If your computer holds confidential data, it must be kept secure.
Only authorized individuals should have accounts on a computer that contains confidential data. If this is not the case, the data must be encrypted so that unauthorized individuals cannot access it. If you need to encrypt data, check with your department’s technical support staff to find out what encryption solutions are recommended.
Escrow your password if you encrypt!
If you encrypt university data, you should not be the only person who knows the password needed to unlock it and you should not use your NetID password for this purpose. Your department should have a process to securely store a copy of the password, so that data can be retrieved should you become incapacitated or forget your password. Otherwise, if something should happen to you, the university will lose access to your work. Check with your department’s technical support staff about current practices in your area.
PGP, a no-fee service provided by IT Security, escrows passwords automatically and provides the option for multiple, role-specific key recovery personnel. This simplifies access to encrypted data in the event of an emergency. See PGP Encryption Services.
The requirement to escrow the password you use for encryption is set out in University Policy 5.3, Use of Escrowed Encryption Keys.
The same requirements apply to mobile devices with confidential data stored on them. Smart phones and other portable media such as external hard drives, USB thumb drives, CDs, DVDs, tapes, and diskettes are small and easy to lose, posing a significant risk. If they ever leave a secure location, any confidential data must be encrypted.
Also see Specific Requirements for Confidential Data.
Handling paper documents with confidential data
When you work with printed material containing confidential data, handle it responsibly:
For full details, see Policy 5.10, Information Security, Security of Paper Documents.