Four Policies Essential to Data Security

My previous post highlighted how universities fumbled data security because of data handling errors. Data exposed in the incidents included student education records, protected health information, Social Security numbers, and credit card numbers.

WSU has four policies that guard against data handling errors. Are you familiar with all four?

The sections that follow provide two key passages from each policy and the link to each.


3.12 / Security and Confidentiality of Student Records and Files

Key passages:

All employees are expected to be knowledgeable of FERPA, as evidenced by successful completion of the online tutorial. New employees are required to complete the tutorial within 30 days of beginning employment.

No student record, or copy thereof, may be removed from the office where it is maintained, except in the performance of an employee's official duties.


13.14 / Security of Credit Card Data

Key passages:

No credit card numbers or any documentation containing credit card numbers or cardholder data shall be transmitted or stored in any personal computer, email account, or any other form of electronic media.

No paper documents, including but not limited to, paper receipts and hand-written notes, containing credit card numbers or cardholder data shall be permanently stored by an approved department or unit. Said documents must be destroyed within two days of processing.


19.01 / Acceptable Use of Information Technology Resources

Key passages:

All users of University computing and information technology resources shall be required to complete a minimum of one training session relating to the usage of said resources every 12 months.

The storage of social security numbers and credit card information on University provided devices is prohibited. Storage of any personal information is discouraged.


19.10 / Retirement of Computing and Information Technology Resources

Key passages:

It is an unacceptable practice for personal data and information to remain on University computing and information technology resources upon the cessation of use of those resources by a University department, office, or group.

No University computing and information technology resources may be forwarded to the University Physical Plant Warehouse for salvage, sale, or redistribution until and unless Information Technology Services or departmental technical personnel has determined that all data, information, and/or software has been permanently deleted from said resources.


WSU Dropbox is Best

WSU made a concerted effort to remove Social Security and credit card numbers from its personal computers and other electronic media some years ago. 

In that light, it was surprising how many of the data security fumbles highlighted in my previous post were related to Social Security and credit card numbers. All of these incidents occurred within the past year.

It was also surprising how often sensitive records were transmitted via email to ill effect. The annual online training session referenced in WSU Policy Manual Section 19.01 explains why the WSU Dropbox is the best way to secure and transmit confidential or sensitive information on campus:

"The WSU Dropbox automatically encrypts information and notifies the recipient(s) that they need to retrieve it. It also automatically encrypts the data and stores it safely in the Information Technology Services data center.

"Reminder: If the home computer is used by anyone else, password protect the document to keep the information secure and to comply with university data policies. Use the WSU Dropbox to send the new/revised document back to campus. Always delete the document from your home computer and empty the recycle bin."


Image attribution: "very business minded" by emdot is licensed under CC BY 2.0