At UD, protecting confidential information is everyone's business


UDaily is produced by Communications and Marketing
The Academy Building
105 East Main Street
University of Delaware
Newark, DE 19716 • USA
Phone: (302) 831-2792
email: ocm@udel.edu
www.udel.edu/ocm

1:44 p.m., Oct. 22, 2009 -- Not a month goes by without a computer security breach being reported in the press.


“Earlier this month, the University of North Carolina had to notify subjects in a medical study that their personal information had been exposed,” Scott Sweren, UD's information security officer, said. “And a community college in New York had to hire a firm to monitor the credit reports for 300 students whose social security numbers were accidentally distributed via e-mail.”

Sweren said that avoiding situations like these is why UD Information Technologies staff take advantage of National Cyber Security Awareness Month to remind faculty and staff that information security is everyone's business.

How should I store confidential information?

According to Ian Janssen, director of University Archives and Records Management, you should start with some common-sense steps. “Take simple precautions to protect confidential information, in both portable electronic storage media and hard-copy formats,” he said. “Always store confidential material in locked cabinets when stored within your unit, and limit physical access to only those individuals who actually need to use the information.”

Ron Nichols, manager in IT-Client Support and Services, said that there are some additional steps you should take with electronic information. “Don't leave files open on your computer when you walk away from your desk,” he said. “Whenever possible, store confidential information on a secure server, not on a USB drive, laptop, or desktop computer. But if you do store confidential information, for example your students' grades, on your own computer, encrypt the information.”

Sweren said that those departments, faculty, and staff that still store personal, non-public information (PNPI) locally need to encrypt this information to be in compliance with the University's PNPI policy.

“Encrypting information with a program like AxCrypt jumbles the information so that only those people who have the key or password can see the information,” Nichols added. “If you ever have to take confidential data off campus, it is essential that you encrypt the data. What if your computer is stolen or you leave the USB drive that contains the data on an airplane? Encrypting the information keeps it safe in cases like these.”

Janssen suggested that some units might prefer to use the records management program operated by University Archives and Records Management. “Our program lets you send confidential information to our secure on-site and off-site storage facilities in accordance with the records retention schedule created for your unit,” he said. “This service is available at no cost, and materials stored under the records management program are available with 24 hours' notice, or on the same day in the event of an emergency.”

How should I back up confidential data?

According to Nichols, “If you store your information on a secured server, either one operated by IT or one operated by your department, the back-ups should automatically be secure. But if you back up your own files to an external drive, remember that anything you have not encrypted is vulnerable.”

Janssen indicated that it is best if back-ups of critical information -- confidential or not -- are stored “in a secured location away from your center of operations. University Archives and Records Management can store your backups within its secured facilities on campus, or can place them in secure off-campus storage.”

How do I destroy confidential data?

“We know that one way criminals find PNPI is by 'dumpster-diving' -- searching trash bins for confidential paper documents and examining hard drives on discarded computers,” Sweren said. “So it is critical that you dispose of confidential data securely.”

Janssen indicated that bulk destruction of confidential data and records is another service offered by University Archives and Records Management. “We don't charge for this service, so a unit's cost is limited to the expenses of transporting the records to 002 Pearson Hall.”

He added that a certificate of destruction is available upon request, saying, “We coordinate the destruction of data stored on both paper and electronic media, including disks, tapes, and hard drives.”

Sweren said that many departments and offices already do a good job of shredding paper documents containing PNPI, or of shipping large amounts of PNPI to Archives and Records Management's bulk destruction service, “but they forget that it takes more than deleting a computer file to completely eradicate it.”

“At our PNPI site, we have information about completely erasing files and about eradicating all the data on a disk,” Nichols said. “We recommend that, before a computer is sent to surplus or donated, the computer's hard drive be 'wiped.'”

Sweren said that when you start working on a project that involves confidential information, “You need to develop a records retention plan that includes secure storage, limited access and the destruction of confidential information when it's no longer needed.”

“So long as faculty and staff at UD do a good job of managing the paper documents and computer files that contain confidential information, UD can avoid the problems other schools have had with stolen laptops containing Social Security numbers, credit card numbers lost to hackers and other breaches that expose people's PNPI to potential identity thieves,” Sweren concluded.

For more information:

University Archives and Records Management: 831-2750

University Archives and Records Management's Records Management Manual

Information about Software Tools to Protect PNPI

National Cyber Security Awareness Month at UD
