University Guidelines for Protecting Personal Non-Public Information

Contents

  • Introduction: University departments must act
  • Importance of protecting SSNs and other PNPI
  • Guidelines for protecting PNPI
  • PNPI software tools
  • For more information

Copyright © 2005, University of Delaware
Last updated: 11/22/05

The two greatest threats to the security of Personal Non-Public Information (PNPI) are

  • an unsecured, non-password-protected or compromised computer, and
  • paper documents containing PNPI.

To be sure that information for which you are responsible is secure, follow the University's guidelines for protecting PNPI. These guidelines are available in a brochure mailed to all employees in September 2005 (Adobe PDF format). In addition, this web page presents frequently asked questions about the guidelines.

Ensure the Privacy of PNPI

  1. What is considered PNPI?

    Examples include, but are not limited to:

    • SSNs
    • Credit card or bank account numbers
    • Medical or educational records
    • Other sensitive, confidential or protected data (e.g., grades used in context with personally identifiable information such as name, address, or other easily traceable identifiers).
  2. How often should departments review their use of PNPI?

    Departments should conduct an annual review of all business processes that require the use of PNPI. During that review, a department's employees should ask themselves questions like the following:

    • Do we really need to collect this information?
    • How are we safeguarding any electronic records that contain PNPI?
    • How are we safeguarding any paper records that contain PNPI?
    • When we are done using the information, do we store it securely or discard it safely?

Encrypt Electronic Transmissions

  1. I have a web site on my departmental server that is not secure. How can I secure it?

    Use the University's Central Authentication Service (CAS) for authentication.

  2. I want to restrict a web site on my departmental server to select individuals. Can I request their name and SSN for access?

    No, use CAS to authenticate.

  3. Can I telnet into University servers to work with PNPI?

    No, telnet does not encrypt traffic. Use SSH, which encrypts all traffic. If working off campus, use UD's VPN service.

  4. Is accessing my e-mail secure?

    No. You should turn on SSL/TLS for the incoming and outgoing mail server in your mail client. This protects only the connection between your mail client and the mail server; it does not encrypt the message itself as it travels between mail servers. Therefore, you should not send PNPI through e-mail.

  5. How can I tell if a web site I am using is encrypted?

    The site's URL should begin with https. Many browsers, for example, Mozilla, have an icon representing a lock at the lower right of the browser window. If you are unsure about the authenticity of the site, you can double-click the lock icon and review the certificate information.

Do Not Store PNPI Locally

It is a University goal that PNPI not be stored locally. If, for some reason, you feel you have to do this, recognize that your department is responsible for the information. The Personal Non-Public Information (PNPI) policy states that if PNPI must be stored locally in the unit, it must be encrypted. Contact Information Technologies for options for protecting it.

  1. Is it safe for me to store PNPI locally on my computer or on removable devices (e.g., floppy disks, iPods, PDAs, cell phones, flash/jump drives)?

    No. You should not store PNPI locally. "Locally" is defined as storing information directly on your computer or removable media.

  2. How should I secure my computer when I am away from the office?

    You should set a password that cannot be easily guessed and lock the computer when you are away.

  3. How should I dispose of PNPI data?

    Shred paper copies and delete any e-mail. If you need to store data on your computer electronically, remove SSNs and any other PNPI from the electronic file. For more information, see Responsible Computing: A Manual for Staff.

  4. What should I do if I have a class roster with SSNs?

    As of August 2005, class rosters no longer have student SSNs. If you are required to retain copies of old grade rosters, make certain that they are stored in a locked location. When you dispose of the old rosters, shred the paper copies and delete any e-mail containing the students' SSNs. If you need to retain grade information from past semesters on your computer, remove the SSNs from the data file(s). In addition, because grade information is also PNPI protected by FERPA, you should encrypt any files you retain or move them to a secure server.

  5. I use computerized test scoring. Do students have to write their SSNs in the "Student ID Number" section?

    No. On the brown student response form used with the Test Scoring program, the "Student ID Number" section should not be used for SSNs. You can post or track grades by assigning students a substitute number known only to you and the student. Students can use that number in the "Student ID Number" section.

    If you are looking for a unique identifier to track students in your class, we suggest having the students enter their UDelNet ID in the Last Name space and the first 7 characters of their last name in the First Name space.

    If students mistakenly fill in their SSNs in the "Student ID Number" section, you will need to shred the brown response sheets. Also, if you do generate a grade file and plan to download it to your PC, remember to delete the SSN column.

    For updated information on using the "Student ID Number" field in a Test Scoring job, please see the Test Scoring Documentation.
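The instruction above to delete the SSN column from a downloaded grade file, and the earlier note that students sometimes enter an SSN in the "Student ID Number" field, can be carried out with a small script rather than by hand. The following is an added example, not a tool provided by the University or by this page: it reads a roster export, flags any column whose values mostly look like SSNs, and writes the roster back without those columns so that only the grade data is retained. The sample roster, the column names, the SSN pattern and the 50% matching threshold are constructed assumptions for the example.

```python
import csv
import io
import re

# Constructed sample: a roster export that still carries SSNs in the
# "Student ID Number" column next to the grades we want to keep.
SAMPLE_ROSTER = """Last Name,First Name,Student ID Number,Grade
Doe,Jane,123-45-6789,A
Smith,John,987654321,B+
Lee,Ann,555-12-3456,A-
"""

# Nine digits, optionally in the familiar 3-2-4 dashed layout.
SSN_RE = re.compile(r"^\d{3}-?\d{2}-?\d{4}$")


def looks_like_ssn(value):
    """True if a single cell has the shape of a U.S. SSN."""
    return bool(SSN_RE.match(value.strip()))


def find_ssn_columns(rows, fieldnames, threshold=0.5):
    """Return the header names whose non-empty cells mostly match the SSN shape.

    A column is flagged only when at least `threshold` of its filled-in cells
    match, so a stray SSN typed into a name field does not cause that whole
    column to be dropped (it still shows up in the per-column report).
    """
    flagged = []
    for name in fieldnames:
        values = [(r.get(name) or "").strip() for r in rows]
        values = [v for v in values if v]
        if not values:
            continue
        hits = sum(looks_like_ssn(v) for v in values)
        if hits / len(values) >= threshold:
            flagged.append(name)
    return flagged


def scrub_roster(text, threshold=0.5):
    """Drop SSN-like columns from a CSV roster.

    Returns (scrubbed_csv_text, list_of_dropped_columns).
    """
    reader = csv.DictReader(io.StringIO(text))
    rows = list(reader)
    fieldnames = reader.fieldnames or []
    dropped = find_ssn_columns(rows, fieldnames, threshold)
    kept = [f for f in fieldnames if f not in dropped]

    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=kept, extrasaction="ignore")
    writer.writeheader()
    for row in rows:
        writer.writerow({k: row.get(k, "") for k in kept})
    return out.getvalue(), dropped


if __name__ == "__main__":
    scrubbed, dropped = scrub_roster(SAMPLE_ROSTER)
    print("Dropped columns:", dropped)
    print(scrubbed)
```

Review the list of dropped columns before saving the result: any nine-digit identifier that is not an SSN (a departmental ID, for example) matches the same pattern and would be flagged too. Once the scrubbed copy is saved, delete the original download, since the guidance above is that the SSN data itself should not remain on the computer.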

Ensure PNPI Security When Working from Home or Outside the University

  1. How can I encrypt traffic from my e-mail or other electronic transmissions from home or while traveling?

    You should use the University's Virtual Private Network (VPN) service. Doing so will encrypt all traffic between the University's VPN appliance and your computer. If you use an outside ISP or a wireless connection at home, using the VPN system will prevent others on the network from seeing your traffic. Caution: Once your traffic goes beyond the VPN appliance (i.e., to another server on the network), it will no longer be encrypted.

  2. Can I use MVS to access PNPI at home or while traveling?

    If you need to use MVS, you should use the new VPN system provided by the University.

  3. Is it safe or all right to allow other individuals in my home or while I am traveling to use my University-owned computer?

    You should not allow non-UD individuals to use your University equipment.

Have Computer Equipment Audited

Can someone come to our department and review our computers for security?

Yes, you can contact the Help Center at 831-6000 to request that someone visit your office. They will review your computer and talk with you about additional measures that will help you protect your systems.

General Information

What can I do to ensure the protection of my computer?

Make sure:

  • You have the University's antivirus software (McAfee) installed.
  • You are up-to-date on the latest patches for your operating system.
  • You are up-to-date on patches for software on your computer.
  • You have protected the account with which you log into your computer with a password that cannot easily be guessed.

Visit the Help Center's security pages for more information.