Bryant University. The Character of Success

Protecting Private Data

Bryant University has a responsibility to maintain high standards of security for electronic information that should not be made public. University data that is stored on computers and other electronic devices in files and databases must be secured against intentional or unintentional loss of confidentiality, integrity, or availability.

This guideline provides definition and guidance to the University community on baseline actions needed to protect private University electronic data stored on computers and other electronic devices. The term "private data" is meant to include legally protected and non-public University data whether it is research, clinical, educational, outreach, or administrative data. The data includes but is not limited to the following:

  • Social security number
  • Trade secrets or intellectual property such as research activities
  • Birth date
  • Home phone number
  • Home address
  • Health records
  • Student grades
  • Location of assets
  • Parking leases
  • Anonymous donors
  • Gender
  • Ethnicity
  • Citizenship
  • Citizen visa code
  • Veteran and disability status
  • Linking a person with the subject about which the library user has requested information or materials

The risks to private data in the electronic environment have substantially increased, while the corresponding protections have not. At the University, most electronic devices are directly connected to the University network and the Internet. Data is increasingly mobile to desktop, laptop, and handheld devices, which need to be secured. Viruses, worms, and malicious programs from the Internet, as well as accidental and unintentional loss of data, are substantially increased risks in such an environment. It is highly recommended that sensitive data stored on mobile devices such as laptop computers be encrypted due to the high risk of loss or theft.

It is the responsibility of each individual with access to sensitive data resources to use these resources in an appropriate manner and to comply with all applicable federal, state, and local statutes. Additionally, it is the responsibility of each individual with access to sensitive data resources to safeguard these resources.

Responsibility and Approval:

Computers and other devices used to store private data need:

  • An approved plan: Computers and other devices should not be connected to a network or the Internet except in accordance with a security plan that has been approved and implemented by the department head (as well as relevant oversight groups where applicable).
  • Local data owner: Computers and other devices must have an identified local data owner (such as the principal user of the data or the unit supervisor) who is responsible for the data and can act as a point of contact.
  • Technical expertise: Computers and other devices must be either continuously managed or reviewed on an ongoing basis by a full-time Information Services (IS) professional, such as the local server administrator or Information Services staff. These reviews must include adherence to baseline security requirements as well as other strategies for protecting the information.

Methods of Safeguarding Private Data include:

  1. Sensitive data should not be stored on personal desktop or laptop computers since these computers tend to reside in less secure locations than central servers.
  2. Access to computers that are logged into central servers storing sensitive data should be restricted (e.g., authenticated logins and screen savers, locked offices, etc.).
  3. Access to sensitive data resources stored on central servers should be restricted to those individuals with an official need to access the data.
  4. All servers containing sensitive data must be housed in a secure location and operated only by authorized personnel.
  5. Copies of sensitive data resources should be limited to as few central servers as possible.
  6. Sensitive data should be transmitted across the network in a secure manner (e.g., to secure web servers using data encryption with passwords transmitted via secure socket layer, etc.).
  7. Any accidental disclosure or suspected misuse of sensitive data should be reported immediately to the appropriate University official.
  8. All computer systems, electronic devices and electronic media must be properly cleaned of sensitive data and software before being transferred outside of Bryant University either as surplus property or as trash.
  9. Computer hard drives must be sanitized by using software that is compliant with Department of Defense standards. Non-rewritable media, such as CDs or non-usable hard drives, must be physically destroyed.

Non-directory student information may not be released except under certain prescribed conditions. Non-releasable information includes:

  • Grades
  • Courses Taken
  • Schedules
  • Test scores
  • Advising records
  • Educational services received

Encryption

In response to the need for easy-to-use encryption, many software applications can now encrypt files. In fact, the Windows operating system has encryption as a standard feature.

There are several different ways to encrypt data on your machine: you can encrypt a file within the program you use to create it, such as Microsoft Word or Adobe Acrobat; you can have an encrypted folder or location on your computer where you place the files you want to protect, using programs like Windows Encrypted File System (EFS). You can also encrypt your entire computer (called full disk encryption) using BitLocker on Windows 7 (the recommended option) and some versions of Windows Vista.

When you encrypt files it is important to remember they are only accessible with the password you used to encrypt them. If you forget your password your files will be lost. If you encrypt your entire computer and forget your password you will not be able to log in. You can use a password management program to safely store your passwords for future retrieval. For information on encryption and password management tools please contact the Helpdesk.

Credit Card Data Security Guidelines

These guidelines address Payment Card Industry (PCI) Data Security Standards (DSS) that are contractually imposed by the major credit card brands on merchants that accept these cards as forms of payment. The guidelines cover the following specific areas contained in the PCI standards related to cardholder data: collecting, processing, transmitting, storing and disposing of cardholder data.

  1. Cardholder data collected is restricted only to those users who need the data to perform their jobs. Each department must maintain a current list of employees with access and review the list monthly to ensure that the list reflects the most current access needed and granted.
  2. Cardholder data, whether collected on paper or electronically, is protected against unauthorized access.
  3. All equipment used to collect data is secured against unauthorized use in accordance with the PCI Data Security Standard.
  4. Physical security controls are in place to prevent unauthorized individuals from gaining access to the buildings, rooms, or cabinets that store the equipment, documents or electronic files containing cardholder data.
  5. The Office of Information Services is responsible for PCI compliance for the electronic payment gateway (currently Touchnet) and all other centrally administered servers that process, store or transmit cardholder data. Individual departments are held responsible for PCI compliance for all departmental procedures, applications, point of sale devices and departmentally administered servers that process, store or transmit cardholder data. Additionally, these procedures, applications and systems should comply with Office of Information Services policies. All controls, including firewalls and encryption, should be documented and verified.
  6. Email should not be used to transmit credit card or personal payment information, nor should it be accepted as a method to supply such information.
  7. No database, electronic file, or other electronic repository of information will store credit/debit card numbers, the full contents of any track from the magnetic stripe, or the card-validation code.
  8. Portable electronic media devices should not be used to store cardholder data. These devices include, but are not limited to, the following: laptops, compact disks, floppy disks, USB flash drives, personal digital assistants and portable external hard drives.

For Payment Card Industry (PCI) Data Security Standards (DSS) related to cardholder data see: PCI Security Standards
  Approved By: Information Services
 
 
  © 2006 Bryant University | www@bryant.edu  
  1150 Douglas Pike, Smithfield, RI 02917 | 401-232-6000  