Electronic Media Procedures
Date Issued: February 10, 2025
Date Last Revised: Not Applicable
These requirements supplement the University Data Handling Procedures for Electronically Stored Information – Storage on Electronic Media, which support the implementation of the Information Security and Privacy Policy (VII.B.8), Acceptable Use of IT Resources and Information Assets (VII.A.4), and the associated Standards, Guidelines, and Procedures.
Table of Contents
Contacts
Introduction
Procedures
Responsibilities
Exclusions
Related References
History and Updates
Contacts
Clarification of Procedures
Title/Office | Telephone | Email/Webpage
Purdue Systems Security (PSS) | 765-494-4000 |
Introduction
Electronic Media is defined in the University Data Handling Procedures for Electronically Stored Information – Storage on Electronic Media, and these procedures use the same definition. The definition is inclusive of Portable Storage Devices as defined by the National Institute of Standards and Technology (NIST).
Use of Electronic Media may introduce security challenges, and the University must manage how the media is secured and maintain the computing environment and University information assets. This document identifies procedures and responsibilities in the engagement and management of Electronic Media.
Electronic Media can provide portable, convenient, and expandable storage for many situations. The Purdue community may take advantage of this technology to easily share data, take data with them off-campus for business purposes, or keep a backup of specific data. There are risks to consider, however: Electronic Media is less secure than storage on servers or cloud services and is more susceptible to data corruption and theft.
Procedures
Storing university data classified as sensitive or restricted on Electronic Media is generally not advised and should be considered a last resort. Data should only be stored on the Electronic Media as long as it is needed. Sensitive and restricted data are defined in Data Classification and Handling Procedures.
The following requirements must be met when storing sensitive or restricted data on Electronic Media:
- A business reason requires the use.
- The Electronic Media in use is owned by the University.
- The Electronic Media is securely stored when not in active use by the user.
- The data is encrypted.
- The data is scanned for malware upon connection to a university computer and upon data access.
Any removable media containing sensitive or restricted data must be destroyed beyond recovery when no longer needed and in accordance with Media Disposal Guidelines.
Consider the level of risk associated with data corruption or loss on the Electronic Media, and take appropriate data validation and backup precautions.
Additional Requirements for Restricted Data on Electronic Media
Additional requirements must be met to store restricted data on Electronic Media. PSS must approve a Data Security Plan (DSP) for the intended usage.
Prior to initiating a DSP request, the intended Electronic Media user should collaborate with the data owner and applicable Data Steward and/or Security Officer to determine if intended usage is appropriate and necessary.
As part of the DSP process, PSS will collaborate with the Electronic Media user, data owner, and applicable Security Officer and/or Data Steward to ensure appropriate security practices are agreed to.
A DSP for restricted data use on Electronic Media can be initiated by opening a ticket with PSS Information Assurance (PSS-IA) in the following way:
The ticket may be submitted by email to it@purdue.edu or via the TDX web portal.
- Subject should be: Data Security Plan for Electronic Media
- Body should contain the following information:
  - The business reason for using Electronic Media
  - Type of restricted data that will be stored
  - Data Steward and/or Security Officer name and contact information
After initiation, PSS-IA will reach out to the requestor and data owner with questions that will help facilitate creation of the DSP. The applicable Data Steward and/or Security Officer will also be informed of the in-process DSP. Part of PSS-IA review will include confirming the Electronic Media user has completed appropriate University data handling training. The DSP will align with University policy and common security frameworks such as NIST.
Once a DSP is in place, it requires a yearly review.
Responsibilities
Data Stewards
Data Stewards are responsible for ensuring that data classification and protection are followed. They should be consulted when considering storing data on Electronic Media. Refer to the full listing of Data Stewards for each business area.
PSS Information Assurance (PSS IA)
PSS IA maintains these procedures and facilitates the DSP creation and approval process through collaboration with Electronic Media users, data owners, Data Stewards, and Security Officers.
Security Officers
Security Officers represent each business area and are responsible for the technical coordination of security activities across the University campuses. These individuals may be able to assist with the acquisition and proper usage of Electronic Media per the procedures outlined herein. Refer to the full listing of Security Officers for each business area.
Exclusions
Usage of Electronic Media for controlled research, or other research that is subject to Technology Control Plans or similar plans that are periodically reviewed by PSS IA, is excluded from the DSP process within these procedures.
Related References
The controls frameworks referenced below are the current versions at the time of this publication. These frameworks are subject to periodic updates and the most current, final publication available should be referenced.
Data Classification and Handling Procedures
NIST Special Publication 800-53 (Rev. 5): Security and Privacy Controls for Information Systems and Organizations – Defines Portable Storage Devices
History and Updates
February 10, 2025 - Released to provide guidelines associated with University Data Handling Procedures for Electronically Stored Information – Storage on Electronic Media