Subject: Employee Protection of Data
Purpose and Scope
All individuals working on behalf of the University have a responsibility for protecting University data and data that is entrusted to the University. The Board of Trustees Information Security Policy specifies that this requirement applies to all University of Maine System (UMS) faculty, staff, employees, contractors, consultants, business partners or anyone who accesses or possesses such data. This APL focuses on appropriate precautions that faculty, staff and student workers are expected to take commensurate with the sensitivity, volume, and value of the data they handle. The overarching goal of protecting data is to reduce the risk associated with unauthorized access, loss or theft of data whether the data is in paper or electronic form. Included in protection is awareness of what data is under an individual’s control so that appropriate actions can be taken if data is lost.
Information which has specified requirements for the control of confidentiality, integrity, or availability of the data due to statute or contract or other law or agreement. Compliant data is information which requires special protection because the misuse could harm members of the UMS community or compromise the mission of the System and/or any one of the Universities. Compliant data includes, but is not limited to, personally-identifiable information, confidential research information, and information that requires protection under law or agreement (e.g., the Maine Data Act, FERPA, GLBA, HIPAA, the FTC “Red Flag Rule”, the PCI data security standards, and data placed on legal hold in accordance with e-discovery). Examples of Compliant Data include: financial records, health records, student education records, and any information which could permit a person to attempt to harm or assume the identity of an individual.
In the previous Information Security APL VI-C, Compliant Data was labeled as Covered Data.
Business Sensitive Data
Information that is not the subject of statutory or contractual controls, but where the compromise of the confidentiality, integrity, or availability of the information would result in damage or loss to UMS.
A computing device is specifically a single-user machine such as a desktop computer, laptop computer, tablet, smart phone, or other mobile device that is used for University work, whether provided by the University or not.
Viewing or possessing something without authorization. This may be deliberate or accidental. The access may be to a system, network or data. Any lost or stolen paper or device which contains compliant or business sensitive data should be assumed to have resulted in unauthorized access.
For the purposes of this APL, University data is information that is either wholly or partially owned by UMS, or that has been entrusted to UMS. The UMS Policies and Standards define this data as Compliant, Business Sensitive, or Unclassified.
Protection of University data is the responsibility of everyone who accesses, stores, transmits or processes such data. This section describes the responsibilities that pertain to individuals (e.g. faculty, staff, and student workers) as well as managers and supervisors, and supporting Information Technology offices.
Each individual shall:
- Understand the requirements for protecting University data and the risk associated with using devices to access, process or store information. A list of permitted and restricted systems for compliant data is located in Appendix C and a list of specific data elements is located in Appendix D.
- Be accountable for the Compliant Data in his or her control or possession to include data on devices whether provided by the University or not.
- Limit the amount of Compliant Data that is in his or her control or possession and handle only the amount of data which is necessary to complete the job.
- Back up University data stored on computing devices under the individual’s control when the data is the original or master copy.
- Promptly report any suspected incident including loss or theft of a device that may contain University data to Campus or System IT. Further response shall be in accordance with the Information Security Incident Response APL (APL VI-B).
- Follow the checklist referenced in Appendix A when using non-University devices or networks.
- Create strong passwords, ensuring they contain at least one uppercase and one lowercase alphabetic character and one numeric or special character, and have a length of at least eight characters.
- Send business or compliant data to other departments or third parties only when the recipient is authorized to receive such data. Check with supervisor or manager if uncertain who is authorized.
Each Manager and Supervisor shall:
- Ensure individuals receive security awareness training and are familiar with the requirements of this APL.
- Require individuals to sign a confidentiality agreement if the individual has access to a significant amount of compliant or business sensitive data. A template is in Appendix B. This template may be administered electronically.
- Evaluate the amount and sensitivity of data handled by each individual, authorize the minimum access required to perform assigned duties according to a “need to know” basis, and determine whether a separation of duties should be used to prevent negligent or deliberate misuse of data.
- Grant authorization to an individual to remove equipment from the University prior to that individual taking University-owned equipment off site. This authorization may be one time and need not be in writing.
- Emphasize the need for individuals to protect Compliant or Business Sensitive Data when transporting it outside of UMS’s physical boundaries. Ensure that individuals who telecommute or work at home understand and acknowledge that they will follow the actions contained in Appendix A.
- Prohibit sharing of passwords and require individuals to report incidents where they were asked for their passwords by someone who is believed to be a University employee. Supervisors shall report such incidents to Campus IT or UMS ITS.
- Ensure each individual is handling UMS records in accordance with the Records Retention APL.
- Hold employees accountable for proper Information Security practices. Misuse of Compliant Data or Business Sensitive Data and breach of the Information Security Policy is subject to normal UMS disciplinary processes.
Campus and System Information Technology
IT offices shall:
- Assist individuals with applying technology to reduce the risk of unauthorized access and to protect electronic data on University-issued devices. Such protections include storage encryption, antivirus, secure file removal utilities, and other actions as required by the Information Security Policy and Standards.
- With cooperation from Information Owners, complete Risk Assessments on internal and external systems provided by the IT office to understand and relay the level of sensitive data that is permitted to be stored on such systems. Reference Appendix C.
Basic Risks and Safeguards
The UMS Information Policy and Standards identify a number of controls to be employed to safeguard data. The following are some basic practices.
- Make a concerted effort to understand what Compliant Data is in your control and possession at all times.
- Share Compliant Data only with those who have a need to know. This includes limiting voice discussions, orienting computer screens away from those not authorized and quickly retrieving documents that are printed on copy machines, fax machines and printers.
- Either do not send or take great care when sending anything by email or fax that you would not want disclosed to someone else. Be careful to address email to authorized recipients and be aware that the email may land on an unsecured device.
- Use extreme caution when handling certain types of Compliant Data as some data is highly targeted for theft and its loss could severely impact the University. Examples of such data are social security numbers, driver’s license numbers, bank account numbers, and credit card numbers. This type of data must be encrypted when stored on a computing device, and only stored on such a device with department head approval.
- Use cross-cut shredders to destroy compliant documents. For electronic documents, typical file deletion does not erase data from a computer hard drive. There are secure file deletion tools that overwrite disk space to render electronic files unreadable.
- To prevent malware from being installed on a computer, do not download or install unknown programs, do not open unexpected email attachments, and do not download documents or open attachments from unknown individuals.
For individuals who want guidance on how to implement or perform technical aspects of this APL, such guidance can be found at the Office of Information Security web site.
Prepare for the Worst – Loss or Theft of a Device
Whether a device is University owned or not, individuals need to take precautions if University data is on the device. Mobile devices are more likely to be lost or stolen than other equipment. Even though a device may be stolen for the equipment value, the data on the device will be considered compromised unless it is encrypted. Devices containing sensitive data should not be left unattended and where possible, should be physically locked or stored away. A user/owner may have to relinquish control and possession of a device in the event it is needed for evidence for legal actions.
Taking the following steps will reduce the risk associated with lost data.
- Record what University data (especially Compliant Data) is stored on the device. This will provide a basis to report lost data, if needed, as well as help to reduce or eliminate unessential data. A backup of files provides a good record.
- Configure the device appropriately for the type of data being stored or accessed. Any or all of the following configurations may be required:
i) Password protect the device using a strong password.
ii) Enable system locks on devices so that the device will lock after a set time. This is usually 5-30 minutes depending on the device type, location of use and type of data accessed or stored.
iii) Configure the web browser so that passwords associated with email or other programs are not saved.
iv) Configure the device so that Compliant Data is not downloaded unbeknownst to the user/owner. For example, know when email is cached/stored on the device and if appropriate, avoid caching. On unencrypted laptops and personally owned computers, use browser-based email.
v) Encrypt the device.
- For retrieval purposes, document the device’s serial number for personally owned devices.
- Ensure data files that contain the original or master copies are backed up.
Approved: Vice Chancellor of Finance and Administration
Official signature on file in the Finance Office of the University of Maine System