Subject: Employee Protection of Data
Purpose and Scope
All individuals working on behalf of the University have a responsibility for protecting University data and data that is entrusted to the University. The Board of Trustees Information Security Policy (Section 901) specifies that this requirement applies to all University of Maine System (UMS) faculty, staff, employees, contractors, consultants, business partners or anyone who accesses or possesses such data. This Administrative Practice Letter (APL) focuses on appropriate precautions that faculty, staff and student workers are expected to take commensurate with the sensitivity, volume, and value of the data they handle. The overarching goal of protecting data is to reduce the risk associated with unauthorized access, loss or theft of data whether the data is in paper or electronic form. Included in protection is awareness of what data is under an individual’s control so that appropriate actions can be taken if data is lost.
An authentication credential is something that an individual possesses and controls (typically a password, key, or token) that is used to verify the individual or device, often as a prerequisite to authorizing access.
A computing device is specifically a single user machine such as a desktop computer, laptop computer, tablet, smart phone, or other mobile device that is used for University work, whether provided by the university or not.
For the purposes of this APL, University data is information that is either wholly or partially owned by UMS, or that has been entrusted to UMS. Data is classified in accordance with the Data Classification APL VI-I. The classifications referenced in this APL are summarized below; details are in that APL.
Restricted Data: Data that may pose severe risk to the University in the event of unauthorized access. Such data includes, but is not limited to, export control data, health data, payment card data, financial aid data, personally identifiable information as described by 10 M.R.S.A § 1347, and high-risk operational data.
Confidential Data: Data that may adversely affect individuals or the business of the University in the event of unauthorized access. Such data includes, but is not limited to, student information covered by The Family Educational Rights and Privacy Act (FERPA), donor information, and information covered by contractual confidentiality obligations.
Internal Data: Data that is potentially sensitive and not intended to be readily available to the public.
Public Data: Data that may be disclosed to any person regardless of their affiliation with the University.
Unauthorized Access: Viewing or possessing something without authorization. This may be deliberate or accidental. The access may be to a system, network, or data. Any lost or stolen paper or device which contains restricted, confidential, or internal data should be assumed to have resulted in unauthorized access.
Protection of University data is the responsibility of everyone who accesses, stores, transmits, or processes such data. This section describes the responsibilities that pertain to individuals (e.g. faculty, staff, and student workers) as well as managers and supervisors, and supporting Information Technology offices.
Each individual shall:
- Understand the requirements for protecting University data and the risk associated with using devices to access, process, or store information. A list of permitted and prohibited systems for restricted and confidential data is located in Appendix C. Data classification specifics are identified in APL VI-I.
- Be accountable for the Restricted and Confidential Data in his or her control or possession to include data on devices whether provided by the University or not.
- Limit the amount of Restricted and Confidential Data that is in his or her control or possession and handle only the amount of data which is necessary to complete the job.
- Back up University data stored on computing devices under the individual’s control when the data is the original or master copy.
- Promptly report any suspected incident including loss or theft of a device that may contain University data to campus Information Technology (IT), the IT helpdesk or the Information Security Office. Further response shall be in accordance with the Information Security Incident Response APL (APL VI-B).
- Follow the checklist referenced in Appendix A when using non-University devices or networks. Create strong passwords, ensuring they contain at least one upper and one lowercase alphabetic character, one numeric or special character and have a length of at least eight characters.
- Only share restricted or confidential data with other departments or third parties when the recipient is authorized to receive such data. Check with the supervisor or manager if uncertain who is authorized.
- Complete required security awareness training as part of annual compliance training requirements.
- Not share authentication credentials – such as passwords, keys, or tokens – with others.
- Adhere to the acceptable use policy (APL VI-H).
Each Manager and Supervisor shall:
- Ensure individuals annually take the security awareness training and are familiar with the requirements of this APL.
- Require individuals to sign a confidentiality agreement if the individual has access to a significant amount of compliant or business sensitive data. A template is in Appendix B. This template may be administered electronically.
- Evaluate the amount and sensitivity of data handled by each individual, authorize the minimum access required to perform assigned duties according to a “need to know” basis, and determine whether a separation of duties should be used to prevent negligent or deliberate misuse of data.
- Grant authorization to an individual to remove equipment from the University prior to that individual taking University-owned equipment off site. This authorization may be one time and need not be in writing.
- Emphasize the need for individuals to protect Restricted, Confidential and Internal Data when transporting it outside of UMS’ physical boundaries. Ensure that individuals who telecommute or work at home understand and acknowledge that they will follow the actions contained in Appendix A.
- Prohibit sharing of an individual’s authentication credentials except in rare circumstances approved by the Information Security Office. Report incidents when credentials have been shared to Campus IT, IT Helpdesk, or Information Security Office.
- Ensure each individual is handling UMS records in accordance with the Records Retention APL (APL IV-D).
- Hold employees accountable for proper Information Security practices. Misuse of Restricted and Confidential Data and breach of such data is subject to normal UMS disciplinary processes.
Publishers of Data Reports
Employees who create, distribute, and publish University data and reports (for example, Institutional Researchers and report authors using business intelligence systems) are additionally responsible for decisions about data selection, usage, and publication to appropriate audiences. The report author will:
- Ensure the validity and reliability of data prior to report publication, so that data integrity is preserved.
- Protect data in raw form in accordance with the appropriate classification as defined in the Data Classification APL (APL VI-I).
- Restrict the distribution of data reports that contain confidential or restricted data to audiences who have been deemed to have a need to know that data for the performance of their job.
- When aggregating confidential or restricted data after identifiers have been removed, consult with functional area staff regarding acceptable minimum cell sizes. In general, cell sizes of N<5 should not be published.
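As an added illustration of the N<5 rule (example code written for this page, not part of the APL or any UMS system), the following Python applies small-cell suppression to a constructed aggregate table and then a complementary pass so that a published row total cannot be used to recover a hidden cell. The program names, column names and counts are constructed sample data; the threshold and the assumption that row totals are published are the only inputs.

```python
from copy import deepcopy

MIN_CELL = 5  # the APL's threshold: cells with N < 5 are not published

# Constructed sample aggregate (not real UMS data): head counts per
# program after student identifiers were removed. Row totals are published.
SAMPLE = [
    {"program": "Nursing",  "enrolled": 42, "withdrawn": 3, "leave": 0},
    {"program": "Forestry", "enrolled": 17, "withdrawn": 6, "leave": 2},
    {"program": "Physics",  "enrolled": 9,  "withdrawn": 0, "leave": 0},
]

def counts(row):
    """Numeric cells of a row (everything except the program label)."""
    return {c: n for c, n in row.items() if c != "program"}

def primary_suppress(table, min_cell=MIN_CELL):
    """Hide (set to None) every cell with 0 < N < min_cell.
    Zero cells stay visible: they describe no individual."""
    out = deepcopy(table)
    for row in out:
        for col, n in counts(row).items():
            if 0 < n < min_cell:
                row[col] = None
    return out

def complementary_suppress(table):
    """A row with exactly one hidden cell leaks it through the row total
    (total minus the visible cells), so hide the smallest remaining
    non-zero cell in that row as well."""
    out = deepcopy(table)
    for row in out:
        cells = counts(row)
        if sum(n is None for n in cells.values()) == 1:
            visible = {c: n for c, n in cells.items() if n}  # non-zero, not hidden
            if visible:
                row[min(visible, key=visible.get)] = None
    return out

def suppress_report(table, min_cell=MIN_CELL):
    """Both passes, plus the row total computed from the raw counts."""
    out = complementary_suppress(primary_suppress(table, min_cell))
    for raw, row in zip(table, out):
        row["total"] = sum(counts(raw).values())
    return out

if __name__ == "__main__":
    for row in suppress_report(SAMPLE):
        print("  ".join("*" if v is None else str(v) for v in row.values()))
```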
Information Technology Offices
IT offices shall:
- Assist individuals with applying technology to reduce the risk of unauthorized access and to protect electronic data on University-issued devices. Such protections include storage encryption, antivirus software, secure file removal utilities, and other actions as required by the Information Security Policy and Standards.
- With cooperation from the Information Security Office and functional data stewards, complete risk assessments on internal and external systems provided by the IT office to understand and relay the level of data that is permitted to be stored on such systems. Reference Appendix C.
Basic Risks and Safeguards
The UMS Information Policy and Standards identify a number of controls to be employed to safeguard data. The following are some basic practices.
- Make a concerted effort to understand what Restricted and Confidential Data is in your control and possession at all times.
- Share Restricted and Confidential Data only with those who have a need to know. This includes limiting who can hear voice and desktop video discussions, orienting computer screens away from those not authorized and using secure print features or quickly retrieving documents that are printed on copy machines, fax machines and printers.
- Be careful to address email to authorized recipients and be aware that the email may land on an unsecured device. Be cautious of email autocomplete functions which might include an address of an unintended recipient with a similar name.
- Use extreme caution when handling Restricted data, as such data is highly targeted for theft and its loss could severely impact the University and the people to whom this data is connected. Examples of such data are social security numbers, driver’s license numbers, bank account numbers, and credit card numbers. This type of data must be stored on an encrypted computing device, and only stored on such a device with department head approval.
- Use cross-cut shredders or approved destruction services to destroy restricted documents. For electronic documents, typical file deletion does not erase data from a computer hard drive. There are secure file deletion tools that overwrite disk space to render electronic files unreadable.
- To prevent malware from being installed on a computer, do not download or install unknown programs, do not open unexpected email attachments, and do not download documents or open attachments from unknown individuals.
- Be alert to social engineering attempts via email, phone, text or other means. These may spoof University offices, University personnel or vendors, ask for protected information, credentials, gift cards or other monetary contributions, or request that you click on a malicious web link or open a malware-ridden attachment.
- Be cautious when sharing cloud-based folders and files: confirm that only the intended recipients are listed (by email address, not just by name) and that the files are not unintentionally shared with everyone in UMS or with the public.
For individuals who want guidance on how to implement or perform technical aspects of this APL, such guidance can be found at the Information Technology Security/Privacy web site.
Prepare for the Worst – Loss or Theft of a Device
Whether a device is University-owned or not, individuals need to take precautions if University data is on the device. Mobile devices are more likely to be lost or stolen than other equipment. Even though a device may be stolen for the equipment value, the data on the device will be considered compromised unless it is encrypted. Devices containing non-public data should not be left unattended and where possible, should be physically locked or stored away. A user/owner may have to relinquish control and possession of a device in the event it is needed for evidence for legal actions.
Taking the following steps will reduce the risk associated with lost data.
- Record what University data (especially Restricted Data) is stored on the device. This will provide a basis to report lost data, if needed, as well as help to reduce or eliminate unessential data. A backup of files provides a good record.
- Configure the device appropriately for the type of data being stored or accessed. Any or all of the following configurations may be required:
  - Protect the device using strong authentication, such as a strong password or approved multi-factor authentication.
  - Enable system locks on the device so that it locks after a set amount of idle time.
  - Configure the web browser so that authentication credentials associated with email or other programs are not saved.
  - Configure the device so that Restricted or Confidential Data is not downloaded without the user/owner’s knowledge. For example, know when email is cached/stored on the device and, if appropriate, avoid caching. On unencrypted laptops and personally owned computers, use browser-based email.
  - Encrypt the device.
- For retrieval purposes, document the device’s serial number for personally owned devices.
- Ensure data files that contain the original or master copies are backed up.
Approved: Vice Chancellor of Finance and Administration
Official signature on file in the Finance Office of the University of Maine System
Summary of Changes
All references to compliant, business sensitive, and unclassified data were changed appropriately to restricted, confidential, internal, and public data to reflect the Data Classification APL (APL VI-I). This included alterations to the Definitions section and use of the term “protected data” instead of “confidential data” in the confidentiality agreement template (Appendix B) to avoid confusion.
Added a definition and references to authentication credentials and made references to other forms of authentication throughout the APL because password is not the only authentication factor with the implementation of multi-factor authentication.
Three requirements were added to individual responsibilities. Completing annual training and not sharing passwords are listed under manager responsibilities but should also be the responsibility of the individual. A cross reference to the acceptable use policy was added to reinforce that APL.
Added a subsection for Publishers of Data Reports under the Responsibilities section to reflect some data governance issues.
Updated IT Offices under the Responsibilities section to reflect the unified nature and updated the risk assessment process to reflect the collaboration of current practices.
Guidelines were updated to reflect current technology, solutions and threats. Added specific guidelines on social engineering and file sharing.
Removed contents of Appendix C to be referenced in a dynamic table on the web to include and adapt to new solutions.
Revised and moved Appendix D to the Data Classification APL (APL VI-I). Because that APL delineates compliant data into restricted and confidential, the protection factor column became unnecessary and was deleted.