Twitter
Feb
19
Colleges and universities store employment data, financial records, transcripts, credit histories, medical histories, contact information, social security numbers and other types of personal information. Although higher-education institutions should be forums where information and knowledge are easily exchanged, “sometimes the free flow of information is unintentional.” Here are eight policies and behaviors that put personal information at risk:
1. Administrative Decentralization
2. Naive Office Culture
3. Unprotected “Old” Data
4. Shadow Systems
5. Unregulated Servers
6. Unsophisticated Privacy Policies
7. Improper Use of the SSN
8. Unsanitized Hard Drives
Solutions
College administrators should consider the following:
- Regularly scan institutional networks for sensitive information, such as social security numbers, grades, and financial information. Use a combination of public search engines, and internal text- and file-scanning software.
- Automatically retire “old” data on institutional servers but allow faculty members to un-retire old data they still use. Forgotten information is dangerous information.
- Establish a “radioactive date,” which is when your institution last used social security numbers as an identifier. Files last modified before this date should be presumed dangerous.
- Create permissions-based access to core systems. Sensitive personal information should be available to faculty members and departments only on a need-to-know basis.
- Establish a data-retention-and-access policy by balancing threat, benefits and risks of maintaining the data.
- Coordinate interdepartmental privacy and security practices with a special committee of information security professionals.
- Update your privacy policy to reflect all privacy issues arising in a university setting. Explain privacy rights and practices that protect offline employment information and sensitive student records. Also explain work-flow protections (for example, “only director-level employees have access to social security numbers”) and technical practices (for example, “employee data is stored on encrypted hard drives”). Privacy policies should deal with more than just cookies and Web forms.
- Eliminate social security numbers from official records where possible, or establish a policy whereby students can opt to omit their numbers from transcripts or other records.
- Physically destroy all old hard drives.
Institutions of higher education must promote the free exchange of ideas while protecting sensitive personal information. Although the academic environment can seem at odds with information security, appropriate practices and procedures can balance information freedom and personal privacy.
Echoing an extract from the original post on The Security Catalyst by Aaron Titus
0 Trackbacks