Sensitive Information Handling
January 10, 2019
Executive Director, Gallaudet Technology Services
Many Gallaudet University departments handle sensitive information about students, faculty, and staff that the university must safeguard against the loss and theft of sensitive information. All individuals who have access to confidential or restricted data are required to sign a T1 Information Security Agreement (see Information Security Guidelines) and ensure the protection of data to which they have access.
Storage of Sensitive Information
All sensitive electronic information including all Gallaudet University constituent Social Security Numbers (SSNs), birth date, credit card, and other personal identification information must be stored on Gallaudet University data center servers, rather than on personal and departmental PCs, laptops, or other storage media including portable drives, USB thumb drives, and CDs/DVDs. IDfinder software is being deployed to help end-users to identify and remove sensitive information from their personal and departmental devices.
Transmission of Sensitive Information
If sensitive information needs to be transmitted (moved to others or other locations), individuals are responsible for ensuring that the transport is via secured transport methods (e.g., secure FTP, secured USB drive, private tunnels or VPN (virtual private network). If sensitive data must be transmitted via USB thumb drive, the drive must be secured and offices are responsible for buying their own secured USB thumb drive from vendors such as IronKey or Kingston. Individuals are expressly prohibited from transmitting any sensitive data or personally-identifiable information via unsecured email.
Storage of Sensitive Information with External Vendors
In cases where Gallaudet University departments task external vendors or contractors to work with sensitive university data, then the data steward (e.g., Huamn Resources, Registrar) working with the external vendor or contractor must inform GTS of such projects upon initial discussion via submission of a IT Service Desk ticket. The specific data delegation and data transmission methods must be documented and approved by the GTS Executive Director and the budget unit head of the office that has data stewardship responsibilities. All such approval shall be documented within the IT Service Desk system and in the GTS Information System Inventory. All data shared with outside vendors must be stored and transmitted in an encrypted format.
Reporting Sensitive Information Handling Violations
If you witness a violation to this policy, you need to notify the appropriate university authorities.
Gallaudet University employees should report a violation to this policy in the following manner:
- They should first report the violation to their immediate supervisor. The employee provides documentation of the violation including date, time, location, and department.
- Supervisor reports the violation to their Budget Unit Head (BUH) nd the senior administrator for their unit, typically a University Dean or Executive Director. The report should include any documentation of the violation.
- The Budget Unit Head and/or Senior Administrator escalates the report to the GTS Information Security Officer (ISO) and to the Manager of Risk Management for investigation and resolution.
Gallaudet University students should report violations of this policy to both their Academic Advisor and the GTS Information Security Officer (ISO), with a copy to the GTS Executive Director.
Alumni, Visitors, or others
Gallaudet University visitors should report violations of this policy directly to the GTS Executive Director and the GTS Information Security Officer (ISO).
Last Reviewed: 11/04/2019