Critical Data Guide

A guide to handling critical information at Indiana University
What is critical information?

IU defines critical information as sensitive data requiring the highest level of protection. This includes:

- Social Security numbers (SSNs)
- Financial account information
- Identifiable health information
- Passwords, passphrases, and access codes
- Student records

Unauthorized disclosure of critical information could result in criminal or civil penalties, identity theft, and financial loss.

Data collection & retention

Collection

First, determine if you really need the information. If it is vital to your project, try to make it less sensitive:

- Collect only the last four digits of SSNs
- Convert SSNs to university ID numbers
- Remove critical information from spreadsheets before creating reports

Other tips:

- Consult with your departmental IT Pro (kb.iu.edu/data/baxq.html) or data steward to ensure proper handling
- Notify individuals in writing that you are collecting their data and get their consent (if appropriate)
- Periodically review internal decision and protection measures

Retention

Securely destroy information when you no longer need it. For details on university retention requirements, see University Records retention and disposition schedules [libraries.iub.edu/retention-and-disposition-schedules].
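The collection tips above (keep only the last four digits of SSNs, remove critical information from spreadsheets before creating reports) can be applied to a CSV export before it is shared. The following is an added example, not part of the IU guide; the column names, the masking format and the sample rows are assumptions constructed for illustration.

```python
import csv
import io
import re

# SSN-shaped: 123-45-6789, 123 45 6789 or 123456789, not part of a longer number.
SSN_RE = re.compile(r"(?<![\d-])(\d{3})([- ]?)(\d{2})\2(\d{4})(?![\d-])")

def plausible_ssn(area, group, serial):
    """Reject number ranges the SSA never issues, to cut false positives."""
    if area in ("000", "666") or area.startswith("9"):
        return False
    return group != "00" and serial != "0000"

def mask_ssns(text):
    """Reduce each plausible SSN to its last four digits; return (text, hits)."""
    hits = 0
    def repl(m):
        nonlocal hits
        area, _sep, group, serial = m.groups()
        if not plausible_ssn(area, group, serial):
            return m.group(0)  # leave look-alikes (order numbers etc.) untouched
        hits += 1
        return "***-**-" + serial
    return SSN_RE.sub(repl, text), hits

def sanitize_csv(raw):
    """Mask SSNs in every cell; return (clean CSV text, hits per column)."""
    rows = list(csv.reader(io.StringIO(raw)))
    if not rows:
        return "", {}
    header, counts = rows[0], {}
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    writer.writerow(header)
    for row in rows[1:]:
        clean = []
        for i, cell in enumerate(row):
            name = header[i] if i < len(header) else f"column_{i + 1}"
            masked, n = mask_ssns(cell)
            counts[name] = counts.get(name, 0) + n
            clean.append(masked)
        writer.writerow(clean)
    return out.getvalue(), counts

# Constructed sample export; every value below is made up.
SAMPLE = """name,ssn,notes
A. Student,123-45-6789,transcript request
B. Student,234567890,old ID was 345 67 8901
C. Student,,phone 812-555-0100; order 000-12-3456
"""
```

The per-column hit counts show where SSNs were found outside the expected column (here, free-text notes), which is where they are most often missed.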
Storing critical data

You don't need to store information locally if the university maintains the same information elsewhere. If possible, access the information from its primary source with the following in mind:

- Use SSH, VPN, remote desktop, or other methods using strong cryptography
- Make sure your mobile device meets IU's Mobile Device Security Standard [https://protect.iu.edu/cybersecurity/policies/it12/12.1]

Use a secure storage location

Electronic records: Do not store critical information on any personal device or media, including storage drives, mobile media, or USB drives, unless the information is:

- Professionally secured (encrypted)
- Approved for storage by your senior executive officer or the Institutional Review Board

Paper records: Keep these in locked file cabinets/storage rooms or areas with access control. If stored in a shared location (e.g., University Archives), ensure that they are not accessible to others.

Safeguards

See Secure File Transfer Alternatives [http://protect.iu.edu/cybersecurity/secure-file-transfer-alternatives] for information on transmitting encrypted critical information.

Tips:

- Always log off or lock your workstation when you step away
- Comply with the PCI Data Security Standard (PCI DSS) for card payment data storage
- Comply with HIPAA for electronic personal health information (e-phi) storage

Use & transmission

Critical information should only be used for one purpose: conducting university business. Report any misuse to the appropriate authorities [protect.iu.edu/cybersecurity/incident].
Transmission by hand

- Use authorized couriers (list maintained by IU Purchasing)
- Require a signature from the recipient
- Provide a full address for the recipient, not a P.O. Box
- Keep your shipping documentation, including the tracking number
- Use tamper-evident packaging to protect information from unauthorized disclosure

Transmission electronically

Use an encrypted transmission method. If this isn't possible, encrypt the file before sending.

Other tips:

- Consider Slashtmp [https://slashtmp.iu.edu]
- Comply with PCI DSS for card payment data
- Comply with HIPAA for e-phi
- Code secure websites and transmit data over a secure channel [kb.iu.edu/data/ahuq.html]
- Sites used for research may need to comply with HIPAA, CFR part 11, or FISMA

For other data protection methods, see Secure File Transfer Alternatives [http://protect.iu.edu/cybersecurity/secure-file-transfer-alternatives].

Encryption assistance

How does encryption protect information?

Keys encrypt information. Only the person with access to the correct key can decrypt information.

Methods of encryption

Encryption typically applies to two different scenarios:

- Encrypting data at rest (while it's being stored)
- Encrypting data in transit (while it's being transmitted)

Encryption tools: stored information

- Encryption explained [protect.iu.edu/cybersecurity/data/encryption]
- What is PGP? [protect.iu.edu/tools/pgp]
- What is BitLocker? [kb.iu.edu/data/avjz.html]
- What is TrueCrypt? [kb.iu.edu/data/auhm.html]
Encryption tools: transmitted information

- Secure File Transfer Alternatives [protect.iu.edu/cybersecurity/secure-file-transfer-alternatives]
- What is SFTP? [kb.iu.edu/data/akqg.html]
- What is Slashtmp, and how do I use it? [kb.iu.edu/data/angt.html]

Searching & inventorying

Searching for critical information

Make sure you aren't unknowingly storing critical information with tools such as Identity Finder. The IU-licensed tool searches for, protects, and securely disposes of certain critical information elements stored on your computer, file shares, or external media. Download it at no cost from IUware [iuware.iu.edu].

Other tips:

- If you find critical information, inform your departmental IT Pro and ask for assistance on secure disposal
- Identify where you have stored information on paper (e.g., desk or office area, file cabinets, closets, remote storage)

Social Security Numbers

As of 2004, IU no longer uses social security numbers for employee or student IDs. To purge those SSNs:

- Delete the SSN column and all SSNs in it from historical student records
- Look for green or blue papers and oversized white
- Shred unnecessary documents
- Move necessary records to secured storage
- For external payrolls or government reporting, the university ID number can be converted to the SSN

Disposal, wiping, & shredding

Disposal

Secure disposal means deleting information in a way that is not recoverable. Never discard or leave critical information in an area accessible to the public.

Deletion is not enough

Most methods for file deletion, including system utilities and hard drive reformatting, only remove pointers to the actual file. They do not remove the information itself. That is why IU policy requires wiping or destroying hard drives and storage media prior to disposal or transfer outside the university.
Disk-wiping utilities

Check with your departmental IT Pro for a preferred tool, or see: How can I securely wipe disk drives? [kb.iu.edu/data/auhn.html].

Hard drive and document destruction

- IU Surplus Data Destruction Service [www.docuserv.indiana.edu/copy/ss_data.asp]
- Securely removing data [http://protect.iu.edu/cybersecurity/data/secure-removal]
- Document destruction vendors (approved by IU Purchasing) [http://www.indiana.edu/~purchase/contract/documentstorageanddestruction/destruction.php]

Sharing & disclosure

Disclosure is the direct sharing or providing of critical information to a person external to IU. It can be verbal, on paper, or electronic. Disclosure can also occur if information is compromised or stolen.

Authorized disclosures

Disclosure is sometimes necessary, or even required by law. Contracts (reviewed by IU Purchasing) should be in place to oversee the sharing agreement. Pre-2006 contracts must be updated to include standard language.

Other things to note:

- Some instances of disclosure include SSNs. Get express written consent from affected individuals. Documents should also state SSN disclosure.
- Forward requests from law enforcement (or the public under the Indiana Access to Public Records Act) to the Office of the Vice President and General Counsel
- All disclosures must comply with Policy DM-02 [http://policies.iu.edu/policies/categories/information-it/data-management/dm-02.shtml].

Unauthorized disclosures

Report all unauthorized disclosures immediately.

1. Call the UITS Support Center [uits.iu.edu/support]
2. Email details to: it-incident@iu.edu
3. Wait for next steps from the University Information Policy and Security Offices

If the incident involves a compromised computer, do not power it off or access or alter files. This may delete important forensic data.
Resources

- University Information Policy Office: (812) 855-UIPO, protect.iu.edu/uipo, uipo@iu.edu
- Committee of Data Stewards: datamgmt.iu.edu, iudata@iu.edu
- Information protection: protect.iu.edu/cybersecurity/data
- Office of the VP and General Counsel: (812) 855-9739, (317) 274-7460
- Student Privacy and FERPA: registrar.indiana.edu/ferpainfo.shtml
- IU Knowledge Base: kb.iu.edu
- Online safety tips: protect.iu.edu/cybersecurity/safeonline
- UITS Support Center: uits.iu.edu/support
- Global Research Network Operations Center: (317) 274-7788
- Institutional Data Acceptable User Agreement: protect.iu.edu/agreement
- Incident Reporting: it-incident@iu.edu

The Trustees of Indiana University, November 2015