Best Practices for Maintaining NPPI

Departments maintaining NPPI are responsible for that information and any disclosure of it.  No departments should have faculty/staff/students storing NPPI locally (on any equipment or workstations).

Departments must determine

  • To what extent they store confidential/personal/sensitive information. This includes FERPA, GLBA, HIPAA and NJ Identity Theft compliance
  • If the stored information is legally acceptable
  • How the information will be protected

If the information is not necessary

  • Take steps to substitute SSNs for a unique identifier
  • Arrange for a third-party to store credit card, bank numbers, or other sensitive information if appropriate
  • Delete unnecessary electronic data
  • Shred any unnecessary hard copy data

If the information is necessary, provide a plan that includes

  • Faculty and staff training in the handling of personal/confidential information (appropriate destruction of discarded hard and electronic copies, environmental issues, etc.) and security awareness (social engineering, identity theft, nondisclosure agreements)
  • Encrypt your sensitive data transmissions. All OIT and central services (RULink, eden, RCI, crab, clam, andromeda, pegasus) email and web services using the standard Rutgers password must be handled using SSL or SSH.
    • Secure Sockets Layer (SSL) is a commonly used means of encryption for accessing your email. Secure Shell (SSH) or Secure File Transfer Protocol (SFTP) should be used (rather than Telnet) to move or transfer files. Check your department services to determine the level of security offered. Your laptop must be configured to enable encryption.
  • Virtual private networks (VPN) provide an encrypted connection between a user's distributed sites over the Internet. Use a VPN from home or while traveling. The VPN will encrypt all traffic between the University's VPN and your computer. If you use an outside ISP or a wireless connection at home, using the VPN system will prevent others on the network from seeing your traffic. The Rutgers University Office of Information Technology recommends using the Cisco VPN Client, which encrypts all communication going out to the Internet from your computer. Never send private/confidential information over the Internet without encryption, as your account can be compromised and the information you are sending made easily accessible to anyone. Unencrypted information puts you, your department, and the university at risk by allowing your information and password to be read by others.
  • PGP (Pretty Good Privacy) is available as freeware for email encryption; however, the user should be well versed in it prior to sending confidential information. PGP encrypts email by matching public keys to user identity so that only the intended recipient can read it. Free versions of PGP are available for noncommercial use. There are also commercial versions.
  • Depending on choices and systems, other encryption software is commercially available, though not necessarily approved, supported or endorsed by the university:
    • OIT purchased McAfee Endpoint Encryption (formerly SafeBoot Encryption) for use within the university. There is no charge to university departments for the software.
  • Ensure the selection of complex passwords
  • Configure antivirus on machines to update automatically
  • Patch systems and software
  • Sanitize machines of data prior to discarding or sending for repair
  • Shred discarded hard copy documents

Available scanning tools

  • Spider (Cornell) searches files for a limited set of regular expressions. Default regular expressions focus on social security numbers and credit card numbers.
    • Spider for Windows PowerPoint intro (attached below)
  • SENF (Univ. Texas) now allows for user-specified file extension and folder exclusion. Using the files senf_extensions.conf (for file extensions) and senf_folders.conf (for folders), users can specify items one-per-line for SENF to exclude during its scan.
  • SSN file scanner (Educause) scans all the files in a given directory and below, looking for strings within the files of the forms 123-45-6789 and 123456789; it then runs an SSN validation function on the numbers, in an attempt to find files containing SSNs (WinXX systems).
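As an added illustration of what these scanners do (example code written for this page, not the code of Spider, SENF, the Educause scanner or Rutgers OIT), the Python below walks a directory tree, skips excluded extensions and folders in the style of senf_extensions.conf and senf_folders.conf, matches the two SSN forms named above, and then applies a structural validity check. The check assumes the SSA allocation rules (area never 000, 666 or 900-999; group never 00; serial never 0000); the tools listed may validate differently, and the sample text is constructed, not real data.

```python
import os
import re

# The two forms the SSN file scanner looks for: 123-45-6789 and 123456789.
SSN_RE = re.compile(r"\b(\d{3})-?(\d{2})-?(\d{4})\b")

def valid_ssn(area, group, serial):
    """Structural check (SSA allocation rules; an assumption about what the
    tools' 'SSN validation function' does): area is never 000, 666 or
    900-999; group is never 00; serial is never 0000."""
    a, g, s = int(area), int(group), int(serial)
    return not (a == 0 or a == 666 or a >= 900 or g == 0 or s == 0)

def find_ssns(text):
    """Return the SSN-looking strings in text that pass the structural check."""
    return [m.group(0) for m in SSN_RE.finditer(text) if valid_ssn(*m.groups())]

def scan_tree(root, exclude_exts=(), exclude_dirs=()):
    """Walk root and return {path: [hits]} for files that contain SSNs.
    exclude_exts / exclude_dirs mirror SENF's one-item-per-line exclusion
    files (senf_extensions.conf and senf_folders.conf)."""
    findings = {}
    for dirpath, dirnames, filenames in os.walk(root):
        # Prune excluded folders in place so os.walk never descends into them.
        dirnames[:] = [d for d in dirnames if d not in exclude_dirs]
        for name in filenames:
            if os.path.splitext(name)[1].lower() in exclude_exts:
                continue
            path = os.path.join(dirpath, name)
            try:
                # Read leniently: undecodable bytes in binary files are dropped.
                with open(path, encoding="utf-8", errors="ignore") as fh:
                    hits = find_ssns(fh.read())
            except OSError:
                continue  # unreadable file: skip it rather than abort the scan
            if hits:
                findings[path] = hits
    return findings

# Constructed sample text (not real data) covering both forms plus the
# structurally impossible numbers the validation step should reject.
SAMPLE = ("ssn 123-45-6789, compact 456789012, phone 555-12-0000, "
          "bad 000-12-3456, 666-12-3456, 900-12-3456, long 1234567890")

if __name__ == "__main__":
    print(find_ssns(SAMPLE))  # ['123-45-6789', '456789012']
    print(scan_tree(".", exclude_exts=(".exe", ".dll"), exclude_dirs=(".git",)))
```

Hits are reported per file so the owning department can decide whether each file is necessary (and then delete or substitute the identifier) rather than copying the matched values anywhere else.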