What is Protected Information?
"Protected information" is an umbrella term for information that is linked to an individual person's identity, such as Social Security numbers, drivers' license data, and credit card or bank account information (sometimes called Personally-Identifiable Information, or PII) and which can be used to facilitate identity theft. Universities in particular have become attractive targets for hackers because of the freedom with which information is exchanged in an educational environment. Chico State University, like other institutions, is legally required to be vigilant and proactive in the protection of PII that's been entrusted to us.
Data Classification and Protection Standards
Data Classification and Protection Standards have been developed by CSU, Chico to classify various types of information as outlined below:
Detecting Protected Information
The University is required to inventory protected information stored on campus systems. Beginning fall 2014, the campus will provide tools to help locate, protect, or delete confidential Level 1 protected data stored on University computers.
Handling Protected Data
If you find protected data on a system under your control, the following options are available to you:
- If it no longer meets a business need, destroy it.
- If it needs to be kept, move it to a secure and labeled CD or other offline location, or to a secure server, and ensure that it is encrypted.
- If the protected data is not essential to the document containing that data, edit it to remove the sensitive data.
- Cloud storage
Remember that CSU, Chico protected data may only be kept on campus systems.
Storage of Protected Data
Level 1 and Level 2 data must be protected.
Neither Level 1 Confidential data nor Level 2 Private data should be stored on university–owned personal computers (desktop or laptop), other electronic storage media (e.g., cd, DVD, or flash drive) or other electronic devices (e.g., mobile devices, smart phones, tablets) unless University data security requirements commensurate to the data classification level are met. Level 1 and Level 2 data should be removed when the business justification for storage no longer exists, or when required by records retention schedule. Level 2 Private data for students enrolled in the current semester may be stored on University and non-university owned computers during the current term only. At the end of the term, such data should be removed to an appropriate, secure archive medium and location or encrypted.
Systems and electronic storage devices used to store Level 1 Confidential or Level 2 Private must meet minimum CSU Chico, desktop security standards. Contact ISEC for more information.
Level 1 Confidential data stored on university–owned computers (desktop or laptop), other electronic storage media (e.g., CD, DVD, or flash drive) or other electronic devices (e.g., mobile devices, smart phones, tablets) must be encrypted using University-approved encryption methods.
Under no circumstance should Level 1 Confidential data be stored on computers, other storage media, or other electronic devices not owned by the California State University, its auxiliaries or its foundations or centers.
Cloud Storage
Cloud computing security, including Software as a Service (SaaS), makes use of the cloud computing infrastructure to deliver one application to many users, regardless of their location. Cloud storage of files can expedite collaboration and sharing of information, however users need to be aware that CSU, Chico explicitly forbids the storage of University Level 1 Protected Information and restricts the storage of Level 2 Private Information.
The following table outlines the data classification and proper handling of CSU, Chico data:
*Only services contracted by and supported by the University
Encryption
Encryption is the transformation of data into a form unreadable by anyone without a secret decryption key. Its purpose is to ensure confidentiality and privacy by keeping the information hidden from anyone for whom it is not intended. For example, one may wish to encrypt files on a hard drive to prevent an intruder from reading them. When an entire hard drive is encrypted, all the data on the drive is protected from unauthorized access if the computer is lost or stolen. Encryption can also be used to protect sensitive files that are sent through email or sensitive communications sent over the network.
"Strong encryption" is the term we use to describe the minimum strength of encryption appropriate for use with Level 1 protected data. Strong encryption is 256-bit encryption and complies with ICSUAM Policy Information Security Asset Management Section 8065.
it is either extremely difficult or completely impossible to decrypt encrypted data if the password is lost. If you have any questions or concerns about encryption, please talk with your Information Security Office before proceeding.
File Encryption
Caution: Data in encrypted files are not retrievable if the encryption key is lost.
File encryption is designed to protect stored files or folders. CSU Chico recommends the following file encryption programs:
- 7-Zip is an open-source, free utility that provides AES 256-bit encryption for files and folders under Windows 7/Vista/XP/2008/2003/2000
- Disk Utility encryption software is built into Macintosh OS X
The following productivity tools let you password-protect and/or encrypt individual files:
- Microsoft Office 2007 - Password protection and encryption for documents, workbooks, and presentations
- Microsoft Office 2010/2013 - Password protection, encryption, and access permissions for documents, workbooks, and presentations
- Microsoft Office Mac 2004/2008/2011 - Password protection only (no encryption) for Word documents
- Adobe Acrobat 10 Pro - Password protection and encryption for PDF files
Disk Encryption
Disk encryption safely protects all the data stored on a hard drive. When the entire hard disk is encrypted, everything on that disk is protected if the computer is lost or stolen. CSU Chico recommends the following drive encryption programs for non-portable storage devices. Click the appropriate link for more information on how to use each program:
- TrueCrypt works with Windows XP/Vista/7/8/Server, Mac OS X, and Linux
- Windows BitLocker works with Windows Vista/7/8/Server/10/11
- FileVault works with Mac OS X
Encryption for Portable Storage
CSU Chico recommends the following encryption methods for protecting files and folders stored on portable storage devices such as, USB sticks, external hard drives and other mobile devices. Click the appropriate link below for more information on how to use each program:
- 7-Zip is an open-source, free utility that provides AES 256-bit encryption for files and folders under Windows 7/Vista/XP/2008/2003/2000
- Disk Utility is built into Macintosh OS X
Email Encryption
Emails may be encrypted and/or authenticated to prevent the contents from being read by unintended recipients. Please ask your ITC or the Information Security Office if you believe you need to encrypt e-mail messages.
Network Encryption
It is possible to encrypt entire networks, which may be desirable in certain situations. If you think this may be relevant to you, please contact your ITC or the Information Security Office.
Secure Disposal of Paper & Electronic Media
Any data storage medium - paper, computer, copier, hard drive, tablet, smartphone - should be treated as if it contained protected data when it comes to disposal of that storage device. It's simply too easy for thieves to piece digital or analog data back together again and make use of the results for their own nefarious purposes. It's incumbent on all of us to make that task as difficult as possible, and it really doesn't take a lot of time.
Paper
Under State Civil Code 1798.80-82, FERPA, and HIPAA, paper documents containing personally identifiable or confidential CSU Level 1 or Internal Level 2 information must be shredded.
Purchasing a Shredder
Departments that may shred Level 1 or Level 2 data should purchase cross-cut shredders with a minimum 1/8" strip cut X 2" cross cut. Credit Card data must use cross-cut shredders.
For more information about shredder security levels see: Shredder Security Levels (PDF)
Shredding Requirements for Level 1 & Level 2 Data
Shredders used for the destruction of Level 1 & 2 data must be at least “shredder security level 3", 1/8" x 2" Cross Cut.
On-Campus shredding of Level 1 data is available through FMS Facilities bins.
- CSU employees must monitor the destruction of Level 1 data.
- Bins used for the collection of Level 1 data must be locked and inventoried.
- Documents identified for destruction and removed from secured storage must be locked and secured until destruction.
- Bins containing Level 1 data should not be released to individuals that do not present appropriate ID and proof of employment.
- Appropriately shredded Level 1 documents may be recycled.
On-campus shredding of Level 1 data using unlocked Facilities bins is prohibited.
Electronic Media Disposal & Destruction
Learn how to
implement secure electronic media disposal and destruction procedures.HDD Reformat
In certain circumstances, such as in the case of on-campus intra-departmental transfers, a media drive may be reformatted to ensure no confidential data is accidentally carried over. Contact ITSS for more information.
HDD Wiping (Non-SSD Drives)
If a computer is being reassigned outside of the current administrative unit, all storage must be wiped by Darik's Boot and Nuke.
Solid State Drive Wiping (SSD)
Current methods of wiping hard drives are not effective on SSDs. Encrypt the hard drive using BitLocker, PGP Whole Disk, or File Vault 2 (Mac) (NOT True Crypt). When the drive is ready for retirement, simply delete the encryption key which leaves the drive inaccessible.
Labeling Wiped Storage Drives
When storage drives are wiped, even in the case of reassignment on campus, the drive must be reformatted or wiped and then labeled with the Certified Wiped Media label. The person performing the wipe certifies and dates the label. If the hard drive cannot be removed, the label is affixed to the top exterior of the case.
Disposal of CSU Chico-tagged property
A property management department form must be completed prior to disposal of all CSU, Chico computer property. Internal hard drives must be either wiped (and labeled) or removed and destroyed via secure e-waste.
Disposal of non-tagged property
Secure electronic waste, or e-waste, comprises items such as hard drives (wiped and labeled), USB drives, CDs, DVDs, optical disks, magnetic tapes, etc. To dispose of non-tagged property please contact Property management or Environmental Health and safety.
- If the electronic item is still working, regardless of if it has a property tag, please contact Property Management at ext. 5176.
- If the electronic item does not have a property tag and it is not working, please contact Environmental Health & Safety at ext. 5126.
A note on multifunction devices and data
A document scanned in copier, fax, or scanner mode on a multifunction device, or print data sent from a printer driver, is stored on the machine's hard disk, even after the job is completed.
To erase data after each job completion or disk erasure on a Lanier multifunction device, an optional Data Overwrite Security unit is required. You can then use NSA, DoD, or random number erasure procedures to ensure data recovery is no longer possible.
If you have a Lanier multifunction device that will be disposed of, surplused, or sold back to Lanier, you must delete the data on the hard drive and affix a Certified Wiped Media label to the device. Please consult with the information security office at isec@csuchico.edu for more information.