Classify Data

Review your existing business processes which request or process sensitive data in order to assess the state of data security.

Look at your existing business processes which request or process sensitive data and answer the following questions:

• Based on the Electronic Data and System Risk Classification Policy, is my department collecting "High Risk" data?
• How is the data being used?
• Is it necessary to performing a business function?
• Who within my group needs access to these data?
• How long do we need to keep these data?

Make a plan for restricting collection and storage to meet the "minimum necessary" standard for access to sensitive data. In other words: 1) One only collects the minimum that is required for a business process 2) Access to that data is only granted to the smallest number of employees required 3) The data is kept for the shortest period of time possible before it is properly disposed of.

Once you have completed this process, begin reviewing where data is stored and collected.

When reviewing your data storage and collection processes, be as specific as possible. The greater the specificity, the more likely data will be properly secured. In order to do so, ask yourself the following:

• What kinds of sensitive data do we need to store?
• How many records will we be using?
• On what systems will the data be stored?
• Who needs access to systems that contain sensitive data?
• How do we collect sensitive data? (web forms, email, paper forms, etc.)
• How do we transport/transmit the data? (e.g. Are data stored on tape or hard drive? Are they being transmitted over NYU-NET? Over the Internet? On paper?)

You should document the places where data is stored and collected as well as keep the documentation up to date. Then, follow the procedures in step 3 to secure the systems and data that are involved in these processes.

Below are various standards which will assist you and your department in securing sensitive data from unauthorized access or breaches. While the list below is extensive, there may be situations in which they do not apply to a particular workflow. If such is the case, please feel free to reach out to OIS for further guidance and assistance.

• Authentication: Users should need to log in with a username and password to see data and that access should be logged.
• Permissions/Access Controls: Verify that controls are in place to allow system users to only see the data they need to see.
• Encryption where appropriate: Where possible, encrypt restricted data.
  • In transit: Both in transit over a network and physical transportation of media containing sensitive data, such as hard drives.
  • In storage: Encrypt data using tools such as PGP, etc. (This may not be possible in all cases. Contact OIS with any questions you may have.)
• Select a secure storage location: Select a location appropriate to store the data. Review current storage locations and decide if physical data is exposed or too readily accessible to other staff members.
• Physical security: Paper forms or portable media containing restricted data should be stored in locked cabinets, drawers, and closets.
• Access to storage locations: Should be limited to only staff who need access based on a specific job function.
• Servers containing restricted data: Should be kept in locked areas, preferably in a machine room, and follow established NYU procedures including, but not limited to:
  • Monitored access, such as a card reader
  • CCTV monitoring
  • Backup power
  • Environmental controls
  • Position monitors so that unauthorized persons cannot casually view them
• Desktop computers containing restricted data: Should be kept in locked areas and follow established NYU procedures including, but not limited to:
  • Enable password-protected screen savers to prevent unauthorized access
  • Position monitors so that unauthorized persons cannot casually view them
  • Never send restricted data over NYU email

If you need to transmit restricted data over the network, use NYU Box. NYU Box will never transmit the actual data over email, but rather, send to the recipient an URL to the password protected files. Learn more about NYU Box.

Supplemental Better Practices

• Security Awareness: The most important part of protecting data is making sure that the people who use them make the right decisions about how to collect, use and store sensitive data.
• Education: Educational materials are available from NYU IT. If you would like a presentation or meeting regarding the use and storage of sensitive data, contact OIS.
• Business Continuity: Have a plan for what you will need to do to access sensitive data in case of an emergency. Make sure that plan follows the business and system best practices outlined here.
• Backups: Implement the same security controls for backup data as you would for production data. Retain backup data only as long as required or conforming with the University or local department's data retention policies
• Inventory: Keep a list of systems where sensitive data is stored and document business processes that involve sensitive data
• Data and system disposal: Have a plan for what you will need to do to access sensitive data in case of an emergency. Make sure that plan follows the business and system best practices outlined here.
• Backups: Completely delete sensitive data of all types before disposing of systems. See computer disposal guidelines.
• Media destruction: Shred or otherwise destroy paper records or physical media, such as CDs.

Microsoft and Apple release updates and patches that protect your computer from operating system vulnerabilities; once you enable automatic software updates, your computer will automatically check for these updates every day and download any that become available. See these Recommendations for getting secure in the ServiceLink knowledge base for instructions.