Protecting Data - Baseline
Protecting the University's Data
- The University recognizes four data classifications including Restricted, Sensitive, Internal, and Public. More information regarding data classifications can be found here.
- All University employees are responsible and accountable for properly identifying, transmitting, redistributing, storing or disposing of data.
- Data comes in both physical and electronic form; however, electronic data is generally more exposed to disclosure, so the need to protect it is greater.
- The best way to reduce the risk of data exposure is not to have access to the data. It is recommended that you review your access to systems where restricted or sensitive data elements are stored. If possible, eliminate or remove your access to these data elements unless it is essential to your job duties.
What is "Restricted" Data?
Restricted Data is personal information that is protected by federal, state, or local laws, regulations, or adopted standards and is commonly referred to as PII (Personally Identifiable Information) and PHI (Protected Health Information). Data should be classified as Restricted when the unauthorized disclosure, alteration, loss, or destruction of that data could cause a significant level of risk to the University, its affiliates, or research projects.
What is "Sensitive" Data?
The University defines Sensitive Data as data whose unauthorized disclosure, alteration, loss, or destruction could cause a moderate level of risk to the University, its affiliates, or research projects. Data should be classified as Sensitive if the loss of confidentiality, integrity, or availability of that data could have a serious adverse effect on University operations, assets, or individuals.
What is my Role in Protecting Restricted and Sensitive Data?
When it comes to handling and protecting restricted and sensitive data, use good judgment. Remember:
- As an employee, you are obligated to take reasonable steps to protect the confidentiality of UW-Madison Restricted and Sensitive Data.
- You can only access UW-Madison Restricted or Sensitive Data that you are authorized to access. You can only use or transfer it as part of your official UW-Madison job duties. Never use it for personal reasons.
- For more information – review the Handling sensitive university data guide.
What is Internal Data?
Data should be classified as Internal when the unauthorized disclosure, alteration, loss or destruction of that data could result in some risk to the University, affiliates, or research projects. By default, all Institutional Data that is not explicitly classified as Restricted, Sensitive or Public data should be treated as Internal data. This may include academic records, tests and grades, or other academic information.
What is Public Data?
Data should be classified as Public before it is displayed on websites or otherwise published without access restrictions, and only when the unauthorized disclosure, alteration, or destruction of that data would result in little or no risk to the University and its affiliates.
Examples of the Data Types
View the chart below for examples of each data type, or view the information on the Data Classification Examples website.
Best Practices for Handling Restricted Data
Precautions must be taken when handling restricted data (both physical and electronic).
Data Handling encompasses the following elements:
- Viewing Data
- Updating Data
- Deleting Data
- Destroying Data
- Transferring Data
- Storing Data
Keys to SECURE Data Handling:
- Being aware that you are handling restricted data. Identifying restricted data is essential.
- Understanding the forms in which restricted data can be sent or received, for example e-mail, phone, fax, or file sharing sites. Note that the fact that restricted data can be received through one of these mediums does not mean it SHOULD be transmitted through it.
- Review the securely handling restricted data document for more information about sending and receiving restricted data via these mediums.
Before updating, transferring, mailing, storing, or destroying data, stop to identify whether the data contains restricted data elements.
Review the data you are working with to identify whether any restricted data elements are present. Being aware that you are handling restricted data is the key to handling it properly.
ELIMINATE or MITIGATE!
Eliminate: If you are handling restricted data that is not necessary to complete your job, eliminate it. When you are done working with the restricted data, delete it.
Mitigate: If you are unable to eliminate restricted data from your work, you need to take additional steps to exercise secure data handling.
Tools for Discovering Restricted Data
The University has a campus license for Identity Finder. Identity Finder is software that scans your computer for Restricted Data and some Sensitive Data elements and can securely delete that data from your computer. Identity Finder can be installed on any personal computer and is recommended for most University computers. For more information, view the Identity Finder KB.
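To show what a discovery tool of this kind actually does under the hood, here is an added example that is not Identity Finder's code and not part of the original page. It scans text for two Restricted Data elements, Social Security Numbers and payment card numbers, using a pattern match followed by a checksum (the Luhn check that card numbers carry) so that arbitrary digit strings are not flagged. The sample text, the helper names (`scan_text`, `luhn_ok`, `mask`) and the choice to report only masked values are all assumptions of this example, not anything the page or the product specifies.

```python
import re
from typing import List, NamedTuple


class Finding(NamedTuple):
    kind: str    # "SSN" or "CARD"
    line: int    # 1-based line number within the scanned text
    masked: str  # the value with all but the last four digits replaced by "*"


# SSN in the usual ddd-dd-dddd layout. The negative lookaheads reject ranges the
# SSA never issues (area 000, 666, 900-999; group 00; serial 0000), which removes
# many false positives from tracking numbers and similar identifiers.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")

# Candidate card number: 13 to 19 digits, optionally separated by spaces or hyphens.
# A regex alone over-matches badly, so every candidate is also Luhn-checked below.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(value: str) -> str:
    """Keep only the last four digits so a scan report does not itself leak the data."""
    digits = re.sub(r"\D", "", value)
    return "*" * (len(digits) - 4) + digits[-4:]


def scan_text(text: str) -> List[Finding]:
    """Return masked findings for SSN and Luhn-valid card numbers, with line numbers."""
    findings: List[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in SSN_RE.finditer(line):
            findings.append(Finding("SSN", lineno, mask(m.group())))
        for m in CARD_RE.finditer(line):
            digits = re.sub(r"\D", "", m.group())
            if luhn_ok(digits):
                findings.append(Finding("CARD", lineno, mask(digits)))
    return findings


# Constructed sample input (no real data): one real-looking SSN, one Luhn-valid
# card test number, one digit string that fails Luhn, and one SSN-shaped value
# in a range the SSA never issues.
SAMPLE = """\
Student roster export (constructed sample, not real data)
Jane Doe, SSN 123-45-6789, phone 608-555-0100
Order 4111 1111 1111 1111 shipped
Order 4111 1111 1111 1112 failed
Tracking 000-12-3456 is not an SSN
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE):
        print(f"line {f.line}: {f.kind} {f.masked}")
```

Run against the sample it reports the SSN on line 2 and the card number on line 3 only: the Luhn check drops the near-miss on line 4 and the lookaheads drop the tracking number on line 5. The same two-stage approach (cheap pattern, then a validation step) is why real discovery tools produce far fewer false positives than a plain grep for digit groups, and reporting masked values keeps the scan output itself from becoming another copy of the restricted data.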
How can Data be Exposed?
Any time Restricted or Sensitive data is stored there is a risk of exposure. Some of the more common methods of data exposure include:
- Virus and malware on your computer through web browsing or email attachments.
- Lost or stolen documents or computer equipment.
- Social engineering in which passwords are obtained directly from the user.
- Occasionally, misconfigured or vulnerable servers.
New Technologies/Trends
Why is protecting data important? Failing to protect the University's data can leave the University vulnerable to attacks. Every day in the news there are reports of cyber-attacks in which people's sensitive and restricted information is exposed, stolen, or compromised. Most cyber-attacks are not front-page headlines, but below are a few recent examples that were a big deal or hit close to home.
- In the fall of 2014, the Home Depot was a victim of a cyberattack that impacted more than 56 million customers
- Credit Card Information Compromised
- In March of 2015, Rutgers University was attacked, impacting students and faculty
- In this case, personal or confidential information was not stolen, but the university experienced interruptions in internet service.
- In April of 2015, a cyberattack targeting the United States Office of Personnel Management (OPM) systems was detected
- Exposed records for over four million current and former government employees at places like the Department of Defense
- Background and security clearance investigations on employees' families, neighbors, and close associates also exposed
- In May of 2015, we learned of a sophisticated cyberattack at Penn State that had been taking place on the University’s networks for over two years
- Penn State’s College of Engineering networks house data for the US Military and other government agencies.
- Attackers had access to over 18,000 SSNs
- Stay informed about ways to avoid becoming the victim of an attack, or the cause of one:
- Read the TechNews monthly email newsletters.
- Understand that you are always a target because you have something that attackers want:
- Credentials to a system which contains sensitive or restricted information
- Your own credit card numbers, social security number, keys, etc.
- Read this interesting SANS article: "Yes, You Actually Are A Target"
- Never give out your personal or University Information
- Never give out sensitive information
- Never give out your Campus Credential and Password
- Official UW-Madison IT Policies
- Data Classification Policy
- Handling Sensitive University Data Guide
- Storage and Encryption Policy
- Identity Finder KB
- UW-Madison Information Classifications
- UW-Madison Information Classifications and Associated Policies
- Tips for Securely Handling Restricted Data
- OUCH! April 2014 Article - "Yes, You Actually Are A Target" (SANS)