On This Page:
- 1. KNOW how data is classified at UMass Amherst
- 2. IDENTIFY: Have an accurate inventory of the sensitive data in your department
- 3. PURGE: Keep what’s necessary, delete what’s not
- 4. SECURE: Handle, store & dispose of sensitive data securely
- 5. DOCUMENT the business processes that require the use of sensitive data
- 6. RESPOND: Know how to respond to potential data security incidents
- 7. UNDERSTAND the consequences of a security breach
State and federal legislation and University policies mandate that campus departments take appropriate steps to protect the sensitive data available to them.
To comply with these requirements and enable the University to respond in case of a security breach, academic and administrative departments are required to:
‘Sensitive data’ is a blanket term used to designate categories of data with a high level of sensitivity that the University is legally or contractually required to protect.
For more information, see Institutional Information and Research Data Categorization Examples
Departments must develop a strategy for keeping track of the sensitive data available to them:
- Have an up-to-date inventory of departmental devices and IT services that contain sensitive data, and the data they hold.
- Use Tenable software to locate sensitive data on desktops, laptops, servers, and other media. UMass Amherst IT recommends that Tenable DLP scans be scheduled at least quarterly.
For more information about sensitive data in practice, see Understand Sensitive Data at UMass Amherst
University policies require departments to collect, distribute, and retain only the minimum amount of sensitive data, and delete it when it is no longer needed. Departments must review their business requirements for sensitive data and purge sensitive data on an ongoing basis, in accordance with the Records Retention schedule.
The following are general requirements for handling, storing, and disposing sensitive data securely. Other, more specific requirements may apply, depending on the type of data and the context in which data is being used.
Faculty, staff, and students working with sensitive data should:
- Not use, store, or display Social Security Numbers unless required by law.
- Only use the sensitive data essential to the performance of assigned tasks.
- Use caution when disseminating sensitive data and only do so within the confines of the law and University policies. If in doubt, assume data is confidential and cannot be shared.
For more information on handling education records, see the FERPA Tutorial (pdf, 151k) and Instructors' Guide to Information Security (pdf, 1130k).
Departments must choose a storage solution for all sensitive data available to them. Options include secure file servers, physically secure hard drives, etc. UMass Amherst IT also offers secure storage options. Contact the IT Help Center to discuss the best storage option(s) for your department.
UMass Amherst IT strongly recommends that faculty, staff, and students transfer all sensitive data from laptops and portable storage media to more secure alternatives, and physically secure all areas where sensitive data is stored (e.g., locked cabinets).
The UMass Amherst Office of Waste Management provides departments, faculty, and staff with a convenient, no cost way to destroy and dispose of hard drives, backup tapes, and other magnetic media that contain sensitive data. This service is designed to help University departments comply with state and federal laws, and University policies. Hard Drive & Magnetic Tape Destruction
For compliance purposes, departments must identify the business processes that require them to use sensitive data and maintain internal documentation on:
- The types of sensitive data available to them
- The contexts in which sensitive data is used
- The methods for collecting, storing, and sharing sensitive data
This documentation should be reviewed annually and updated as necessary.
If a data security incident is suspected, it is critical that the system remain intact as changes can destroy valuable data related to the incident. For example anti-virus software, data backups and software re-installations should not be done until an investigation can be initiated.
For more information on how to respond to different types of potential incidents, see our Data Security Incidents pages.
Security breaches can have serious, long-lasting consequences. The reputation of the individual department as well as the University may be adversely affected. Departments may:
- Be held financially responsible for the cost of the breach
- Risk legal action
- Face increased inquiries and audits from federal and state agencies
- Incur additional fines and penalties