Post on 15-Aug-2020

Page 1

Compliance Check List
END USER - Self Managed System/Device

Information Security & Policy Office
Phone: 319-335-6332 | E-mail: [email protected] | Web: http://itsecurity.uiowa.edu

ITS Help Desk
Phone: 319-384-4357 | E-mail: [email protected] | Web: http://its.uiowa.edu/helpdesk


Resources for more information

Sensitive/Protected Data:
http://itsecurity.uiowa.edu/policy/policy-InstitutionalDataAccess.shtml
http://itsecurity.uiowa.edu/bestprac/InstData-Classification.shtml
http://its.uiowa.edu/encryption

Cloud Computing: http://its.uiowa.edu/cloud

Incident Response: http://itsecurity.uiowa.edu/incidents/incidents.shtml

Workplace Best Practices: http://itsecurity.uiowa.edu/bestprac/workplace.shtml

Identity Finder

Identity Finder helps you find restricted information stored on your computer. Identity theft can occur when personal information, such as social security numbers and credit card numbers, falls into the wrong hands. For more information on the application and how to install and run it, visit: http://its.uiowa.edu/identity/

UI Anywhere: A Virtual Private Network (VPN) at The University of Iowa

If you are working from home and accessing or using institutional data on systems on campus, do so via the University's VPN service (UI Anywhere). Instructions on how to install and use the application to securely access UI campus resources can be found here: http://its.uiowa.edu/vpn


What is Personally Identifiable Information (PII)? PII Includes: Name, e-mail, home address, phone number etc.

Sensitive PII Includes:

If Stand-Alone:
Social Security Number (SSN)
Driver's License or State ID #
Passport Number
Alien Registration Number (A#)
Financial Account Number
Credit Card Numbers
Biometric Identifiers

If Paired with Another Identifier:
Citizenship or Immigration Status
Medical Information
Ethnic or Religious Affiliation
Sexual Orientation
Account Passwords
Last four digits of SSN
Date of Birth
Criminal History
Mother's Maiden Name
Personal Health Information

Examples of Data types

Level I: Any institutionally published public data. Examples below.
Name
Course Catalogues
Job Title
Business Contact Information
Master Calendar
University Policies
HR data excluding restricted data, e.g. Part time/Full time indicator
Unrestricted Research data or results
Business transactions that don't include sensitive data

Level II (Protected): Role-based Protected Personal and Institutional Data.
Student Grade Books
University ID No.
Employee Number
Online Library Catalog
Materials Licensed for On-Campus use
Internal Audit Reports
Budget Information
Intellectual Property
Project Data
Business Continuity Plans

Level III (Restricted): Restricted institutional data only accessible to specific campus users.
HIPAA Data & PHI
Financial Data: Credit Card, Debit & Bank Account Numbers, Cardholder info.
Driver's License No.
Social Security No.
Official Transcripts
Donor Information
Alien (A) Reg. No.
Federal Grant Research data
Passport/Visa No.
Export Controlled Research Data
Legal Information - Attorney Work Product

Enterprise Services

Page 2

Stop agonizing...automate.

Compliance Check List
END USER - Self Managed System/Device

This "Check List" is intended primarily for UI-owned, self-managed workstations or devices. Use it as a means of assessing your information security and to identify areas you can improve. More checked boxes means less risk.

Work with your local IT support person if you need any clarification or assistance.

Responding to Incidents

If I suspect I have a security issue with my computer, I know I have to contact the Information Security and Policy Office (5-6332) immediately, before I do anything on my computer.

If I have a problem with my HawkID, I know to contact my local IT support or the Help Desk (4-HELP).

Why struggle for solutions when you can automate?

If you interact with a computer, computer security is important to you.

Ensure that the integrity, confidentiality, and availability of data are maintained at an appropriate level at all times. Computer security is an ongoing process, not a one-time effort.

Don't reinvent the wheel or stress over how to implement security controls. Capitalize on services provided to you by the University that will save you time and will very likely provide you with a higher level of security.

Where possible, engage your local IT support staff about services, software, and resources that are available to you. Take the time to review and follow IT policy, which governs all personal or unmanaged devices connecting to the campus network. Policy is developed to protect you and the University community from harm (such as loss, damage, or exposure of data), as well as to achieve compliance with federal and state regulations.

See http://itsecurity.uiowa.edu/policy for a complete list of University IT policies.

Computer/ System Security Requirements

I keep my operating system and application software patches up-to-date.

I regularly (at least monthly) check my programs for out of date software and update accordingly.

I have anti-virus software installed, set to automatically update and scan my system regularly.

I use complex passwords (University Password Policy) to protect my computer(s), devices, & applications and never share them with anyone.

I manage and protect my encryption keys (key escrow).

All of my important information is stored on my home (H:) or on my department shared (L:, S: etc.) drive space, which is backed up.

I have discussed with my supervisor and completed the training requirements related to my position. Examples of training could be FERPA, HIPAA or Security Awareness.

I have my firewall configured and activated on my device(s).

I do not use an account with elevated access for my day-to-day work (e.g., an Administrator account).

I consult with my IT Support staff or the Help Desk before purchasing or using any cloud-based application.

I ensure I have appropriate licenses for all software and applications installed and running on my machine(s).

Sensitive/ Protected data

I know what restricted (Level III) or protected (Level II) data is.

I store high sensitivity/restricted (University Level III) information on a secure department file server (or within university web applications), instead of locally on my workstation, laptop, tablet, or other mobile device.

If I must store Level III information on a workstation, laptop, tablet, or other mobile device, I work with my local IT support staff to implement encryption on the device.

I always use secure end-to-end encryption (e.g., "https" for web sites, "sftp" for file transfers) when communicating any sensitive information.

I know which files I work with that contain restricted (University Level III) information, and where those files are stored.

I regularly run the Identity Finder software program on my desktop to ensure it isn't storing any social security numbers, credit card numbers or passwords.

If Identity Finder flags files with Level III data, I promptly delete, edit, or move them to a secure location.

I do not share restricted or protected institutional data without appropriate authorization from the business owner for that data.
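The search that Identity Finder performs (described under Resources on page 1) and that the two checklist items above depend on can be shown with a small scanner of the same kind. The following is an added example written for this page; it is not Identity Finder's own code or any University tool. It looks for Social Security Number and payment-card candidates in plain-text files, rejects values that fail the SSA issuance rules or the Luhn checksum, and reports only masked values so that the report itself does not become a Level III file. The sample text, file names and directory layout are constructed for the example.

```python
"""Minimal restricted-data scanner: finds SSN and payment-card candidates in
text and validates them before reporting. Constructed example, not the
Identity Finder product."""
from __future__ import annotations

import re
from dataclasses import dataclass
from pathlib import Path

# Candidate patterns. The lookarounds stop a match from starting or ending in the
# middle of a longer digit run (phone numbers, IDs, or an adjacent card number).
SSN_RE = re.compile(r"(?<![\d-])(\d{3})[- ]?(\d{2})[- ]?(\d{4})(?![\d-])")
CARD_RE = re.compile(
    r"(?<![\d-])(?:(?:\d{4}[ -]?){3}\d{4}"      # 16-digit layout (Visa/MC/Discover)
    r"|\d{4}[ -]?\d{6}[ -]?\d{5})(?![\d-])"     # 15-digit layout (Amex)
)


@dataclass(frozen=True)
class Finding:
    path: str
    line_no: int
    kind: str     # "SSN" or "CARD"; both are Level III (restricted) data per the checklist
    masked: str   # all but the last four digits hidden, safe to put in a report


def is_valid_ssn(area: str, group: str, serial: str) -> bool:
    """SSA issuance rules: area 000, 666 and 900-999, group 00 and serial 0000
    are never assigned, so candidates using them are rejected."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return group != "00" and serial != "0000"


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 checksum used by payment-card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(digits: str) -> str:
    return "*" * (len(digits) - 4) + digits[-4:]


def scan_text(text: str, path: str = "<memory>") -> list[Finding]:
    """Return validated findings, in line order, for one document's text."""
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for m in SSN_RE.finditer(line):
            if is_valid_ssn(*m.groups()):
                findings.append(Finding(path, line_no, "SSN", mask("".join(m.groups()))))
        for m in CARD_RE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group())
            if luhn_ok(digits):
                findings.append(Finding(path, line_no, "CARD", mask(digits)))
    return findings


def scan_tree(root: Path, suffixes=(".txt", ".csv", ".log", ".md")) -> list[Finding]:
    """Walk a directory (e.g. a user's Documents folder) and scan plain-text files."""
    results: list[Finding] = []
    for p in sorted(root.rglob("*")):
        if p.is_file() and p.suffix.lower() in suffixes:
            results.extend(scan_text(p.read_text(errors="ignore"), str(p)))
    return results


# Constructed sample: not real people or accounts. 4111 1111 1111 1111 is the
# well-known Visa test number; the "invalid" values are deliberately unissuable.
SAMPLE = """\
Student roster export (constructed sample data)
Name: A. Hawkeye   SSN: 123-45-6789
Card on file: 4111 1111 1111 1111 (exp 12/27)
Invalid placeholders: 000-12-3456, 666-00-1234, 4111 1111 1111 1112
Office phone 319-335-6332, HawkID ticket 20200815
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE, "roster.txt"):
        print(f"{f.path}:{f.line_no}: {f.kind} {f.masked}  -> Level III, move/encrypt/delete")
```

Run it over a user's files with scan_tree(Path.home() / "Documents"). The SSA and Luhn checks only drop values that cannot be real; a nine-digit employee number or a card test number will still be flagged, so treat every finding as a candidate to review and then delete, edit, or move, exactly as the checklist item says. Commercial discovery tools also open Office, PDF and mailbox containers, which this text-only scanner does not.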

Work Area Security

I make sure my computer's screen is password-locked while I am away from the device.

I secure restricted information on any media (e.g., paper or electronic, including USB drives and DVDs) by locking it up in a desk drawer or file cabinet.

I never reply to an e-mail with personal information or click on suspicious links in it.

I know to check with my local IT Support or call the Help Desk (4-HELP) if I have any doubt about the legitimacy of a request for information.

I question anyone who requests my personal information, and verify that they have the authority to make the request.