Some thoughts on sensitive data and how to secure it.
Reviewed by bil hays 07.30.2107
Let me start off by saying I have no intention of trying to scare anyone; the people we work with on security issues are uniformly nice, patient and understanding.
The guidelines and policies for campus are found here: http://its.unc.edu/about-us/how-we-operate/
There’s a lot there to read, and some of it is contradictory, so I would like to summarize some key points.
- Everyone is required to be aware of sensitive data issues, and the best place to start is to ask yourself two questions: 1) Do you have any data on the computers and other devices you use that belongs to someone else? 2) Would a private, cautious person be likely to be upset at all if those data were posted out to the public internet or passed to someone with criminal intent? For more detail see https://cs.unc.edu/help-article/do-i-have-sensitive-data/
- There are many different kinds of sensitive data, and different procedures for handling the various kinds. But the important question is, are you handling the data securely? And we are glad to help you answer that question: if you have any doubts, please contact us and we’ll help you sort it out.
- Most importantly, please understand that you are bound by these policies whether or not you are familiar with them. For example, data about students (their grades or any other information they have not made available to the public) are protected by law under FERPA. IRB data are covered under IRB policies. Clinical medical data are protected by law under HIPAA. If you violate a policy, it doesn’t matter that you didn’t know what the policy was.
- Finally, many people (including myself) do work with their own personal devices. If you put university property on your personal device (including data from experiments, university email, or any data that might be construed as belonging to the university), that device may be legally seized if there’s any question about whether those data may have been at risk. You own the device, but the university owns its data.
- And what is more troublesome is when a device that has sensitive data is lost and we don’t know the state of the device when it was lost. If you use your personal device for work with any data that might be construed as sensitive, you want to be able to say with confidence to anyone who asks that: 1) Your device is encrypted with a strong password, automatic login is disabled, and the screen saver is password protected. 2) Your device’s OS and the software on it were regularly updated. 3) Your device is regularly scanned for viruses and other types of malware. 4) Your device was used securely on the network (that is, that you use the campus VPN service when off campus).
Now, if you are involved in a data breach, what will follow will be a formal investigation into what data you may have exposed. The amount of the data and the sensitivity of the data will factor strongly into how serious the breach is. If your computer or other device is compromised a forensics examination may be required, and this costs an average of $2500, for which you will be responsible if it’s your personal device, and for which the department will be responsible if the device is owned by the department. And there may be other liabilities as well. For example, if the people whose data was exposed require notification, the cost of that and for the fraud protection usually associated with such notifications can be high.
There is a saying that OpSec is hard, but we’re here to help. Just send email to firstname.lastname@example.org if you have a question. And there are some simple things you can do to harden your machine.
- Take advantage of Qualys’s free Browser Check online: https://browsercheck.qualys.com/
- If you use Windows on your personal machine, install Flexera’s Personal Software Inspector.
- Install anti-virus software
- Encrypt portable devices like phones, tablets, external drives and laptops
- Make good backups
The Qualys BrowserCheck scan looks for the most common vulnerabilities on your system and provides links to make it easier to patch them. For Windows users it can be a bit much, since if you are running as admin and are not using AppLocker (like most people), it will downgrade your score severely. But it’s a really good way to see that your browser, plugins and the most targeted applications like Office and Adobe products are up to date.