Do you know what “University Protected Information” is?

I’m guessing that you probably don’t know exactly what we mean when we say “University information” in a security related discussion.  This is because the definitions are buried in the fairly recently published University Information Security Policy and just like End User License Agreements, nobody likes to read policy statements until we have to.

Those of you involved in human subject research, anything HIPAA related, etc are, I’m sure, much more conscious of protecting things like patient information, health records, etc.  Or at least I sincerely hope you are.  But those of you routinely doing “other UVM business” may not be as familiar.

So, extracted from this policy document:

The following definitions apply to UVM information, and not to information about yourself or your friends or family that is unrelated to UVM. 

“Personally Identifiable Information” is any information about an individual that (i) can be used to distinguish or trace an individual’s identity, such as name, social security number, date and place of birth, mother’s maiden name, motor vehicle operator’s license number or non-driver identification card number, or biometric records; and (ii) any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information.

“Protected Health Information” refers to individually identifiable health information transmitted or maintained by electronic media or maintained in any other form or medium, but excludes certain education-related records and certain employment records held by an employer.

“Protected Student Information” is student education records maintained by the University, whether by academic or administrative units, and protected under the Family Educational Rights and Privacy Act (FERPA) and as described more fully in the UVM FERPA Rights Disclosure policy.

[FERPA Rights Disclosure document is here]

“Confidential information” is sensitive information about individuals, the University, or University property, including, without limitation, Personally Identifiable Information, Protected Health Information, information involving certain legal matters, or business and financial transactions, grant applications, student records, pending patent applications, institutional electronic security architecture, and information about security breaches or other events.

Protected Library Records – means patron registration records that contain the information a University library patron must provide to be eligible for library privileges and patron transaction records that contain personally identifiable information related to an individual’s activities within the University libraries.

In order to easily protect UVM from a data breach, which admittedly would be very costly to the institution both financially and in reputation, UVM now requires that all UVM owned laptops be encrypted using our licensed PGP encryption.  UVM also requires that home computers used for “UVM business” be encrypted as well.

It’s my opinion that vastly increased security could come from less drastic measures, such as educating the people performing the work of exactly what constitutes sensitive information. Which brings us to this post.

Takeaways from the above:

It would be wise to consider NOT using your personal devices and home computers for UVM related business

If you do choose to do so, it would be wise to:

  • Store UVM related documents containing protected information ONLY in UVM network storage (Zoofiles or Active Directory), not on Dropbox, Carbonite, iCloud or any form of personally available local or cloud storage and not on the local hard drive of the computer
  • Set your email programs NOT to cache your email on the local machine if you can (note that UVM webmail is NOT immune to caching since it stores snapshots of visited pages in the web browser temporary directory)
  • Make sure that all your devices are protected by a password, passkey or equivalent and where possible ensure that theft target, easy to lose devices such as smartphones and iPads are protected by remote location and erasure services, if any.  Apple offers a “find my device” service that is capable of locating a misplaced or stolen device (which in my experience works frighteningly well) and also remotely wiping the data off of it, if it cannot be retrieved.

If we all do our part to be aware of sensitive data and take fairly common sense steps towards protecting it, UVM will be protected from expensive and embarrassing data breaches.  It’s also a good idea to implement some of these measures to protect your personal property and information as well.