Secure Sensitive Data

Overview

Once you are aware of how sensitive data is collected and stored, you need to begin the process of securing it from unauthorized access or security breaches.

Guidelines

Below are various standards which will assist you and your department in securing sensitive data from unauthorized access or breaches. While the list below is extensive, there may be situations in which they do not apply to a particular workflow. If such is the case, please feel free to reach out to TSS for further guidance and assistance.

• Authentication: Users should need to log in with a username and access to see data and that access should be logged.
• Permissions/Access Controls: Verify that controls are in place to allow system users to only see the data they need to see.
• Encryption where appropriate: Where possible, encrypt restricted data.
• In transit: both in transit over a network and physical transportation of media containing sensitive data, such as CDs.
• In storage: Encrypt data using tools such as PGP, TrueCrypt, etc. (This may not be possible in all cases. Contact TSS with any questions you may have.)
• Select a secure storage location: Select a location appropriate to store the data. Review current storage locations and decide if physical data is exposed or too readily accessible to other staff members.
• Physical security: Paper forms or portable media containing restricted data should be stored in locked cabinets, drawers, and closets.
• Access to storage locations: Should be limited to only staff who need access based on a specific job function.
• Servers containing restricted data: Should be kept in locked areas, preferably in a machine room, and follow established NYU procedures including, but not limited to:
• Monitored access, such as a card reader
• CCTV monitoring
• Backup power
• Environmental controls
• Position monitors so that unauthorized persons cannot casually view them
• Desktop computers containing restricted data: Should be kept in locked areas and follow established NYU procedures including, but not limited to:
• Enable password-protected screen savers to prevent unauthorized access
• Position monitors so that unauthorized persons cannot casually view them
• Never send restricted data over NYU email
• If you need to transmit restricted data over the network, use Webspace. Webspace will never transmit the actual data over email, but rather, send to the recipient an URL to the password protected files. Learn more about Webspace here.

Supplemental Better Practices

• Security Awareness: The most important part of protecting data is making sure that the people who use them make the right decisions about how to collect, use and store sensitive data.
• Education: Educational materials are available from ITS. If you would like a presentation or meeting regarding the use and storage of sensitive data, contact TSS.
• Business Continuity: Have a plan for what you will need to do to access sensitive data in case of an emergency. Make sure that plan follows the business and system best practices outlined here.
• Backups: Implement the same security controls for backup data as you would for production data. Retain backup data only as long as required or in conforment with the University or local department's data retention policies
• Inventory: Keep a list of systems where sensitive data is stored and document business processes that involve sensitive data
• Data and system disposal: Have a plan for what you will need to do to access sensitive data in case of an emergency. Make sure that plan follows the business and system best practices outlined here.
• Backups: Completely delete sensitive data of all types before disposing of systems
• Computer Disposal Guidelines
• Computer Disposal/Surplus Instructions
• Media destruction: Shred or otherwise destroy paper records or physical media, such as CDs and floppy disks.

Return to the "Data Security - Is IT Secure?" page >>>

Page last reviewed: May 20, 2011