Protect your sensitive data
February 9, 2012
DePaul faculty and staff work with a wide variety of sensitive data – from salary information and students’ grades to Social Security and credit card numbers – that could lead to costly consequences if it falls into the wrong hands.
The DePaul community is reminded of information security rules annually during mandatory general compliance training, which is available online each year from November to January. Additional faculty and staff training is offered for those who access data that must comply with federal laws, such as the Family Educational Rights and Privacy Act (FERPA).
To further reduce the risk, DePaul’s Office of Institutional Compliance encourages everyone to follow some easy rules of thumb.
Who has access?
Only faculty or staff who have a legitimate educational or business purpose are granted access to confidential or sensitive data. Still, supervisors should keep track of their employees’ access levels, said Emily Opalski, director of the Office of Institutional Compliance. If someone leaves the department or no longer has reason to use a particular database, she says, those privileges should be discontinued or transferred to a more appropriate person.
In the past, DePaul employees have faced disciplinary action for misusing access to confidential databases, a security breach that could run afoul of FERPA and lead to DePaul being penalized. “Just because you can access a database doesn’t mean you should,” Opalski says.
At other universities, simple human error has led to the accidental public release of sensitive information, including Social Security numbers, though DePaul has minimized the risk of exposing that type of data by strictly limiting access to full Social Security numbers.
What if my laptop is lost or stolen?
Stolen or lost laptops can jeopardize sensitive data, especially if the laptop isn’t locked by a password. If you download sensitive information to a laptop or even a desktop, DePaul policy mandates that the file be encrypted. To learn more about encryption, e-mail questions to email@example.com. A lost laptop that has device-tracking software installed has a better chance of being found.
Setting a password is another easy way users of desktop computers, laptops, cell phones, iPads or other tablets can protect themselves. “Oftentimes there’s work-related or personal information on those devices,” Opalski says. “If you lose a cell phone or iPad, you don’t want someone to access your email and personal contacts.” For the password to be secure, she said, it should use a combination of capital and lowercase letters, numbers, and symbols. Once that password is set, it should never be shared.
The Information Security Policy requires that data breaches be reported to the director of Information Security at firstname.lastname@example.org. Anyone who suspects misconduct related to security breaches or a loss of sensitive data should contact his or her supervisor or call the anonymous Misconduct Reporting Hotline at 877-236-8390.