Guidelines for Protecting Sensitive Data:
In today's world, protecting confidential data is crucial. NDSU manages and uses personal information belonging to students, staff, faculty, researchers, and those who use its outreach services. As a manager of that information, NDSU is responsible for protecting and securing personal, student-related, financial, and health information, and intellectual property, from misuse, theft, compromise, and unauthorized disclosure. As an employee of NDSU it is your responsibility to
- Follow all applicable laws, and NDSU policy and procedure
- Use due diligence when working with confidential and sensitive data
- Incorporate and use mandated and recommended standards and guidelines for the protection of confidential and sensitive data
Federal laws that protect personal data
- FERPA (Family Educational Rights and Privacy Act), 1974. This law protects student information such as name, SSN, demographic information, grades, and information related to their education.
- GLBA (Gramm-Leach-Bliley Act), 2000. A financial law designed to protect personal financial information such as financial aid, banking, credit, and investment information.
- HIPAA (Health Insurance Portability and Accountability Act), 1996. A federal law that protects personal health information.
State Laws and Other Standards that protect personal data
- ND Privacy Law, 2006, protects personal data. NDSU is required to report to the owner of the data if a breach has occurred and if information has become compromised or stolen.
- North Dakota Public Records Statute, North Dakota Century Code 44-04, defines what is and isn't a public record and/or what data can be made available for public view.
- PCI DSS (Payment Card Industry Data Security Standard). Standards created for online credit card transactions by the four major credit card payment companies. Requires those entities that accept online credit card payments to follow strict standards.
NDUS and NDSU Policies and Procedures
- North Dakota University System Computer Use Policy and Procedure 1901.2
- NDSU 710: Computer and Electronic Communication Facilities
- NDSU 158: Acceptable Use of Electronic Communication Devices
- NDSU 718: Public/Open Records
- NDSU Policy Manual
North Dakota University System Data Classification Standard
The North Dakota University System Data Classification Standard was developed to identify and clarify the definition of data types within a university. Any data asset of the NDUS or the Institution shall be classified as Public, Private, or Confidential.
Public data is defined as data that any entity either internal or external to the ND University System can access. The Open Records law of North Dakota may apply.
Confidential data is information that the NDUS or Institution is under legal or contractual obligation to protect from disclosure, alteration, or destruction. The disclosure, use, or destruction of confidential data can have adverse effects on the NDUS or Institution and possibly carry significant civil, fiscal, or criminal liability. The availability and use of confidential data will be restricted to selected, authorized employees whose job function necessitates access to the data, and to third parties pursuant to valid legal inquiries.
The owner of the data is the person to whom the data belongs. For example, a person owns his/her social security number, date of birth, and address.
The custodians of such data are employees, departments, colleges, research centers, and extension offices responsible for the integrity, confidentiality, and availability of the data. It shall be the responsibility of the owner/custodian of the data to classify the data. However, all individuals accessing data are responsible for the protection of the data at the level determined by the owner/custodian of the data as mandated by law. Any data not yet classified by the owner/custodian shall be deemed Confidential. Access to data items may be further restricted by law, beyond the classification systems of the NDUS or NDSU.
Best Practices for Sensitive Data:
- All data must be classified.
- All data access must be authorized under the principle of least privilege and based on minimal need.
- All access to confidential data must be authenticated and logged.
- When an individual who has been granted special access changes responsibilities or leaves employment, all their access rights must be reevaluated and any unneeded access removed.
- When necessary, data transmission and storage should be encrypted.
Protect Social Security Numbers:
Do not use SSNs as a key field or as an identifier for files, spreadsheets, databases, and correspondence. If possible, it is recommended to avoid including the SSN in any type of file or document. An alternative would be to use the EmplID or Student ID.
If there is a business need to use the SSN in files and documents, the data must be secured and available only to those who have a need to know.
If you use a laptop and travel, it is recommended that the laptop's hard drive be encrypted.
Never attach documents containing SSNs or other personally identifiable information to email. It is possible the transmission may not be secure.
For more information on the protection of SSNs, please see http://www.ndsu.edu/vpfa/ssn_management/ .
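One practical way to act on the two rules above (keep SSNs out of files, never email them) is to scan a document's text for SSN-shaped values before it is saved or attached, and to redact any that are found. The following is an added example written for this page, not NDSU's own tooling; the sample strings it checks are constructed. It rejects number ranges the Social Security Administration never issues (area 000, 666, and 900-999; group 00; serial 0000) so that ordinary nine-digit values such as order numbers produce fewer false alarms.

```python
import re

# Matches 9 digits in the SSN shape AAA-GG-SSSS, written with dashes,
# spaces, or no separators at all.
_SSN_RE = re.compile(r"\b(\d{3})[- ]?(\d{2})[- ]?(\d{4})\b")


def is_plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Return False for values the SSA never assigns.

    Area 000, 666 and 900-999 are never issued, and group 00 and
    serial 0000 are never issued either. Everything else is treated
    as a possible SSN; this is a screening check, not proof.
    """
    a, g, s = int(area), int(group), int(serial)
    if a == 0 or a == 666 or a >= 900:
        return False
    if g == 0 or s == 0:
        return False
    return True


def find_ssns(text: str) -> list[str]:
    """Return every SSN-shaped value in text, as written in the text."""
    return [
        m.group(0)
        for m in _SSN_RE.finditer(text)
        if is_plausible_ssn(*m.groups())
    ]


def redact_ssns(text: str) -> str:
    """Replace each plausible SSN with XXX-XX-<last four>.

    Values that fail is_plausible_ssn are left untouched so that
    unrelated nine-digit numbers are not mangled.
    """
    def _replace(m: re.Match) -> str:
        if not is_plausible_ssn(*m.groups()):
            return m.group(0)
        return "XXX-XX-" + m.group(3)

    return _SSN_RE.sub(_replace, text)


def safe_to_attach(text: str) -> bool:
    """Gate for an email attachment: True only if no SSN was found."""
    return not find_ssns(text)


if __name__ == "__main__":
    # Constructed sample document text, not real data.
    sample = "Advising note: student SSN 123-45-6789, EmplID 1234567"
    print(find_ssns(sample))       # ['123-45-6789']
    print(redact_ssns(sample))     # ... XXX-XX-6789, EmplID 1234567
    print(safe_to_attach(sample))  # False
```

Run the redaction over the text of a spreadsheet export or a letter before it leaves the office, and treat a non-empty result from find_ssns as a reason to replace the SSN with the EmplID or Student ID rather than a reason to mask it in place. Any nine-digit number that passes the range check (a bank routing number, for instance) will still be flagged, which is the safer direction for this kind of check.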
Protect Credit Card Data:
Credit card information is protected under the Payment Card Industry Data Security Standard and by various federal and state laws. When accepting, using, and storing credit card information, these guidelines must be followed.
- Do not store the full credit card number. If there is a business need to store credit card information, only the last four digits can be stored electronically or in hard copy.
- Do not store the CVV2 (Card Verification Value, the three digits located on the back of the credit card).
- Do not store the expiration date.
- Credit card receipts must only show the last four digits of the card. The CVV2 and/or the expiration date must not be printed on the receipt.
- Do not accept credit card information over e-mail.
- If credit card information is received over voice mail, delete it immediately.
- Within the office/college, there must be separation of duties for accepting and processing credit cards.
NDSU uses a secure third-party vendor, TouchNet, to accept credit cards. Please contact NDSU Customer Account Services, Karin Hegstad or Carrie Peterson, for more information on how to use this service. For more information on credit card information and safekeeping, please read NDSU policy 509, Electronic Financial Transactions, and the NDSU Red Flag Identity Theft Prevention Program document.
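The storage and receipt rules above translate directly into code: whatever a form or terminal hands you, the only card-derived value that may be persisted or printed is the last four digits, and the CVV2 and expiration date are dropped before anything is logged. The following is an added example for this page, not NDSU's or TouchNet's code; the transaction dictionary and the card number it uses are constructed test values (4111 1111 1111 1111 is a widely published Luhn-valid test number, not a real account). The Luhn check is there so that a mistyped number is rejected instead of being truncated and stored as if it were valid.

```python
import re

# Field names under which raw card data commonly arrives. None of these
# may survive into storage or logs; only "last_four" may be kept.
_FORBIDDEN_FIELDS = {"pan", "card_number", "cvv", "cvv2", "expiry", "exp_date"}


def luhn_valid(pan: str) -> bool:
    """Luhn checksum over a string of digits (catches typos, not fraud)."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def normalize_pan(raw: str) -> str:
    """Strip spaces/dashes and validate shape; raise on anything suspect."""
    pan = re.sub(r"[ -]", "", raw)
    if not pan.isdigit() or not 13 <= len(pan) <= 19:
        raise ValueError("card number has the wrong shape")
    if not luhn_valid(pan):
        raise ValueError("card number fails checksum")
    return pan


def last_four(raw_pan: str) -> str:
    """The only part of the PAN that the guidelines permit to be kept."""
    return normalize_pan(raw_pan)[-4:]


def scrub_transaction(tx: dict) -> dict:
    """Build the record that may be stored from a raw transaction dict.

    The full PAN is replaced by its last four digits; CVV2 and
    expiration date are discarded; all other fields pass through.
    """
    raw_pan = tx.get("card_number", tx.get("pan"))
    if raw_pan is None:
        raise ValueError("transaction carries no card number")
    record = {k: v for k, v in tx.items() if k not in _FORBIDDEN_FIELDS}
    record["last_four"] = last_four(raw_pan)
    return record


def receipt_line(record: dict) -> str:
    """Receipt text: masked card plus amount, never CVV2 or expiry."""
    cents = record["amount_cents"]
    return f"CARD ****{record['last_four']}  AMOUNT ${cents // 100}.{cents % 100:02d}"


if __name__ == "__main__":
    # Constructed transaction; the card number is a public test value.
    raw = {
        "card_number": "4111 1111 1111 1111",
        "cvv2": "123",
        "expiry": "12/27",
        "amount_cents": 1999,
        "merchant_ref": "ORDER-42",
    }
    stored = scrub_transaction(raw)
    print(stored)                # no PAN, no cvv2, no expiry
    print(receipt_line(stored))  # CARD ****1111  AMOUNT $19.99
```

The point of scrubbing at the boundary, before the transaction dictionary reaches a database write or a log statement, is that nothing downstream can store a forbidden field by accident; the separation-of-duties rule is easier to honor when the processing side never even sees the full number.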
Feb 17, 2015
Over-sharing on a first date could lead to no second date, but over-sharing on a social media site could lead to data theft, real property theft, or physical danger to yourself or your family. There are lots of automated scripts already running on the Internet looking for keywords that are posted to social media. These scripts do everything from changing the word "meet" to "meat" and posting the results to Twitter, to alerting potential thieves that a family is now on vacation and away from their house. Be safe on social media.
Feb 6, 2015
New Slim Spray Diet ... Want a Cruise ... Fight Hair Loss Now ... SPAM SPAM SPAM ... It seems to get into every e-mail inbox before the account is even set up. But there are some ways to fight this menace.
- Don't reply to it
- Don't tell vendors your e-mail account
- If your service has the option, report it or mark it as spam
There are more ways to fight in the link below.
FEB 4, 2015
It's tax refund season, time for a new phone or tablet. But what about the old one? Do you have information on that device that could be used against you? How can you make sure that your old phones and devices don't come back to haunt you when you are done with them? Many people buy old equipment off eBay just to see what kind of data is left on those devices. Follow this guide to make sure that your device is wiped clean before you dispose of it.
FEB 3, 2015
When you download an app on social media or your mobile device, you may be allowing it to collect personal information like your contacts list or location. If possible, look at an app's permissions before downloading and make sure you are comfortable with the information it collects. If the app does not tell you what information it collects, err on the side of caution and assume that it may be collecting information.
FEB 2, 2015
There is a security and privacy threat almost everywhere you go, and most people don't even think about it. Free Wi-Fi: if it's free, how can that be bad? In fact most free Wi-Fi could be quite safe, but a few access points could have an active sniffer on the line watching every single nibble of data that goes across their interface, looking for passwords, usernames, or e-mail addresses. Click below for more information on safely using Wi-Fi when traveling.