William and Mary

Standard for Securing Sensitive Data

This standard sets the minimum requirements for securing sensitive University data in electronic or physical form that is collected, stored, processed, received, sent, or maintained by or on behalf of the College.

Scope 

This standard applies to the College of William and Mary, including the Virginia Institute of Marine Science (together, the university). It applies to all university data, and all faculty, staff, students, and affiliates of the College are required to comply.

 Definitions 

i.  Sensitive university data:  data that the university is obligated to protect, whether by law, contract, or policy.  This includes:  

a. Personal information including social security number, driver's license number, bank account number, credit/debit card number, passport number, and full name in conjunction with a corresponding date of birth;

b.  Information Technology system account passwords;

c. Student records, which are protected by FERPA;

d. Personally identifiable financial information (these records, which are protected by the Gramm-Leach-Bliley Act, generally will also be either personnel or student records);

e. Personal information collected from a donor, alumnus, or other individual;

f. Proprietary vendor information;

g. Health records, which are protected by the Virginia Health Records Privacy Act; and

h. Attorney-client communications.

 Sensitive data does not include information in the William and Mary directory or data that is made public by the University.  

 Banner identification numbers are not classified as sensitive data, but they are subject to certain rules provided below. 

Research data, including copyrighted materials and intellectual property, in any form, electronic or otherwise, should also be protected using reasonable and commonly accepted security practices.

ii.  Non-sensitive university data: All other university data. Examples include:

a. Most internal correspondence;

b. Minutes from administrative meetings, other than meetings open to the public; and

c. Budget reports for a department or unit.  

Standard 

i.  Collecting Sensitive Data. There are laws relating to university collection of sensitive data.  The legal restrictions most commonly impacting the university are summarized below.  For additional information contact the Office of Legal Affairs.

 a. Sensitive data may only be collected, maintained, used, or disseminated as necessary to accomplish a proper academic or business purpose of the university or as required by law. For a partial list of laws requiring or permitting data collection by the university, see Appendix A.

b. Individuals or units requesting or collecting sensitive data must communicate why the sensitive data is being collected, how it will be used, and, if applicable, any consequences of not providing it.

c. Individuals have the right to inspect and challenge, correct, or explain their personal information (as required by Section 2.2-3806(A)).

 ii. Sending and/or Receiving Sensitive Data in Electronic or Physical Form. The following restrictions apply both to internal data transmissions (such as sharing files with another university employee) as well as transmissions to outside parties.  

a. Sensitive data sent and/or received electronically must be secured using encryption technology, a secure web transfer, or the Secure File Transfer Protocol. Other acceptable methods include transferring files between network drives on the University's internal network or using the University's secure web file system (wmfiles.wm.edu). The university's email system is not designed to support the transmission of sensitive data securely. If email must be used to transmit sensitive data, individuals are instructed to contact the Information Security Office for guidance on securing the data.

b.  Routine exchange of sensitive data with a third party requires a signed interoperability agreement or other contract describing which party is responsible for securing sensitive data in transit and how the data will be secured, and any specific confidentiality obligations.

c. For any other release of sensitive data by the university to a third party, the sender must ensure that the third party is aware of the applicable confidentiality obligations.

d. Sensitive data sent in physical form, such as through the post office or interdepartmental mail, must be secured in a sealed envelope or similar method and marked confidential. 

e. Faxing sensitive data is permitted provided that the recipient is notified in advance and is available to retrieve the fax immediately following transmission or able to secure it upon receipt (i.e., receiving a fax in an office that is only accessible by the recipient). Individuals receiving faxed documents with sensitive data are responsible for securing the document after receipt.

 iii.  Storing Sensitive Data

a. Sensitive data should be kept on University administered servers that comply with the University's Minimum Security Standard for University Servers (docx). If sensitive data must be stored on mobile electronic devices, including but not limited to laptops, CDs, flash or thumb drives, cell phones, and/or personal computing devices (e.g., Blackberries), the sensitive data must be encrypted according to the College's Data Encryption Standard (docx) and said devices must be password protected.

b. Sensitive data saved in non-electronic form (e.g., paper or a white board) must be protected from unauthorized access when left unattended and destroyed when it is no longer needed. For example, papers with sensitive data cannot be left on an unattended desk but instead must be filed in a locked cabinet or a locked office.

c. Individuals are strongly discouraged from storing sensitive data on a personally owned PC or laptop. Individuals working from home or whose job duties or work environment require storing sensitive data on a personally owned PC or laptop should contact the Information Security Office for assistance.

 

iv. Banner Identification Numbers ('93#'). 93#s are internal use data and so may not be used, disclosed or shared without a legitimate business or academic purpose. The following additional restrictions also apply:

a. 93#s can only be stored on university owned or leased computers.

b. 93#s can only be emailed to an internal university email address (@wm.edu, @vims.edu, or @mason.wm.edu). Emailing 93#s to personal mail accounts or mail accounts with third party providers is prohibited.

c. Sending 93#s to a third party requires an interoperability agreement or contract language detailing how the third party will secure the 93#s.

v.  Destruction of Electronic Media Containing Sensitive Data 

a. Electronic media, including computers, jump or flash drives, CD/DVDs, or servers on which sensitive data has been stored, must be disposed of according to the university's Standard for the Disposal of Electronic Data.

 Enforcement

 Any accidental or improper disclosure or suspected misuse of sensitive data should be immediately reported to the appropriate University official.

 Authority

 This Standard was approved by the Chief Information Officer on May 1, 2010.

 Related Policies and Standards

 

i. Minimum Security Standard for University Servers (docx)

ii. Data Encryption Standard (docx)

iii. Standard for the Disposal of Electronic Media

iv. University Policies on Records Management

v. Government Data Collection and Dissemination Practices Act


Appendix A

 

State and Federal Laws Regarding Data Collection

Partial List

 

 

Virginia Regulations  

§ 2.2-3800 Government Data Collection and Dissemination Practices Act

§ 2.2-3700-2.2-3714 Virginia Freedom of Information Act

§ 23-2.1 Collection and dissemination of information concerning religious preferences and affiliations

§ 23-2.1:1 Access to campus and student directory for certain persons and groups

§ 23-2.1:2 Retention of certain documents; authorized

§ 23-2.1:3 Students' high school records

§ 23-2.2 Reporting of certain students issued student visas

§ 23-2.2:1 Reporting of enrollment information to Sex Offender and Crimes Against Minors Registry

§ 32.1-127.1:03 Virginia Health Records Privacy Act

 

Federal Regulations

20 USCS § 1232g Family Educational Rights and Privacy Act (FERPA)

106 P.L. 102 Gramm-Leach-Bliley Act