Protecting Data - Technical IT Staff
Protecting the Universitys Data
- The University recognizes four data classifications including Restricted, Sensitive, Internal, and Public. More information regarding data classifications can be found here.
- All University employees are responsible and accountable for properly identifying, transmitting, redistributing, storing or disposing of data.
- Data comes in both a physical and electronic form; however, electronic data can be more vulnerable to exposure making the need to protect it greater.
- The best way to reduce the risk of data exposure is not to have access to the data. It is recommended that you review your access to systems where restricted or sensitive data elements are stored. If possible, eliminate or remove your access to these data elements unless it is essential to your job duties.
What is "Restricted" Data?Restricted Data is personal information that is protected by federal, state, local laws, regulations or adopted standards and is commonly referred to as PII (Personally Identifiable Information) and PHI (Protected Health Information). Data should be classified as Restricted when the unauthorized disclosure, alteration, loss or destruction of that data could cause a significant level of risk to the University, affiliates or research projects.
What is "Sensitive" Data?The University’s definition of Sensitive Data is when the unauthorized disclosure, alteration, loss or destruction could cause a moderate level or risk to the University, affiliates, or research project. Data should be classified as Sensitive if the loss of confidentiality, integrity, or availability of data could have serious adverse effect on University operations, assets, or individuals.
What is my Role in Protecting Restricted and Sensitive Data?When it comes to handling and protecting restricted and sensitive data, use good judgment. Remember:
- As an employee, you are obligated to take reasonable steps to protect the confidentiality of UW-Madison Restricted and Sensitive Data.
- You can only access UW-Madison Restricted or Sensitive Data that you are authorized to access. You can only use or transfer it as part of your official UW-Madison job duties. Never use it for personal reasons.
- For more information – review the Handling sensitive university data guide.
What is Internal Data?
Data should be classified as Internal when the unauthorized disclosure, alteration, loss or destruction of that data could result in some risk to the University, affiliates, or research projects. By default, all Institutional Data that is not explicitly classified as Restricted, Sensitive or Public data should be treated as Internal data. This may include academic records, tests and grades, or other academic information.
What is Public Data?
Data should be classified as Public prior to display on web-sites or once published without access restrictions; and when the unauthorized disclosure, alteration or destruction of that data would result in little or no risk to the University and its affiliates.
Examples of the Data Types
View the below chart for different examples of data types or view the information on the Data Classification Examples website.
Best Practices for Handling Restricted DataPrecautions must be taken when handling restricted data (both physical and electronic).
Data Handling encompasses the following elements:
- Viewing Data
- Updating Data
- Deleting Data
- Destroying Data
- Transferring Data
- Storing Data
Keys to SECURE Data Handling:
- Being aware that you are handling restricted data. Identifying restricted data is essential.
- Understanding the forms in which restricted data can be sent or received. Note that although they can be received in these forms doesnt necessarily mean they SHOULD be transmitted through these mediums. Examples include e-mail, phone, fax, or file sharing sites.
- Review the securely handling restricted data document for more information about sending and receiving restricted data via these mediums.
Before updating, transferring, mailing, storing or destroying data stop to identify if the data has restricted data.
Review the data you are working with to identify if any data elements exist. Being aware that you are handling restricted data is the key to handling it properly.
|ELIMINATE or MITIGATE!
Eliminate: If you are handling restricted data that is not necessary to complete your job, eliminate it. When you are done working with the restricted data, delete it.
Mitigate: If you are unable to eliminate restricted data from your work you need to take additional steps to exercise secure data handling.
Tools for discovering Restricted Data?
The University has a campus license with Identity Finder. Identity Finder is a software that can scan your computer for Restricted Data and some Sensitive Data elements. Identity Finder has the ability securely delete this data from your computer. In addition, Identity Finder can be installed on any personal computer and is recommended for most University computers. For more information, view the Identity Finder KB.
How can Data be Exposed?
Anytime Restricted or Sensitive data is stored there is a risk of exposure. Some more common methods of data exposure includes:
- Virus and malware on your computer through web browsing or email attachments.
- Lost or stolen documents or computer equipment.
- Social engineering such where passwords are acquired.
- Occasionally, misconfigured or vulnerable servers.
Data Management - Technical Content
IT Staff on campus should constantly be evaluating and classifying the data on your systems. For Sensitive and Restricted Data it is critical that the Confidentiality, Integrity, and Availability are constantly evaluated.
- Putting the necessary security controls/mechanisms in-place on servers.
- This includes perimeter safeguards (physical, network firewalls, OS firewalls), access controls, monitoring, appropriate storage of backups, data masking, use of secure protocols (SSL, HTTPS) and data encryption, physical and network location of server, and much more.
- Implement the necessary access controls and processes to ensure that employees are only getting the level access they NEED and only to the data they NEED access to. This concept is known as Least Privilege.
- Encrypt Sensitive and Restricted Data across open networks. View the Types of encryption and key concepts document for further details.
- Digital certificates provide a strong level of security for your email transmissions. They allow you to digitally sign and encrypt your mail and attachments. By encrypting the message, you ensure that only your intended recipient will be able to read the mail. By digitally signing your emails, your recipient can confirm that you are indeed the sender and essentially guarantee the message was not altered during transmission. You can obtain a digital certificate by navigating to the UW Digital ID website.
- Ensuring there is proper input controls and sanitation for data collected.
- Recognizing the need for Separation of Duties.
- Separation of Duties is the concept of having more than one person required to complete a task. In business by separating the tasks can prevent errors or fraud.
- For technical staff a key component of separation of duties is restricting technical staff access to production systems.
- The key point in separation of duties is to divide the work.
- Ensure there are adequate backup and data recovery plans. Ensure these plans are tested and data can be fully recovered.
New Technologies/TrendsWhy is protecting data important? Failing to protect the Universitys data can leave the University vulnerable to attacks. Every day in the news, there are reports of cyber-attacks where peoples sensitive and restricted information is exposed, stolen, or compromised. Most cyber-attacks are not front story headlines, but below are few recent examples that were a big deal or hit close to home.
- In the fall of 2014, the Home Depot was a victim of a cyberattack that impacted more than 56 million customers
- Credit Card Information Compromised
- In March of 2015, the Rutgers University was attacked, impacting students and faculty
- In this case, personal or confidential information was not stolen, the university experience interruptions in internet service.
- In April of 2015, a cyberattack targeting the United States Office of Personnel Management (OPM) systems was detected
- Exposed records for over four million current and former government employees at places like the Department of Defense
- Background and security clearance investigations on employees' families, neighbors, and close associates also exposed
- In May of 2015, we learned of a sophisticated cyberattack at Penn State that had been taking place on the University’s networks for over two years
- Penn State’s College of Engineering networks house data for the US Military and other government agencies.
- Attackers had access to over 18,000 SSN’s
- Staying informed about ways to prevent becoming a victim of attack or the reason for one:
- Read the TechNews monthly email newsletters.
- Understanding that you are always a target because you have something that attackers want:
- Credentials to a system which contains sensitive or restricted information
- Your own credit card numbers, social security number, keys, etc.
- Read this interesting SANS article: "Yes, You Actually Are A Target"
- Never give out your personal or University Information
- Never give out sensitive information
- Never give out your Campus Credential and Password
- Official UW-Madison IT Policies
- Data Classification Policy
- Handling Sensitive University Data Guide
- Storage and Encryption Policy
- Identity Finder KB
- UW-Madison Information Classifications
- UW-Madison Information Classifications and Associated Policies
- Tips for Securely Handling Restricted Data
- OUCH! April 2014 Article - "Yes, You Actually Are A Target" (SANS)