Information

Private Information Handling Quick Reference Table

Private Information Handling Quick Reference Table

Updated 8/14/12

This table provides recommendations on the correct handling of private information at RIT.

New York State defines private information (PI) as any personal information concerning a natural person combined with one or more of the following data elements: Social Security number, driver's license number, account number, or credit or debit card number in combination with any required security code.

Digital Self Defense 103 - Information Handling fulfills the training requirement for handling RIT Private or Confidential Information.

Consult the Identity Finder End User Guide for Windows or Mac for more information.





Situation

Identity Finder Instructions (Preferred)

General Instructions (Use if Identity Finder is NOT available)

I no longer need the files containing the private information

Delete the files using the "Shred" command. This can be done from within the Identity Finder interactive scan report or by right-clicking on the file or folder and choosing "Identity Finder/Shred." If you are unable to delete the file, contact your help desk.

Delete the files securely. Use a secure file deletion utility such as Eraser. Contact your campus support organization or the RIT Information Security Office at infosec@rit.edu for recommended products.

I need to keep the files, but I don't need the private information

Sanitize the information by using the "Scrub" command. This can be done from within the Identity Finder interactive scan report. Identity Finder will replace the Private Information with x's. Note that this option is not available for all file types.

Sanitize the documents by deleting any private information such as Social Security Numbers (SSNs) or credit card numbers. Save a new copy of the sanitized document and delete the original file.

I need to continue to have a unique identifier for each individual

Sanitize the information by using the "Scrub" command. This can be done from within the Identity Finder interactive scan report. Identity Finder will replace the Private Information with x's. Open the file and replace the x's with unique identifiers not based on the SSN.

Sanitize the documents by eliminating the private information. Convert SSNs to University Identification Numbers (UIDs).

 





Situation

General Instructions for Handling Private Information

I need to keep the complete files containing the private information

Unnecessary possession of Private information should be eliminated.

  • There must be a business need to store this information and the system storing the information must meet all applicable RIT security standards (e.g., Desktop and Portable Computer Security Standard, Server Security Standard, etc.). In general, an RIT employee has a legitimate purpose for having access to the social security numbers of another individual when such number is required for:
    • tax or billing purposes
    • credit authorizations
    • background checks
    • in furtherance of submitting a federal or state governmental application that requires the transmission of an individual's social security number.
 

In addition, SSNs shall be maintained when required by either court order, subpoena, or by direction of the Office of Legal Affairs.

  • Consider encrypting the files.
  • Do not store the encryption key or password on the computer or drive containing the encrypted information.
  • Minimize the amount of records stored locally on a desktop or laptop computer by storing the information on an RIT file server.
  • Inform your manager and your Information Steward/Management Representative of the need to retain Private information.
 

Contact your help desk or the RIT Information Security Office for more recommended practices.

I need to carry the files on a portable computer, device, or media (e.g., Laptops, Flash Drives, CD/DVDs, smartphones)

Unnecessary possession of Private information should be eliminated.

  • Storage or conveyance of Private Information on portable devices or media is strongly discouraged.
  • Minimize the amount of records stored on portable devices or media by storing the information on an RIT file server.
  • There must be a business need to store this information and the system storing the information must meet all applicable RIT security standards (e.g., Desktop and Portable Computer Security Standard, Server Security Standard, etc.). In general, an RIT employee has a legitimate purpose for having access to the social security numbers of another individual when such number is required for:
    • tax or billing purposes
    • credit authorizations
    • background checks
    • in furtherance of submitting a federal or state governmental application that requires the transmission of an individual's social security number.
 

In addition, SSNs shall be maintained when required by either court order, subpoena, or by direction of the Office of Legal Affairs.

  • Private information (and RIT Confidential information) stored or transported on portable media must be encrypted.
  • Do not store the encryption key or password on the media containing the encrypted information.
  • If you are storing or transporting the private information on a portable computer, contact your help desk for encryption options.
  • Protect the private information from unauthorized use or theft.
 

Inform your manager and your Information Steward/Management Representative of the need to retain Private information.

I no longer need the portable media or hard drive, how do I dispose of them securely?

The RIT Information Security Office provides the following secure disposal recommendations:

  • Erase magnetic media (hard drives, LS120 media, old Zip/Jazz Cartridges, magnetic tapes) with a degausser.

    NOTE: the media may not be usable after degaussing.
  • CD/DVDs can be shredded in a media shredder.
 

A degausser and media shredder are available at the ITS HelpDesk in Booth 07B.

 

Requirements for Faculty/Staff

Faculty and Staff

Security Standards















Standard

When does it apply?

Desktop and Portable Computer Standard Always
Password Standard Always
Information Access & Protection Standard Always
Computer Incident Handling Standard Always
Portable Media Standard If you are storing Private or Confidential information on portable media, such as USB keys, CDs, DVDs, and flash memory. If you must store Private information on portable media, the media must be encrypted.
Web Security Standard
If you have a web page at RIT, official or unofficial, and you:

  • Own, administer, or maintain an official RIT web page that hosts or provides access to Private or Confidential Information.
  • Use RIT authentication services
Signature Standard If you are sending out an e-mail, MyCourses, or Message Center communication relating to Institute academic or business purposes. This applies to both RIT and non-RIT e-mail accounts.
Server Security Standard If you own or administer any production, training, test, or development server, and/or the operating systems, applications or databases residing on it.
Network Security Standard
If you own or manage a device that:

  • Connects to the centrally-managed Institute network infrastructure
  • Processes RIT Confidential or Operationally Critical information
Account Management
  • If you create or maintain RIT computer and network accounts.
  • Managers reporting changes in access privileges/job changes of employees.
Solutions Life Cycle Management
RIT departments exploring new IT services (including third-party and RIT-hosted, and software as a service) that meet any one or more of the following:

  • Host or provide access to Private or Confidential information
  • Support a Critical Business Process
Disaster Recovery

For business continuity and disaster recovery.  Applies to any RIT process/function owners and organizations who use RIT information resources.

NOTE The “in compliance by” date for this standard is January 23, 2016.

Authentication Service Provider Standard

If you are providing authentication services on network resources owned or leased by RIT.

NOTE The Authentication Service Provider Standard will retire on January 23, 2015 and be replaced by the Account Management Standard.

All instances of non-compliance with published standards must be documented through the exception process.

Information Handling Quick Links








Link Overview
Digital Self Defense 103 - Information Handling Covers important security issues at RIT and best practices for handling information safely.
Disposal Recommendations How to safely dispose of various types of media to ensure RIT Confidential information is destroyed.
Recommended and Acceptable Portable Media List of recommended and acceptable portable media devices (such as USB keys, CDs, DVDs, and flash memory).
Mobile Device Usage Recommendations Recommendations for mobile device usage at RIT
VPN Recommended for wireless access to RIT Confidential information.
E-mail at RIT Improve the security of your e-mail at RIT.

Safe Practices

  • Visit our Keeping Safe section to find security resources and safe practices and to see our schedule of upcoming workshops.

Questions

If you have questions or feedback about specific information security requirements, please contact us.

Cloud Computing Best Practices

Cloud Computing Best Practices

We've provided some general information below about cloud computing. At RIT, information handling requirements (including the use of non-RIT servers for storage) are articulated in the Information Access and Protection Standard. Refer to the standard for more information about storage restrictions based on information classification.

There are certainly some benefits to cloud computing, but the practice of saving content on the Internet is facing more scrutiny than ever. While there is no silver bullet solution to securing your cloud service, understanding how you can protect yourself is the best way to keep your information private.

  • Keep up to date with the latest cloud security developments. Because cloud computing is constantly evolving and adapting to new security threats, you need to upgrade your security as often as possible. As this article states, “hackers target vulnerable operating systems that don't have properly applied patches.”
  • Add file caching capability to your computer. Consider local caching of your files on your computer as a backup for your cloud service. Cloud computing is perfect for sharing team files, but the network can go down and bring project progress to a standstill. Having your files to work off of, even if they aren’t perfectly synced, is an essential backup if you want to continue working. This is also convenient if you encounter a security breach, because it allows you to find any changes or deletions in your files.
  • Don’t just rely on cloud computing. If it’s not maintained by you, there is never a guarantee that your information will be there. When Megaupload was taken down by the FBI, many users found that they lost all of their own data as part of that effort to stop the distribution of copyrighted materials. Cloud Service Providers (CSPs) sometimes recommend that you store your data with several cloud services, which is more costly due to subscription costs and is less effective than hosting your own backup system. Most CSPs save your information in one place, so you would be buying multiple services that depend upon a single source.
  • Know which programs or services you use that are supported by cloud service providers. This allows you to keep better track of what information you could potentially lose or have stolen in the event of a CSP security breach. This knowledge can be critical to protecting your private information; if you’re not aware of what is available, you may become an unsuspecting victim.
  • Be aware that your system can easily be transferred to another server in the CSP’s network. Although this is a major advantage of cloud computing, if you deal with sensitive or classified information it is better at this point in cloud service development to work exclusively with more secure in-house systems.
  • Keep up to date on any infrastructure or policy changes for your CSP. Having a good relationship with your CSP is important, to ensure that you know when they change how they handle and secure your information. Although you may not be able to access security information in the same way you could on an internal system, understanding how your information is saved and monitored could quickly alert you to a problem.
  • Compare encryption standards between various CSP’s. Look for an Advanced Encryption Standard (AES) since it’s the best standard currently available to secure your data. An SAS 70 Type II datacenter is also widely acknowledged as a very secure physical housing of information. Having access to a CSP with both of these systems will help secure your information a bit better.

 

To learn more about cloud computing:

 

 

Private Information Management Initiative (PIMI) FAQ

Private Information Management Initiative (PIMI) FAQ

What is the Private Information Management Initiative?

Updated 6/11/14

 

The Private Information Management Initiative (PIMI) is a program where the RIT Information Security Office helps RIT faculty and staff scan their computers and attached drives to determine if they contain private information (PI). When PI is found, each RIT faculty and staff member is responsible for remediating the private information by scrubbing or shredding the files.

The program also includes destruction of paper files containing nonessential PI.

The goals of the program are to identify and reduce the amount of private information at RIT. This reduction will help safeguard the RIT community against identity theft and will help RIT comply with relevant state and federal laws.

What is Private Information?

New York State defines private information (PI) as:

any personal information concerning a natural person combined with one or more of the following data elements: Social Security number (SSN), driver's license number, account number, or credit or debit card number in combination with any required security code. These combinations of information are often used in identity theft. 

The New York State Information Security Breach and Notification Act requires that RIT notify affected consumers if their Private information is compromised.

Why is RIT scanning my computer or drive for Private information?

RIT is scanning your computer or drive because we've found that scans have revealed the presence of Private information on many computers; even when the computer owners do not believe there is any Private information present. We want to reduce the potential for identity theft occurring as a result of information obtained from RIT computers.

How is RIT authorized to scan my computer?

RIT is authorized to scan computers using the RIT network in order to protect the RIT community. See the Computer Code of Conduct and Network Use and the Privacy Policy.

It is important to note that the Information Security Office may inspect the results of the scan only to aid in remediation efforts.

Are other universities doing anything similar?

Many universities are beginning to scan for Private information on computers connected to their networks and have begun remediation of paper files and other media containing Private information.

Responsibilities

What are my responsibilities in the Private Information Management Initiative?

Your responsibilities as faculty or staff may be found here.

Scanning and Results

How will RIT scan my system?

Your computer is scanned by Identity Finder (IDF) software installed on your computer. The scans will be initiated from a central scanning server administered by the RIT Information Security Office. Identity Finder also allows you to initiate an on-demand scan. You do not have to be connected to the network to initiate an on-demand scan.

What do I do if the scan is slowing down my computer or I would like to pause it temporarily?

It's easy to Pause Identity Finder so that it doesn't impact your productivity significantly. Go to your system tray, right click on the Identity Finder icon (Ctrl-click for Mac) and choose Maximize. Then click on the Pause button. When you're ready to resume the scan, click on Resume.

What happens when Identity Finder finds Private information?

Identity Finder will generate an interactive report of suspected Private information matches and provide user-friendly tools to erase the information securely or remove the Private information (e.g. Social Security Number, Bank Account Number, Credit Card Number or Drivers License) from the files directly from the interactive report. You may also identify "false positives" by choosing "Ignore" within IDF. The Information Security Office will verify that the ignored files do not contain Private information.

I've completed a search and Identity Finder is asking me how to proceed. What should I do?

When Identity Finder completes its search, review the list of results to begin Shredding or Scrubbing Private Information and Ignoring "false positives."

How do I shred, scrub, or ignore a match?

You can choose shred, scrub, or ignore by right-clicking on the check box next to the entry and choosing from the options available. NOTE: not all options are available for all file types.  Process the entire list before closing Identity Finder.

What do I do if Identity Finder doesn't find Private information?

If Identity Finder completes its search and no Private Information is found, close Identity Finder.

I am unable to "shred" a file in Identity Finder. What should I do?

If you are unable to "shred" a file containing Private Information, you may not have permissions in Windows that allows Identity Finder to "shred" it. Contact the Help Desk and ask them to login to Identify Finder as admin and securely "shred" the file.

I am unable to "scrub" a file in Identity Finder. What should I do?

Identity Finder provides a scrub option for specific file types that may not work with all file types. If you need to retain an Office 2003 file on your computer but need to redact the Private information in the file you’ll need to follow a three-step process.
        1. Save a copy of the file in Office 2007 or 2010 format (.docx, xlsx, etc.)
        2. Use Identity Finder to scrub (redact) the Private information from the new file
        3. Use Identity Finder to shred the old file.

What do I do with Private information found on my system?

The RIT Information Security Office has created a Private Information Handling Quick Reference Table to assist you in determining how to handle Private information found on your computer or drives.

If you find Private information (e.g. Social Security Number, Bank Account Number, Credit Card Number or Drivers License) on your computer and are not sure whether it should be there, ask your Information Steward/Management Representative.

New York State law does not allow the retention of Social Security Numbers unless there is a clear business need for the information. In general, an RIT employee has a legitimate purpose for having access to the Social Security Numbers of another individual when such number is required for tax or billing purposes, credit authorizations, background checks, or in furtherance of submitting a federal or state governmental application that requires the transmission of an individual's Social Security Number. In addition, social security numbers shall be maintained when required by either court order, subpoena, or by direction of the Office of Legal Affairs.

What is redaction?

Unless required by RIT business processes, files must not contain Private information. Unnecessary information must be sanitized by redacting (removing) the Private information. It is not sufficient to simply obscure or hide the information. Although "redaction" has a broader meaning in editing, in the context of information handling it refers to the removal of information from a document.
If you are redacting a file before the Identity Finder scan, Adobe has provided a guide that instructs readers how to redact Microsoft Word and Adobe PDF files properly. The guide can be found here.

Why is Outlook prompting me for a new profile?

We’ve seen the following a few times
        1. Outlook is closed and you see the Identity Finder results screen.
        2. You try to open Outlook while the Identity Finder Results Screen is open.
        3. Outlook prompts you to create a new profile
    Solution
        1. Exit the Outlook setup wizard
        2. Process the results in the Identity Finder report
        3. Close Identity Finder
        4. Open Outlook

What if the only Private information the scan finds is mine?

Private information should not be stored on an RIT computer unless expressly permitted. (This information is typically found in copies of tax returns and filled-in forms.)

I’m seeing a Delete Database dialog box at the beginning of my Identity Finder session. The dialog box says that AnyFind technology has been updated and asks if I want to perform a full search. Should I answer Yes or No?

You should answer Yes. Identity Finder will conduct a full scan (including items previously ignored.) The scan length may be similar to your initial scan.

Non-Windows Computers

I have a non-Windows computer, will it be scanned?

Currently, only computers with the Microsoft Windows and Mac Operating System will be scanned by Identity Finder. We encourage you to examine the files on your computer and attached drives to identify Private information and handle it accordingly. For Linux, we recommend using Cornell's Spider. You may also work with your systems administrator to scan the Linux drive from Windows.

Questions

Whom do I contact with questions?

Please direct any questions regarding information handling or the Private Information Management Initiative to Infosec@rit.edu or contact your Information Steward/Management Representative.

Exception Process

Exception Process and Compliance

Updated 6/11/14

 

Anyone not in compliance with an Information Security Standard is subject to sanctions including suspension of computer and network privileges and/or the full range of current Institute personnel and student disciplinary processes.

In a small number of circumstances, it may not be possible to comply with an Information Security Standard.   The Information Security Office has provided the following method for obtaining an exception to compliance with a published information security standard.  Exceptions should be approved and signed by the appropriate Information Trustee (VP, Dean, or CIO).  (An email endorsing the exception request is acceptable.)

An exception MAY be granted by the RIT Information Security Office for non‑compliance with a standard resulting from:

  • Implementation of a solution with equivalent protection.
  • Implementation of a solution with superior protection.
  • Impending retirement of a legacy system.
  • Inability to implement the standard due to some limitation

 

Exceptions are granted for a specific period of time, not to exceed two years and are reviewed on a case-by-case basis and their approval is not automatic.

The Exception Request should include:

  • Description of the non-compliance
  • Anticipated length of non-compliance
  • Proposed assessment of risk associated with non-compliance
  • Proposed plan for managing the risk associated with non-compliance
  • Proposed metrics for evaluating the success of risk management (if risk is significant)
  • Proposed review date to evaluate progress toward compliance
  • Endorsement of the request by the appropriate Information Trustee (VP, Dean, or CIO).

 

If the non-compliance is due to a superior solution, an exception will normally be granted until the published standard or procedure can be revised to include the new solution. An exception request should still be submitted.

 

Submit the Exception Request Form to the Information Security Office, infosec@rit.edu, ROS 10-A200.

Pages

Subscribe to RSS - Information