Protection of Compliant Data when using non-University Devices or Networks
Employees who work at home or at non-University locations and employees who use non-University devices will follow the measures below. Employees who telecommute will also follow these measures as part of their telecommuting agreement.
Protected data includes personally identifiable information, confidential research information, and information that requires protection under law or agreement. This data is classified as restricted or confidential per the Data Classification APL (APL VI-I). Examples of protected data include: financial records, health records, student educational records, and any information which could permit a person to attempt to harm or assume the identity of an individual such as an individual’s name in combination with a Social Security, credit card or bank account number.
1. University-owned Device
An employee who stores, accesses, or processes Protected Data, other than limited student data as it pertains to a particular course (such as faculty records of student activity in a course), will work with Campus IT to ensure the necessary precautions are taken and encryption is enabled on the device. Accessing Protected Data through MaineStreet does not require working with Campus IT.
2. Non-University-owned Devices
An employee who uses a non-University-owned device for work, even if only for University email, agrees to:
- Never store Protected Data other than student course information on a non-University-owned device. For example, faculty may store student data to include class lists and information about current students.
- Only access restricted data from a University-owned device or through a VPN-protected remote desktop.
- Never store, download or cache Protected Data, including email attachments, on public computers such as those in public libraries or computer cafes.
- Install virus protection software on any computer used to access University systems and manage that computer so that it is monitored and virus signatures are kept current.
- Disable the web browser’s option to store authentication information for University systems.
- In the case of a suspected breach, report it to Campus IT and, if required, provide UMS staff with access to his or her personally owned device.
3. Portable Storage Devices
An employee who uses a portable storage device (e.g., portable HDD, memory stick, thumb drive) agrees that if he or she moves or stores Protected Data, other than student course information, with a portable storage device, the employee will work with Campus IT to define and create a Protected Data storage area and will securely erase the device or files when finished using the device for Protected Data storage.
4. Non-University Network
An employee who has a wireless network at home and might access Protected Data must secure the wireless network with encryption, even if the computer being used is hardwired. An employee who uses non-University networks to access Protected Data shall ensure the connection is secure (for example, through HTTPS).