UC Santa CruzInformation Technology Services
Home About ITS Service Catalog News and Events Policies and Guidelines IT Governance ITS Staff Site ITS Job Opportunities ITS Frequently Asked Questions ITS Feedback Form
A-Z Index | Find People

Information Security Team
Communications Building
1156 High Street
Santa Cruz, CA 95064
Phone: (831) 459-HELP

SECURITY Home
Technical Alerts
Tips, Tricks and Tools
Detecting a Breach
Reporting an Incident
Prevention
Anti Virus
Policies
Security Services
Additional Resources
Security Training
Best Practices
Restricted Data Resources
About Our Team

Other UCSC Links:
UCSC Home
MyUCSC
ResNet
UCSC Library
AIS Home

Maintained by secweb@ucsc.edu
Last Reviewed on Oct 26, 2004

© 2008 The Regents of the University of California

 

Practices for Protecting Electronic Restricted Data: A Quick Reference

These practices were endorsed at the March 30, 2006 meeting of the Information Technology Security Committee and are updated periodically.

| Definitions | Practices for Protecting Restricted Data | Getting Help | Additional Resources |

Printer-Friendly Format (PDF 434K)

 

Introduction:

Because of its very nature, restricted data must be protected from unauthorized access or disclosure. The following practices are designed to provide realistic, achievable steps for protecting this information. For questions or additional information about any of these practices, please see "Getting Help."

Please note: This document is intended to be a “quick-reference” only. For a more comprehensive list of practices for protecting electronic restricted data, including additional responsibilities for Managers and Service Providers, please see the UCSC Practices for Protecting Electronic Restricted Data.

 

 

Definitions:

Restricted Data: The University of California has defined “restricted data” as “any confidential or personal information that is protected by law or policy and that requires the highest level of access control and security protection, whether in storage or in transit.”

At UCSC, restricted data includes, but is not necessarily limited to

  • Personal Identity Information (PII)
  • Electronic protected health information (ePHI) protected by Federal HIPAA legislation
  • Credit card data regulated by the Payment Card Industry (PCI)
  • Records of students who have requested "Non-Release of Public Information" under the Federal Family Educational Rights and Privacy Act of 1974 (FERPA)
  • Information relating to an ongoing criminal investigation
  • Judge-ordered settlement agreements requiring non-disclosure
Please see ITS’ online glossary for information about many of these types of data.

 

Practices for Protecting Electronic Restricted Data, including PII:

  1. Securely delete restricted data when there is no longer a business need for its retention on computing systems. Always shred or otherwise destroy restricted data before disposing of it.
    • See the following IT Request FAQs for information on how to securely delete files: Mac / PC

  2. Truncate or de-identify restricted data that you must retain whenever possible.

  3. Implement the following protections for all intact restricted data you must retain:

    1. Be sure that you have proper authorization prior to accessing restricted data, and never share or discuss restricted data with unauthorized individuals.


    2. Always store the minimum amount of restricted data necessary for completing job functions, and remember #1, above.


    3. Use cryptic passwords that can't be easily guessed, and protect your passwords
      • Good, cryptic passwords use a mixture of upper and lower case letters, numbers, and symbols; are at least 8 characters in length (or longer if they’re less complex); are difficult to guess and easy to remember (so you don’t have to write them down).
      • Don’t share your passwords or private account information.
      • Use different passwords for accounts that provide access to restricted data than for your less-sensitive accounts.
      • For more information, see the UCSC Password Strength and Security Standards.


    4. Make sure your computer has all necessary OS and third-party application security updates or “patches,” as well as anti-virus, and that you know what you need to do, if anything, to keep them current.


    5. Ensure proper physical security of electronic and physical restricted data.
      • Secure your work area before leaving it unattended.
        • Lock up portable equipment and sensitive materials (take keys out of drawers)
        • Lock windows and doors
        • Never share your access code, card or key, or hold secure doors open for people you don’t know
      • Physically secure (lock down) workstations whenever possible.
      • Don’t leave sensitive information lying around, including on printers, fax machines, or copiers.
      • Be especially careful with portable electronic devices that store restricted data (such as laptop computers, CDs/floppy disks, memory sticks, PDAs, data phones, etc.). These items are extra vulnerable to theft or loss.
        • Don't keep sensitive information or your only copy of critical data on portable devices unless they are properly protected.


    6. Secure laptop computers at all times; keep it with you or lock it up before you step away, even for a very short time.
      • At all times: in your office, at meetings, conferences, coffee shops, etc.
      • Make sure it is locked to or in something permanent.
      • Take special care with a laptop that includes restricted data; in the event of theft, not only will the laptop be lost, any restricted data on it will be compromised.
      • Laptop lockdown cables are available at the Bay Tree Bookstore and most computer or office supply stores.


    7. Be safe on the Internet: Don't provide personal or sensitive information (including your password) to Internet sites, surveys or forms unless you are using a trusted, secure web page.
      • Look for “https” in the URL and the little locked padlock that appears in the corner of most browser windows to indicate that there is a secure connection.
      • Don’t click on unsolicited web links, including in email or pop-ups. Just opening a malicious web page can infect a poorly protected computer, so be aware of where you are going before clicking on a web link.
      • Instead of clicking on an unsolicited link, look up web pages you are interested in on your own and go there directly (use a search engine such as Google or Yahoo).


    8. Practice Safe Emailing:
      • Don't open email attachments or click on website addresses in emails unless you really know what you're opening.
      • Delete spam and suspicious emails; don’t open, forward or reply to them.
      • Email that contains restricted data must be treated with care and should not be preserved any longer than absolutely necessary.
      • Make sure your email client (Eudora, MacMail, Outlook, etc.) is configured for secure authentication and secure sending and receiving of email. Configuration information is available on the CruzMail website.
      • Configure your email client to delete attachments when emptying the trash. Most email programs have this choice in the preferences, settings, or options.
      • Contact the ITS Support Center with email questions or problems.


    9. Shut down, lock, log off of, or put your computer to sleep before leaving it unattended, and make sure your computer requires a password to start up or wake-up.
      • <ctrl> <alt> <delete> or Windows-L on a PC;  Apple menu or power button on a Mac.


    10. Additional cautions about storing restricted data:
      • Be sure you know who has access to folders before you put restricted data there!
      • Don’t put sensitive information in locations that are accessible from the Internet.
      • Don’t send or download restricted data to an insecure or unknown computer.


    11. Restricted data should be encrypted when it is transmitted. This includes email, remote access and workstation/server communications.
      • If you send files or attachments containing restricted data, work with ITS to set up a way to send them securely.
      • Avoid standard (unencrypted) email and unencrypted Instant Messaging (IM)


    12. Disposal and Re-Use: Restricted data must be destroyed or completely and securely removed from computers and electronic media (including backups) before disposal, re-use or re-assignment. See #1, above, for links to tools.


    13. Don’t use actual restricted data in test or development systems, or for training purposes. If actual restricted data must be used, it must be protected appropriately.


    14. Don't install unknown or unsolicited programs on your computer. These can harbor behind-the-scenes computer viruses or open a “back door” giving others access to your computer without your knowledge.


    15. Be sure your workstation is set up so that unauthorized people and passers-by cannot see the information on your monitor.


    16. Immediately report suspected security incidents and breaches to your supervisor and the ITS Support Center. If no one is available, contact the ITS Security Response Team at security@ucsc.edu.
      • Report lost or missing University computing equipment to your supervisor and the Campus Police, and to the local authorities if the incident occurred away from campus.


    17. Be familiar with UC and UCSC policies relating to restricted data. Links to many of these policies are available on the ITS Security Awareness website’s “Restricted Data Resources” page. Also applicable are the Policies for Use of UCSC Computing Facilities, and any specific non-disclosure agreements that apply to information that you work with.

 

Getting Help:

For questions or additional information about any of the above practices, please contact the ITS Support Center (also 459-HELP, help@ucsc.edu) or your ITS Divisional Liaison.


 

Additional Resources:


Rev. 2/4/08