IT-1003 Transmission and Use of Sensitive Information

Effective Date: 2016-02-29

1.0 Overview

Florida Institute of Technology handles potentially sensitive data on a day-to-day basis. Preventing the unintentional disclosure or misuse of such information is necessary to protect the integrity of the university and to comply with applicable laws.

2.0 Purpose

This policy defines safeguards that must be used to protect information that the university is responsible for maintaining and using.

3.0 Scope

This policy applies to all persons employed by the university.

4.0 Policies

Sensitive information may only be used for the purposes for which it was collected. Sensitive information may not be transferred to third parties without the approval of university administration, and any approved transfer must be made in accordance with all applicable laws, including the Gramm-Leach-Bliley Act (GLBA), the Health Insurance Portability and Accountability Act (HIPAA), and the Family Educational Rights and Privacy Act (FERPA).

Examples of sensitive information include, but are not limited to, social security numbers, bank account numbers, Tracks account passwords, PAWS PINs, and credit card numbers.

When disclosure of sensitive information is approved, the information must be accompanied by a written statement specifying exactly which information the recipient is required to protect, and how the information may and may not be used.

If sensitive information is transferred by electronic means outside the university network, the data must be encrypted so that it cannot be disclosed to unauthorized persons, and it must not be transmitted by email.

Examples of unencrypted communication methods which MAY NOT be used include, but are not limited to: email, FTP, and websites whose address does not begin with https://.

Examples of encrypted communication methods which MAY be used include, but are not limited to: SSH, Secure FTP (SFTP), and HTTPS.

Using email to transmit sensitive data is not allowed, even if the data itself is encrypted.

Storage of sensitive data, including personally identifiable information (PII) and protected health information (PHI), is only permitted on encrypted media such as an encrypted hard drive or USB drive. Removable media (USB or other portable media) must be securely stored when not in use and may only be used by approved employees.

Cloud services such as Box and Image-X Vault are also available for storing sensitive data, for a subscription-based fee paid by the department storing the data.

All new software products which transmit sensitive data over the university network must encrypt the data while it is in transit across the network. If the software does not support this, special arrangements must be made with the Information Technology department to set up hardware encryption devices for the software in question. If the software product is found to be incompatible with the hardware encryption devices, the software may not be used on the network.

5.0 Enforcement

Violators of this policy will be subject to disciplinary action based on the severity of the offense and its impact on the university, up to and including termination of employment.

6.0 Definitions

Unauthorized Persons: Anyone who does not have a valid Florida Institute of Technology job-related requirement to view the sensitive information in question.

7.0 Updates and Changes

The Information Technology managers must review any changes to this policy. Once the Information Technology managers approve the wording and contents of the policy, the document must be reviewed and approved by the Information Technology Executive Committee before it takes effect.

New versions of this policy will take effect no sooner than 21 days after the approval of the policy by the Information Technology Executive Committee.