Bryant University has a responsibility to maintain high standards of security for electronic
information that should not be made public. University data that is stored on computers and other
electronic devices in files and databases must be secured against intentional or unintentional
loss of confidentiality, integrity, or availability.
This guideline provides definitions and guidance to the University community on baseline actions
needed to protect private University electronic data stored on computers and other electronic devices.
The term "private data" is meant to include legally protected and non-public University data whether
it is research, clinical, educational, outreach, or administrative data. The data includes but is not
limited to the following:
- Social security number
- Trade secrets or intellectual property such as research activities
- Birth date
- Home phone number
- Home address
- Health records
- Student grades
- Location of assets
- Parking leases
- Anonymous donors
- Citizen visa code
- Veteran and disability status
- Linking a person with the subject about which the library user has requested information or materials
The risks to private data in the electronic environment have substantially increased, while the
corresponding protections have not. At the University, most electronic devices are directly
connected to the University network and the Internet. Data increasingly moves to desktop,
laptop, and handheld devices, which need to be secured. Viruses, worms, and malicious programs
from the Internet, as well as accidental and unintentional loss of data, are substantially
increased risks in such an environment. It is highly recommended that sensitive data stored on
mobile devices such as laptop computers be encrypted due to the high risk of loss or theft.
It is the responsibility of each individual with access to sensitive data resources
to use these resources in an appropriate manner and to comply with all applicable federal, state, and
local statutes. Additionally, it is the responsibility of each individual with access to sensitive data
resources to safeguard these resources.
Responsibility and Approval:
Computers and other devices used to store private data need:
- An approved plan: Computers and other devices should not be connected to a network or
the Internet except in accordance with a security plan that has been approved and implemented
by the department head (as well as relevant oversight groups where applicable).
- Local data owner: Computers and other devices must have an identified local data
owner (such as the principal user of the data or the unit supervisor) who is responsible
for the data and can act as a point of contact.
- Technical expertise: Computers and other devices must be either continuously
managed or reviewed on an ongoing basis by a full-time Information Services (IS)
professional, such as the local server administrator or Information Services staff.
These reviews must include adherence to baseline security requirements as well as
other strategies for protecting the information.
Methods of Safeguarding Private Data include:
- Sensitive data should not be stored on personal desktop or laptop computers since these computers
tend to reside in less secure locations than central servers.
- Access to computers that are logged into central servers storing sensitive data should be
restricted (e.g., authenticated logins and screen savers, locked offices)
- Access to sensitive data resources stored on central servers should be restricted to those
individuals with an official need to access the data.
- All servers containing sensitive data must be housed in a secure location and operated only by
- Copies of sensitive data resources should be limited to as few central servers as possible.
- Sensitive data should be transmitted across the network in a secure manner (e.g., to secure web
servers using data encryption with passwords transmitted via Secure Sockets Layer)
- Any accidental disclosure or suspected misuse of sensitive data should be reported immediately to
the appropriate University official.
- All computer systems, electronic devices and electronic media must be properly cleaned of
sensitive data and software before being transferred outside of Bryant University either as
surplus property or as trash.
- Computer hard drives must be sanitized by using software that is compliant with Department of
Defense standards. Non-rewritable media, such as CDs or non-usable hard drives, must be
Non-directory student information may not be released except under certain
prescribed conditions. Non-releasable information includes:
- Courses taken
- Test scores
- Advising records
- Educational services received
In response to the need for easy-to-use encryption, many software applications now provide
a way to encrypt files. In fact, the Windows operating system has
encryption as a standard feature.
There are several different ways to encrypt data on your machine: you can encrypt a file within
the program you use to create it, such as Microsoft Word or Adobe Acrobat; you can have an encrypted
folder or location on your computer where you place the files you want to protect, using programs
like Windows Encrypting File System (EFS). You can also encrypt your entire computer (called full
disk encryption) using BitLocker on Windows 7 (the recommended option) and some versions of Windows
When you encrypt files it is important to remember they are only accessible with the password
you used to encrypt them. If you forget your password your files will be lost. If you encrypt
your entire computer and forget your password you will not be able to log in.
You can use a password management program to safely store your passwords for future retrieval.
For information on encryption and password management tools please contact the Helpdesk.
Credit Card Data Security Guidelines
These guidelines address Payment Card Industry (PCI) Data Security Standards (DSS) that
are contractually imposed by the major credit card brands on merchants that accept these
cards as forms of payment. The guidelines cover the following specific areas contained in the PCI
standards related to cardholder data: Collecting, processing, transmitting, storing
and disposing of cardholder data.
For Payment Card Industry (PCI) Data Security Standards (DSS) related to cardholder data see:
PCI Security Standards
- Cardholder data collected is restricted only to those users who need the data to
perform their jobs. Each department must maintain a current list of
employees with access and review the list monthly to ensure that the list reflects the
most current access needed and granted.
- Cardholder data, whether collected on paper or electronically, is protected
against unauthorized access.
- All equipment used to collect data is secured against unauthorized use in
accordance with the PCI Data Security Standard.
- Physical security controls are in place to prevent unauthorized individuals from
gaining access to the buildings, rooms, or cabinets that store the equipment,
documents or electronic files containing cardholder data.
- The Office of Information Services is responsible for PCI compliance for the
electronic payment gateway (currently Touchnet) and all other centrally administered
servers that process, store or transmit cardholder data. Individual departments are
held responsible for PCI compliance for all departmental procedures, applications,
point of sale devices and departmentally administered servers that process, store or
transmit cardholder data. Additionally, these procedures, applications and systems
should comply with Office of Information Services policies. All controls,
including firewalls and encryption, should be documented and verified.
- Email should not be used to transmit credit card or personal payment
information, nor should it be accepted as a method to supply such information.
- No database, electronic file, or other electronic repository of information will
store credit/debit card numbers, the full contents of any track from the magnetic
stripe, or the card-validation code.
- Portable electronic media devices should not be used to store cardholder data.
These devices include, but are not limited to, the following: laptops, compact disks,
floppy disks, USB flash drives, personal digital assistants and portable external hard