The Ohio State University

Department of Statistics

Data Security Policies

In what follows, 'sensitive data' is defined as anything that falls under the SSN (Social Security Number), FERPA (Student Data), and HIPAA (Medical Privacy) laws.

State Law and OSU Policy make the Department liable for the financial costs of compromised data.

Our prime source of this data is SSNs on rosters and grade reports. Due to pressure from the IT community, the Registrar is removing SSNs from these reports by Autumn 2007. However, this data will be with us for years to come: left in files, buried in e-mail, and hidden in web caches, to name a few places. NOTE: rosters, even without SSNs, are still sensitive enrollment data.

In the end, in our environment, it is up to the user to safeguard sensitive data. We simply don't have the desire or the manpower to enact the draconian measures necessary to enforce this centrally.

Summary of OSU Policies

  1. Sensitive electronic data cannot be stored on non-OSU owned machines, or non-OSU owned portable storage devices.

  2. Sensitive physical data should not be left in unlocked areas, such as open offices, on printers, in the mail room, etcetera.

  3. Sensitive electronic data should be encrypted. This is especially important on laptops and portable storage devices. See the Resources section at the end of this document.

  4. Sensitive data in any form needs to be destroyed appropriately.

Additional Statistics Recommendations

  1. Instructors should go over data security guidelines at the beginning of every quarter with their TAs/RAs/graders.

  2. E-mail should not be forwarded to non-OSU mail servers.

  3. Do not give sensitive information to a non-OSU e-mail address. It is not possible to verify that a GMail/Yahoo/MSN/etcetera address belongs to the intended recipient. Use an OSU address instead.

  4. Unencrypted sensitive data should not be transferred over networks.

  5. No sensitive data should be stored on portable storage, such as CDs, USB drives, iPods, portable hard disks, PDAs, phones, etcetera. It is simply too easy to misplace these devices. In the case where it is unavoidable, the file should be encrypted, or securely deleted immediately after transfer.

  6. We strongly recommend that all laptops use blanket encryption for all user data.

Destruction/Non-proliferation of Data

  1. Merely deleting files or reformatting a disk is NOT sufficient to destroy data. Special steps must be taken to truly erase data. See the Resources section at the end of this document.

  2. Erasing data in a Microsoft Office or OpenOffice document may not actually erase the data, due to layers of undo and journaling. Instead, use 'Save As' to create a new document with a different name and then delete the old document. At this point you can rename the new document to the old name.

  3. Sensitive data on paper should be disposed of by cross-cut shredding.

  4. Keep in mind that sensitive data can easily proliferate through copying to portable storage, rosters cached in the browser's web cache, copies stored in various e-mail folders, printing, and backups. It is important to erase copies quickly when you are done with them.

Resources

OSU Statistics Recommended Tools for Encryption and Data Erasure

CIO's Buckeye Secure Site

CIO's Policy Site


