Protecting Sensitive Data

This page contains information about how to keep sensitive data secure while sharing it appropriately with students, colleagues, and coworkers.

Introduction

The potential loss of sensitive data is one of the greatest modern threats to the University of Illinois and every individual affiliated with the University. For individuals, the loss of personal sensitive data can cause financial loss, a ruined credit rating, and years of hassles as they struggle to recover from identity theft. For the University, a data breach brings serious consequences not only for the institution, but also for the employees directly involved with the data breach. While the University continually tries to minimize the availability of sensitive data, and the need for such data in day-to-day work routines, sometimes working with sensitive data is unavoidable.

For University employees that work with sensitive data, protecting that data is one of their most important responsibilities. To help in this effort, CITES Security provides a variety of educational opportunities, tools and web resources to help employees responsibly work with sensitive data on campus. This web page provides links to these resources, as well as news items that highlight some of the major issues in protecting sensitive data.

Orientations

CITES Security offers an orientation that is open to the entire University of Illinois community, although it will be of most value to employees that currently work or will be working with sensitive data. Broad topics, such as how to securely access sensitive data, how to store sensitive data, how to share sensitive data securely and how to destroy copies of sensitive data, will be covered. In addition, audience members will be able to select specific scenarios to discuss ranging from how to store sensitive data in an Excel spreadsheet to working out of the office.

Upcoming Sensitive Data Orientations

Register For a Sensitive Data Orientation

Scheduling an orientation for your department or group

If you would like to schedule a presentation of the Sensitive Data Orientation for your department or group, CITES Security is able to come to you and work with your schedule. In addition, CITES Security is able to tailor sections of the orientation to deal with scenarios and problems that specifically face your group. For example, if your department deals primarily with student records, the presentation can focus more on that area than others.

To schedule an orientation for your department or group, please email securitysupport@uiuc.edu

Orientation Materials

If you are unable to attend an orientation, or if you attended and would like extra copies of the materials provided at the orientation, this archive has downloadable copies of all materials and the PowerPoint presentation.

What is considered sensitive data?

One of the toughest challenges on a campus as large as the University of Illinois is understanding what information is considered sensitive data, and just how careful an employee needs to be with that information. CITES Security has created a guide to help you better classify the data that you are working with and understand the responsibilities that come with that particular data type.

Data Classification Chart

General principles for working with sensitive data

If, as part of your job, you think that you need to access and use sensitive data, there are four simple questions that you should ask yourself every time before actually accessing the data. If you ask these questions and honestly answer them every time, you will create a clear road map for what to do with the data you access.

Do you really need to access the sensitive data?
If there is a way to accomplish a task with or without accessing sensitive data, you should always choose the method that does not require you to come in contact with the sensitive data. The fewer times that data is accessed, copied and stored, the less likely it is to be stolen.

Do you really need to make a copy of the sensitive data?
If you can simply view the sensitive data without making a copy on your own computer or making a print copy, you should only view the data. The more copies of a piece of sensitive data that exist, the more copies there are for an identity thief to steal. In addition, if you do not store a copy, the risk of you being personally responsible for a data breach is reduced because it won't be your copy that was stolen.

Do you really need to share the sensitive data with someone else?
If you are collaborating on a project that uses sensitive data, does everyone that is working on the project need to see the sensitive data? In addition to creating more copies, transmitting sensitive data creates the risk that it will be intercepted if transmitted insecurely. Furthermore, if you are the person that shares data with someone that loses that data, there is a good possibility that you will share some of the responsibility for that data loss. If a collaborative project can be completed with only a few people or ideally one person having access to the sensitive data, that is the approach that should be used.

How long do you really need to keep a copy of the sensitive data?
The longer data is stored on your computer, or the longer that you keep a print copy, the more chances someone has to steal that information. Unless you need to use the same sensitive data on a regular basis (once a week or more), you should destroy or securely archive any copies that you've made. Old data is often the easiest to steal, because many people forget that they have an old file until the day that someone steals that old but still valuable information.

Tools for working with sensitive data

The best line of defense for protecting sensitive data is constantly thinking about the general principles listed above. But after that, if you do need to share or store sensitive data, the University has made available tools that will allow you to use sensitive data securely.

Sensitive Data in the News

In this section, CITES Security links to different news stories that highlight some of the dangers that arise when working with sensitive data. When it is helpful, there will be a short commentary beneath each link that points out what can be learned from the story. Please check back frequently for new stories.

University of Colorado Discloses Data Breach (April 28, 2008)
This particular data breach is a perfect example of why storing sensitive data for longer than needed increases the risk of a data breach, and increases the amount of damage the eventual breach will cause. One staff computer had the Social Security Numbers and other personal information for 9,000 students and 500 instructors. This data dated back to 1997. While the article does not state specifics, it is highly unlikely that an employee in their day-to-day workflow would need to access Social Security Numbers that are over ten years old. If this copy of the Social Security Numbers had either been securely archived or destroyed, the risk of losing this data would have been drastically minimized.