Division of Information Technology

Safeguarding Information

Security breaches of confidential or sensitive data have potentially serious consequences: for the person whose confidential information is compromised and for the University, which is accountable for upholding federal and state laws as well as CSU orders and regulations. In addition, individuals involved in unauthorized disclosure of information (even when accidental) may be subject to disciplinary and/or civil action.

These actions are critical to helping protect you and the University in case of theft or misuse of your equipment.

 

What is Confidential Data?
Securely Remove or Encrypt Confidential Data
Erase and Dispose of Media Securely
Handling Paper Records Securely
Use Secure Remote Connections


 

What is Confidential Data?

As state and federal laws evolve, a number of formal and informal categorizations of data have emerged which dictate whether single or combined data elements are now considered "confidential." Various terms may be used depending on the legislation applicable to the state or entities in which the data is held or exchanged with other entities:

Personal Identity Information, or PII
Credit Card Information
SFSU Student Information and Personally Identifiable Information
Applicant Information (not yet assigned SFSU ID or UID)

 


Securely Remove or Encrypt Confidential Electronic Data

Carefully review the information stored on your PC, laptop, hard drive, phone, PDA, as well as on USB flash drives, CDs and floppy disks. Confidential data should not be stored on these devices. Secure erasure is recommended for permanent removal of files containing confidential data (see Erase and Dispose of Media Securely). Note that student records created prior to 2006 may contain partial social security numbers used as student IDs. Media containing software which is covered by a license agreement between San Francisco State University and a software vendor should be treated as containing confidential data in order to protect the terms of the license agreement.

When access to files containing sensitive data is necessary, such data should be stored on protected servers within the campus firewall, and viewed over secure network connections when needed. In this way, sensitive data need not be stored on local laptops or desktops, and is therefore not vulnerable in case of equipment theft.

 

Encrypt Confidential Electronic Data

In the exceptional case when there is a requirement to store confidential data on a desktop, laptop or other device, special security measures such as encryption must be employed. The encryption technology bundled with the Windows and Macintosh operating systems provides a layer of protection against casual thieves. Stronger encryption software is available where more protection is needed; however, your encrypted data is not recoverable if you forget your password. Please contact your department's IT support personnel or the DoIT Help Desk if there is a need to store sensitive data on your local machine.

  • Using Windows encryption
  • Macintosh encryption with FileVault
  • TrueCrypt: creates a virtual encrypted disk within a file and mounts it as a real disk. It can encrypt an entire partition or a storage device such as a USB flash drive or hard drive. Like Windows encryption and Mac encryption with FileVault, TrueCrypt does not contain any mechanism or facility that would allow partial or complete recovery of your encrypted data without knowing the correct password or the key used to encrypt the data.

DoIT continues to evaluate products to find those that provide strong encryption, but are also easy to use and administer, and have key management capabilities. 

 


Erase and Dispose of Media Securely

When erasing confidential data and prior to disposal or redeployment of computers and storage media, such as hard drives, flash drives, floppy disks, tapes, etc., securely delete all data. Normal deletion only erases the information used to access the files on a disk, not the actual files.

To securely delete files containing confidential information on a Macintosh, put the files in the trash then select: Finder > Secure Empty Trash

To securely delete the contents of disk volumes on a Mac use Disk Utility.

There are many utilities for Windows that can securely delete files and the contents of disk volumes. Eraser is one that is easy to use, has been available for many years, and is free.

 

Optical Media (CDs, DVDs) & Removable Magnetic Media

Physically destroy (by cutting or shredding) CDs, DVDs, floppy disks and other disposable media containing confidential data. Most inexpensive desktop shredders are capable of handling CDs as well as paper, credit cards and other items.

 


Handling Paper Records Securely

Paper records should also be scrutinized and managed with care. Records which contain confidential information are to be retained only as long as they are valid, useful, and required to be retained. (See section 4 of the Student Privacy Rights Policy and Procedure for student records retention policy, and the CSU Records Retention & Disposition Schedules.)

Control access to rooms and file cabinets where confidential records are kept:

  • Keep confidential records in non-public areas.
  • Lock all doors and windows to office areas during non-business hours.
  • Work areas where confidential information is kept or processed must be behind locked doors or otherwise secured during business hours.
  • Escort visitors in areas where confidential information is kept.
  • File cabinets used to store confidential information must be secured in locked areas.

When no longer required to be retained, any papers that contain confidential information should be securely destroyed (shredded). Staff without access to cross-shredding equipment or services may contact the Registrar's Office x82823 for assistance with disposal of confidential records.

Departmental Managers are responsible for overseeing disposal of paper and other media (including electronic media) in their areas.

 


Use Secure Remote Connections

SF State offers Virtual Private Network (VPN) encrypted connections to faculty and staff to enable access to secure local area network resources when users are not directly connected to the campus network. When unsecured network connections are used, transmitted data can be intercepted using eavesdropping programs.

Installing and using VPN

When running scripts or transferring files over the network, use software that supports the highest security connection method offered. When connecting to campus servers use secure network protocols. For example, web pages that require a password (or PAC or PIN) should use HTTPS addresses instead of HTTP addresses; UNIX shell logins should use SSH (Secure Shell) instead of telnet; file transfers should use SFTP (Secure File Transfer Protocol) instead of FTP.

Mac OS X has command line versions of SSH and SFTP built in. There is no need for a separate SSH client, but a GUI based SFTP client, Fetch, simplifies file transfers. Download Fetch from DoIT's Macintosh Applications download page.

Windows has no built-in support for SSH or SFTP, but SSH Secure Shell Client, by SSH Communications Security, provides both SSH and SFTP clients. If you don't need SSH, Filezilla is a nice SFTP client. Download SSH Secure Shell Client or Filezilla from DoIT's Windows Applications download page.

Leaving workstations open for remote connections (e.g., Remote Desktop) is discouraged. Generally, files should be stored on a secure server and accessed using secure protocols. If you have special needs that require making a remote connection to a workstation, minimize the number of accounts allowed to log in remotely and make certain they have strong passwords. Please contact your department's IT support personnel or the DoIT Help Desk for assistance.

 
