Guidelines for Protecting Sensitive Data:
In today's world, protecting confidential data is crucial. NDSU manages and uses personal information belonging to students, staff, faculty, researchers, and those who use its outreach services. As a manager of that information, NDSU is responsible for protecting and securing personal, student-related, financial, and health information, and intellectual property, from misuse, theft, compromise, and unauthorized disclosure. As an employee of NDSU it is your responsibility to:
- Follow all applicable laws and NDSU policies and procedures
- Use due diligence when working with confidential and sensitive data
- Incorporate and use mandated and recommended standards and guidelines for protection of confidential and sensitive data
Federal laws that protect personal data
- FERPA (Family Educational Rights and Privacy Act), 1974. This law protects student information such as name, SSN, demographic information, grades, and information related to their education.
- GLBA (Gramm-Leach-Bliley Act), 2000. A financial law designed to protect personal financial information such as financial aid, banking, credit, and investment information.
- HIPAA (Health Insurance Portability and Accountability Act), 1996. A federal law that protects personal health information.
State Laws and Other Standards that protect personal data
- ND Privacy Law, 2006, protects personal data. NDSU is required to report to the owner of the data if a breach has occurred and information has been compromised or stolen.
- North Dakota Public Records Statute, North Dakota Century Code 44-04, defines what is and isn't a public record and/or what data can be made available for public view.
- PCI-DSS (Payment Card Industry Data Security Standard). Standards created for online credit card transactions by the four major credit card payment companies; they require entities that accept online credit card payments to follow strict standards.
NDUS and NDSU Policies and Procedures
- North Dakota University System Computer Use Policy and Procedure 1901.2
- NDSU 710: Computer and Electronic Communication Facilities
- NDSU 158: Acceptable Use of Electronic Communication Devices
- NDSU 718: Public/Open Records
- NDSU Policy Manual
North Dakota University System Data Classification Standard
The North Dakota University System Data Classification Standard was developed to identify and clarify the definition of data types within a university. Any data asset of the NDUS or the Institution shall be classified as Public, Private, or Confidential.
Public data is defined as data that any entity either internal or external to the ND University System can access. The Open Records law of North Dakota may apply.
Confidential data is information that the NDUS or Institution is under legal or contractual obligation to protect from disclosure, alteration, or destruction. The disclosure, use, or destruction of confidential data can have adverse effects on the NDUS or Institution and possibly carry significant civil, fiscal, or criminal liability. The availability and use of confidential data will be restricted to selected, authorized employees whose job function necessitates access to the data and to third parties pursuant to valid legal inquiries.
The owner of the data is the person to whom the data belongs. For example, a person owns his/her social security number, date of birth, and address.
The custodians of such data are employees, departments, colleges, research centers, and extension offices responsible for the integrity, confidentiality, and availability of the data. It shall be the responsibility of the owner/custodian of the data to classify the data. However, all individuals accessing data are responsible for the protection of the data at the level determined by the owner/custodian of the data as mandated by law. Any data not yet classified by the owner/custodian shall be deemed Confidential. Access to data items may be further restricted by law, beyond the classification systems of the NDUS or NDSU.
Best Practices for Sensitive Data:
- All data must be classified.
- All data access must be authorized under the principle of least privilege and based on minimal need.
- All access to confidential data must be authenticated and logged.
- When an individual who has been granted special access changes responsibilities or leaves employment, all their access rights must be reevaluated and any unneeded access removed.
- When necessary, data transmission and storage should be encrypted.
Protect Social Security Numbers:
Do not use SSNs as a key field or as an identifier for files, spreadsheets, databases, and correspondence. If possible, avoid including the SSN in any type of file or document; use the EmplID or Student ID instead.
If there is a business need to use the SSN in files and documents, the data must be secured and available only to those who have a need to know.
If you use a laptop and travel, it is recommended that the laptop's hard drive be encrypted.
Never attach documents containing SSNs or other personally identifiable information to email. It is possible the transmission may not be secure.
For more information on the protection of SSNs, please see http://www.ndsu.edu/vpfa/ssn_management/ .
Protect Credit Card Data:
Credit card information is protected under the Payment Card Industry Data Security Standards and by various federal and state laws. When accepting, using, and storing credit card information, these guidelines must be followed.
- Do not store the full credit card number. If there is a business need to store credit card information, only the last four digits can be stored electronically or in hard copy.
- Do not store the CVV2 (credit card validation value, the three digits located on the back of the credit card).
- Do not store the expiration date.
- Credit card receipts must only show the last four digits of the card. The CVV2 and/or the expiration date must not be printed on the receipt.
- Do not accept credit card information over e-mail.
- If credit card information is received over voice mail, delete it immediately.
- Within the office/college, there must be separation of duties for accepting and processing credit cards.
NDSU uses a secure third party vendor, TouchNet, to accept credit cards. Please contact NDSU Customer Account Services, Karin Hegstad or Carrie Peterson, for more information on how to use this service. For more information on credit card information and its safekeeping, please read NDSU policy 509, Electronic Financial Transactions, and the NDSU Red Flag Identity Theft Prevention Program document.
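The storage and receipt rules above, as an added example (not NDSU's own code): a small Python sanitizer that keeps only the last four digits of the card number, drops CVV2 and the expiration date before anything is stored, plus an audit check for records that still hold forbidden data. The card number used is a constructed test value, not a real card.

```python
"""Added example (not NDSU's code): enforce the card-data rules above.
Only the last four digits of the card number may be kept; CVV2 and the
expiration date are never stored or printed. All values are constructed."""
import re

# Fields that must never reach storage or a receipt.
FORBIDDEN_FIELDS = {"cvv2", "expiration"}


def last_four(pan: str) -> str:
    """Return only the last four digits of a card number."""
    digits = re.sub(r"\D", "", pan)          # drop spaces and dashes
    if not 13 <= len(digits) <= 19:           # card number lengths in use
        raise ValueError("not a plausible card number")
    return digits[-4:]


def mask_pan(pan: str) -> str:
    """Display form for a receipt: every digit hidden except the last four."""
    return "*" * (len(re.sub(r"\D", "", pan)) - 4) + last_four(pan)


def sanitize_for_storage(record: dict) -> dict:
    """Build the only record that may be stored, on disk or on paper: the
    full number becomes its last four digits and the forbidden fields are
    dropped, whatever the caller passed in."""
    clean = {k: v for k, v in record.items()
             if k not in FORBIDDEN_FIELDS and k != "pan"}
    clean["last4"] = last_four(record["pan"])
    return clean


def receipt_line(record: dict) -> str:
    """One receipt line; shows the last four digits and nothing else."""
    return f"{record.get('cardholder', '')} card ending {last_four(record['pan'])}"


def contains_forbidden_data(stored: dict) -> bool:
    """Audit check on a stored record: True if CVV2/expiration survived or a
    13-19 digit run (a full card number) leaked into any value."""
    if any(k in stored for k in FORBIDDEN_FIELDS):
        return True
    return any(re.search(r"\d{13,19}", str(v)) for v in stored.values())


if __name__ == "__main__":
    # Constructed sample; the number is a widely used test value, not a real card.
    sample = {"cardholder": "J. Doe", "pan": "4111 1111 1111 1111",
              "cvv2": "123", "expiration": "12/25", "amount": "42.00"}
    stored = sanitize_for_storage(sample)
    print(stored, "|", receipt_line(sample), "|", contains_forbidden_data(stored))
```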
October 29, 2013
Everyone keeps saying you should backup your computer, what does this really mean?
In light of some recent virus activity out on the Internet, a good backup is crucial in cases where a file has been corrupted or encrypted by an Internet Black Hat. So what is it?
A backup is essentially a copy of files that you specify, stored in a secure way, so that in the event of something bad happening to those files on your computer you can easily restore them to their original state. There are all kinds of different types of backups:
· A Full Backup – All files are copied
· Incremental – Only files that have changed since the last backup are copied
· Versioning – Files are backed up as changes are saved
Backing up your computer can take some work and some storage space, but if something were to happen to those files that you have done significant work on and you don’t have a backup, you get to do all that work again.
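An added example (not part of the original post) of the difference between a full and an incremental backup: a manifest of file hashes records what was copied last time, so the next run copies only the files that changed. The directory layout and the `manifest.json` file are constructed for the demonstration.

```python
"""Added example (not from the NDSU post): full backup, then incremental.
A manifest of SHA-256 hashes from the previous run decides which files
changed; only those are copied. All paths are constructed in a temp dir."""
import hashlib
import json
import os
import shutil
import tempfile


def file_hash(path: str) -> str:
    """SHA-256 of a file's contents; a changed hash means the file changed."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def backup(src: str, dest: str, manifest_path: str, full: bool = False) -> list:
    """Copy files from src into dest; return the relative paths copied.
    full=True (or no manifest yet) copies everything; otherwise only files
    whose hash differs from the previous run's manifest are copied."""
    previous = {}
    if not full and os.path.exists(manifest_path):
        with open(manifest_path) as f:
            previous = json.load(f)
    current, copied = {}, []
    for root, _, files in os.walk(src):
        for name in files:
            path = os.path.join(root, name)
            rel = os.path.relpath(path, src)
            current[rel] = file_hash(path)
            if previous.get(rel) != current[rel]:      # new or changed file
                target = os.path.join(dest, rel)
                os.makedirs(os.path.dirname(target), exist_ok=True)
                shutil.copy2(path, target)
                copied.append(rel)
    with open(manifest_path, "w") as f:               # record this run's state
        json.dump(current, f)
    return sorted(copied)


def demo() -> tuple:
    """Constructed scenario: full backup, edit one file, incremental backup."""
    work = tempfile.mkdtemp()
    src, dest = os.path.join(work, "src"), os.path.join(work, "backup")
    os.makedirs(os.path.join(src, "docs"))
    for rel in ("docs/thesis.txt", "notes.txt"):
        with open(os.path.join(src, rel), "w") as f:
            f.write("original " + rel)
    manifest = os.path.join(work, "manifest.json")
    first = backup(src, dest, manifest, full=True)    # copies both files
    with open(os.path.join(src, "notes.txt"), "w") as f:
        f.write("edited")                             # only this file changes
    second = backup(src, dest, manifest)              # copies just notes.txt
    shutil.rmtree(work)
    return first, second
```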
October 28, 2013
What is this two-factor authentication thing I keep hearing about?
In order to authenticate (decide if you should have access to something), there needs to be something that sets you apart from everyone else. There are typically three things that can set you apart.
- Something you know – a password or passphrase
- Something you have – a special USB drive or RFID chip
- Something you are – a DNA sequence or fingerprint
Any of these things can be unique to you and in normal circumstances would be enough to set you apart; however, passwords are becoming easier to crack, fingerprints are easy to lift from objects you have touched, and technology has allowed the cloning of RFID chips just from being in close proximity. So these days, two-factor authentication is in place on many different services. This authentication method uses two of the factors above, typically a password and a device like a smart phone with an authentication application. However, there have been some advances in fingerprint technology that can be used as well.
October 25, 2013
I use a very difficult password for everything, so I shouldn’t be worried about being attacked.
There is a little tiny something about passwords that scares me just a little bit: in three days, a standard laptop computer sold in the store today can crack an eight-digit password consisting of upper and lower case letters, numbers, and special characters. Adding 2 more characters pushes that time to 58 years, and a 16-character password will take 12 trillion years to crack. Special password-cracking rigs with large arrays of video cards can significantly shorten the time needed.
One thing that you can do to protect yourself is to use a different password for each service that you need a password for. But, you say, how can I maintain all those passwords? One suggestion would be to use a password manager; these tools allow you to store hundreds of passwords along with notes and expiration dates of accounts. Many allow you to store all of those passwords in a single encrypted database protected by a single password, and some will also create randomly generated passwords to use on services. I would recommend against using an online password storage service, as you would be giving the keys to your kingdom to some stranger who is hanging them on a very large board.
October 21, 2013
But, my email is safe now, right? I mean SPAM is way down, and AV catches all the really bad stuff, right?
E-Mail, or Electronic Mail, is still one of the easiest ways to communicate information across the Internet, and in many ways it has become a much safer route than it was years ago. However, there are still a few threats that linger on this old reliable dusty trail.
There are still a few Internet Bad Guys that use email for sending malicious attachments, so we recommend that you disable the automatic downloading of attachments; many modern E-Mail applications by default disable even the downloading of pictures embedded in E-Mails. Keep the defaults if this is the case. If you do download attachments, it is a good idea to scan them with your anti-virus software before you run or open them.
Of course the biggest threat via e-mail these days is Social Engineering. Responding to someone claiming they are from your IT department or an account representative who needs your credentials to activate or maintain your account will most likely lead to your account credentials being posted on PasteBin for the entire world to see and use. So if you receive an E-Mail asking for any credentials, do not respond and throw it away.
October 10, 2013
We were taught to share our things, and now you tell us that sharing on the internet is bad. What's the deal?
Copyright law is kind of a strange beast in itself. So what is the deal? Current copyright law in the United States can be found in Title 17 of the United States Code, and it states that an artist has a “limited duration monopoly” on anything that they create. When you purchase media you are agreeing to consume it for yourself and not to distribute it without the permission of the copyright holder. This is in place to make sure that the “limited duration monopoly” is kept in place and that the copyright holder is compensated for the work that they have done. By sharing these works you may be violating Federal and State copyright laws. There are many resources on the internet for consuming media for “free”
Another problem that can arise from sharing is that along with the media you download you may get some malware, or, depending on the software you choose to use, you may be opening your computer for thousands of other people to peruse and take what they like.
So, despite what you have been taught or what you continue to teach, sharing on the Internet, while getting you that song you want, may get you a large fine or put your data in the hands of people that you never want near it.
October 9, 2013
I took some awesome photos of that party last night; it won’t hurt to post ’em, right?
That fear tactic used years ago about behavior going on your permanent record wasn’t really true, that is, until the recent advent of online social media. Now you can post a picture of some of your more colorful activities, and those pictures could spread across the internet faster than kitten pictures on imgur.com. You may even try to remove those pictures from your account; however, all it takes is a right click or a key combination and that picture is on someone else’s computer. From there it would be just a small step for them to share that picture with everyone else on the Internet.
Job recruiters fully admit to using online social media to “take a peek” at the people they may potentially hire. Having pictures of some of those colorful moments may not be the best thing to be showing potential employers, members of upper management, or the press.
Instead, post things that you are passionate about, those things that make you smile and things that tell the world about you and what you want to accomplish in life.
October 8, 2013
If this guy on the phone tells me he is affiliated with Microsoft, should I let him install software on my computer?
There have been some scams recently involving former Microsoft partners. In these scams a person receives a call from someone claiming to be from a Microsoft Gold Partner, stating that your computer has been the victim of a virus. They will walk you through running a command that displays a certain number to “verify” that this is indeed the computer; this number is the same on all Windows-based computers. They will then ask you to allow them to remote control your computer and ask to install a special antivirus software on it. This antivirus software will require that you pay for updates and special filters in order to work correctly.
There is very little recourse for credit card charges of this type. Some credit card companies do offer refunds for this scam, but for the most part, if you install this antivirus software you will be stuck with those charges. Microsoft has dropped a Gold Partner that was found running this type of scam; however, the company does not operate out of the United States and there is little that can legally be done.
If you do receive this kind of call, please hang up on the individual: asking to be put on a Do Not Call list will not do anything, fighting with the caller will not accomplish anything, and most importantly, do not give these people your credit card information, because you will not get it back.
October 7, 2013
This software is great, why don’t I have to pay for it?
Free (as in pizza) software usually does have a cost to it: someone, sometime, somewhere invested significant capital or resources into making the software. One of the many things you need to watch out for when installing software is what other software may be piggybacking on it. Some software updaters will install a toolbar if you are not careful. This piggybacked software may be on your computer to watch where you go on the Internet and sell that information to advertisers; some may be direct advertising causing popups.
Don’t get me wrong, there is some “Free” software out there that is great to use; however, you really need to be careful about the documentation and the licensing agreements that you are agreeing to by clicking Yes or OK.
October 6, 2013
I just click OK when this EULA thing comes up, is that really OK?
The End User License Agreement (EULA) is there to protect the software manufacturer and, to a lesser extent, yourself. It is a legal document that states what you can and cannot do with the software that you are installing on your computer. However, it also states what the software can do with any information that you may give it, and what other software may be piggybacking on the software that you are installing. (Free software means someone has to be paying for it somehow.) There may be language saying that you agree that the software manufacturer may sell your information to anyone they choose. By clicking OK on this document you are legally agreeing to everything that is in the EULA, and could have a difficult time correcting the issues that may arise. If you have difficulties finding or even understanding the EULA for the software that you are potentially installing on your computer, you may want to rethink installing it.
October 4, 2013
How can Free Internet be a bad thing?
When traveling, whether in an airport or a hotel, you may see an access point called “Free Internet” or something similar. The icon may seem a bit different, but hey, when was the last time you got something for free? Don’t connect to this access point! There are people out there who have two or more wireless cards in their computer: one is connected to the Internet, and the other allows people to connect to it as they would connect to a wireless access point. “Why would they do this?” you ask. Traffic is the answer, more specifically your traffic. Essentially it boils down to this: if you connect to these Ad-Hoc networks, all your traffic goes through that computer before it goes out to the Internet, so the owner of that computer has access to your data. You should disable the ability to connect to Ad-Hoc networks; see the link below.
October 3, 2013
This updater thing keeps popping up, people have told me not to click OK on popups. How do I know I should click OK on this thing?
There is a difference between application popups and Internet popups. An Internet popup is typically an advertisement for some product that may also have an ad on the web page you are viewing. These popups can start playing music or videos to get your attention, because they want you to click on them, which can cause many different things to happen, like installing their software or malware. These types of popups are usually characterized by sounds, flashing text, or dire warnings; some look like Windows applications starting to do something. These popups can usually be shut down by clicking the X in the upper right hand corner of the window, or by pressing Ctrl-Alt-Delete, running Task Manager, and closing the offending application.
Application popups such as the Java, Adobe, or printer updaters will generally appear in the lower right hand corner of your screen and will let you know that they are only there to update existing software. It is recommended that you do install these updates, as they apply security patches to your applications.
One thing to be aware of when installing these updates is that some of these applications will also try to install other software, so before clicking YES or OK make sure you read and understand what you are saying yes to.
October 2, 2013
Do I have permission to access all your information?
Permissions in the cyber world are everywhere, from who has access to your credit card information, to who can see the shopping list that you store in the cloud for easy retrieval during your shopping trips, to who can see all of your friends’ pictures on a social media site. When you are installing a new app on your phone, device, or social media profile, take a close look at what you are giving the writer of that application access to. If you question some of the access that is granted, you should be questioning whether or not you should be installing the application in the first place.