This article is part of a series about the University of Utah’s information technology and IT security policies. Read last month’s article: IT security policies are critical to the U’s mission.
Now that you’re familiar with some of the University of Utah’s information technology and IT security policies, let’s look more closely at one of the most critical regulations, Rule 4-004C: Data Classification and Encryption.
Generally speaking, the Data Classification and Encryption Rule outlines what’s required in order to manage and protect various levels of university data. It defines the classes of data and your responsibilities for each type.
The catch: If you come into contact with restricted or sensitive university data — no matter your role — you must follow the rule.
“Let's say I'm a volunteer, not on the university’s payroll, but I volunteer my services and I handle some of this data, then this policy applies 100 percent,” said Trevor Long, associate director for Governance, Risk & Compliance (GRC) in UIT’s Information Security Office (ISO).
The rule, and all others under Policy 4-004: University of Utah Information Security, exists to protect university data and the personal information of its students, faculty, staff, affiliates, patients, and guests. If the university and its members don’t comply, they not only open the door for potential malicious attacks, they can also be held liable for not safeguarding the data.
Data classification and encryption
The university classifies data into three categories—restricted, sensitive and public—according to its level of sensitivity and associated legal requirements. A matrix of the data classification model can be found in the Data Classification and Encryption Rule.
Restricted data, the highest level of sensitivity, must be protected as required by federal or state laws and regulations, and contractual obligations. Data types include personally identifiable information (PII), protected health information (PHI), payment card industry (PCI) and financial and donor information.
Sensitive data, which has a moderate level of sensitivity, must be protected. The protection of sensitive data is required by the data steward, a university official who has policy-level responsibilities for the access and management of institutional data in their functional area(s), or other confidentiality agreement(s). Some data types include employee and student information (as outlined under the Family Educational Rights and Privacy Act), intellectual property and contracts.
Public data, the lowest level of sensitivity, may be protected at the discretion of a data steward. Some data types include information about program and degrees, academic and resource centers, business contacts and hours, and maps—all available on the U’s public-facing websites, Long said.
“There's no law or regulation around public data like there is around sensitive or restricted data. For example, the Health Insurance Portability and Accountability Act (HIPAA) is the wrapper around PHI,” he said. “Same with PCI — even though it's not a government regulation, it's an industry standard. And if the U wants to continue to use credit cards as a form of payment, then we must do a yearly audit that verifies our compliance with PCI requirements.”
Restricted data must be encrypted, or converted into a code that helps prevent unauthorized access, at rest or in transit (see the infobox below). Sensitive data may or may not need to be encrypted. “It’s at the discretion of the designated data steward,” Long said, noting that policy states that the encryption of sensitive data is strongly recommended. Public data does not require encryption, although it’s encouraged.
Most mobile devices (e.g., smartphones or tablets) can be encrypted by activating a passcode, PIN, biometric ID, or other identification method. Securing desktop and laptop computers, however, may require more technical knowledge — one reason why Long and his colleagues strongly recommend that all restricted and sensitive data are kept on a university-managed device.
The biggest reason, though: Personal, or bring-your-own, devices must comply 100 percent with Policy 4-004: University of Utah Information Security if they create, process, store, or transmit restricted or sensitive university data.
“If you use your own device, you are responsible for understanding the security policy well enough to configure your device to ensure it is compliant.”
Dustin Udy, security assessment team lead for ISO’s Enterprise Security team, said using your own device is not worth the headache or the risk—to the university or you.
“It's so much extra work. If you use your own device, you need to be or you essentially become an IT person. And not just that—you’re also a data expert,” Udy said. “So, my stance is just don't do it.”
To lower the U’s security risk, organizations should—and typically do—provide employees with managed devices. Unfortunately, Udy said he’s worked with research labs that could be in contact with sensitive or restricted data, and have told students to use their own devices for work.
“Could you imagine if a world-class researcher lost his work before he published it?” he said. “So, organizations should pony up a couple hundred bucks [for managed devices]. Don't require your students or temporary staff to use their personal devices because they can accidentally or intentionally walk out with your data. And there's no way you're going to recover it.”
Indeed, the consequences of not complying with the policy could be significant for the university, its units, and users, who could be held liable for safeguarding that data, too.
Since there are federal regulations for most restricted data and some sensitive data, Long said the university could face investigations and fines or penalties for noncompliance. With PCI, the university also could lose the ability to process credit card transactions. Then there’s the damage to the U’s reputation.
“It's about trust,” Long said. “I want to be involved with an organization that is doing its best to protect my data, to keep track of my PHI and other types of sensitive data. That is handling laptops and other devices properly when they are retired, etc. That is the organization that helps foster trust, and that is a big deal in 2021.”
Data hygiene and retention
If you interact with restricted or sensitive university data, it’s important to organize and routinely clean up your email inbox and subfolders, and files that are not immediately or no longer needed. If you might need those items later, move them to a university-approved cloud service like Box, Remynse said. If you don’t need them anymore, get rid of them.
It’s good data hygiene, Remynse noted. And it prevents data hoarding, Long added.
“Occasionally go through your data and delete it or clean it up,” Remynse said. “Then, if malware or a threat actor gets on that device, there's less risk because there are fewer things they could get into.”
Udy added that you can’t remove data appropriately if you don’t know what you have and where it’s located. That’s why it’s important to keep track of where you store your files.
Most often, Remynse said, the data will be on your desktop, or in your downloads or documents folders. Your local drive and email client, however, aren’t the only places you need to check.
In addition to backups on encrypted, external hard drives or devices (e.g., flash drive), you’ll need to check any cloud accounts that sync with your devices.
“If your phone backs up to your personal Google Drive or Apple iCloud account, you need to make sure that those backups are deleted when you reset the phone. It goes back to knowing where your data lives and which cloud services might be backing it up automatically,” said Remynse, noting that some cloud providers aren’t encrypted, which would be a violation of policy.
One option, Udy said, is to set your work devices to sync only with your U cloud accounts, such as Box and Microsoft Office 365, which are protected by two-factor authentication. If you send or backup that data anywhere else, “you have to now maintain that data where it is at all times,” he said.
Additionally, those with access to restricted or sensitive data should be mindful of the associated retention policies or regulations. University regulation, for example, requires that HIPAA data be saved for seven years.
In addition to following all federal, state, and university regulations, Udy said organizations should have their own internal processes for data handling and retention. Those should include creating a data retention policy, routinely managing data on local machines, file servers, and shared drives, and appointing a data steward, data custodian, and data administrator.
To properly remove data from your devices, start by deleting the files.
If you use a university-managed device, that’s likely all you need to do before turning the device in, although Long said it would be good to confirm with your IT support staff that the device has been erased.
If you use a personal computer—which, again, ISO stresses that you shouldn’t—at the minimum, you’ll need to reimage the encrypted device. If the computer is older and uses a spinning hard drive, the drive should be removed and destroyed before you discard the device. Mobile devices should be reset to factory standards.
While your local IT support staff or the campus or hospital help desks may be able to help, ultimately, your devices are your responsibility.
“It is just much better to use a university-managed device than it is to use your own and have to do all this stuff to make sure your device is compliant with the university's security policy,” Long said.
And there’s enough to keep up with as it is.
At-rest vs in-transit data
Restricted data must be encrypted at rest or in transit. University regulation states that encryption for sensitive data is strongly recommended, at rest and in transit, and should be in accordance with the data steward’s requirements. But what do those terms mean?
At rest: Data that’s stored on a hard drive, flash drive, or other device.
In transit: Data that’s moving from one place to another (e.g., uploading a file to Box).
- Rule 4-004C: Data Classification and Encryption
- Policy 4-004: University of Utah Information Security
- Policy 4-001: University Institutional Data Management
- University-approved platforms for restricted and sensitive data
- FERPA: Sharing and storing student data securely
- Encrypting university email (PHI)
- Protect your computer or device
- Information Security Office