Fellowship awards
  • Financial Aid information
  • Financial info of students or parents
  • Fraudulent records information
  • Grades/GPA/Transcripts
  • Insurance information
  • Litigation information
  • Medical records
  • Minority student information
  • Resume information
  • Salary data collected from former students via surveys
  • Subpoenas for student records
  • Tax record info of students/parents
  • Test scores
  • Veteran's records
  • Witness protection program

Restricted Financial Data

  • Social Security Number
  • Credit card (CC) numbers
  • Transactions and balances of selected accounts (i.e. reserves, endowments)
  • GLBA (loan agreements/balances, collection activity)
  • Bank account numbers
  • Grant proposals

Restricted HR Data

  • Social Security Number
  • HIPAA (i.e. benefit claims)
  • Employee Background Check
  • Employee ADA information
  • Employee discipline
  • Garnishments/child support
  • Bank account information
  • Ethnicity
  • I-9 Documentation
  • Payroll deduction selections

Restricted Government Research Data

  • Data Subject to ITAR, EAR regulations

Restricted Third Party/Proprietary

  • Restricted by contractual obligations

Restricted Data (Printed)

Requirements by type:

  • Labeling: No special requirement. Some documents should be labeled as "Confidential".
  • Duplication: Receiver of document containing restricted information must not further distribute without permission.
  • Mailing (internal & external): No classification marking on external envelope, envelope to be sealed in such a way that tampering would be indicated upon receipt.
  • Destruction: Destroy beyond recognition (shred).
  • Storage: Store in secure location when not in use.

Restricted Data (Electronically Transmitted)

Requirements by type:

  • Fax: Unattended printing permitted only if physical access controls are used to prevent unauthorized viewing. Printouts are to be picked up as soon as possible.
  • By voice mail: Do not leave restricted information in a voice mail message. Request a call back.
  • By wireless or cellular technology: Do not transmit.
  • Other electronic transmissions (email, FTP): Encryption required.

Restricted Data (Electronically Stored)

Requirements by type:

  • Storage on removable media (CDs, USB flash drives): Not allowed.
  • Printing of data: Unattended printing permitted only if physical access controls are used to prevent unauthorized viewing.
  • Storage on fixed media (server) with access controls: Encryption not required (exception: HIPAA, FERPA, PCI, GLBA subject to applicable laws).
  • Storage on fixed media (hard drive) without access controls, but not accessible via the Web: Not recommended.

Information regarding specific types of data, its classification (public, sensitive, restricted) and who the Information Owner is can be found at the following link:

http://www.purdue.edu/securepurdue/DataHandling/dataclass/index.html


Best Practices 

  • Always lock your workstation, mobile device or laptop when you are not using it.
  • Create strong passwords with upper/lowercase letters, numbers, and symbols. 
  • Do not store restricted information on your local hard drive. This type of data should always be stored in a secure area protected by access controls on the LAN. 
  • Clear your browser cache monthly. 
  • Do not share your password or login with others. 
  • Encrypt and password protect your mobile devices. 
  • Do not open unexpected email attachments. Verify with the sender that the attachment is legitimate. 
  • Never enable the password “auto-save” feature on your browser. 

Need Training?

Need a review of data handling and security? Visit http://www.purdue.edu/securepurdue/DataHandling/dataclass/resources.html using your career account and password.

If you have problems, contact certify@purdue.edu and put Training Problem in the subject box.

Questions?

A Data Steward manages data as a university resource and asset.


For a complete listing of all Data Stewards, visit http://www.purdue.edu/securepurdue/DataHandling/dataStewards.html
Questions may also be sent to: datastewards@purdue.edu