Best Practices for Handling Electronic SSNs and Personal Information When Approval Is Granted by the Chancellor
Critical Operating System or Application security updates shall be installed within 10 working days of release. If applying the patch is not possible due to compatibility issues, other steps must be taken to mitigate the risk.
Information Services must be notified if updates cannot be applied in the required timeframe.
- Strong passwords MUST be used for all system and user accounts.
- Accounts shall not be shared between users.
- A timed lockout mechanism such as a screensaver that requires authentication to return must be used.
- Passwords are to be changed anytime a system has been compromised.
- Servers must be located in a secure facility. Multi-factor authentication shall be used to gain physical access to the server.
- Workstations and/or portable devices (e.g. PDAs and laptops) storing personal information must use strong encryption to protect the data. This applies to all devices whether they are owned by UNL or the user.
- Storage media containing personal information will be kept in a secure facility with multi-factor authentication access. Optionally, strong encryption should be used to protect the data and the media physically secured in an appropriate manner.
- Whenever personal information is no longer needed, it shall be removed securely. Standard deletion of a file or formatting a hard drive is NOT sufficient. Any removal of storage media such as hard drives to be removed from a secure facility (including return of damaged drives to vendor for repair) also need to be securely erased.
- Servers and workstations shall be periodically scanned to verify that personal information are not being stored in an unsecured manner.
- Any devices identified as containing personal information are subject to periodic vulnerability scans authorized by the Chief Information Officer or authorized agents. Attempts to specifically block these scans are not allowed.
- If any personal information are accessible over a network, connections that will encrypt the data during transfer such as a VPN, SecureFTP, secure TN3270 emulation software or SSL should be used. If access over a non-secured network is allowed, such as wireless or off-campus traffic, encrypted connections MUST be used.
- Use of servers for tasks other than their intended use should be avoided, e.g. web-surfing, peer-to-peer, unofficial services, etc.
- All servers and workstations that have access to personal information should have antivirus software enabled and updated.
- All servers that process or store personal information should be protected by a network firewall supported by Information Services.
- All workstations/laptops that store or have access to personal information should be protected by a network firewall.
- All workstations/Laptops must have a software (personal) firewall enabled.
- Any security incidents involving systems that store and/or have access to personal information MUST be reported promptly.
- Security incidents include (but are not limited to):
- Virus infections
- Spyware infections, excluding 'tracking cookies'
- Other security compromises (e.g. hacks, inappropriate use, etc.)
- Loss of media or computing devices (e.g. laptop, CD, etc.)
- Servers and workstations that have access to personal information are to have logging enabled. Both successful and failed authentication attempts are to be logged.
- Servers are to have all system administration functions logged.
- Log files are to be made available to Information Services or authorized agents upon request.
- University employees and contractors having access to University facilities or computing resources shall annually acknowledge the University's Privacy, Confidentiality and Information Security Agreement.
Asset Ownership and Responsibility
- Every University Department shall maintain a current inventory of all personal information. A copy of this inventory shall annually be sent to Information Services.
What is Personal Information?
"Personally identifiable information" (PII), as used in US privacy law and information security, is information that can be used on its own or with other information to identify, contact, or locate a single person, or to identify an individual in context."
Information TechnologyServices is to be immediately notified of any new systems or applications that use personal information.
Access and Storage Approval
- Every University Department shall maintain an access control list for personal information. The list will identify who is authorized access to the data and if/when any data has been copied or checked out.
- Access control lists are to be made available to Information Services or authorized agents upon request.
Application Life Cycles
- Computer applications or services that collect, store or transmit personal information shall not be commissioned, enhanced or decommissioned without first receiving written approval from the Chancellor or his designee.
- Any University employee or contractor having access to personal information will annually take training on the appropriate handling of personal information; this training will be offered by Information Services.