On This Page:
- 1. KNOW how data is classified at UMass Amherst
- 2. IDENTIFY: Have an accurate inventory of the sensitive data in your department
- 3. PURGE: Keep what’s necessary, delete what’s not
- 4. SECURE: Handle, store & dispose of sensitive data securely
- 5. DOCUMENT the business processes that require the use of sensitive data
- 6. RESPOND: Know how to respond to potential data security incidents
- 7. UNDERSTAND the consequences of a security breach
State and federal legislation and University policies mandate that campus departments take appropriate steps to protect the sensitive data available to them.
To comply with these requirements and enable the University to respond in case of a security breach, academic and administrative departments are required to:
1. KNOW how data is classified at UMass Amherst
‘Sensitive data’ is a blanket term used to designate classes of data with a high level of sensitivity that the University is legally or contractually required to protect. At UMass Amherst, sensitive data refers to:
- Restricted data (e.g., Social Security Numbers, ethnicity information, bank account numbers, medical records)
- Confidential data (e.g., education records, student/employee IDs, students'/parents' financial records)
For more information, see Data Classification at UMass Amherst
2. IDENTIFY: Have an accurate inventory of the sensitive data in your department
Departments must develop a strategy for keeping track of the sensitive data available to them:
- Have an up-to-date inventory of departmental devices that contain sensitive data.
- Use Spirion software to locate sensitive data on desktops, laptops, servers, and other media. UMass Amherst Information Technologies (UMass Amherst IT) recommends that Spirion scans be scheduled at least quarterly.
For more information about sensitive data in practice, see Understand Sensitive Data at UMass Amherst
3. PURGE: Keep what’s necessary, delete what’s not
University policies require departments to collect, distribute, and retain only the minimum amount of sensitive data, and delete it when it is no longer needed. Departments must review their business requirements for sensitive data and purge sensitive data on an ongoing basis.
4. SECURE: Handle, store & dispose of sensitive data securely
The following are general requirements for handling, storing, and disposing of sensitive data securely. Other, more specific requirements may apply, depending on the type of data and the context in which data is being used.
Faculty, staff, and students working with sensitive data should:
- Not use, store, or display Social Security Numbers unless required by law.
- Only use the sensitive data essential to the performance of assigned tasks.
- Use caution when disseminating sensitive data and only do so within the confines of the law and University policies. If in doubt, assume data is confidential and cannot be shared.
For more information on handling education records, see the FERPA Tutorial (pdf, 151k) and Instructors' Guide to Information Security (pdf, 1130k).
Departments must choose a storage solution for all sensitive data available to them. Options include secure file servers, physically secure hard drives, etc. UMass Amherst IT also offers a secure storage service for a fee. Contact the IT Help Center to discuss the best storage option(s) for your department.
UMass Amherst IT strongly recommends that faculty, staff, and students transfer all sensitive data from laptops and portable storage media to more secure alternatives, and physically secure all areas where sensitive data is stored (e.g., locked cabinets).
UMass Amherst IT provides departments, faculty, and staff with a convenient, no-cost way to destroy and dispose of hard drives, backup tapes, and other magnetic media that contain sensitive data. This service is designed to help University departments comply with state and federal laws and University policies. For more information, see Hard Drive & Magnetic Tape Destruction.
5. DOCUMENT the business processes that require the use of sensitive data
For compliance purposes, departments must identify the business processes that require them to use sensitive data and maintain internal documentation on:
- The types of sensitive data available to them
- The contexts in which sensitive data is used
- The methods for collecting, storing, and sharing sensitive data
This documentation should be reviewed annually and updated as necessary.
6. RESPOND: Know how to respond to potential data security incidents
Computers compromised by malware are the most common data security incidents on campus. Departments can choose to handle portions of an incident internally using the Malware Incident Response Checklist or contact the IT Help Center as soon as possible.
If a data security incident is suspected, it is critical that the system remain intact as changes can destroy valuable data related to the incident. The owner or primary user of the infected machine should not run anti-virus software or attempt to back up data.
For more information on how to respond to different types of potential incidents, see our Data Security Incidents pages.
7. UNDERSTAND the consequences of a security breach
Security breaches can have serious, long-lasting consequences. The reputation of the individual department as well as the University may be adversely affected. Departments may:
- Be held financially responsible for the cost of the breach
- Risk legal action
- Face increased inquiries and audits from federal and state agencies
- Incur additional fines and penalties