Portable

Private Information Handling Quick Reference Table

Private Information Handling Quick Reference Table

Updated 8/14/12

This table provides recommendations on the correct handling of private information at RIT.

New York State defines private information (PI) as any personal information concerning a natural person combined with one or more of the following data elements: Social Security number, driver's license number, account number, or credit or debit card number in combination with any required security code.

Digital Self Defense 103 - Information Handling fulfills the training requirement for handling RIT Private or Confidential Information.

Consult the Identity Finder End User Guide for Windows or Mac for more information.

Situation

Identity Finder Instructions (Preferred)

General Instructions (Use if Identity Finder is NOT available)

I no longer need the files containing the private information

Delete the files using the "Shred" command. This can be done from within the Identity Finder interactive scan report or by right-clicking on the file or folder and choosing "Identity Finder/Shred." If you are unable to delete the file, contact your help desk.

Delete the files securely. Use a secure file deletion utility such as Eraser. Contact your campus support organization or the RIT Information Security Office at infosec@rit.edu for recommended products.

I need to keep the files, but I don't need the private information

Sanitize the information by using the "Scrub" command. This can be done from within the Identity Finder interactive scan report. Identity Finder will replace the Private Information with x's. Note that this option is not available for all file types.

Sanitize the documents by deleting any private information such as Social Security Numbers (SSNs) or credit card numbers. Save a new copy of the sanitized document and delete the original file.

I need to continue to have a unique identifier for each individual

Sanitize the information by using the "Scrub" command. This can be done from within the Identity Finder interactive scan report. Identity Finder will replace the Private Information with x's. Open the file and replace the x's with unique identifiers not based on the SSN.

Sanitize the documents by eliminating the private information. Convert SSNs to University Identification Numbers (UIDs).

 

Situation

General Instructions for Handling Private Information

I need to keep the complete files containing the private information

Unnecessary possession of Private information should be eliminated.

  • There must be a business need to store this information and the system storing the information must meet all applicable RIT security standards (e.g., Desktop and Portable Computer Security Standard, Server Security Standard, etc.). In general, an RIT employee has a legitimate purpose for having access to the social security numbers of another individual when such number is required for:
    • tax or billing purposes
    • credit authorizations
    • background checks
    • in furtherance of submitting a federal or state governmental application that requires the transmission of an individual's social security number.
 

In addition, SSNs shall be maintained when required by either court order, subpoena, or by direction of the Office of Legal Affairs.

  • Consider encrypting the files.
  • Do not store the encryption key or password on the computer or drive containing the encrypted information.
  • Minimize the amount of records stored locally on a desktop or laptop computer by storing the information on an RIT file server.
  • Inform your manager and your Information Steward/Management Representative of the need to retain Private information.
 

Contact your help desk or the RIT Information Security Office for more recommended practices.

I need to carry the files on a portable computer, device, or media (e.g., Laptops, Flash Drives, CD/DVDs, smartphones)

Unnecessary possession of Private information should be eliminated.

  • Storage or conveyance of Private Information on portable devices or media is strongly discouraged.
  • Minimize the amount of records stored on portable devices or media by storing the information on an RIT file server.
  • There must be a business need to store this information and the system storing the information must meet all applicable RIT security standards (e.g., Desktop and Portable Computer Security Standard, Server Security Standard, etc.). In general, an RIT employee has a legitimate purpose for having access to the social security numbers of another individual when such number is required for:
    • tax or billing purposes
    • credit authorizations
    • background checks
    • in furtherance of submitting a federal or state governmental application that requires the transmission of an individual's social security number.
 

In addition, SSNs shall be maintained when required by either court order, subpoena, or by direction of the Office of Legal Affairs.

  • Private information (and RIT Confidential information) stored or transported on portable media must be encrypted.
  • Do not store the encryption key or password on the media containing the encrypted information.
  • If you are storing or transporting the private information on a portable computer, contact your help desk for encryption options.
  • Protect the private information from unauthorized use or theft.
 

Inform your manager and your Information Steward/Management Representative of the need to retain Private information.

I no longer need the portable media or hard drive, how do I dispose of them securely?

The RIT Information Security Office provides the following secure disposal recommendations:

  • Erase magnetic media (hard drives, LS120 media, old Zip/Jazz Cartridges, magnetic tapes) with a degausser.
    NOTE: the media may not be usable after degaussing.
  • CD/DVDs can be shredded in a media shredder.
 

A degausser and media shredder are available at the ITS HelpDesk in Booth 07B.

 

Requirements for Faculty/Staff

Faculty and Staff

Security Standards

Standard
When does it apply?
Desktop and Portable Computer Standard Always
Password Standard Always
Information Access & Protection Standard Always
Computer Incident Handling Standard Always
Portable Media Standard If you are storing Private or Confidential information on portable media, such as USB keys, CDs, DVDs, and flash memory. If you must store Private information on portable media, the media must be encrypted.
Web Security Standard
If you have a web page at RIT, official or unofficial, and you:
  • Own, administer, or maintain an official RIT web page that hosts or provides access to Private or Confidential Information.
  • Use RIT authentication services
Signature Standard If you are sending out an e-mail, MyCourses, or Message Center communication relating to Institute academic or business purposes. This applies to both RIT and non-RIT e-mail accounts.
Server Security Standard If you own or administer any production, training, test, or development server, and/or the operating systems, applications or databases residing on it.
Network Security Standard
If you own or manage a device that:
  • Connects to the centrally-managed Institute network infrastructure
  • Processes RIT Confidential or Operationally Critical information
Account Management
  • If you create or maintain RIT computer and network accounts.
  • Managers reporting changes in access privileges/job changes of employees.
Solutions Life Cycle Management
RIT departments exploring new IT services (including third-party and RIT-hosted, and software as a service) that meet any one or more of the following:
  • Host or provide access to Private or Confidential information
  • Support a Critical Business Process
Disaster Recovery

For business continuity and disaster recovery.  Applies to any RIT process/function owners and organizations who use RIT information resources.

NOTE The “in compliance by” date for this standard is January 23, 2016.
Authentication Service Provider Standard

If you are providing authentication services on network resources owned or leased by RIT.

NOTE The Authentication Service Provider Standard will retire on January 23, 2015 and be replaced by the Account Management Standard.

All instances of non-compliance with published standards must be documented through the exception process.

Information Handling Quick Links

Link Overview
Digital Self Defense 103 - Information Handling Covers important security issues at RIT and best practices for handling information safely.
Disposal Recommendations How to safely dispose of various types of media to ensure RIT Confidential information is destroyed.
Recommended and Acceptable Portable Media List of recommended and acceptable portable media devices (such as USB keys, CDs, DVDs, and flash memory).
Mobile Device Usage Recommendations Recommendations for mobile device usage at RIT
VPN Recommended for wireless access to RIT Confidential information.
E-mail at RIT Improve the security of your e-mail at RIT.

Safe Practices

  • Visit our Keeping Safe section to find security resources and safe practices and to see our schedule of upcoming workshops.

Questions

If you have questions or feedback about specific information security requirements, please contact us.

Encryption at RIT

Encryption at RIT

Several RIT Security Standards refer to ISO-approved encryption. ISO-approved encryption is divided into two categories: Preferred and Acceptable. Preferred encryption methods were chosen based on standard industry usage and their ability to support RIT business processes. RIT's current product is McAfee FDE.

Preferred Encryption

Purpose

Encryption Algorithms

RIT Security Standard

Comments

Network Connections (including web browsers)

Currently only SSL 3.0 and TLS 1.0 are supported at 128-bit and above.

Web, Network

 

Laptop/Desktop Encryption

AES 256-bit is recommended, although AES 128-bit or higher is adequate. 3DES has also been approved.

Desktop and Portable Computer

Centrally-managed whole disk encryption is required to meet the 2009 Desktop and Portable Computer standard.

Server

AES is recommended only at 256-bit. RC4 is currently supported until June 2009.

Server

 

Portable Media

AES 128-bit and above, 256-bit is recommended. 3DES and Twofish are adequate.

Portable Media

 

Public/Private Key Encryption and Signing

PGP 2048-bit or greater and RSA 1024-bit or greater.

   

Cryptographic Hashes/Checksums

SHA-2, RIPEMD-320, and the Tiger hash are all adequate for hash comparison.

 

SHA-1 and RIPEMD 128 & 160 are considered strong algorithms, but there is reason to suspect that they may be susceptible to frequency collisions (hash duplications) and their use is not recommended in situations where collision resistance is required. In such cases, SHA-2 or RIPEMD-320 is recommended.

Acceptable Encryption

Use of non-preferred encryption methods is discouraged. However, we recognize that there may be times when business or other requirements may be better served with an alternative algorithm. In those cases, developers should reference the Educause Encryption Strength Support Matrix. (This matrix and accompanying explanatory text was developed by Jim Moore, RIT Information Security Office.) Algorithms with a strength rating of High are acceptable for use at RIT. Use of algorithms with a strength rating of Low or Medium are not permitted.

Encryption Strength

Encryption strength is a relative concept. Both the algorithm used and the length of the key used to encrypt data determines the strength of encryption. Encryption services also perform various cryptographic functions beyond data encryption.

Key Management Requirements

Security of the key management process for encryption keys is especially important. Security of encrypted content (ciphertext) may be compared to a physical lock and key. The algorithm provides the lock. The encryption key unlocks the ciphertext. If the key is weak or compromised, the encryption can be broken. Key revocation provides a means to disallow or change a compromised key and "re-key" the lock.

Many encryption algorithms have the potential to lock access to data permanently if the key is lost. Key escrow provides a "copy" of the key to enable access to the data.

Centralized encryption/key management ensures that data will remain both encrypted and accessible. Non centralized or individual encryption without key escrow may disallow access to the encrypted RIT information if the key is lost. Use of non-centralized or individual encryption of RIT information assets would be allowed only through a granted exception and would require an ISO-reviewed key escrow and revocation process.

 

Portable Media

Portable Media Security Standard

Portable media such as USB keys, flash memory, CDs/DVDs, etc. are a crucial part of daily business. However, portable media is easily lost or stolen and may cause a security breach.

Because portable media can be stolen or compromised easily, users should take precautions when using it to transfer or store Confidential information. We strongyly discourage placing Private Information on portable media.

 

Approved Portable Media (updated 6/20/2013)

When handling RIT Confidential information, you should use only portable media that provides an approved encryption level (the RIT Information Security Office requires 128-bit or 256-bit AES encryption).

USB Memory/flash drives

Recommended
  • IronKey
  • Stealth MXP™ (biometric capable)
  • Stealth MXP™ Passport
  • Apricorn Aegis Secure Key
  • Imation Defender F200 Biometric
Acceptable
  • Lexar JumpDrive Lightning
  • Lexar JumpDrive Secure 2 Plus
  • Kanguru Defender
  • Kanguru Defender Pro
  • Kanguru Defender 2000
  • Kanguru Bio AES
  • KanguruMicro Drive AES
  • Kingston Data Traveler BlackBox
  • Kingston Data Traveler Vault – Privacy Edition
  • McAfee Zero-footprint Bio FIPS
  • SanDisk Cruzer Enterprise
Secure Option for External Backups
  • MXI Outbacker MXP Bio (External HDD)
  • Apricorn Aegis Padlock Pro
Unacceptable

USB memory that doesn't include encryption

Encryption of CD’s, DVD’s, Removable Hard Drives, and Other Portable Media

Please contact Paul Lepkowski, RIT Security Engineer, for recommended encryption methods.

3rd Party Encryption Products

The RIT Information Security Office requires 128-bit or 256-bit AES encryption to protect RIT Confidential information when transferred or stored on portable media.

Media Disposal Recommendations

Media

Disposal Method

Paper

Use a shredder. Crosscut is preferred over a strip shredder.

CD, DVD, diskette, etc.

Use the media shredder (located at the ITS HelpDesk, 7B-1113).

Hard Drives

If the hard drive is to be reused, contact your support organization for recommendations for secure erasure.

If the hard drive is damaged or will not be reused, render the hard drive unreadable by using the degausser (located at the ITS HelpDesk, 7B-1113).

Tapes

Use the degausser (located at the ITS HelpDesk, 7B-1113).

Other

Use an industry standard means of secure disposal.

 

Document Destruction

Document Destruction

Updated June 11, 2014

Why Have Document Destruction Activities?

Document Destruction Activities provide a focused opportunity for RIT faculty and staff to archive securely or dispose of paper records that contain private information. Private Information includes financial account numbers, social security numbers, driver’s license numbers and other information that can be used in identity theft. Participation in this activity will enable RIT to secure Private Information that could otherwise be used to facilitate identity theft. Document Destruction Activities are part of the RIT Private Information Management Initiative, but they are managed by your department.  We encourage all departments to schedule Document Destruction Activities.

Why are Document Destruction Activities so important?

With its concentration of student records and private information, Higher Education is often targeted by attackers hoping to harvest private information (e.g. Social Security Number, Bank Account Number, Credit Card Number or Drivers License) for use in identity theft.  In addition, careless storage or loss of records often leads to data breaches that require compliance with various state and federal laws requiring notification of affected consumers. For example, DataLoss DB (http://datalossdb.org/) indicates that almost 25% of breaches have been due to the inadvertent loss of private information, in both paper file and digital formats.  

Participation in Document Destruction Activities will reduce the likelihood for the RIT community to have their personal information fall victim to malicious attacks or loss. This activity will also provide an opportunity for faculty and staff to adhere to the RIT Records Management Policy (C22.0).  Any questions regarding the appropriate retention period can be addressed to the RIT Office of Legal Affairs.

When are my Document Destruction Activities?

Contact your Private Information Management Initiative representative to find out what activities are being planned in your college or division for document destruction.

What do I need to do for my Document Destruction Activities?

It is important that you keep track of any documents that may leave another person susceptible to identity theft attacks.  In preparation for your department’s Document Destruction Activities, please review the files in your office to ensure that you have not retained any private information (e.g. Social Security Number, Bank Account Number, Credit Card Number or Drivers License) that is not critical to your current work. Take this opportunity to review files and dispose of them in accordance with the RIT Records Management Policy (C22.0).

We encourage you to review your files now and dispose of those containing Private Information securely. Ensure that any RIT files in your home do not contain any private information.

How do I dispose of portable media and paper documents containing Private Information securely?

Visit our Information Disposal page for recommendations.

What if I have questions?

Contact your division or college's PIMI representative

Subscribe to RSS - Portable