The Commonwealth of Massachusetts has adopted a new data security law (Chapter
93H of the Massachusetts General Laws of 2007). This new law defines Personally
Identifiable Information (PII) and requires that institutions immediately notify
individuals whose information has been compromised as a result of a security
breach. In addition, there are a few federal regulations, such as FERPA and
HIPAA, that would apply to certain data processed, transmitted, and/or collected
at Bridgewater State College. Per these regulations, such information must be
protected from unauthorized disclosure by applying appropriate security
controls.
Data in this category constitutes information that is private in nature and
for which certain legislation mandates that we provide a standard level of
privacy and security. Such security includes restricted access, encryption, and
securing networks associated with processing or transmitting such information.
a. Personally Identifiable Information (PII): Under the new data
security law (Chapter 93H of the Massachusetts General Laws of 2007), PII data is
a combination of a user's name and their a) Social Security Number (SSN), or b)
driver's license number or Mass ID, or c) financial account number, or credit or
debit card number (with or without a password, PIN, or personal ID number that
would grant account access). PII does NOT include information lawfully obtained
from publicly available information, or from federal, state or local government
records lawfully made available to the general public.
b. Health Information (HIPAA): Under the Health Insurance Portability and Accountability Act (HIPAA), this is information pertaining to a user's physical and mental health, treatment details (past, present and future), insurance information, and information on payment for health care services.
c. Academic and Educational records (FERPA): The Family Educational
Rights and Privacy Act (FERPA) is a federal law that protects the privacy of
students' educational records.
Please refer to the Data
Classification Standard for more information.
It is a Bridgewater State College (BSC) policy that BSC employees must not
store confidential information on their local computer hard drives. Instead,
sensitive data must be stored in a secure, restricted location on the G drive.
Please make yourself aware of the
Confidential Data Policy.
In order to protect confidential information under the college's stewardship
while complying with the above-mentioned regulations, Information Security at
Bridgewater State College has begun certain initiatives.
As a part of these initiatives IT Security staff will scan all:
This is an initiative to identify all
confidential and private data stored in various locations on Bridgewater State
College infrastructure.
Bridgewater State College has acquired an encryption platform for encrypting
identified confidential information. The encryption system is centrally managed
and BSC users who need access to confidential information must access it using
the encryption platform. Ultimately, confidential data will be encrypted and
access will be restricted to identified BSC employees upon completion of an
access request and verification process. Access will be granted on a
need-to-know basis.
To help protect confidential information and comply with the new state law, we
would like you to do the following:
1. Inspect all files under your control for PII data.
2. Move all files with PII data into the "Secure_folder", located within the
"Department" folder in your G drive.
3. Move all files without PII data that should be restricted into the
"Department" folder located within your G drive.
4. Move all files without PII data that need to be accessed by your student
workers into the "Community" folder.
5. Move all files that need to be securely deleted to the "Delete_Items" folder
located within the "Department" folder in your G drive. IT will securely delete
all of these files. Once you have moved the files for deletion, please contact
IT Support Services at 508.531.2555 and open an ITS ticket to have IT staff
delete the contents of your department's "Delete_Items" folder.
To gain access to secure or encrypted confidential information, please contact IT
Support Services at 508.531.2555 and open an ITS ticket. You will be asked to
complete this access request form.
Once we receive the ticket number and completed access request form, we will
review it and contact you. If approved, IT staff will work with you to establish
secure access to confidential data.
Please go to the following links to get more information on how to use Network share encryption:
In another initiative to protect sensitive information, whole disk encryption
is being deployed to college-owned notebook computers. The encryption protects
the data only if the notebook (with whole disk encryption) is stolen or lost in
a shutdown state.
Whole disk encryption clients will be automatically installed on all new faculty
and staff college-owned notebook computers. As for the existing notebooks, due
to limited licenses, the client will be installed on a case-by-case basis once
we determine whether the notebook is able to support the whole disk encryption
program and the nature of the data stored.
For all laptops that already have the client installed, you will have to
register with the central server and then start the encryption process. Once the
whole disk has been encrypted, all data is secure if the laptop is lost in a
shutdown state. Please go to the following links to get more information on how
to use Whole disk encryption:
You will have to use your BSC email password to log in to your notebook computer. In the event that you forget your password, we will be able to provide you with a one-time token to unlock your account. This token will allow you to log in to your laptop and reset your password. This token will not be provided over the phone or via email. You must come in person with your notebook computer.
Last Modified: June 27, 2008