Guidelines for Protecting Restricted Data
Approved: February 2018
According to NIU’s Data Classification Guidelines, one important property of Restricted Data is that the “unauthorized disclosure, alteration or destruction of that data could cause a significant level of risk to the University or its affiliates.” Everyone in the NIU community has a responsibility to protect the Restricted Data under their control irrespective of whether the data is digitally or physically stored. Moreover, NIU’s Information Incident and Data Breach Policy places the responsibility and the cost of data breaches within the NIU Division within whose area of responsibility the breach occurs. As of 2016, the cost of data breaches in the U.S. was estimated at $221/record with an average of 30,000 records breached per incident.
Note: This document describes the practices for protecting Restricted Data in general and does not address the additional and specific requirements for protected health information under HIPAA or payment card information under PCI/DSS.
1. Do not collect or store Restricted Data unless absolutely necessary.
The Illinois Personal Information Protection Act (815 ILCS 530) defines personal information and the required notifications for any breach of that personal information. The best way to protect against a breach of personal information is not to have it in the first place.
- Do not collect Social Security numbers or Driver’s License numbers for personal identification. The loss of a person’s name and SSN alone is enough to trigger mandatory breach notifications under many federal and state laws. Although old NIU paper forms may still ask for an SSN beyond the initial hiring forms, this does not constitute an absolute requirement to provide the data and the forms should be revised as soon as possible.
- Truncate, de-identify or redact Restricted Data whenever possible.
- Store only the minimum amount of Restricted Data possible and know how and where it is stored.
- When there is no longer a business need or requirement for retention, securely delete Restricted Data either by securely deleting electronic files or shredding the paper documents. Any deletion of records must comply with Illinois laws governing disposal and retention and NIU's Record Schedules.
2. Do not print Restricted Data unless absolutely necessary.
- Do not print copies of electronic records that contain Restricted Data. Current business practices that require paper backups of electronic records should be changed. Printing copies for use as mere backups is a bad practice.
- If printed forms require the use of Restricted Data such as Social Security numbers or Driver’s License numbers for identification, these forms must be stored in a physically secure area in a locked filing system that restricts access to named personnel.
- Where possible, Restricted Data on printed forms or documents should be redacted.
- Employees who work with printed copies of Restricted Data must take care to secure their work area before leaving it unattended. This includes locking office doors and removing keys from obvious areas such as unlocked desk drawers.
3. Properly protect digitally-processed Restricted Data.
- Do not store any NIU data on your personal devices.
- Do not store NIU Restricted Data on any mobile device including laptops, tablets, smart phones, external hard drives, flash/USB drives, or other external media such as CDs, DVDs, etc.
- Encrypt Restricted Data when it is transmitted.
  - NIU’s Microsoft Office365 suite is properly encrypted in transmission and can be used to email or transmit Restricted Data when necessary.
- Encrypt Restricted Data when it is at rest.
  - NIU’s Microsoft Office365 suite is properly encrypted at rest and can be used to store Restricted Data in OneDrive or SharePoint.
  - Other properly encrypted storage includes NIU’s PeopleSoft (MyNIU) systems, OnBase, and Blackboard.
  - Local file shares and servers are not properly encrypted for storage of Restricted Data unless users have taken affirmative action to encrypt the files before placing them on a shared drive.
- Use strong passwords if you have access to Restricted Data and do not share them with anyone, anywhere.
- Use different passwords for your university and personal accounts.
- NIU staff with access to personal health information, credit card information, or other specially Restricted Data must use Multi-Factor Authentication (MFA) to log in.
- Secure laptops, tablets, smart phones, external hard drives, flash drives, CDs/DVDs or any other mobile storage devices at all times.
- Keep devices, applications and anti-virus software up to date.
- All NIU laptops should use full disk encryption to prevent data loss.
- Back up all critical Restricted Data to DoIT’s approved backup service that is suitable for storing copies of NIU’s Restricted Data. Be familiar with your unit’s disaster recovery or business continuity plans and procedures.
- Understand any contractual relationships and requirements with vendors or external agencies that may require access to NIU’s Restricted Data. All vendor contracts that include the storage or transmission of NIU data should be reviewed by the Chief Information Security Officer and successfully pass a vendor assessment.
4. Beware of social engineering scams.
- Don’t give anyone your password. NIU’s IT Service Desk will never ask you for your password.
- Delete spam or suspicious emails; report them to firstname.lastname@example.org
- Review and keep current on security awareness. Employees with access to certain kinds of Restricted Data must take online education courses and assessments to maintain their access.
- Prevent shoulder surfing by shielding your devices so others can’t see the Restricted Data on your screen or your passwords as you type them.
- If you think someone may not belong in an employee-only area, offer to assist them to find their way.