University Memo: Protection of Personal Information

Dear Colleagues,

Each year we issue a reminder regarding the need to protect personal
confidential information to which we have been granted access in order
to fulfill the requirements of our job functions. The protection of
this information, also known as "Non-Public Personal Information"
(NPPI), is mandated by federal and state law, as well as Rutgers policy
(e.g., Rutgers Policy 50.3.9, http://policies.rutgers.edu).

All units and staff members that create, store, or transmit such
information are required to do so in a manner which protects NPPI.
Personal information includes, but is not limited to, financial and
health information, social security numbers, and driver license numbers.
The following recommendations establish expectations and guidance
regarding how to appropriately secure and manage NPPI in order to ensure
compliance and reduce the likelihood of compromising such data. We ask
that you take this opportunity to meet with your staff to review the
guidelines in order to ensure a mutual understanding of expectations,
and adherence to the standards.

Securing Hard Copy Records

If you have hardcopy records of personal information (e.g., paper payroll
documents, DVDs or tape backups with personal information), please
confirm that they are kept in locked cabinets behind locked doors. The
retention and appropriate disposition of these records should be
effectuated in accordance with the Rutgers Records Management Policy
50.3.10.

If there is a need to transmit these records to another department or
external agency, the documents should be transmitted in a sealed
envelope or other packaging, marked confidential, and addressed to a
specific recipient. Where applicable, instructions should be provided
regarding the return, storing, or appropriate disposal of documents
containing NPPI.

Securing Electronic Records

If you are maintaining personal information in electronic form, access
should be strictly controlled or the information should be encrypted.
Due to the vulnerability of information on portable devices, such as
laptops or USB memory sticks, we recommend that all information on these
devices, and not just personal information, be encrypted. The Office
of Information Technology - Division of Information Protection and
Security (OIT/IPS) can provide guidance and recommend several open
source and commercial encryption tools that provide the necessary
functionality and security. For assistance contact OIT/IPS at
732-445-8011 or rusecure@rutgers.edu.

If you are unsure whether your electronic systems hold personal
information, OIT/IPS has tools that can help. Such personal information
is often found in locally developed databases, personnel systems and
spreadsheets, email files, class rosters, and files created by faculty
and staff. The Cornell Spider and the Sensitive Number Finder (SENF)
can facilitate the identification of such information. These tools,
with instructions for their use, are available at
http://rusecure.rutgers.edu/nppi.

Additional information regarding how to locate and protect electronic
versions of personal information can also be found at the RUSecure web
site (http://rusecure.rutgers.edu). If you have any questions regarding
the above, please contact OIT/IPS at 732-445-8011 or email
rusecure@rutgers.edu.

Thank you for your continued support of the university's information
protection initiatives.

Sincerely,

Bruce Fehn
Senior Vice President for Finance & Administration