Confidential Data

Confidential data refers to business sensitive, personally identifiable information (PII) or otherwise regulated data not intended for disclosure outside the organization.  

The University of Dayton is required to comply with regulations such as:

Members of the UD community have a responsibility to:

Understand if your files contain sensitive data

Faculty and staff at UD use a wide variety of electronic information to facilitate University business. While much of this information is public, misuse of restricted or sensitive data could substantially damage UD’s reputation or put our institution at legal and financial risk.

  • Regulated or Personally Identifying Information (PII): Information to which access must be restricted due to contractual or legal/regulatory considerations. Examples: student academic records (FERPA), Social Security numbers, credit card data (PCI), personal health information (HIPAA)
  • Business Sensitive: Information of value to UD or which, if lost, might adversely impact our environment. Examples: Proprietary research, pay scales and donor data
  • Public: Information with no existing local, national or international legal restrictions on access. Public information may or must be open to the general public. Examples: course catalog, directory information

See UD's Electronic Use of Confidential Data Policy for more information about classifying the types of data you use.

Locate Personally Identifiable Information (PII)

Tools that assist in finding personally identifiable information include:

Cornell Spider - http://www.it.cornell.edu/services/spider/howto/index.cfm

IdentityFinder - http://www.identityfinder.com/us/Home/Free (personally owned machines only, free version may not be used on UD owned computers or laptops)

Managing UD Data

If you work with regulated or business sensitive data, take measures to ensure it’s stored properly.

Tips for storing Regulated and Business Sensitive data
  • DO NOT use consumer cloud solutions such as Dropbox, SkyDrive, etc. for UD data.
  • DO use Google Apps for Public, Business Sensitive and for FERPA data.
  • DO NOT overshare - make sure you’re only sharing files and folders with those authorized to see the content.
  • DO store University of Dayton data on UD’s Novell and other servers specifically identified to process and store UD data.
  • DO store Regulated and Business Sensitive data on encrypted computing devices – laptops, external hard drives, flash drives, etc.
  • DO NOT store UD data on personal devices.
  • If in doubt, contact your unit’s IT support staff or UD’s Help Desk.

Managing Personal Data

You should take precautions to ensure your personal data is stored properly.

Tips for storing Personal data
  • What to Save: Anything you’d shed tears over if it disappeared for good (e.g. that book you’ve been working on for the last three years)
  • When to Save: Depends on you. If it’s something really important that changes frequently, back it up more frequently. If it’s something more static (like family pictures), maybe back up a batch every 3-6 months. Like insurance, it comes down to your personal tolerance for risk.
  • Where to Save: Storing stuff in the cloud is usually fine, but for threats like Ransomware, a good ole’ fashioned “ground” copy is best. Consider investing in an external hard drive (for long-term storage) or encrypted USB drive (for shorter-term, lower volume storage).

Encryption

The President’s Council has directed that all University laptops incorporate a standard, full disk encryption solution with initial and annual costs borne by the unit purchasing the laptop.  Please refer any questions to UDit’s IT Risk Management Office (itriskmgmt@udayton.edu, 937-229-4387).

Laptops offer no less functionality than their desktop counterparts; users access the same types of enterprise systems and data. By virtue of their size and mobility, however, they face a significantly higher probability of loss or theft. The Ponemon Institute, which conducts independent research on privacy, data protection and information security policy, published a study suggesting that the average costs surrounding a lost or stolen laptop were over $40,000, and Intel has reported that costs can be much higher. Using a full disk encryption solution reduces the cost of mitigating the loss or theft of a laptop to the cost of replacing the hardware.

References:

Report an IT Security Breach

An IT Security Incident is any adverse event which compromises some aspect of computer or network security.

Security incidents that must be reported include:

  • Compromise of user credentials (when there is reason to believe this has led to unauthorized access or loss of confidential data)
  • Lost or stolen laptop
  • Lost or stolen removable media containing sensitive UD information (CD, DVD, USB flash drive, external hard drive, smart cards)
  • Malware or virus-infected computer (when there is reason to believe this has led to unauthorized access or loss of confidential data)

All incidents should be taken seriously and reported according to UD's policy on IT Incident Handling.  When in doubt, report it!