Data Protection @ UND

Why protect data?
We, as employees of UND, have a legal obligation (governed by laws like HIPAA and FERPA) and an ethical obligation to protect the personal information of our students, faculty, and staff, and also to protect all confidential information entrusted to us.  See the NDUS Data Classification Standard to see what types of data are considered confidential and therefore should be protected.  Breaches or unauthorized disclosure of confidential information could have serious implications to UND and our community members including financial losses, damage to the University’s reputation, loss of grants, and identity theft.

What can I do to protect data?
There are many things you can do to protect data, but here are the top 10.

1. Foster a security-minded culture.  Follow the advice in this article, and encourage your co-workers to do the same.

2. Stop collecting and storing data unnecessarily. If you don’t need to collect and store sensitive information, don’t.  If you have a departmental form or process that asks for Social Security Numbers (SSN’s), student ids, or employee ids, and you don’t really need that information, don’t ask for it.

3. Don’t store sensitive data on your personal computers (especially laptops).  If your department has a file server available to you, store your data on these servers.  Storing sensitive data on laptops is especially risky, since laptops are more likely to be lost or stolen.  You should also identify and remove all unnecessary files from your computer, especially those files that contain SSN’s, credit card numbers, driver’s license numbers, research data, or other such confidential information.  You should consider installing and running Spider on your computer.  It is an open source (free) software application developed at Cornell which can scan your computer and find files containing sensitive information.

4. If you must store sensitive data on your laptop, consider encrypting it. Talk to your local IT support personnel, or the IT Security Officer, about options (and risks) for encrypting data on your pc and mobile devices (like laptops, PDA’s and USB drives).  Encryption is a method to transform your data so that it becomes unreadable by others, and only you have the key, typically a password, to make it readable again.  The main risk is that if you lose or forget this password, you will never be able to read the data again.  If you are using Windows XP or Vista, you can use the built-in encryption – visit the Windows EFS page  for more information.  There are also a few open source encryption products available such as GnuPG, GnuPG for Windows and TrueCrypt.

5. Protect the paper documents.  Don’t forget about the paper printouts, forms, or other documents you may be saving that have sensitive data on them.  You should dispose of these documents according to UND’s Records Retention Schedule when you no longer need them, and make sure they are properly shredded or destroyed.

6. Understand email security.  You should never send sensitive information through email unless it is encrypted.  By default, email is not a secure transmission method, and this information could be intercepted and read.  Also, be suspicious of emails with attachments.  Email attachments are a common method to deliver viruses and other malicious programs.  If you are not expecting an attachment or the email looks suspicious, check with the sender prior to opening the attachment to make sure it is legitimate, or, even better, just delete the email.  Finally, don’t fall prey to phishing attempts.  Phishing is when someone sends you an email pretending to be someone you trust and asks you to provide sensitive information, such as a password or credit card number.  More information on phishing can be found at OnGuardOnline’s phishing page.

7. Use updated antivirus software. Antivirus software protects your computer from viruses that can destroy your data, slow your computer's performance, cause a crash, or even allow spammers to send email through your computer.  Antivirus software works by scanning your computer and your incoming email for viruses, and then deleting them. You need to make sure to keep your antivirus software up to date with the latest signature files in order for it to be effective.  The good news about antivirus software is that UND has this software available for free for you to download and use on both your work and home computers.McAfee VirusScan Enterprise and VirusScan for Macs are available athttp://itsecurity.und.edu/virus.html.

8. Keep your operating system up-to-date.  Operating systems should be set to automatically retrieve and install patches for you.  Doing this will help to make sure your computer is not vulnerable to an attack.  Here is a tutorial for turning on automatic updates for Windows XP or Vista.  Here is a tutorial for turning on automatic updates for Mac OS X.

9. Use a personal firewall.  Firewalls help keep hackers from accessing your computer to delete information, to crash your computer, or to steal information without your permission. While antivirus software scans email and files, a firewall is like a guard, watching for outside attempts to access your system and blocking communications from and to sources you don't permit.  Here is a tutorial for turning on the Windows built-in firewall.  Here is a tutorial for turning on the Mac OS X built-in firewall.

10. Use updated antispyware software.  Anti-spyware software helps protect your computer from malicious programs called spyware that may be inadvertently installed on your computer while you are browsing the Internet.  These malicious programs may do things such as display pop-up advertising on your computer, collect and relay your personal information, or change the configuration of your computer without appropriately obtaining your consent first.  Microsoft Windows Defender is a free software program designed to protect against spyware.  If you are using Windows XP, you can download Windows Defender for free.  Windows Defender already comes with Windows Vista, so if you are using Vista, you do not need to download it.  There are also other free antispyware programs available such as Spybot and Ad-aware (available for home use only - not University computers)..