Security of Sensitive Data
Overview
Creighton University has legal and ethical obligations to ensure that private and legally protected institutional information, such as the SSN and other personal identifying information (PII), is secured in a manner that minimizes the risk of unauthorized or inappropriate use or disclosure. Personal identifying information is defined here as social security number, credit or debit card number, and banking account numbers.
Creighton will no longer use Social Security Numbers to identify students, employees, or other persons with a CU relationship, except for those uses required by law, such as payroll, benefits, and financial aid. Our intent is to prevent unauthorized use of or access to SSNs and other PII.
Neither the Social Security Number nor any portion of the Social Security Number will be collected, stored, or transmitted unless authorized in writing by the Information Security Office. Departments or individuals who are authorized to collect, store, or transmit Social Security Numbers will be required to follow stringent guidelines to secure such data, which must be stored on central University resources where extra levels of security will be applied.
Guidelines
Schools, divisions, and departments must follow a set of administrative, physical, and technical procedures to protect the confidentiality of private information.
Access Guidelines
Access to sensitive information is limited to those who need to use the information in the performance of their job responsibilities.
- Steps must be taken to maintain the privacy of private information such as SSN. For example, this includes taking reasonable steps to remove SSNs from public view (on computer displays and paper documents), to ensure that conversations concerning SSNs are conducted as privately as possible, and that SSNs are physically secured when not in use.
- Strong passwords should be set on computer systems used to access sensitive data. Password screen savers, desktop locking, or logging off systems should be employed when your computer system is unattended.
- Desks and file cabinets containing private data such as SSNs should be locked when unattended by an individual with access to the private data.
- Laptops are inherently physically insecure since they can easily be stolen. Unencrypted private data may not be stored on laptops. Cable locks are available for securing laptop computers and act as a deterrent to theft. Special care must be taken to protect laptops against theft in airports, hotels, and other off-campus sites. Follow these tips for protecting your laptop on the road.
- Servers containing SSN data should be housed in secure spaces with appropriate system access controls to protect against unauthorized access, and be protected against malicious software.
- Removable media, such as flash or jump drives and CD/DVDs, may not be used to store unencrypted SSN data.
Transmission Guidelines
Sending SSN over the Internet or by email is prohibited unless done in a secure environment. Appropriate measures must be taken to ensure the confidentiality of fax and paper transmissions containing SSN.
- When SSN is shared with a third party, a written agreement must be entered into to protect the confidentiality of the SSN.
- SSN should not be included in email text or attachments unless done in an encrypted environment. Not all email servers encrypt the transmission of messages and email sent between servers is usually not encrypted.
- SSN should be removed from paper forms and faxes unless required by law or determined to be necessary by the appropriate data owner.
- When SSN is exchanged on paper, steps must be taken so the number is not revealed. The SSN must not appear in an envelope window.
- Fax transmissions over phone lines (fax to fax) are secure if appropriate safeguards exist when faxing SSN to make sure that the recipient's fax number is correct and that the recipient does not leave the fax in an unsecured area.
- Fax transmissions involving computer networks (fax to computer, computer to fax, computer to computer) are not secure and should not include SSN.
Use Guidelines
SSN data may only be used for the stated legal and/or business purpose for which it was collected. In addition, SSN data may not be shared with others and may only be disclosed as authorized by law or with specific consent from the individual from whom it was collected.
- The SSN may only be used in a manner consistent with authorized access and the duties and responsibilities of the position.
- The SSN may not be provided to anyone without proper authorization. You may not delegate your authorization/access to SSN data to anyone.
- Copies of SSN data or records will not be made except as required in the performance of duties.
- SSN data for which there is no longer a business need will be destroyed or disposed of securely.
- SSN data will not be used for any personal or commercial purposes.
- Any unauthorized access to SSN data will be reported immediately to the appropriate supervisor.
- Unauthorized use of SSN data will result in the removal of access privileges and could also result in appropriate administrative action, including, but not limited to, disciplinary and/or legal action.
Storage Guidelines
Units must actively work to remove SSN data from local electronic files, databases, images, and paper documents. Any University office that collects and maintains an individual's SSN must ensure that the SSN is stored in a secure and confidential environment, eliminate use of the SSN for any purpose except that for which it was collected, and follow the guidelines below for the disposal of records containing the SSN. The objective is that private "data at rest", i.e., "stored private data", should be encrypted unless it has been transmitted to a secure network as authorized by the Information Security Officer.
- As a general practice, SSNs may not be stored on a local workstation or laptop, or on a floppy disk, CD/DVD, PDA, USB flash drive, or other portable storage device. Several recent information security incidents at universities have involved the theft of such devices containing SSNs. If storing SSN on such a device is absolutely necessary for legal or business reasons, the information must be encrypted and the device must be physically secured.
- Computer applications requiring the SSN must store the SSN on an authorized secure network server that is physically secure (in a secure environment), as well as protected from unauthorized access and against malicious software. Encryption of the data is advised to add another layer of security.
- On-site Storage: Tapes, disks, backups, and other electronic storage devices containing SSN and other PII must reside in secure physical locations.
- Off-site Storage: Any electronic storage media containing SSNs or other PII taken off-site must be protected by encryption.
- Documents and forms containing SSN should be stored in a restricted access area, such as secure cabinets or a locked desk, available on a limited basis.
- Anyone working with paper documents that contain SSNs must take steps to protect the confidentiality of the information: desks and file cabinets containing SSN data should be locked when unattended.
Disposal Guidelines
As SSN is eliminated from the normal course of business, organizational units must follow these standards for secure disposal.
- Prior to disposal, steps must be taken to destroy portable electronic storage devices, floppy disks, and CD/DVDs containing SSN and other PII.
- Prior to recycling or disposal, desktop, laptop, and server disks containing SSN must be erased (scrubbed) using current industry standards.
- Paper documents containing SSN should be shredded locally or disposed of in accordance with industry best practices.
Password Tips
- Never tell your password to anyone!
- Never write down your password in an obvious location.
- Make your password hard to guess — do not use the name of your pet (or your kid).
- Avoid using words found in a dictionary.
- Never write down your password in an obvious location.
- The more random your password, the better.
- Be sure that you don't use personal identifiers in your password (like your name or NetID).
- Never write down your password in an obvious location.
- Take responsibility for your NetID.
- ...and never tell your password to anyone!