Guidelines for Protecting Sensitive Data
NDSU manages and uses personal information belonging to students, staff, faculty, researchers, and those who use its outreach services. As a manager of that information, NDSU is responsible for protecting and securing personal, student-related, financial, health information, and intellectual property data from misuse, theft, compromise, and unauthorized disclosure.
Sensitive data is any data classified as Private or Restricted, as defined by the North Dakota University System.
Your Responsibilities:
As an employee of NDSU it is your responsibility to:
- Follow all applicable laws, ND University System and NDSU policies and procedures
- Use due diligence when working with data
- Understand the Shared Responsibility Model and follow Data and Document Standards
Federal and State Laws:
Federal laws that protect personal data include but are not limited to:
- FERPA (Family Educational Rights and Privacy Act), 1974. This law protects student information such as name, SSN, demographic information, grades, and information related to their education.
- GLBA (Gramm-Leach-Bliley Act), 2000. A financial law designed to protect personal financial information such as financial aid, banking, credit, and investment information.
State Laws that protect personal data include but are not limited to:
- ND Century Code 54-59.1 CYBERSECURITY INCIDENT REPORTING REQUIREMENTS - NDSU is required to report to the owner of the data if a breach has occurred and if information has become compromised or stolen.
- ND Century Code 51-30 NOTICE OF SECURITY BREACH FOR PERSONAL INFORMATION - This document provides information on what data is considered protected.
- North Dakota Public Records Statute, North Dakota Century Code 44-04, defines what is and isn't a public record and/or what data can be made available for public view.
ND University System and NDSU Policies and Procedures:
- North Dakota University System Computer Use Policy and Procedure 1202.1
- NDSU 710: Computer and Electronic Communication Facilities
- NDSU 158: Acceptable Use of Electronic Communication Devices
- NDSU 158.1: E-mail as an Official Communication Method for Employees
- NDSU 718 Public/Open Records
- NDSU Policy Manual
Standards:
Standards that protect personal data include but are not limited to:
- The North Dakota University System Data Classification Standard was developed to identify and clarify the definition of data types within a university. Any data asset of the NDUS or the Institution shall be classified as Public, Private, or Restricted.
- North Dakota University System Data Classification and Information Security Standard 1203.7
- Public data: This is data that is not considered to be "Restricted" or "Private". It is data that can generally be released to the public. It typically requires minimal protection.
- Private data: This is data that should not be available to the public. It is data that may be protected by federal or state laws, regulations, contracts, or policy. This data requires protection.
- Restricted data: This is data that requires the highest level of protection. It is data protected by federal or state laws, regulations, contracts, or policy. The unauthorized disclosure of restricted data would typically require reporting the disclosure and/or providing notice to the individual whose data was inappropriately accessed.
- Data owner: The individual whom the data belongs to. For example, a person owns their social security number, date of birth, and address.
- Data custodian: Employees, departments, colleges, research centers, and extension offices responsible for the integrity, confidentiality, and availability of the data. It shall be the responsibility of the owner/custodian of the data to classify the data. However, all individuals accessing data are responsible for the protection of the data at the level determined by the owner/custodian of the data as mandated by law. Access to data items may be further restricted by law, beyond the classification systems of the NDUS or NDSU.
- Examples of NDUS Data Classification (will require a login to inside.ndus.edu)
- When working with restricted and private data, these best practices must be followed:
  - All data must be classified.
  - All data access must be authorized under the principle of least privilege and based on minimal need.
  - All access to this type of data must be authenticated and logged.
  - When an individual who has been granted special access changes responsibilities or leaves employment, all their access rights must be reevaluated and any unneeded access removed.
  - When necessary, data transmission and storage should be encrypted.
- PCI-DSS (Payment Card Industry Data Security Standard). Standards created for online credit card transactions by the five major credit card payment companies. Requires entities that accept online credit card payments to follow strict standards.
- Protecting credit card information:
  - Credit card information is protected under PCI-DSS and by various federal and state laws. When accepting, using, and storing credit card information, these guidelines must be followed:
    - Do not store the full credit card number. If there is a business need to store credit card information, only the last four digits can be stored electronically or in hard copy.
    - Do not store the CVV2 (credit card validation value: the three digits located on the back of the credit card).
    - Do not store the expiration date.
    - Credit card receipts must only show the last four digits of the card. The CVV2 and/or the expiration date must not be printed on the receipt.
    - Do not accept credit card information over e-mail.
    - If credit card information is received over voice mail, delete it immediately.
    - Within the office/college, there must be separation of duties for accepting and processing credit cards.
NDSU uses a secure third-party vendor, NelNet, to accept credit cards. Please contact NDSU Customer Account Services for more information on how to use this service. For more information on credit card information and safekeeping, please read NDSU policy 509, Electronic Financial Transactions.
- Protecting Social Security numbers:
  - Do not use SSNs as a key field or as an identifier for files, spreadsheets, databases, and correspondence. If possible, it is recommended to avoid including the SSN in any type of file or document. An alternative would be to use the EmplID or Student ID.
  - If there is a business need to use the SSN in files and documents, the data must be secured and available only to those who have a need to know.
  - If you use a laptop and travel, it is recommended that the laptop's hard drive be encrypted.
  - Never attach documents containing SSNs or other personally identifiable information to email. It is possible the transmission may not be secure.
Programs:
Programs that are designated to assist in protecting data include but are not limited to:
- The NDSU Red Flag Identity Theft Prevention Program - developed to detect, prevent, and mitigate identity theft with regard to NDSU Accounts.