Secure IT! Newsletter
The Newsletter of the Information Security Group | ISG@brown.edu
Archive Edition: May, 2006



 

by Connie Sadler, Dir. of IT Security, CIS

Data Confidential: What's Your Score?

Universities deal with an unprecedented amount of information, and store and transmit quite a diverse variety of important and confidential data, including the following:

  • admissions applications, family background, grades and transcripts
  • email, voicemail and telecommunication records
  • medical records
  • financial information: personal, departmental and institutional
  • employment information, e.g., performance/disciplinary, payroll, beneficiaries for insurance purposes
  • "customer" information (personal data entrusted to us by others) from individuals who register for events at Brown online or who purchase materials from us or who make library withdrawals
  • health-related information for research, athletics, student health or staff
  • card swipe records (building location, dining hall usage, copying at the libraries)

We believe that one of the most important measures that IT Security can take right now is to provide guidelines for how to protect Brown's valuable information. The first step is increased awareness, so that individuals know what it is they have (in terms of confidential information) and what they should be doing to protect it.

In support of that goal, we are releasing guidelines on the proper handling of Brown Sensitive Information (represented as "BSI" in the following list). How well do you score on following the recommended "best practices" for handling BSI? Give yourself one point for each good habit you follow on a regular basis, then check your score below.

  1. Adopt "clean desk practices". Don't leave paper documents containing BSI unattended; protect them from the view of passers-by or office visitors. It is recommended that confidential documents contain a cover sheet.
  2. Close and lock office doors when away from your office.
  3. Add a "Confidential" watermark to a Word document. (Steps vary by operating system and version. Consult the directions found in the Help menu.)
  4. Store paper documents containing BSI in locked files with a controlled key system (a list of individuals who have access should be documented) or an appropriately secured area.
  5. Lock file cabinets containing BSI before leaving the office each day.
  6. Do not leave the keys to file drawers containing BSI in unlocked desk drawers or other areas accessible to unauthorized staff.
  7. Store paper documents that contain information that is critical to the conduct of University business in secure file cabinets. Keep copies in an alternate location.
  8. Shred paper documents containing BSI when they are no longer needed, making sure that such documents are secured until shredding occurs. If a shredding service is employed, the service provider should have clearly defined procedures in the contractual agreement that protect discarded information, and ensure that the provider is legally accountable for those procedures, with penalties in place for breach of contract.
  9. Immediately retrieve or secure documents containing BSI as they are printed on copy machines, fax machines or printers. Double-check fax messages containing confidential information:
    • Recheck the recipient's number before you hit 'Start.'
    • Verify the security arrangements for a fax's receipt prior to sending.
    • Verify that you are the intended recipient of faxes received on your machine. If you are not, contact the intended recipient and make arrangements for the proper dispatch of the fax.
  10. Do not discuss BSI outside of the workplace or with anyone who does not have a specific "need to know". Be aware of the potential for others to overhear communications containing BSI in offices, on telephones, and in public places like elevators, restaurants, and sidewalks.
  11. Ensure that electronic equipment containing BSI is securely transferred or disposed of in a secure manner, per Brown's Electronic Equipment Disposition Policy.
  12. Immediately report the theft of Brown electronic computing equipment to the Department of Public Safety. Loss or suspected compromise of data containing BSI should be immediately reported to IT Security (ITSecurity@brown.edu).

| Points | Score |
|--------|-------|
| 0 - 2 | Needs a security primer |
| 3 - 5 | Room for Improvement |
| 6 - 8 | Conscientious |
| 9 - 11 | Very Good |
| 12 | Expert! |

The nature of our diverse campus demands that security be implemented as a community. This means a commitment from every individual at Brown to ensure that all of the sensitive information we hold is adequately protected.

Anyone who has questions about these guidelines, or the data they generate, access, store or transmit, is welcome to contact me at any time at 3-7566, or by email at Connie_Sadler@Brown.edu.


* Brown Sensitive Information is defined as information that should not be made public and is only to be disclosed under limited circumstances. It includes but is not limited to:

  • All information identifiable to an individual (including students, staff, faculty, trustees, donors, and alumni) including but not limited to social security numbers, dates of birth, student education records, medical information, benefits information, compensation, loans, financial aid data, alumni information, donor information, and faculty and staff evaluations.
  • The University's proprietary information including but not limited to intellectual research findings, intellectual property, financial data, and donor and funding sources.
  • Information, the disclosure of which is regulated by federal, state, and/or local government (e.g., FERPA, GLBA and data collected from human subjects).