HIGHLY SENSITIVE DATA AUTHORIZATION
To store Highly Sensitive Data (HSD) on your computer you are required to have formal authorization from a Chief Data Steward. Storing HSD on your computer without authorization is a violation of University Policy #1114.
Storing highly sensitive data on your office or laptop computer adds a risk that this protected data might be lost or stolen. If you are authorized to store HSD on your computer, you must have a protection program, such as encryption, in place to keep the stored data safe.
Before you begin the process of requesting authorization to store HSD, you should consider alternatives to storing the data on a computer. You might not need to store this data on your computer. Storing it on and accessing it from a secure network storage system could be one way to meet your business needs. Other options should be investigated, along with carefully examining why HSD is needed to perform your job.
If you truly believe your business need requires you to store highly sensitive data on your office or laptop computer, please see below for further details on how to get authorization from a Chief Data Steward.
Frequently Asked Questions about Highly Sensitive Data Storage
What university policy governs permission to access or store Highly Sensitive Data (HSD)?
University Policy #1114, Data Stewardship Policy, states:
"No one is permitted to access HSD unless the Data Owner has given written permission, either through established business processes or specific memorandum."
“No one is permitted to store HSD unless a Chief Data Steward has signed the approval form and the storage device or media is protected with the university’s encryption program.”
What is Highly Sensitive Data (HSD)?
The definition of “Highly Sensitive Data” appears in Appendix A of University Policy #1114, Protected Data Types:
“Data that (1) by their personal nature can lead to identity theft or exposure of personal health information, or (2) a researcher, funding agency or other research partner has identified as highly sensitive or otherwise requiring a high level of security protection.” See Appendix A for more details.
Generally, data is considered highly sensitive if exposure, loss, or corruption of the data in question may:
- Critically damage the university’s ability to operate
- Substantially impact the university’s reputation
- Place the university at risk of substantial legal action or penalty
A few examples of highly sensitive data (HSD) are:
- An Excel spreadsheet with hundreds of personal records including social security numbers
- An extract of university data that includes multiple university credit card numbers with personal ID information
- Multiple personal health records that clearly identify the individuals in the record
- An Access database with personal information including driver's license numbers
- A collection of passwords associated with personal identifiers that provide access to university systems storing Highly Sensitive Data
- Records associated with a research project where there is an agreement in place or a university policy that the data must be kept highly secure.
What type of data might appear highly sensitive, but is not subject to the Data Stewardship policy?
- Your personal information (social security number, credit card number, or any other personal data) that you may have stored on university computers for your own personal reasons.
- Data used by your department that may be mission critical for department function(s) but does not include HSD as described in University Policy #1114, Data Stewardship Policy.
When must Highly Sensitive Data (HSD) be protected by encryption?
HSD must be protected by encryption:
- In transport – when being moved from one place to another:
  - Over the Internet
  - On removable media
  - In an encrypted file in an otherwise non-encrypted transport (e.g. mail)
- At rest – when being stored on:
  - Office computers and laptops
  - Removable media
  - A server that has not been approved by the Information Security Officer as having sufficient mitigating controls in place
What are some examples of encryption “in transport”?
- HTTPS (SSL): In a browser, an Internet address that begins with “https://” indicates that SSL encryption is being used
- SSH or SFTP: Protocols for connecting to systems over an encrypted channel (e.g. PuTTY, a common free client, available at http://en.wikipedia.org/wiki/PuTTY)
- VPN: The “Virtual Private Network” technology that allows for an encrypted tunnel over the Internet for communication between two endpoints. Mason supports a VPN solution for faculty and staff to securely connect to the university’s network resources. See IT Services for more details.
- RDP with strong encryption: The “Remote Desktop Protocol” connects to a Microsoft Windows workstation remotely and requires the Strong Encryption option to be set to “enabled.” Be aware that Strong Encryption “Enabled” is not the default setting in the Windows operating system.
- Encrypted files sent with the key/password exchanged through a separate type of communication: An example would be to send an encrypted file via e-mail and then send the password via phone or fax. Multiple methods of encrypting files are available; common ones include the encryption built into WinZip and PGP encryption. (Note: The method of encryption used must be supported by both the sender and the receiver of the data.)
What is encryption “at rest”?
The only approved and supported method for encrypting data “at rest” on university desktop and laptop computers is whole disk encryption. Servers which have not been approved by the Information Security Officer as having sufficient mitigating controls in place should also use encryption.
Whole disk encryption:
- Protects the entire contents of the hard drive
- Protects the data from theft when the system is turned off (loss or theft of the computer won’t expose data on an encrypted hard drive)
- May not protect the data when the system is turned on
The university has an enterprise encryption solution for Windows-based systems. Approval to store sensitive data will trigger a request to have the Windows system encrypted.
Who are “Data Owners” and what are their responsibilities?
Data Owners are the university’s authorities on how data can be used, stored, shared, and transported (identified in Appendix B of the Data Stewardship Policy). However, only a Chief Data Steward can give permission to store Highly Sensitive Data (HSD).
The Data Owner is the business lead for a department that governs a class of data:
- The Registrar: for student data
- The Associate Vice President of Human Resources: for faculty and staff HR data
- The University Controller: for financial data (credit card numbers, etc.)
- Deans of Schools or Colleges: for research data collected in their particular school or college (but NOT for Mason faculty, staff, student or financial data collected in their school or college)
The Data Owner may grant permission to access and/or share HSD. (Note: Approval may have been previously granted through a Banner Security Liaison and/or Banner Security Officer; confirm with your department head or Mason’s IT Security Office.)
The Data Owner oversees agreements in place between suppliers and receivers of sensitive data:
- In agreements between the supplier of the sensitive data and the receiving department, the departmental authority of the supplier of the sensitive data is responsible for determining how the data can be used, stored, shared and transported, recognizing the preeminent authority of university policies governing data.
- In agreements which are required between the authority in the department and those with whom data is shared, the departmental authority is responsible for determining how the data can be used, stored, shared and transported, recognizing the preeminent authority of university policies governing data.
What are the user’s responsibilities in protecting Highly Sensitive Data (HSD) on the system?
1. Understand the common risks to computers that could result in a data breach
   - Use the computer responsibly: Do not respond to a malicious request for your personal authentication credentials, such as passwords, PINs, or account numbers. No legitimate entity will request your authentication credentials via e-mail or through any other channel. Authentication credentials, such as passwords, must never be shared.
   - Avoid high risk behavior by following simple guidelines:
     - Avoid visiting a questionable web site
     - Do not use Peer to Peer file sharing
     - Do not download files through online chat programs
     - Do not open suspicious or mysterious e-mail attachments
     - Do not access applications or links embedded in social networking sites (Facebook, MySpace, Twitter, etc.)
     - Do not attach questionable removable media, such as a USB flash drive found in a parking lot, to the system
     - Do not download, install, or use any application that has questionable integrity.
     - Avoid clicking directly on an embedded URL link in a document, e-mail, or high risk web site; instead, type the URL into a browser such as Firefox or Internet Explorer, because links that appear legitimate may mask a malicious address (also known as “URL spoofing”).
     - Learn how to view the e-mail header, which shows the true sender's e-mail address and the sender's system IP address, or contact an authoritative source to confirm legitimacy. An e-mail may appear to come from a known, trusted source, but the sender's “FROM” address may mask a malicious address (also known as “e-mail address spoofing”).
2. Keep current with system updates, antivirus software, and host-based firewalls
   - Ensure that the computer and applications are being updated regularly. Users must NOT block installation of security patches for the system and Microsoft applications in MESA.
   - Ensure that the computer has university-supported antivirus software. Users must NOT block or otherwise disable current versions of university-supported antivirus software in MESA.
   - Maintain a host-based firewall if the computer is not in MESA, as MESA configurations include a firewall.
3. Follow good password security practices
4. Apply proper system configurations
   - Use a password-protected screen saver.
   - Turn off your computer, if possible, when it is left unattended for a substantial amount of time (e.g. at lunchtime, at the end of the day, on vacation), as Whole Disk Encryption only protects data when the system is off.
   - Avoid, if possible, the use of an administrator-equivalent account on the computer. Some departments provide support where users do not need an administrator account on a computer; check with your department.
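As an added example (not part of the university's guidance or tooling), the two spoofing checks described in item 1 above, carried out in Python on a constructed message: the visible From address is compared with the envelope sender recorded in the Return-Path header, the IP addresses recorded in the Received headers are listed, and every HTML link whose visible text reads like a web address is compared with the host its href really points to. The message, its hosts and its addresses are all constructed sample data (203.0.113.0/24 is a documentation address range).

```python
import email
import re
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message: the From header claims a campus helpdesk address,
# while Return-Path and the Received line show a different sending system.
RAW_MESSAGE = """\
Return-Path: <bounce-7731@mail.example-sender.net>
Received: from mail.example-sender.net (mail.example-sender.net [203.0.113.45])
\tby mx.example.edu with ESMTP id abc123
From: "IT Support" <helpdesk@example.edu>
To: user@example.edu
Subject: Action required
Content-Type: text/html

<html><body>
<p>Please verify your account at
<a href="http://example-sender.net/login">https://mail.example.edu/login</a>
or contact us <a href="https://helpdesk.example.edu/">here</a>.</p>
</body></html>
"""

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# Link text a reader would take for an address, e.g. "mail.example.edu/login".
URL_LIKE = re.compile(r"(?:https?://)?(?:[\w-]+\.)+[A-Za-z]{2,}(?:[/?#]\S*)?")


class _LinkCollector(HTMLParser):
    """Collect (visible text, href) pairs for every <a> tag in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def _host(value):
    """Lower-cased hostname of a URL or bare "host/path" string ('' if none)."""
    if "://" not in value:
        value = "http://" + value
    return (urlparse(value).hostname or "").lower()


def find_spoofed_links(html):
    """Return (text, href) pairs whose text reads like a URL on one host while
    the href points at a different host (subdomains count as the same site)."""
    collector = _LinkCollector()
    collector.feed(html)
    flagged = []
    for text, href in collector.links:
        if not URL_LIKE.fullmatch(text):
            continue  # plain words such as "here" make no claim about the host
        shown, real = _host(text), _host(href)
        same_site = shown == real or real.endswith("." + shown) or shown.endswith("." + real)
        if shown and real and not same_site:
            flagged.append((text, href))
    return flagged


def inspect_message(raw):
    """Compare the visible From address with the envelope sender, list the IP
    addresses recorded in Received headers, and check the HTML body's links."""
    msg = email.message_from_string(raw)
    _, from_addr = parseaddr(msg.get("From", ""))
    _, return_path = parseaddr(msg.get("Return-Path", ""))
    received_ips = []
    for hop in msg.get_all("Received", []):
        received_ips.extend(IPV4.findall(hop))
    spoofed = []
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            spoofed.extend(find_spoofed_links(part.get_payload()))
    return {
        "from": from_addr,
        "return_path": return_path,
        "from_matches_envelope": from_addr.lower() == return_path.lower(),
        "received_ips": received_ips,
        "spoofed_links": spoofed,
    }


if __name__ == "__main__":
    for key, value in inspect_message(RAW_MESSAGE).items():
        print(f"{key}: {value}")
```

Run on the sample, the report shows the From address and the Return-Path disagreeing, the relay IP from the Received header, and the one link whose displayed address and real destination are on different hosts; a mismatch is a reason to confirm with an authoritative source before acting on the message, not proof of malice on its own, since legitimate mailing systems also send with a bounce address that differs from the From header.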
How does someone begin the process of obtaining authorization to store Highly Sensitive Data (HSD)?
If you believe that your business need requires the storage of highly sensitive data (HSD) on an office or laptop computer or removable storage device, you must begin the approval process by completing this application. After the application is complete, it must follow the workflow at the top of the application, which includes approval by the department head or chair and the Chief Data Steward.