Frequently Asked Questions
Why do I want to search for confidential information on my computer?
SSNs are highly confidential and legally protected information. The University is committed to protecting an individual's SSN. Many NDSU faculty and staff over the course of their employment have used SSNs as identifiers for individuals, or have collected other pertinent personal data such as addresses and dates of birth. These data elements are classified and must be protected. Faculty and staff have the responsibility to protect or remove the information if it is no longer need for the course of their job functions. It is important to ensure that if you have this information you either remove it or protect it.
What information is considered confidential and protected?
Confidential information is information that NDSU is under legal or contractual obligation to protect. Confidential information includes, but is not limited to, SSNs and credit card numbers. For additional specific examples of confidential information, please see the NDUS Data Classification and Information Technology Standard.
Why should I protect confidential information?
Certain information, by its nature, requires protection. Additionally, there may be contractual or legal penalties for failure to maintain proper confidentiality. As an employee of NDSU, you have an obligation and responsibility for the security and privacy of the information that you store, send, or display using NDSU computing resources.
Confidential information, such as personally identifiable information, is often needed to perform business functions such as payroll, student financial information, and fulfillment of grant and federal law obligations. Confidential information, if breached or compromised, could have serious implications for NDSU including financial losses and damage to the University's reputation. For the person whose information has been compromised, there is the potential risk of identity theft.
Who is responsible for classifying information as confidential?
Information is usually classified according to federal and state regulations. Based on those regulations, the North Dakota University System has developed and implemented a data classification standard.
I need to dispose of confidential information. Are there any requirements I need to follow?
Follow the procedures outlined in NDSU Policy 713 Records Retention. More information can be found in the NDSU Records Disposal Report.
What about paper documents that contain confidential information? What do I need to do to protect these documents?
There are several steps you need to do to protect paper documents containing confidential information.
Most importantly: Determine if you actually need to store confidential information in paper format.
- Storage of paper documents containing confidential information must be in a locked file cabinet located in an area that is not public and is locked when no one is present. Keys to the area and the cabinets must be assigned only to those who have a definite need for access.
- Review and update the forms that you use to collect confidential information. Eliminate the confidential data items that are not needed.
- For older forms that have confidential information such as SSNs, you will want to remove that information by blacking it out with a permanent marker or other method to block the data from view. If you have reason to believe the paper documents have been compromised, contact your supervisor and follow procedures established by NDSU.
- Follow NDSU's Records Retention policy 713 and accompanying procedure for permanent removal and destruction of confidential records.
What is encryption and how does it protect data?
Encryption is the process of transforming information (referred to as plain text) using an algorithm (called a cipher) to make it unreadable to anyone except those possessing special knowledge or a "secret key" to unlock the cipher.
I need to have confidential data on my computer. How do I encrypt this data?
If you are required by your position to work with confidential data, you will want to ensure that the data is protected and secure. There are several tools that can be used.
- Windows XP and Vista use built-in encryption called EFS (Encrypting File Systems) to encrypt the files on the hard drive of your computer. Click here for instructions on using EFS. If you decide to use EFS, it is recommended that you back up your encryption certificate, because if your certificate and key are lost or damaged and you do not have a backup, you won't be able to access and use the files that you have encrypted. Click here for instructions on how to back up your EFS certificate.
- Those using Windows 7 Enterprise and Ultimate can use an encryption mechanism called BitLocker, which is installed automatically as part of the operating system installation and will encrypt your hard drive. BitLocker is not enabled until it is turned on using the BitLocker control panel. Click here for instructions on how to enable BitLocker on Windows 7.
- Other options for those who use Windows operating systems include open-source software (free) to encrypt files and folders on the computer. Some options include Gnu PG for Windows and TrueCrypt.
- For Linux operating systems, there are several encryption options. A few popular open-source encryption tools are Gnu PG and TrueCrypt.
- For a Mac computer using the OS X version 10.2 or later, an encrypted disk image can be created to store confidential/sensitive information. Mac users can also use open-source encryption software such as TrueCrypt or Gnu PG.
IMPORTANT: With any encryption tool you choose to use, care must be taken with the key or password that you use. NDSU does not provide you with a key or password for the encryption tools mentioned in this document. If you should lose the key or forget the password, the information you have encrypted cannot be retrieved. It is important that you keep a copy of the key or password in a safe place. Recommendation: Keep a copy of the key or password in a sealed envelope. Place one copy with the administrator of your department and one copy locked in a drawer in your office. If there is an emergency, and you are not able to supply the key or password, a copy will be available for department chair/director. If you change the password or key, update the copies accordingly.
I access confidential information as part of my job duties. What do I need to do to protect this information?
- Collect and store only the information that will be needed for the business of your college or department.
- Remove/delete information when it is no longer needed or has met the standards of the NDSU Records Retention Policy 713 and the NDSU Records Disposal Report.
- Your NDSU owned computer
- Must be compliant with NDSU Policy and Procedure 1901.2; NDSU policies 158 and 710.
- All software including the operating system installed on the computer must be current with the latest updates, service packs, and patches.
- A firewall must be installed and enabled.
- Anti virus software must be installed and enabled.
- Practice good e-mail security. Never send confidential information through e-mail. By default, e-mail is not a secure transmission method, and e-mailed information could be intercepted and read. However, NDSU's e-mail system does protect your user name and password.
- If you work in a public area, the computer screen must not face the public. If the computer's location can't be changed, a privacy screen must be installed and used on the computer's monitor.
- When you leave the computer, even for short periods of time, lock the computer screen, or log off the computer.
- If you store confidential information on your computer, it is recommended your encrypt the data, especially if the computer is a laptop or other mobile device.
- Do not use your computer in areas that offer "free" or "open" wireless access, such as coffee shops and Internet cafes. These are easy targets for hackers.
- If possible, work with confidential information from a network folder or file that is provided to you by your department or the NDSU Division of IT.
- It is recommended that you do not use your personal computer for working with confidential information belonging to, or under the protection of, NDSU.
- If you suspect your computer has been breached and the information stored on it compromised, contact your supervisor or the Chief IT security officer immediately. Do not use the computer.
- Do not share your NDSU owned computer or your login and password with friends and family.
I am a system administrator for a college or department that stores confidential information. What are the requirements for keeping this information secure?
As a system administrator, you are required to follow NDSU Policy and Procedure 1901.2 NDUS Server Information Technology Security Procedure, NDUS Data Classification and Technology Standard, NDSU Policy 158and 710.
- All servers must be registered with IT. See NDSU policy 710 for more information.
- All servers containing confidential data must have methods installed and enabled to protect the data contained on the server.
- Operating systems and all software must be current with all service packs, updates, and patches.
- Anti virus software must be installed, enabled, and current with all recent signatures.
- A firewall must be installed and enabled
- Configure the firewall to allow only necessary traffic.
- Review the firewall logs regularly for inappropriate or unauthorized access.
- Configure all services to log all connections and authentication information
- Logs must be monitored on a regular basis. Any unusual activity must be reported to the Chief IT security officer or the CIO.
- Review the purpose of the computer/server and only allow services, applications, and access as they pertain to the purpose. If being used as a Web server, data or data bases should not be maintained on the same machine.
- Run only services needed for the function and purpose of the computer:
- These services must be related to the role/purpose it is serving.
- Install and configure only software that is needed for the role/purpose.
- Use SFTP or SSH. Disable Telnet and FTP.
- Disable all services that will not be used.
- The guest account must be disabled or a strong password set that only the administrator knows.
- The administrator account must be renamed and a strong password set. Only the person managing the machine should have access to the administrator account. The machine should not be run in administrator mode. Administrator mode should only be used when necessary.
- A unique login and strong password must be created for each user of the system.
- Force new users to change their password when they first log in.
- Disable or delete old accounts that belong to people who no longer need access. If using shared accounts, the password must be changed each time a user leaves or joins the group.
- Maintain physical security of the system:
- The computer/server must be located in a secure area with documentation of who has access.
- The area should be one that is not public and only accessible to those who need access. Doors and windows must be locked when not in use. A log of who has keys to the area must be kept up-to-date. Keys must be collected from those who no longer need access.
- Use of a UPS (Uninterrupted Power Supply) is recommended. It should have line conditioning for both electrical and network.
- The computer/server should be located in a climate controlled environment.
- Use screen savers or keyboard locking capabilities to prevent keyboard activity or unauthorized access.
- Maintain back-ups and operational continuity:
- Backup data on a regular scheduled basis.
- Backup and restore procedures must be tested on a regular basis.
- Fire suppression services must be available (fire extinguisher).
- A secure deletion program must be used to erase data from hard disks and media after using and prior to surplus or disposal.
- It is recommended that you develop a disaster recovery and business continuity plan.
Should I protect my own confidential information? How would I do this?
Yes, it is important that you take steps to protect your own confidential information. Protecting your information can protect you from the risk of identity theft. The Federal Trade Commission has developed information and steps you can take to protect your information and identity. This information can be found at www.ftc.gov/bcp/edu/microsites/idtheft/consumers/index.html.
I have additional questions, who can I talk to?
General Counsel's Office
Matthew Hammer - 231-6446
Finance and Administration
Gina Haugen - 231-6177
Registration and Records
Kristi Wold-McCormick - 231-7989 (student information)
Theresa Semmens - 231-5870
Jeff Gimbel - 231-6730 (software questions)
Click on the links below to learn more about protecting SSNs and other confidential information.