BGSU Data Handling Guidelines

INTRODUCTION

This document provides guidance in compliance with the BGSU Data Use & Protection Policy.  It is the responsibility of each data user to provide for the secure handling of data throughout the life cycle of the data, including data at rest, data in transit, and data disposal.  The following guidelines represent a summary of best practices for your guidance; however, every situation is unique.  Some situations may require additional steps.  If you have additional questions, please contact the BGSU Information Security Office.

Review the BGSU Data Resource Summary

DATA HANDLING GUIDELINES

I.  DATA AT REST

Data at Rest is electronic data in any storage media e.g. hard drives, flash drives, CD/DVD, cloud storage.

A. Physical Security

Poor physical security of data can circumvent other controls and protections in place.  As with other forms of security, it is best to provide multiple layers of protection rather than depending on one method of protection as the entire defense strategy.

Use the following guidelines in physically securing data:

1. Log out or turn off computer when leaving for long periods. For short periods, lock your computer before going away or set screen saver with password enabled.

2. Lock the door when you leave the work area.

3. Use locks, cables, and other security devices if the computer is in public or unsecure area. Consider redacting or removing “limited access” or “restricted” information under these circumstances.

4. Report suspicious people and activity in high security areas to the BGSU police.

5. Maintain awareness of those having access to your office. If necessary, require an attendance log for areas requiring high security.

6. Examine viewing areas for workstation screens and limit viewing areas to those requiring access.

B. Computer and System Security

1. Encrypt “limited access” and “restricted” data at rest using University supported encryption technology.  For example, BGSU currently uses PGP’s suite of products for encryption of an entire hard drive as well as for partial drive and individual file encryption.   

2. While it is important to backup your data, limit unnecessary duplication of “limited access” and “restricted” data.  Additionally, avoid storing data on external media that can be easily lost, stolen or misplaced.  If you do store “limited access” or “restricted data” on external media then it must be encrypted and then securely erased when it is no longer needed.

3. Follow basic computer security best practices on computers that store BGSU data.  This includes installing software and operating system updates, maintaining current anti-virus protection, and enabling firewall protection.  

4. Refrain from installing untested or unsupported software. Only use software necessary to complete necessary work tasks.

5. Backup important data to prevent loss from theft, corruption, natural disasters, drive failures, accidental file deletions and malware infections.  Store backups in a physically secure location and securely destroy backup files when no longer needed.

6. Limit the probability of malware infections by limiting web browsing to trusted sites.

7. Avoid downloading and installing any software encouraged by a pop-up window or unexpected e-mail attachments.

8. Limit the amount of “limited” and “restricted” data you store on your computer, CDs/DVDs, flash drives, external hard drives and other storage media.  Only store what you need to accomplish your job duties.

II.  DATA IN TRANSIT

Data in Transit is data transferred between a server and a desktop or laptop computer in a network. Data is susceptible to interception when transmitted over public networks.  It is imperative to encrypt “limited access” and “restricted” data when transferred across networks to protect against loss.

A. Web sites – Any websites created by BGSU used to access or submit “limited access” or “restricted” data must use “HTTPS”, also known as secure socket layer (SSL) technology.  Additionally, BGSU employees submitting “limited access” or “restricted” data to authorized agencies via web sites must only do so if the web site is HTTPS or SSL enabled.

B. File Transfer Protocol (FTP) – any transfer of BGSU “limited access” or “restricted” data must use secure FTP (SFTP).

C. Virtual Private Networks (VPNs) – when establishing connections to or from non-BGSU networks to the BGSU network in which “limited access” or “restricted” data will be accessed, a VPN connection should be used.

D. Electronic Mail – Despite the use of some encryption on the BGSU email system, email is not an inherently secure method for transferring “limited access” or “restricted” data.  Users are encouraged avoid transferring “limited access” or “restricted” data over email.  If users do send “limited access” or “restricted” data via email they must only do so only FROM and TO BGSU email accounts and only to those authorized to receive the information.   If the recipient does not have a BGSU email account AND is authorized to obtain the information AND the only way to transmit the information is via email, then the data must use additional encryption methods such as PGP.

III.  DATA DISPOSAL

Data Disposal means the secure destruction and/or erasure of electronic devices.  Use the following steps for secure data disposal.

A. Identify data that requires secure disposal, such as data classified as “Limited Access” or “Restricted.”  

B. Destroy “Limited Access” and/or “Restricted” data using secure disposal technologies.

C. If a BGSU department uses an outside provider to destroy data classified as “Limited Access” or “Restricted,” users should document the data destruction process.

D. BGSU data users shall follow designated data retention timelines as applicable.  For more information, see the Records Retention Schedule section on the University Archives website.

E. For information on data destruction & recycling services at BGSU, review the BGSU Data Destruction & Recycling article.