University of Connecticut

University Information Technolgy Services

ITPolicies

UITS Standard - Copying University Data

ISSC Committee Members

Marie Dexter
Lisa Garcia
Jim Mandeville
Pete Weinstein
Connie Tomecko

Introduction

The University of Connecticut has a responsibility to maintain high standards to secure non-public information. ‘Non-public information’ or ‘non-public data’ is defined as items of information which are from the ‘Registered Confidential’, ‘Confidential’ or ‘Internal Use Only’ classifications of University data.

University data stored, copied or accessed by computers and other electronic devices, along with printed reports containing non-public information must be secured against intentional or unintentional loss of confidentiality, regardless of physical location (off-campus or on-campus). Individuals who are authorized to access University data for University business are responsible to take reasonable measures to ensure the confidentiality and security of this data.

The purpose for this standard is to describe the reasonable measures which are expected to be taken by University Information Technology Services (UITS) staff to ensure non-public University data or information is kept confidential and secure.

Violations of this standard may result in disciplinary measures and possible legal action in accordance with University of Connecticut Law and Bylaws.

This standard applies to any and all information the University has regardless of how it is distributed and maintained, or who created it. Please refer to http://itpolicy.uconn.edu/ for all supporting policies, procedures and guidelines. (Please see Appendix A for a reference list of some of these related policies, procedures and guidelines.)

Assumptions and Definitions::

This standard assumes that individuals accessing University data have been provided proper authorization to access this data. Individuals are to access University data strictly for the purpose of conducting University business, for functions related to their job responsibilities.

There are four classifications of University Data.

• Registered Confidential - Information which exposed to any security risk or disclosed to unauthorized users, would violate Federal or State law or University contract or standard.
• Confidential - Information that is not to be disclosed externally except where required by law. Internal access is restricted to a limited group of authorized individuals on a need to know basis.
• Internal Use Only - Information that is intended to be generally releasable within the University but not publicly published. Such information may be shared externally if there is a legitimate business need to know.
• Public/Unclassified - Information that is authorized for release to the public domain in an easily accessible manner (e.g. brochures, news releases, fact sheets, marketing materials, etc.)

The classification of University data being referenced within this standard is/or includes the ‘Registered Confidential’, ‘Confidential’ or ‘Internal Use Only’ classifications. (For more information regarding the different classifications of University data refer to the University Policy on Data Classification at http://policy.uconn.edu/pages/findPolicy.cfm?policyID=347.)

The physical location for access and use of University data is assumed to be ‘on-campus’ for the purpose of this standard. A separate standard relating to the business use and access of University data off-campus will be addressed at a later time.

‘Copying University Data’ refers to the access of and/or physical movement of University data from the source record location to a different storage medium for further electronic manipulation, data transfers, or for the purpose of generating reports, whether the data is viewable from individual electronic devices or in hardcopy format.

Requirements for Copying University Data

Servers

Servers that will potentially contain confidential data must be located in a secure physical location with limited physical access, require authentication, and reside within a UConn firewall.

Confidential data is to be erased when it is no longer needed on a server. If a server is being used as a transfer conduit to another resource, the data will be erased as soon as the file is successfully transferred to its new resource.

All internal data transfers to and from servers will occur within the UITS firewall. This eliminates the need for secure file transfer protocol.

All external data transfers to and from UITS servers will use a secure file transfer method, such as SFTP or SSH. Wherever possible, files being transferred should be encrypted. This is especially true when a file cannot be transferred via a secure transfer method, including e-mail. It is understood that some transfer methodologies are governed by the state or federal governments, banks, and other agencies. In these cases, prudent methods should be followed to the extent possible.

When servers or other data storage devices are retired or scrapped, they will be cleaned, using standard degaussing tools before they are removed from a secure location. CDs containing confidential information referenced by this standard must be physically destroyed. (Please refer to the Device and Media Control Policy at http://policy.uconn.edu/pages/findPolicy.cfm?policyId=349)

The central UITS file server will be used for downloading data for individual and shared use. Each individual may be provided with a server account upon request and have the ability to request that account access to the files on this server be granted and revoked. This server will provide a secure alternative to downloading and storing data on individual PCs or sharing it through e-mail or other means. (Please refer to Instructions for connecting to the UITS Novell Central Server and Sharing Files at https://secure.uconn.edu/interuits/secure/areas/csr/tss/instructions/connect_novell.html)

To make a request relating to the UITS Novell Central File server provide your NetID, the NetID of any other UITS staff involved in the request, and the details of the request and include in your contact the Help Center using one of the following methods:

• Call the UITS Help Center at (860)486-4357 (Option 3)
• e-mail helpcenter@uconn.edu
• Open a ticket in USD and assign to the ‘help center’ group

Desktops and Laptops

Data referenced by this standard will never be copied to a desktop or laptop unless it is absolutely necessary. A possible exception to this standard might be a situation where data must be transferred to an external site and UITS servers are not available at the time. If data must be copied to a desktop or laptop, it must be immediately erased after it is moved to an appropriate location.

All UITS desktops and laptops must be locked with a password (ctrl + alt + delete) when staff leave their desks.

Laptops should never be left unattended outside of secure UITS areas.

When desktops or laptops are retired, they will be cleaned, using standard disk wiping tools. This will occur before they are removed from UITS control.

Encryption software will be used on desktops or laptops. All desktops and laptops which store University data will use hard-drive encryption software which is password-protected. This is especially important for laptops that will leave secure University work areas. (Please refer to the Instructions for Encrypting Computer File Systems at http://tss.uconn.edu/Public/fileencrypt/fileencryptionmain.htm)

Requirements When Generating Reports Using University Data

Workstation Security Issues

Hardcopy reports are typically displayed before they are printed. In some cases, these reports will only be displayed. A certain amount of caution is needed to ensure that data cannot be viewed by unauthorized individuals when it is displayed. Each individual is responsible for information that is viewable from their workstation. Unauthorized individuals must not be allowed to view a workstation while data is being displayed.

Responsibility of an individual when data is being displayed on their workstation
If an unauthorized individual approaches a workstation while data is being displayed, the owner must minimize the window that is used to display the data.

Responsibility of an individual when they are away from their workstation
A workstation must be locked down when an individual is away from their workstation. This is necessary even if data is not being displayed since the opportunity to open an application by an unauthorized individual presents a risk.

Physical Location and Storage of Hardcopy Reports

Hardcopy reports must be stored in a location that is out of view of unauthorized individuals. These reports must be destroyed when they are no longer required to prevent the data from being viewed by unauthorized individuals. Each individual who possess a report must determine the appropriate retention period and destroy the report after the retention period expires.

Distribution of Hardcopy Reports

Each individual is responsible for the security of the reports within their possession. When an individual distributes a report they must ensure that the individual that is receiving the report is authorized. If a report contains non-public data, the individual must attach a coversheet that identifies the classification of data contained in the report is non-public. This will ensure proper handling after the report leaves their possession. (Please see Appendix B for a sample Confidential Report Cover Sheet)

Destroying Hardcopy Reports containing University Data

Hardcopy reports must be destroyed in a manner that prevents them from being viewed by unauthorized individuals. Locked recycle bins are located in all physically secure UITS locations to collect these reports until they can be shredded. These bins have a slot on top to allow paper-based reports to be deposited.

Central Warehouse is responsible for the pick-up/delivery of bins and the shredding of UITS confidential data - sensitive paper shredding. Each location will have a contact person responsible for the pickup/delivery of these bins.

(Please refer to UITS Procedures for Secure Shredding of Confidential Data - Sensitive Paper Documents at http://itpolicy.uconn.edu/policydocs/uits_shreddingR1.html)

Proper Disposal of Physical Media

Like other electronic or physical representations of University data, physical media containing University data may only be shared with those authorized to view the data. Because of this, it is important that data be destroyed and media be disposed of properly.

CD’s containing University data must be physically destroyed before disposal. CD’s should be cut in half using a pair of scissors so that the media is disposed of in two pieces. The two halves of the CD may then be deposited in any trash receptacle. (Note: CD-R and CD-RW media should not be broken in half as this exposes the metal within the CD and can be very difficult to clean).

Tapes containing University data must be disposed of using the University’s Degaussing Service for Computers process coordinated by Central Stores. Tapes should be brought to Central Stores and must be accompanied by the Degauss Electronic Storage Form. (More information about the program can be found at http://stores.uconn.edu/surplus.html#degauss)

All other hard drives (external, USB flash drives, etc.) must be either physically destroyed by drilling or equivalent means, or by using the University’s secure data wiping standards, including disk degaussing. (See Procedures for Removing (Wiping) Data from a Computer Prior to Re-Deployment Surplus or Disposal at http://policy.uconn.edu/pages/findPolicy.cfm?policyId=345)

Recommendations / Summary

The Standards Committee has incorporated several recommendations within this standard. These recommendations were approved and adopted by VPET in August 2007. As these recommendations were approved and adopted they were removed from the Recommendations/Summary section and added to the main Standard for Copying University Data.

The final recommendation which members of the Standards Committee feel should be considered is for the use of Full Disk Encryption. Although the University of Connecticut does not currently use Full Disk Encryption software on desktops or laptops, the committee recommends that all desktops and laptops use full hard-drive encryption software which is password-protected. SafeBoot is an example of such software. This is especially important for laptops that will leave secure University work areas.

Appendix A

List of University Policies, Procedures and Guidelines Supporting Standard on Copying University Data

Below are some of the University Policies, Procedures and Guidelines that directly or indirectly relate to this standard regarding Copying University Data.

• Procedures for Removing (Wiping) Data from a Computer Prior to Re-Deployment Surplus or Disposal
  http://policy.uconn.edu/pages/findPolicy.cfm?policyId=345
• Data Classification
  http://policy.uconn.edu/pages/findPolicy.cfm?policyId=347
• Device and Media Control Policy
  http://policy.uconn.edu/pages/findPolicy.cfm?policyId=349
• Degaussing Service for Computers
  http://stores.uconn.edu/surplus.html#degauss
• Electronic Data Integrity
  http://policy.uconn.edu/pages/findPolicy.cfm?policyId=351
• Electronic Data Security Management
  http://policy.uconn.edu/pages/findPolicy.cfm?policyId=352
• Electronic Workstation Use and Security
  http://policy.uconn.edu/pages/findPolicy.cfm?policyId=354
• Individual Responsibilities with Respect to Appropriate Use of IT Resources
  http://policy.uconn.edu/pages/findPolicy.cfm?policyId=356
• Instructions for connecting to the UITS Novell Central Server and Sharing Files
  https://secure.uconn.edu/interuits/secure/areas/csr/tss/instructions/connect_novell.html
• Instructions for Encrypting Computer File Systems
  http://tss.uconn.edu/Public/fileencrypt/fileencryptionmain.htm
• Responsibilities for Maintaining Currency of Legal Obligations with Respect to University Data
  http://policy.uconn.edu/pages/findPolicy.cfm?policyId=358
• Roles and Responsibilities with Respect to University Data
  http://policy.uconn.edu/pages/findPolicy.cfm?policyId=359
• Electronic Data Transport Standard
  http://itpolicy.uconn.edu/uconngsr/edtrans.html
• Laptop/Portable Computer Security Guidelines
  http://itpolicy.uconn.edu/uconngsr/laptop04.html
• Office Procedures for Dealing with Confidential and Registered Confidential Data (Best Practices)
  http://itpolicy.uconn.edu/uconngsr/bestprac.html
• UITS Rules of Conduct with Respect to Confidential Information
  http://itpolicy.uconn.edu/policydocs/conduct.html
• UITS Procedures for Secure Shredding of Confidential Data - Sensitive Paper Documents
  http://itpolicy.uconn.edu/policydocs/uits_shreddingR1.html
• Workforce Security - Access to Data
  http://policy.uconn.edu/pages/findPolicy.cfm?policyId=368

Appendix B

Sample Confidential Report Cover Sheet

Confidential Report Cover Page This report contains non-public information. It is the responsibility of the report holder to maintain the confidentiality of the data contained in this report as stipulated within the policies, standards and guidelines of the University of Connecticut. The report holder is minimally required to: At all times, keep this report stored in a secure physical location. Insure the report is not viewed or contents shared by any unauthorized individuals. When the report is no longer required, it is the report holder’s responsibility to have this report shredded.

Created On: 07.13.2007
Last Revision: 04.01.2008:ldg