critical data management indiana university hr summit april 24, 2014
TRANSCRIPT
Critical Data Management
Indiana University HR SummitApril 24, 2014
I N D I A N A U N I V E R S I T YU n i v e r s i t y H u m a n R e s o u r c e s
www.threatgeek.com
Classifications of data
IU has four classifications of data that define the access, handling, and the proper disposal of data.
Public University Internal Limited Access/Restricted Critical
I N D I A N A U N I V E R S I T YU n i v e r s i t y H u m a n R e s o u r c e s
Data Classified as Public
• Open access (except CANNOT be used for commercial purposes)
• Examples of HRMS data classified as Public:
Name Job Title Salary/Wages Work address & phone Dates of first and last employment
I N D I A N A U N I V E R S I T YU n i v e r s i t y H u m a n R e s o u r c e s
Data Classified as University Internal• Accessible by eligible employees in
order to conduct university business.
• Examples of HRMS data classified as University Internal:
University ID (employee ID) Preferred name Compensation frequency IU Job funding account numbers
I N D I A N A U N I V E R S I T YU n i v e r s i t y H u m a n R e s o u r c e s
Data Classified as Limited Access/Restricted• Requires high level of protection and specific
authorization. Selective access may be granted.
• Examples of HRMS data classified as Limited Access/Restricted:
Date of birth/Age Gender Ethnicity Home address/home phone Benefit enrollment information Payroll information (taxes, deductions, etc.)
Data Classified as Critical
• Requires the very highest level of protection. Specific authorization required.
• HRMS data classified as Critical: Social Security Number Direct deposit bank account
numbers
I N D I A N A U N I V E R S I T YU n i v e r s i t y H u m a n R e s o u r c e s
Inappropriate handling of Critical data can result in:
• Criminal or civil penalties 2 Indiana state laws exist
related to unauthorized disclosure of SSN and insecure disposal of personal information
• Identity theft or personal financial loss
• Invasion of privacy
Unauthorized disclosure of Critical data
• If at any time you think you may have had an unauthorized disclosure or exposed any Critical information, please immediately:
Call your Support Center or Network Operations Center
Send details to [email protected]
Highlights from:
• “Protecting Red-Hot Data” Flippy book can be found here: http://protect.iu.edu/cybersecurity/training/downloads
• “Staying Safe Online” bookmark:https://protect.iu.edu/sites/default/files/StaySafeOnlineBookmark.pdf
Safeguarding data
• Don’t be a phishing scam victim. Reputable organizations will never ask for personal data, account numbers, or passwords via email.
• Don’t open files from strangers and ensure that files from friends are legitimate.
• Use strong passphrases: include combos of lower and uppercase letters, numbers, and symbols.
Safeguarding data
• NEVER share passwords or passphrases.
• ALWAYS log off or lock your workstation when you step away, even for a moment.
• Use VPN as often as possible when using public Wi-fi.
• Access HRMS employee data only in the conduct of university business.
Safeguarding data
• Respect the confidentiality and privacy of individuals whose records you may access.
• Do not access or use any HRMS data for your own personal gain or profit, or the personal gain or profit of others, or to satisfy your personal curiosity.
• Observe any ethical restrictions that apply to data to which you have access, and abide by applicable laws or policies with respect to access, use, or disclosure of information.
Collecting Critical or Limited Access/Restricted data
• Do not collect it unless absolutely required for business need
• Utilize university ID instead of SSN where possible
• If you received the information from another source, DIRECT THE SOURCE not to provide it to you anymore and DISPOSE of it securely
Storing Critical or Limited Access/Restricted data
• Electronic: Always store on secure departmental servers
NEVER store this information on your desktop, PDA, USB drive, or any mobile device unless you have written approval from your unit AND the information is encrypted on the device
Storing Critical or Limited Access/Restricted data
• Paper: Ensure that records are kept in locked file cabinets/storage rooms that are access controlled
Sharing Critical or Limited Access/Restricted data
• Do not disclose except as specifically required by your job responsibilities
• Reduce risk by providing the minimal amount of information required to meet the business need.
• Do not provide this data when someone requests it in person, in writing, or by phone unless you have secured approval due to it being required or allowable by law or policy.
Sharing Critical or Limited Access/Restricted data
• Paper: Hand deliver Use reliable transport or
couriers (Purchasing maintains a list)
Sharing Critical or Limited Access/Restricted data
• Electronic: Do not send via email unless
absolutely required for business need If required, add the word
“Confidential” to the email subject line so the file will be encrypted if it leaves the IU network (Cisco Registered Envelope Service)
To share files, use Slashtmp: https://www.slashtmp.iu.edu
Retaining Critical or Limited Access/Restricted data
• Retain only as long as is required for business or compliance needs
Disposing of Critical or Limited Access/Restricted data
• Paper: Shred (Purchasing has a list of
approved document destruction vendors)
• Electronic: Delete files containing “critical” data
as soon as business need is fulfilled If disposing of hard drive, IU policy
requires wiping or destroying prior to disposal or transfer outside the university
Proper use and handling of university data is EVERY
employee’s responsibility!
Summary
• Safeguard university data like it’s your own
• Collect only what is absolutely required
• Store securely
• Share only what is required and use a secure method for sharing
• Retain only as long as needed
• Dispose using best practice tools and techniques
Remember - don’t be Dave!
Questions?