IT-1004 Securing Sensitive Information

Effective Date: 2015-01-01

1.0 Overview

Florida Institute of Technology handles potentially sensitive data on a day-to-day basis. It is the duty of the university to take measures to reduce the likelihood that this information is unintentionally accessed or disclosed.

2.0 Purpose

This policy defines safeguards that must be used to protect sensitive information that the university is responsible for maintaining and using.

3.0 Scope

This policy applies to all persons employed by the university.

4.0 Policies

Sensitive information may not be placed on publicly accessible web servers, FTP sites, or any other publicly accessible server or service unless all of the following conditions are met:

  • The server encrypts data during transmission
  • The server's operating system is up-to-date with the latest vendor-supplied security patches
  • The information is restricted to authorized users by utilizing, at a minimum, usernames and passwords
  • The information is stored on an area of the server to which unauthorized persons do not have access

Sensitive information may not be stored on a portable computing or storage device and removed from the university campus unless all of the following conditions are met:

  • The user of the device has authorization from the university administration to remove the information from the university campus
  • The data is stored in an encrypted format that requires, at a minimum, a password to decrypt
  • The computing device is owned by the university or a faculty/staff member

If sensitive information is stored unencrypted on a portable computing or storage device, the device must be physically secured when not in use. Physically securing a device requires, at a minimum, a lock and key to prevent access to the device from unauthorized personnel.

Examples of sensitive information include, but are not limited to, Social Security numbers, bank account numbers, Tracks account passwords, PAWS PINs, health records, and credit card numbers.

5.0 Related Documents

Guideline 1001 - Guidelines for Ensuring Sensitive Data Security (To Be Drafted)

6.0 Enforcement

Violators of this policy will be subject to disciplinary action based on the severity of the offence and impact to the university, up to and including termination of employment.

7.0 Definitions

Term: Definition

Portable computing or storage device: Any electronic or storage device capable of storing sensitive information in a digital format.

Unauthorized Persons: Anyone who does not have a valid Florida Institute of Technology job-related requirement to view the sensitive information in question.