Ohio University is open

Portion of West Union Street remains closed following multiple structure fire. More Information
 
OIT Tech 32px
security_4

Secure Data Online

What is Sensitive Data?

Sensitive data is information not available through normal public channels that presents the potential for individual or institutional harm if disclosed.  Examples include but are not limited to:

  • SSNs
  • Other personal data that can be used to facilitate identity theft.  Name, address and phone number are not sensitive by themselves; however, they do become sensitive when stored in conjunction with items like date of birth, mother’s maiden name, etc. or when they belong to someone who has invoked their FERPA rights.
  • Credit card and bank account numbers
  • Medical or educational records
  • Any other confidential, protected, or financially valuable data, like:
    • Grade lists that include personally identifiable information
    • Trade or research secrets
    • Patent information

back to top…

Dealing with Sensitive Data - The Three Es

EVALUATE 

  • Do you use SSNs to identify individuals who need your services?  If so, why? 
  • If you archive SSNs, medical records, grade reports, or other sensitive data, do you really need to, or are you keeping the data around ‘just in case’? 
  • Do you have paper files that contain sensitive data?  If so, are they stored securely?

ELIMINATE

This may seem obvious, but the single best way to protect sensitive data, especially personal information, is not to collect it in the first place! 

  • Do not use SSNs to identify your clients.  OHIO offers several identifiers that can be used in place of SSNs, including Oak IDs and P Numbers.  Consider using one of these.
  • For historical data that must be kept (past grade reports, customer contact databases, lists of research subjects), keep only the fields you need and delete the others.  Unless required by law, do not keep SSNs.

ENCRYPT

If you must keep sensitive data on a workstation or notebook, you should encrypt that data, both on the drive and when sending it over the network. Doing so ensures that the data cannot be read by others.

  • We recommend the following encryption methods for Windows and Mac systems:
  • If you must transfer sensitive data onto removable media like a CD/DVD or memory stick, make sure the data’s encryption is preserved during the copy process. 
  • Never pass sensitive data over the network unless you know the connection is secure.  Examples include: 

 

Secure

Insecure

Web Pages

https

http

Terminal Sessions

SSH

telnet

File Transfers

SFTP

FTP

back to top…

Where to Store Sensitive Data

The decision to collect and store sensitive data should not be taken lightly.  If you have not yet done so, step through the Three Es described above to make sure you really need the data you are collecting. 

If you must handle sensitive data, here are a few guidelines regarding common storage options:

  1. No Storage – Do you really need to archive sensitive data like SSNs, or is it simply convenient to do so?  If the latter, you should rethink your business process.
  2. Desktop Computer Hard Drive – Storing sensitive data on a personal computer places a great deal of responsibility on you as the computer owner.  If you choose to do so, you should:
  • Follow safe computing practices
  • Encrypt your data
  • Store password(s) separate from your computer
  • Restrict access to your computer
  1. Removable Media – Memory sticks, USB flash drives, CDs, DVDs and other removable media are poor options for storing sensitive data, since they are easily lost or stolen.  You can keep backups on removable media; however, the data should be encrypted, the media kept under lock and key, and the password(s) stored separately from the encrypted items.
  2. Laptop Computer – Due to their easy portability and popularity with thieves, laptops are not good places to keep sensitive data.  If you must store sensitive data on a laptop, you should:
  • Follow safe computing practices
  • Encrypt your data
  • Set a password in your laptop’s BIOS
  • Store password(s) separate from your laptop
  • Activate and use your laptop’s security chip (if installed)
  • Never leave your laptop unattended while traveling, and do not store it in a vehicle.  A laptop that contains sensitive data should never leave your person at any time while you are on the road.
  1. Network Server – Some issues to consider if you decide to store your data on a network server:
  • Access should take place only over secure connections – SSH, https, SFTP, etc. 
  • Do not have your PC remember your username and password.  Instead, type them in by hand each time you log in.
  • Make sure that only those individuals who need access to your data are granted accounts.
  • Insure that physical access to the server is restricted. 
  • Make sure that your server’s administrator understands and follows industry best practices for security and maintenance. 

back to top…

Who is Responsible?

If you keep sensitive data on a computer you own or control, then YOU are responsible for making sure that data is secure.  This includes following safe computing practices and using encryption.  For data that is stored on a server, the server owner/administrator normally is responsible for security practices on that machine; however, individuals who collect and store sensitive data on a server are not absolved of responsibility should a breach occur.