State and federal legislation and University policies mandate that campus departments take appropriate steps to protect the sensitive data available to them.
To comply with these requirements and enable the University to respond in case of a security breach, academic and administrative departments are required to:
1. KNOW how data is categorized at UMass Amherst
‘Sensitive data’ is a blanket term used to designate categories of data with a high level of sensitivity that the University is legally or contractually required to protect.
For more information, see Institutional Information and Research Data Categorization Examples.
2. IDENTIFY: Have an accurate inventory of the sensitive data in your department
Departments must develop a strategy for keeping track of the sensitive data available to them:
- Have an up-to-date inventory of departmental devices and IT services that contain sensitive data, and the data they hold.
- Use Tenable software to locate sensitive data on desktops, laptops, servers, and other media. UMass Amherst IT recommends that Tenable DLP scans be scheduled at least quarterly.
For more information about sensitive data in practice, see Understand Sensitive Data at UMass Amherst.
3. PURGE: Keep what’s necessary, delete what’s not
University policies require departments to collect, distribute, and retain only the minimum amount of sensitive data, and delete it when it is no longer needed. Departments must review their business requirements for sensitive data and purge sensitive data on an ongoing basis, in accordance with the Records Retention schedule.
4. SECURE: Handle, store & dispose of sensitive data securely
The following are general requirements for handling, storing, and disposing of sensitive data securely. Other, more specific requirements may apply, depending on the type of data and the context in which it is used.
Handling Requirements
Faculty, staff, and students working with sensitive data should:
- Not use, store, or display Social Security Numbers unless required by law.
- Only use the sensitive data essential to the performance of assigned tasks.
- Use caution when disseminating sensitive data and only do so within the confines of the law and University policies. If in doubt, assume data is confidential and cannot be shared.
For more information on handling education records, see the FERPA Tutorial (pdf, 151k) and Instructors' Guide to Information Security (pdf, 1130k).
Storage Requirements
Departments must choose a storage solution for all sensitive data available to them. Options include secure file servers, physically secure hard drives, etc. UMass Amherst IT also offers secure storage options. Contact the IT Help Center to discuss the best storage option(s) for your department.
UMass Amherst IT strongly recommends that faculty, staff, and students transfer all sensitive data from laptops and portable storage media to more secure alternatives, and physically secure all areas where sensitive data is stored (e.g., locked cabinets).
Disposal Requirements
The UMass Amherst Office of Waste Management provides departments, faculty, and staff with a convenient, no-cost way to destroy and dispose of hard drives, backup tapes, and other magnetic media that contain sensitive data. This service is designed to help University departments comply with state and federal laws and University policies. For details, see Hard Drive & Magnetic Tape Destruction.
5. DOCUMENT the business processes that require the use of sensitive data
For compliance purposes, departments must identify the business processes that require them to use sensitive data and maintain internal documentation on:
- The types of sensitive data available to them
- The contexts in which sensitive data is used
- The methods for collecting, storing, and sharing sensitive data
This documentation should be reviewed annually and updated as necessary.
6. RESPOND: Know how to respond to potential data security incidents
If a data security incident is suspected, it is critical that the affected system remain intact, because any change to it can destroy valuable evidence related to the incident. For example, running anti-virus software, taking data backups, and re-installing software should not be done until an investigation can be initiated.
For more information on how to respond to different types of potential incidents, see our Data Security Incidents pages.
7. UNDERSTAND the consequences of a security breach
Security breaches can have serious, long-lasting consequences. The reputation of the individual department as well as the University may be adversely affected. Departments may:
- Be held financially responsible for the cost of the breach
- Risk legal action
- Face increased inquiries and audits from federal and state agencies
- Incur additional fines and penalties