Protecting University Data
- Data comes in both a physical and electronic form; however, electronic data can be more vulnerable to exposure making the need to protect it greater.
- If you have access to UW systems that you do not NEED access to, request that it be removed. This helps lessen the chances of a potential attack on University data.
- All University employees are responsible and accountable for ensuring that data is handled securely.
- You need to be aware of the methods by which data is handled, how you may handle this data, and of the attacks that can potentially expose University data.
- There are two types of data you need to be concerned about protecting in your job; restricted and sensitive.
What is "Restricted" Data?Restricted data is personal information that is protected by federal, state, local laws, regulations or adopted standards and is commonly referred to as PII (Personally Identifiable Information) and PHI (Protected Health Information).
Examples of Restricted Data Include:
- Social Security Numbers
- Driver's License Number or State Identification Number
- Financial Account Number (Including Credit or Debit Card Numbers)
- Unique biometric data, including fingerprint, voice print, retina or iris image or any other unique physical representation
- Protected Health Information (PHI), which is any information about the health status, provision of health care, or payment for health care
What is "Sensitive" Data?Sensitive data is described as "privileged or proprietary information which, if compromised through alteration, corruption, loss, misuse or unauthorized disclosure, could cause serious harm to the organization owning it" (source: businessdictionary.com).
Examples of Sensitive data include, but is not limited to:
- Academic records, tests and grades, or other academic information
- Financial aid reports
- Employee records, payroll or compensation information
- Passwords, email, logs or other files
- Health data (i.e. Protected Health Information or PHI)
- Research data
What is my Role in Protecting Sensitive Data?When you received your access to HRS you were required to accept the HRS compliance agreement. As an employee of the University of Wisconsin System, you may be entrusted with certain responsibilities and special privileges. Below is a list of responsibilities you should follow when using HRS:
- Sensitive information may only be accessed for business purposes
- What you access at work, stays at work
- You will make every reasonable attempt to maintain the integrity of the data. This includes making only the changes that you are authorized to make and doing so in an appropriate manner.
- You will sign out of HRS when not using it.
- You will not share your account and password with others.
- You will access only that information you need to perform your job at the University. This means no casual browsing of data.
- You will make every reasonable effort to maintain privacy of the data. This includes knowing what constitutes “directory” or public information and observing the employee's right to withhold this information.
- Report any actions which violate confidentiality to my supervisor or the Information Technology Security Officer.
Best Practices for Handling Restricted DataPrecautions must be taken when handling restricted data (both physical and electronic).
Data Handling encompasses the following elements:
- Viewing Data
- Updating Data
- Deleting Data
- Destroying Data
- Transferring Data
- Storing Data
Keys to SECURE Data Handling:
- Being aware that you are handling restricted data. Identifying restricted data is essential.
- Understanding the forms in which restricted data can be sent or received. Note that although they can be received in these forms doesn’t necessarily mean they SHOULD be transmitted through these mediums. Examples include e-mail, phone, fax, or file sharing sites like Box.com.
- Review the securely handling restricted data document for more information about sending and receiving restricted data via these mediums.
Before updating, deleting, transferring, mailing, storing or destroying data stop to identify if the data has restricted information.
Review the data you are working with to identify if any of the six restricted data elements exist. Being aware that you are handling restricted data is the key to handling it properly.
|ELIMINATE or MITIGATE!
Eliminate: If you are handling restricted data that is not necessary to complete your job, eliminate it. When you are done working with the restricted data, delete it.
Mitigate: If you are unable to eliminate restricted data from your work you need to take additional steps to exercise secure data handling.
How can Data be Exposed?
- Restricted and Sensitive data can be exposed in a number of different ways even though the UW-Madison Office of Cybersecurity team focuses proper security measures, policies, infrastructure and educating employees.
- Even if you have already secured your equipment and credentials, there are still other ways that attackers can get information from you, such as social engineering.
New Technologies/TrendsWhy is protecting data important? Failing to protect the University’s data can leave the University vulnerable to attacks. Every day in the news, there are reports of cyber-attacks where people’s sensitive and restricted information is exposed, stolen, or compromised. Most cyber-attacks are not front story headlines, but below are few recent examples that were a big deal or hit close to home.
- In the fall of 2014, the Home Depot was a victim of a cyberattack that impacted more than 56 million customers
- Credit Card Information Compromised
- In March of 2015, the Rutgers University was attacked, impacting students and faculty
- In this case, personal or confidential information was not stolen, the university experience interruptions in internet service.
- In April of 2015, a cyberattack targeting the United States Office of Personnel Management (OPM) systems was detected
- Exposed records for over four million current and former government employees at places like the Department of Defense
- Background and security clearance investigations on employees' families, neighbors, and close associates also exposed
- In May of 2015, we learned of a sophisticated cyberattack at Penn State that had been taking place on the University’s networks for over two years
- Penn State’s College of Engineering networks house data for the US Military and other government agencies.
- Attackers had access to over 18,000 SSN’s
- Staying informed about ways to prevent becoming a victim of attack or the reason for one:
- Reviewing KB articles published by the UW-Madison Office of Cybersecurity about Security Awareness and Social Engineering
- Understanding that you are always a target because you have something that attackers want:
- Credentials to a system which contains sensitive or restricted information
- Your own credit card numbers, social security number, keys, etc.
- Read this interesting SANS article: "Yes, You Actually Are A Target"
- Never give out your personal or University Information
- Never give out sensitive information
- Never give out your Campus Credential and Password