Records Management - Training
Training for Unit Records Coordinators
Training is provided to Unit Records Coordinators (URCs). This training may also be used by NDSU staff who are not URCs, to learn more about records management.
Electronic Records Management
Institutional Records and Working Remotely
Following is information and guidance on working with institutional records as a remotely working employee, provided by Enrique Garcia, NDSU Chief Information Security Officer, on Aug. 28, 2020.
Records are constantly being created by employees while using a computing device. Employees have a duty to protect those records from threats. Some examples are:
- Disclosure. Access to an institutional record by an individual who is not authorized to see that record
- Cryptolocking. Data on a computer are encrypted by malware. and ransom is demanded in order to decrypt the information. Legal counsel’s current opinion is that NDSU cannot pay ransom.
- Exfiltration. Data on a computer is sent to a repository on the internet. Ransom is demanded in order to not make the information public.
- Alteration and destruction. Data is modified or deleted knowingly or unknowingly by an unauthorized individual.
Recommendations:
- NDSU owned devices such as computers, cellphones and tablets
- Limit browsing to sites needed for work related activities. Using a work device for everyday browsing exposes the device to sites that can contain malware and infect the computer.
- Only the employee should use the device. Other individuals could access records that are protected by privacy laws such as FERPA. Additionally, institutional records could be altered or deleted. Finally, non-employees are more likely to browse to sites not related to work and therefore exposing the device to malware.
- The use of personally owned computers is discouraged for the following reasons:
- Security of the device is not managed by NDSU IT so the level of security varies widely
- Personally -owned devices can be used by many individuals which cannot ensure the confidentiality of institutional records
- Browsing on personally owned devices is not limited to safe sites which exposes the computer to a higher probability of malware infection
- Not all personally owned computers have disk encryption approved by NDSU IT. If the device is lost, there is a potential for disclosure of institutional records
Use of NDSU email accounts
Following is information and guidance on use of our NDSU email accounts, provided by Enrique Garcia, NDSU Chief Information Security Officer, on March 9, 2022.
· NDSU Policy 158.1, “E-Mail as an Official Communication Method for Employees,” section 6.4, “Business Use of E-mail,” states that:
“Individuals’ NDSU official e-mail addresses are to be used in accordance with the business of the University and for purposes directly related to their position and/or job functions. Official e-mail addresses may not be used for conducting personal business. Incidental personal use is allowed and is to be determined by the respective dean, provost, vice president, president, director, department chairperson, or department head. Personal use must follow all applicable NDSU policies and laws. Use of email to store or transmit social security numbers, dates of birth, credit card numbers, or any sensitive data is explicitly disallowed for both business and incidental personal use.”
In simple (and frightening) terms, this means that if we don’t want our employer to know our personal business, we should not use NDSU email for our personal matters, and here is why: when sensitive data is sent, O365 sends an alert, and NDSU’s IT Security has to review the data. The result is that information we emailed from our NDSU account about things like personal purchases, tax returns, house refinancing, debts, loans, and the like, is no longer private.