Tuesday, February 7, 2012

Data Security

DO NOT copy or download restricted sensitive data (e.g. Social Security Numbers, credit card numbers, health records, or other personal information protected by law, such as FERPA) from the University’s administrative systems to your PC, Web server, PDA, laptop, or any other portable device. Storage of such data on portable devices is strictly prohibited, and must require VP level authorization and disk encryption.

DO store restricted personal data on secure servers.
DO NOT store restricted data (e.g. SSN, emplID, PID) at home. This especially includes system backup tapes.

DO contract with certified vendors for off-site storage.
DO NOT store restricted sensitive data on remote third-party sites.

DO NOT send restricted data (e.g. SSN, emplID, PID, grades) un-encrypted using any protocol, including e-mail. E-mail messages can be intercepted by third parties or mistakenly sent to the wrong addresses.

DO encrypt sensitive e-mail or documents before sending via e-mail.
DO NOT leave restricted data in printed form (hard copy) lying around.

DO store restricted data in a secure cabinet.
DO NOT leave restricted data unattended on a copier, fax, or printer.

DO shred/cross shred restricted data that needs to be disposed.
DO NOT download, via Reporting Database Service (RDS), PeopleSoft, or through any other means, data sets not intended for the immediate task at hand.

DO NOT share restricted data with individuals that are not authorized to view.

DO NOT leave a logged on workstation unattended.

DO NOT install Peer-to-Peer (P2P) file sharing software. The following software and their clones are prohibited from use anywhere on campus: Ares, Bittorrent, Audio Galaxy, Kazaa, IMesh, Morpheus, Gnutella, Bearshare, Limewire, Napster, Winmix, Edonky2000, Direct Connect, etc.

DO visit the Network Services' Prohibited Software Policies page to learn more about P2P use on-campus.
DO NOT download programs, applets, and images from unreliable and unknown sources; you might also be downloading Trojan viruses with it.

DO NOT dispose or transfer ownership of computers without making sure it is properly sanitized (with a hard drive erasing software.) 

DO NOT use a computer without having an anti-virus or anti-malware software running on it.

DO NOT neglect to make frequent backups of critical data or e-mail that you do not want to lose.

DO follow the e-mail retention policy based on the Florida Public Records Law. Most e-mail must be retained for three years.

DO NOT forward your UCF business e-mail to a third party external e-mail system provided by Internet Service Providers, such as EarthLink, Sprint, Apple, AOL, Hotmail, Yahoo, and Gmail. Such action could potentially expose sensitive information and your personal e-mail inbox may be subject to Florida's public records laws.

DO leave your UCF business e-mails on secure systems provided by UCF.
DO NOT open file attachments from an unsolicited e-mail until you confirm the source by contacting the sender.

DO NOT use easy-to-guess passwords that contains only numbers or letters, without special characters.
DO use a password that is a mixture of numbers, letters, and special characters. Remember to change it quarterly.

DO NOT share passwords with anyone. Use different passwords for different Internet sites as you visit them. This will make it harder for someone to guess your password by not sticking to a common password or a pattern.

DO NOT use wireless technologies for transmitting restricted sensitive data without making certain end-to-end encryption is involved, regardless if wireless encryption is used.
DO use university-provided VPN solution to make your wireless connection equivalent to a wired connection on campus. Visit the Network Services' Wireless Network page for more information.

DO NOT run applications with inherent weaknesses due to old or buggy versions.
DO run the most up-to-date version of your web browser, browser plug-ins (e.g. Adobe Flash, Java), e-mail software, and other programs.

No comments: