MUSC Information Security Guidelines: Data Protection

Author: Richard Gadsden
Version: 0.6
Date: 09 Jul 2007
Status: DRAFT


1   Purpose and Scope

These guidelines are intended to help MUSC faculty, staff, students, and other workforce members understand that MUSC's protected information should not, as a general rule, be stored on end-user computing, storage, or communication devices, including but not limited to desktop computers, laptops, tablets, PDAs, thumb drives, memory cards, or communication devices such as cell phones or smart phones.

As a general rule, MUSC's protected information should be stored in electronic form only within formally recognized and documented information systems, where the information can be stored on secure servers that are administered and operated by qualified information technology professionals.

If exceptional circumstances dictate an unavoidable business requirement to store protected information on an end-user device, then these guidelines outline the steps that the end-user should follow to manage the risks appropriately.

2   Applicable MUSC Policies

3   Applicable MUSC Procedures

4   Guidelines

4.1   Authorization

Protected information should not be stored on an end-user device without written authorization from the institutional owner of the data. The written authorization should document the business need, and the scope and duration of the authorization being granted.

4.2   Minimization

Both the types and the amounts of protected information stored on the end-user device should be minimized. The number of locations where the protected information is stored should also be minimized, and the protected information should be securely removed (purged) from the device as soon as it is no longer needed.

4.3   Inventory

A complete and accurate inventory of the protected information that is stored on an end-user device should be maintained, and stored independently of the device. The inventory should be kept in sufficient detail to permit an incident response team to identify, and if necessary to notify, the individuals who are at risk of having their personal information disclosed if the device is lost or stolen.

4.4   Encryption

Any protected information that is stored on an end-user device should be stored only in an encrypted format.

4.5   Physical Security

End-user devices containing protected information need to be kept physically secure by the end-user responsible for the device. In particular, these devices should not be left unattended in any location where theft is a reasonably anticipated and avoidable risk.

4.6   Incident Reporting

If an end-user device containing protected information is lost or stolen, the end-user responsible for the device should immediately report the incident. (See Incident Reporting Procedure.)

5   Recommended Procedures

5.1   Requesting Authorization

If you need to request permission from an institutional data owner to store protected information on a device, and you do not know who the institutional owner is, then please contact the Information Security Office (Richard Gadsden, (843)792-8307,

5.2   Minimizing Stored Information

In addition to keeping excess information from being stored on a device in the first place, you should thoroughly and completely remove sensitive files and records as soon as they are no longer needed. To remove protected information, the space that it occupied on the device's storage media should be overwritten. The space should not simply be marked as available for re-use by other files or records, which, unfortunately, is exactly what happens by default when files are "deleted" in most operating environments: the directory entry is removed, but the data itself remains on the media until some later write happens to overwrite it. Emptying the trash or recycle bin does not overwrite the data either.

Procedures for securely removing a file or record from a device vary, depending on your operating environment. If a "secure delete" function is not built into your system, then software to perform this function will need to be added to the system.

If you need specific recommendations for your device's operating environment, please contact your departmental IT support, or contact the OCIO-IS Help Desk at (843)792-9700.
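As an added example (not part of the MUSC guidelines), the following Python script shows the overwrite-then-remove procedure the text describes, so the difference from a plain delete is visible: it rewrites the file's allocated bytes in place, forces them to the device with fsync, truncates the file, renames it, and only then unlinks it. The helper names (overwrite_file, secure_remove, demo) and the sample file are constructed for this example. One caveat a practitioner needs: in-place overwriting only defeats recovery where the filesystem and the device write back to the same physical blocks. Flash media such as thumb drives and memory cards remap writes (wear levelling), and journaling or copy-on-write filesystems may keep earlier copies of a file's blocks, so on those devices rely on whole-device encryption (section 5.4) and the device's own secure-erase facility rather than on file overwriting alone.

```python
"""Secure removal of a file on an end-user device (added example).

Helper names overwrite_file, secure_remove and demo are assumptions made
for this example; they are not from the MUSC guidelines.
"""
import os
import secrets
import tempfile

CHUNK = 64 * 1024  # bytes per write; keeps memory use small for large files


def overwrite_file(path: str, passes: int = 1) -> int:
    """Overwrite every byte the file currently occupies with random data.

    The file is opened read/write without truncation, so the writes land on
    the blocks already allocated to the file rather than on fresh blocks.
    Returns the number of bytes overwritten per pass (the file's logical size).
    Slack between the logical end of file and the end of its last block is
    not touched, and flash media or copy-on-write filesystems may still keep
    the old blocks (see the lead-in).
    """
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        for _ in range(passes):
            f.seek(0)
            remaining = size
            while remaining > 0:
                n = min(CHUNK, remaining)
                f.write(secrets.token_bytes(n))
                remaining -= n
            f.flush()
            os.fsync(f.fileno())  # push this pass to the device, not just the page cache
    return size


def secure_remove(path: str, passes: int = 1) -> int:
    """Overwrite, then remove the file so that content, length and name are gone.

    A plain os.remove() only unlinks the directory entry and marks the blocks
    as free, which is exactly the behaviour the guidelines warn about.
    """
    size = overwrite_file(path, passes)
    with open(path, "r+b") as f:
        f.truncate(0)  # drop the length so the old file size is not recorded
    # Rename to a random name before unlinking so the original file name does
    # not survive in a recoverable directory entry.
    scrub_name = os.path.join(os.path.dirname(path) or ".", secrets.token_hex(8))
    os.replace(path, scrub_name)
    os.remove(scrub_name)
    return size


def demo() -> dict:
    """Run the procedure on a constructed sample file in a temporary directory.

    Returns the facts a caller would want to check: bytes overwritten, whether
    the content really changed after overwriting, and whether the file is gone
    after secure_remove.
    """
    sample = b"sample protected record line (constructed test data)\n" * 2000
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "records.csv")
        with open(path, "wb") as f:
            f.write(sample)
        written = overwrite_file(path, passes=2)
        with open(path, "rb") as f:
            after = f.read()
        removed = secure_remove(path)
        return {
            "size": len(sample),
            "overwritten": written,
            "content_changed": after != sample and len(after) == len(sample),
            "removed": removed == len(sample) and not os.path.exists(path),
        }


if __name__ == "__main__":
    print(demo())
```

Running the script reports that the overwrite covered the whole file, that the bytes read back after the overwrite differ from the original, and that the file no longer exists afterwards. The number of passes is configurable, but on modern magnetic media a single random pass is the part that matters; extra passes do not help on flash media at all, for the reasons given above.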

5.3   Maintaining an Inventory

An automated backup of the contents of the end-user device, to a secured backup system, is a simple and effective way to maintain an accurate inventory of the information that is stored on the device. If there is no automated backup procedure (e.g. an automated daily backup) in place for the device, then you should perform a complete manual backup whenever there are changes to the protected information stored on the device, or as soon as possible thereafter. You should ensure that all backup media are stored in a secure location, separately from the device itself.

Backup media that contain copies of protected information must be kept physically secure, retained only as long as operationally necessary, and securely disposed of when no longer needed.

If you need help setting up a secure backup procedure, please contact your departmental IT support, or contact the OCIO-IS Help Desk at (843)792-9700.

5.4   Encrypting All Stored Data

If protected information must be stored on an end-user device, then the information should be stored in an encrypted form. To ensure that any protected information that is stored on a device is encrypted, including copies in temporary files, caches, and swap or hibernation files that you may not be aware of, you should encrypt the entire storage device.

Typically, you will use a password or passphrase to unlock the encryption while you are using the device. You should choose this password carefully, and maintain its secrecy; you should never leave the encryption password written down anywhere that it could be lost or stolen with the device itself. The encryption password should be independent of any other password used with the device. Note that whole-device encryption protects the stored data only while the device is powered off or the encryption is locked: while the device is unlocked, or in sleep or standby with the key still held in memory, the data is as exposed as on an unencrypted device. Shut the device down before leaving it unattended.

If you need help setting up encryption for a device, please contact your departmental IT support, or contact the OCIO-IS Help Desk at (843)792-9700.

5.5   Maintaining Physical Security

If you must leave a device unattended, then a locked drawer or cabinet, inside your home or office, is generally considered the safest location for it. A secure location in your home or office is generally recommended over locking the device in your vehicle, even in the trunk. (If your vehicle is stolen, everything in the trunk will go with it.)

Some of the places you should generally avoid leaving a device unattended:

  • vehicles
  • hotel rooms
  • meeting rooms
  • class rooms
  • checked baggage

5.6   Reporting Incidents and Suspected Violations

If a device containing protected information is lost or stolen from your custody, then you should immediately report it.

Also, if you encounter any situation in which you have reason to believe that these data protection guidelines are being violated, then you should report the situation as a suspected security incident. For example, if you observe someone downloading sensitive information onto an end-user device without authorization, or if you find an unsecured end-user device that appears to have sensitive information stored on it, then you should report it.

Finally, please note that while many networked computer applications within the MUSC enterprise are designed to allow authorized users to access sensitive information, these applications should avoid storing any sensitive information on the end-user devices that are used to access the applications (for example, in browser caches, temporary files, or locally saved reports and exports). If you discover that an MUSC network application is storing sensitive information on an end-user device in violation of these guidelines, then you should report it as a suspected security incident.

You should follow the appropriate Incident Reporting Procedure to report all known and suspected security incidents.