Return to: U of M Home

STANDARDS & GUIDELINES

STANDARD—Securing Private Data (Appendix G)

Responsible Office: Office of Information Technology
Responsible Officer: Chief Information Officer

STANDARD
A standard is a level of quality that requires conformity.

Introduction

The University of Minnesota has a responsibility to maintain high standards of security for private/non-public electronic information. University data that is stored on or accessed by computers and other electronic devices must be secured against intentional or unintentional loss of confidentiality, integrity, or availability regardless of location (off-campus, on-campus, home computer, etc.).

This standard provides the University community with baseline actions needed to protect legally and contractually private University electronic data stored on or accessed by computers and other electronic devices. The term "private data" for this purpose is legally and contractually protected non-public University data and data which the University is obliged to treat as confidential whether it is research, clinical, educational, outreach, or administrative data (for examples, see Appendix G-1).

At the University, most electronic devices are directly connected to the University network and the Internet. Data is increasingly mobile to desktop, laptop, and handheld devices which need to be secured. Viruses, worms, and malicious programs from the Internet as well as accidental and unintentional loss of data are substantially increased risks in such an environment. These increasing risks to private data in the electronic environment require that corresponding protections be in place.

Requirements to Secure Computers that Store or Access Private Data

1. Local data owner: Computers and other devices must have an identified local data owner (such as the principal user of the data or the unit supervisor) who is responsible for the data and can act as a point of contact.
2. Technical support required: Computers and other devices must be either continuously managed or reviewed on an ongoing basis for appropriate security measures by a full-time information technology professional, such as competent local information technology support staff. These reviews must include adherence to baseline security requirements as well as additional strategies for protecting the information.
3. Staffing level: Units are responsible to have appropriately supervised professional technical support staffing sufficient to maintain information security. The staffing level should be appropriate to the environment, i.e. the amount and type of private information for which they are responsible and the level of risk. See the Information Technology Support Staffing Standard and the related Information Technology Support Guideline for additional information.
4. Configuration: Computers and other devices must be set up in accordance with applicable University security guidelines and standards. As received from the vendor, computers and other devices are not configured for security and require initial as well as ongoing review of the configuration and security of the operating system and software.
   
   For Windows desktop systems, the Windows Basic Security Guidelines and the Windows QuickStart Security Settings (both Basic & Level-2) are required initial steps. Equivalent settings are required for servers (with adjustments for log size, etc). 
   
   For Mac OS X desktop systems, the Mac OS X Security Guidelines are required initial steps. Equivalent settings are required for servers.
5. Maintenance and patching: Security vulnerabilities are regularly found and publicized for software. Regular patching, installation of newer versions, and other maintenance must be performed to protect private data (see the Security Patch Standard). Automatic settings or centralized updating of security patches is recommended for most desktop computers.
6. Authentication: Access to private data must be authenticated (e.g. by using a strong and complex password) with file access privileges differentiated by user-(see authentication definition below for further detail). Administrator or root level passwords should be exceptionally strong, since these accounts allow complete control of the system. User accounts with fewer privileges should be used instead of root accounts whenever possible. Periodic review of access (through the authorization processes) for databases and tables that are multi-user and outside of the scope of those “centrally-administered” is required.
7. Encryption: If sent across the Internet (external to the University's network)  or other open networks such as wireless connections, both the authentication data (e.g. a userid and password) and the data itself must be encrypted with strong encryption. Encryption of private data stored on laptop computers or other portable devices is required. An offsite plain-text backup version in a secure location is recommended to protect against lost encryption keys. See encrypting stored data. The University's wired network is not considered an open network.
8. Anti-virus technology: Desktop and laptop computers must have anti-virus software or filters installed and updated daily (automatic updates recommended). In addition, other Windows computers, including servers, must have anti-virus software installed and updated daily. (See the Anti-Virus Standard).
9. Firewall or filtering: A software firewall, hardware firewall, or other network filtering (e.g. port or IP address filtering) technology must be used to limit network access to the device storing private data. (See the OIT Microsoft Filtering QuickStart).
10. Access: Physical access to computers must be restricted as much as possible. Devices not in use for extended periods (e.g. at night and on weekends) must be turned off. Laptops must be physically restrained (e.g. via an anchoring device) at work stations and servers must be in an appropriate and secure physical facility (see Server Installation Guidelines and Physical Security for Critical Servers Guideline). Password protected screen saver programs should be used in open locations.  Password protected screen savers are required in units identified by the University as "Health Care Components" under the HIPAA regulations and should be set at 30 minutes or less.
11. Security event logging: Host security log files must be configured and reviewed for anomalies. Logs must be of sufficient size to provide useful information in case of a security event (at least 90 days of logs). See Information System Activity Review procedure below.  The Windows XP/2000 security setting in the QuickStart "Level-2" Security Wizard sets up security logging.
12. Reporting Critical Servers:  Servers storing private data must register with OIT Security & Assurance as "critical servers" and be scanned regularly with vulnerability testing software with corrective actions taken as appropriate.  Registration of the server can be accomplished by completing the online form, see  Critical Server Identification for more information.
13. Vulnerability scans: Desktop vulnerability scans are regularly sent to professional technical support staff upon their request for review. Servers storing private data are scanned regularly with vulnerability testing software with corrective actions taken as appropriate (see Notes section below for information on the scan process).
14. Backups: Periodic backup copies of software  and data must be made, tested, and stored securely (not in staff  cars, homes, etc). The physical security of the removable media must be maintained and plans made to allow recovery from unexpected  problems.
15. Disposal of data and equipment: A "secure deletion" program must be used to erase data from hard disks and media prior to transfer or disposal of hardware.  (See secure deletion).  Permanent media (e.g., CD's, etc) must be physically destroyed.
16. Limit services: Services available on computers or other devices must be as limited as possible. Web server, ftp server, mail server, peer to peer, and anonymous file sharing software can significantly raise the security risk to private data. Unless a high level of expertise is available and these services are closely monitored at all times, this higher risk software should not be installed.
17. Training: Training provided by the University on data security practices must be completed by both new and existing employees.  In certain units (e.g. units subject to the HIPAA and other regulations) University community members in addition to employees are also required to complete training.
18. Additional actions: One or more of the following additional actions should be used to further protect private data, depending upon the situation and requirements:
19. • Limit storage of private data to a hardened file server at the department or collegiate level
    • Severely restrict the volume and duration of the information stored
    • Move the data to a dedicated computer with no other applications or data
    • Limit network access to a list of specific machines or devices (access control list)
    • Use an internal University, non-routed IP address or network which prevents any access either to or from the Internet
    • Encrypt stored data (with a clear-text version on a removable medium stored in a safe place)
    • Sign up for notification of security patch availability from vendors
    • Separate any sensitive data from other data and store independently (e.g. on a non-networked device)
    • Develop a security plan

Notes:

• OIT has the following services available that assist in meeting certain of the above requirements (send email to help@umn.edu for specifics):
• • Quickstart Security Settings Wizards for Windows XP/2000 https://www.quickstart.umn.edu/
  • Free upgrades to newer Windows versions are included in the University Microsoft site license; Windows XP and other recent operating systems have a built-in firewall and filtering capability  http://www.umn.edu/ucs/Microsoft/CampusAgreement.php
  • A site license for Symantec/Norton anti-virus software for the anti-virus requirement http://www.umn.edu/adcs/software/security/
  • OIT Security provides free vulnerability scans with the commercial ISS scanner http://www.umn.edu ssLINK/OIT__14074_REGION1
  • The OIT Central Computing Organization offers a network backup service for a fee https://www.umn.edu/cco/udms/netbackup/
  • A Microsoft Software Update (SUS) Server is available to help automate patch installation http://www.umn.edu/adcs/help/oitsus/
• Units identified by the University as "Health Care Components" under the HIPAA regulations are required to have applied security settings equivalent to the settings in QuickStart Basic and Level-2 on all computers. For a list of units, see:  http://www.ahc.umn.edu/privacy/hipaa/glossary/components.html 
• The Windows XP/2000 security settings in the QuickStart Wizards provide important protections from network-based attacks and other vulnerabilities but, by themselves, do not assure conformance to the standards.  About half of these level-2 requirements will be at least partially met by using the level-2 wizard (4, 5, 6, 8, 9, 11).
  

INFORMATION SYSTEM ACTIVITY REVIEW PROCEDURE

University of Minnesota departments and units must conduct periodic reviews of information systems in their control that contain private or confidential data.

Each department or unit is required to document the activities they will conduct to review information systems activity. These activities must include:

1. regular review of list of users who have been granted access to systems that contain protected or private information to ensure that only those who need access have access to the systems
2. periodic review of departmental or unit data security incident trends
3. periodic review of departmental or unit policies and practices to ensure they address emerging data security trends in the department or unit
4. document the completion of the periodic reviews described above
5. periodic review of audit logs

Office of Information Technology Units have the following responsibilities:

1. establish and publish the criteria upon which a server is determined to be a "critical server"
2. periodically review critical server list based on established criteria
3. perform and review vulnerability scans of critical servers
4. implement intrusion detection system and review
5. perform and review ad hoc scans for emerging threats

Designated Compliance Offices and Data Stewards are responsible for monitoring local data security compliance in the areas for which they are responsible.

Definitions

Authentication - Proving that a device or person is who they say they are. The most common form of authentication is a user-id and password.  The computer or electronic device must be capable of providing authentication.  Some operating systems such as Windows/98 are incapable of differentiating access privileges by user and therefore should not be used for storing private data.

Local data owner - The person, such as the principal user or a supervisor, who is responsible for ensuring the appropriate security of the data over its lifetime through the continuing application and oversight of a security plan and coordination with technical staff who implement the plan.

Network - A collection of computers linked to each other to communicate such as a local area network (LAN) or the campus network.

Private data - Data that does not fall within the definition of "public" data as defined by the Minnesota Data Practices Act or other applicable laws and University policies.

Security log - A listing of events captured by the operating system or other software that are outside of established parameters. For example, multiple log-on attempts within a short time period or attempted access of a protected file.

Strong encryption - Hiding the true meaning of data or words using a generally accepted method (usually mathematical) that cannot be easily broken (e.g. 3DES, RC4). Programs/ products such as PGP, SSH, and SSL all use strong encryption for transmission.

Strong password - A password that is complex (includes numbers as well as upper and lower case letters and special characters) as well as sufficiently long (e.g. 8 or more characters) to frustrate automated guessing.

Transmission - Moving data between two machines or locations. This might be accomplished using wired and/or wireless methods.

Transmit data across the Internet - To send data outside the U network border (e.g. via email, ftp, instant message, etc.) using the Internet. Except for communications on and between U campuses, electronic communication should be assumed (unless confirmed to be otherwise) to be via the Internet.

University electronic data - Digital information that was created by or for the University or for which the University has a custodial responsibility.

Appendix G-1: Examples of private data

Examples of Private/non-public data:

• Social security number
• Trade secrets or intellectual property such as research activities
• Birth date
• Home phone number
• Home address
• Health information
• Student grades
• Location of assets
• Parking leases
• Anonymous donors
• Gender
• Ethnicity
• Citizenship
• Citizen visa code
• Veteran and disability status
• Linking a person with the subject about which the library user has requested information or materials
• Non-directory Student Information may not be released except under certain prescribed conditions. Non-releasable information includes:
• • Grades
  • Courses taken
  • Schedule
  • Test scores
  • Advising records
  • Educational services received
  • Disciplinary actions
  • Student ID

Examples of contractually protected information:

• Credit card numbers

Examples of Individually-Identifiable Health Information:

• See   De-identifying Data for Research

Appendix G-2: Related guidelines, standards, policies, and resources

Related Resources:

OIT Security information: http://www.umn.edu ssLINK/OIT__12575_REGION1
OIT helpline: http://1help.umn.edu/
Policy links: http://www.umn.edu ssLINK/OIT__13224_REGION1

Related Standards:

• Anti-Virus Standard
• IT Support Staffing Standard
• Microsoft Domain Controller Standard
• Network Security & Operational Continuity Standard
• Secure Data Deletion Standard
• Security Patch Standard
• Wireless Access Point Technical Standard

Related Guidelines:

• Basic Security Guidelines for Mac OS X Desktop Computers
• Basic Security Guidelines for Windows Vista Computers
• Basic Security Guidelines for Windows XP/2000 Desktop Computers
• Critical Server Identification Guideline
• IT Support Guideline
• Physical Security for Critical Servers Guideline
• Server Security Guideline
• Violation Reporting

Related Policies:

• Acceptable Use of Information Technology Resources
• Breach Notification Policy
• Internal Access to University Information Policy
• Public and Non-public Information

Related Laws & Regulations:

• Health Insurance Portability and Accountability Act (HIPAA)
• Family Educational Rights and Privacy Act (FERPA)
• Gramm-Leach-Bliley (GLB)
• Payment Card Industry (PCI) Data Security Standard
  

Appendix G-3: Windows Security Settings

The QuickStart security settings are required for University systems that store or access private data and highly recommended for all other Windows computers.  Documentation of settings and an automated means of installing them are at:

• Wizards for Windows XP and 2000 - https://www.quickstart.umn.edu/
• Documentation -   Windows XP , Windows 2000 and Windows Vista

Click here for a PDF version of this standard.