Best Practices for Handling Electronic SSNs and Personal Information When Approval Is Granted by the Chancellor

Patches

Critical Operating System or Application security updates shall be installed within 10 working days of release. If applying the patch is not possible due to compatibility issues, other steps must be taken to mitigate the risk.

Information Services must be notified if updates cannot be applied in the required timeframe.

Authentication

  • Strong passwords MUST be used for all system and user accounts.
  • Accounts shall not be shared between users.
  • A timed lockout mechanism such as a screensaver that requires authentication to return must be used.
  • Passwords are to be changed anytime a system has been compromised.

Physical Security

  • Servers must be located in a secure facility. Multi-factor authentication shall be used to gain physical access to the server.
  • Workstations and/or portable devices (e.g. PDAs and laptops) storing personal information must use strong encryption to protect the data. This applies to all devices whether they are owned by UNL or the user.
  • Storage media containing personal information will be kept in a secure facility with multi-factor authentication access. Optionally, strong encryption should be used to protect the data and the media physically secured in an appropriate manner.
  • Whenever personal information is no longer needed, it shall be removed securely. Standard deletion of a file or formatting a hard drive is NOT sufficient. Any storage media, such as hard drives, that are to be removed from a secure facility (including damaged drives returned to the vendor for repair) must also be securely erased.

Vulnerability Scanning

  • Servers and workstations shall be periodically scanned to verify that personal information is not being stored in an unsecured manner.
  • Any devices identified as containing personal information are subject to periodic vulnerability scans authorized by the Chief Information Officer or authorized agents. Attempts to specifically block these scans are not allowed.

Network Traffic

  • If any personal information is accessible over a network, connections that encrypt the data during transfer, such as a VPN, SecureFTP, secure TN3270 emulation software or SSL, should be used. If access over a non-secured network is allowed, such as wireless or off-campus traffic, encrypted connections MUST be used.

Non-Intended Use

  • Use of servers for tasks other than their intended use should be avoided, e.g. web-surfing, peer-to-peer, unofficial services, etc.

Antivirus Protection

  • All servers and workstations that have access to personal information should have antivirus software enabled and updated.

Firewalls

  • All servers that process or store personal information should be protected by a network firewall supported by Information Services.
  • All workstations/laptops that store or have access to personal information should be protected by a network firewall.
  • All workstations/laptops must have a software (personal) firewall enabled.

Incident Reporting

  • Any security incidents involving systems that store and/or have access to personal information MUST be reported promptly.
  • Security incidents include (but are not limited to):
      • Virus infections
      • Spyware infections, excluding 'tracking cookies'
      • Rootkits
      • Other security compromises (e.g. hacks, inappropriate use, etc.)
      • Loss of media or computing devices (e.g. laptop, CD, etc.)

Logging

  • Servers and workstations that have access to personal information are to have logging enabled. Both successful and failed authentication attempts are to be logged.
  • Servers are to have all system administration functions logged.
  • Log files are to be made available to Information Services or authorized agents upon request.

Annual Agreements

See security agreement link for additional information.

 

Asset Ownership and Responsibility

  • Every University Department shall maintain a current inventory of all personal information. A copy of this inventory shall annually be sent to Information Services.

What is Personal Information?

"Personally identifiable information" (PII), as used in US privacy law and information security, is information that can be used on its own or with other information to identify, contact, or locate a single person, or to identify an individual in context.

Information Technology Services is to be immediately notified of any new systems or applications that use personal information.

Access and Storage Approval

  • Every University Department shall maintain an access control list for personal information. The list will identify who is authorized access to the data and if/when any data has been copied or checked out.
  • Access control lists are to be made available to Information Services or authorized agents upon request.

Application Life Cycles

  • Computer applications or services that collect, store or transmit personal information shall not be commissioned, enhanced or decommissioned without first receiving written approval from the Chancellor or his designee.

Awareness Training

  • Any University employee or contractor having access to personal information will annually take training on the appropriate handling of personal information; this training will be offered by Information Services.

Glossary

Multi-factor authentication:

Verifying and validating the authenticity of an identity using more than one validation mechanism. This is accomplished by verifying the following: A) something you are, e.g. iris scan, fingerprint; B) something you have, e.g. driver's license; and C) something you know, e.g. password.

 

Network firewall:

A system used to control access between two networks -- a trusted network and an untrusted network -- using pre-configured rules or filters. A network firewall examines all messages entering or leaving the trusted network and blocks those that do not meet the specified security criteria. A network firewall should be considered the first line of defense in protecting private information.

Peer-to-peer:

Also known as P2P, a type of network in which each workstation has equivalent capabilities and responsibilities. This differs from client/server architectures in which some computers are dedicated to serving the others.

Secure facility:

An area with multiple strong security controls implemented to protect personal information or equipment. The facility must be in a secure state by default (e.g. auto-closing locked door).

Secure FTP:

Short for Secure File Transfer Protocol, an established method for exchanging encrypted files over the Internet. (If it's not labeled as secure, it's not.)

Personal information:

Distinct pieces of information about individuals that are to be shared only within the University or with those with whom the University has established a trust relationship. See personal information link for additional information.

SSL:

Short for Secure Sockets Layer, a protocol for transmitting private documents via the Internet. SSL uses two keys to encrypt data: a public key known to everyone and a private or secret key known only to the recipient of the message. By convention, web sites that use SSL start with https instead of http.

Strong encryption:

A method of transforming data from plain text to a difficult-to-interpret format (and back again) using a very large number (128 bits) as its cryptographic key. Some applications that use strong encryption are: SSH2, SSL, IPSec and PGP.

Strong password:

A password that is difficult to detect by both humans and computer programs, effectively protecting data from unauthorized access. A strong password has letters in both uppercase and lowercase, contains numbers as well as special characters, and does not consist of words that can be found in a dictionary or parts of the user's own name. For additional information see: Strong Passwords

TN3270 emulation:

Telnet software running on a workstation that permits access to IBM mainframe computers.

VPN:

Short for virtual private network, a network that uses encryption and other security mechanisms to ensure that only authorized users are given access and that transmitted data cannot be intercepted. (A remote desktop is NOT VPN.)

If you have any questions regarding this information, please contact the Computer Help Center.