Security Ripcord


Considerations for Sensitive Information Protections

University practices concerning the distribution and control of sensitive information located on university-owned and personally owned information resources are forcing most faculty and staff at these universities to analyze how they collect, receive, access, store, send, and destroy sensitive information related to their students, faculty, staff, and business partners.  Although each university can provide guidance to individuals on how to properly handle sensitive information, it is ultimately up to each university employee to proactively protect the information people have entrusted to their care.  To that end, each university needs to start reviewing, as a team, its processes for collecting, receiving, storing, sending, and destroying sensitive information.

All university employees, including staff, tenured and non-tenured faculty, graduate assistants, student workers, interns, guests, volunteers, and probationary, temporary, or wage employees, should be required to immediately review all university computers, mobile devices, and removable storage devices and media they have been assigned responsibility to maintain for any file that contains sensitive personal information.  Individuals who have been permitted to use personal resources to conduct university business should be required to check those resources as well.  Sensitive personal information includes a person’s full or partial name in conjunction with other information such as a complete or partial Social Security Number, date of birth, driver’s license or government-issued identification number, or any financial information such as credit card or bank account numbers.  Perhaps the best method for locating Social Security and credit card numbers on Windows, Linux, Unix, and OS X is the Spider program developed by security administrators at Cornell University.  Before conducting any search for sensitive information, each employee using this program should be instructed to read the Spider documentation, as this tool is known to be subject to false positives and false negatives.
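As an added illustration of the kind of pattern-based discovery scan described above (this is not the Spider tool's code and is not part of the original post), the following script searches text for dashed Social Security Numbers and 13-16 digit card numbers, applies a Luhn mod-10 check to discard most card-like digit runs, and walks a directory tree reporting per-file counts. The sample text is constructed; the SSN values, part number and card numbers in it are made up or published test values, not real data.

```python
"""Added example: minimal sensitive-data discovery scan (not Spider's code).

Shows why regex-based scans produce false positives (an unrelated
dashed number that looks like an SSN) and false negatives (an SSN
written without dashes), and how a Luhn check trims card-number noise.
"""
import re
import sys
from pathlib import Path

# Dashed SSN form. Area 000, 666 and 900-999 are never issued, group 00
# and serial 0000 are invalid, so rejecting them removes some false hits.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d\d-(?!0000)\d{4}\b")

# 13-16 digits with optional single space or dash separators between them.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")

# Constructed sample text; values are invented or published test numbers.
SAMPLE = """Constructed sample - not real data.
Student record: Jane Doe, SSN 123-45-6789, DOB 1990-01-01
Card on file: 4111 1111 1111 1111 (published Visa test number, Luhn-valid)
Order id 4111-1111-1111-1112 (fails Luhn, dropped)
Undashed SSN 123456789 is not matched (false negative)
Part number 305-12-4455 looks like an SSN (false positive)
"""


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan_text(text: str) -> dict:
    """Return SSN-like and Luhn-valid card-like matches found in text."""
    findings = {"ssn": [], "card": []}
    for m in SSN_RE.finditer(text):
        findings["ssn"].append(m.group())
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            findings["card"].append(m.group())
    return findings


def scan_file(path: Path) -> dict:
    """Scan one file as text; unreadable files yield no findings."""
    try:
        text = path.read_text(errors="replace")
    except OSError:
        return {"ssn": [], "card": []}
    return scan_text(text)


def scan_tree(root: Path) -> list:
    """Walk root recursively; return (path, ssn_count, card_count) per hit."""
    hits = []
    for p in sorted(root.rglob("*")):
        if p.is_file():
            f = scan_file(p)
            if f["ssn"] or f["card"]:
                hits.append((str(p), len(f["ssn"]), len(f["card"])))
    return hits


if __name__ == "__main__":
    if len(sys.argv) > 1:
        for path, n_ssn, n_card in scan_tree(Path(sys.argv[1])):
            print(f"{path}: {n_ssn} SSN-like, {n_card} Luhn-valid card-like")
    else:
        print(scan_text(SAMPLE))
```

Run with a directory argument to scan a tree, or with no arguments to see the constructed sample's results. The output is a list of candidates, not a verdict: the part number is reported as an SSN and the undashed SSN is missed, which is exactly why the post tells employees to read the tool's documentation and review each hit by hand before deciding what to delete or protect.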

Once located, sensitive information should NOT be immediately deleted.  Individuals who locate sensitive information will need to identify whether there is a specific business need to keep the information on that resource.  Any information determined to be unnecessary should be deleted using a secure deletion method such as SDelete, Eraser, or Wipe (OS X securely deletes information automatically).  Individuals who identify files containing sensitive information that is necessary to complete a specific business function should immediately notify their immediate supervisor for review, clarification, and instructions on how to protect the information.  The method selected will most likely involve one of the following tools:  TrueCrypt, GnuPG, WinZip, or FileVault.  Each university employee should be required to complete and sign a formal document certifying that he or she has removed all unnecessary sensitive data and understands all state laws and regulations and university policies and procedures associated with the security of sensitive information.

University departments should be required to maintain a list of all information resources, including any type of database, that contain sensitive information, along with the individuals directly responsible for securing and controlling access to each resource and the information it contains.  Departments should be required to review how they collect and store sensitive information via paper forms.  During the review of paper forms, methods and techniques for removing fields associated with an individual’s Social Security Number from these forms should be considered.  University departments should be held responsible for ensuring that each of their employees completes university policy, security awareness, and FERPA training courses.
 
The administrators of each university should do their best to assist their fellow employees in all of these efforts.  The information technology departments should develop step-by-step guidelines to assist departments and individuals in the identification, deletion, and secure storage of sensitive information.  Links to these guidelines should be distributed through the university’s notification mechanism.  University policies associated with the use of university information resources should be published in an easy-to-locate section of the university’s web site.

Certainly these actions may seem a bit confusing to the average university employee and may initially prove time consuming.  But the end result of providing proper protection for individuals’ sensitive information will ensure that each university can focus future activities on the normal services it provides to its students, faculty, and staff.  Providing a safe and protective working environment for university students and employees has always been a top priority of every university.  I assure you that the combination of all of these actions will ensure you and your university successfully move down the path of protecting your sensitive information.

Go forth and do good things,
Cutaway





One Response to “Considerations for Sensitive Information Protections”

  1. [...] and storage devices. You can definitely benefit from using some of the same tools and methods I listed in a recent post to protect your financial files such as those utilized by Quicken, Microsoft Money, and any other [...]
