IT-4 Standard for Protecting Sensitive Information


1. Purpose

All members of the university community share in the responsibility for protecting information resources to which they have access. The purpose of this document is to establish minimum standards and guidelines to protect against accidental or intentional damage or loss of data, interruption of university business, or the compromise of sensitive information.

2. Additional authority

The following federal laws and standards help guide the content of this document:

3. Scope

This standard applies to all students, faculty, staff, contractors, consultants, temporary employees, guests, volunteers, and all other entities or individuals with access to sensitive information through University of Maryland or its affiliates. This standard also applies to all university information resources, including those used by the university under license or contract.

4. Definitions

Sensitive information is defined as information that is classified in the top two tiers of IT-2: Data Classification Standard.

5. Standards

All members of the university community are users of University of Maryland's information resources, even if they have no responsibility for managing the resources.
Users include students, faculty, staff, contractors, consultants, temporary employees, and guests. Users are responsible for protecting the information resources to which they have access. Their responsibilities cover both computerized and non-computerized information and information technology devices (e.g. paper, reports, books, film, microfiche, microfilms, recordings, computers, removable storage media, printers, phones, fax machines, etc.) that they use or possess. Users must follow the information security practices set by the CIO, as well as any additional departmental or other applicable information security practices.

Users are expected to be familiar with and adhere to all university policies and exercise good judgment in the protection of information resources. They must be familiar with this document and other information-related policies, approved practices, standards and guidelines, including but not limited to the university’s standards regarding acceptable use, access and privacy.

6. Requirements

Physical Security

Departments and users must provide physical security for all information technology devices at all times. Physical security must be provided at an appropriate level based on the criticality and sensitivity of data stored and/or processed by the devices. Departments and users must be aware that some data types may require specific physical security controls be in place in order to comply with federal laws and standards.

Access to Information

Access to sensitive information must be restricted, electronically and physically, to only persons with a documented business reason for such access. Administrators with the authority to grant access must receive and retain requests to add users. This request must include the business reason for granting the access along with any details regarding expiration of the access if it is meant to be only temporary. Additionally, users must be required to sign a non-disclosure agreement (NDA) before their access to the sensitive information is granted. Administrators must conduct regular reviews of system access (at least annually) to ensure all users are still active employees and still require access to the information.

Access to sensitive information must be protected through the use of multi-factor authentication (MFA). User accounts must require the use of strong passphrases that adhere to the USM IT Security Standards. The university’s Central Authentication System (CAS) is the expected mechanism for achieving these requirements. Alternative authentication systems must be approved by the University Chief Information Security Officer.

Information Storage

Sensitive information must be kept in a place that provides a high level of protection against unauthorized access and must not be removed from the university.

Distribution and Transmission of Information

Sensitive information that is transmitted electronically, transported physically, or spoken in conversation must be appropriately protected from unauthorized interception. For electronic transmissions, utilize encrypted transmission methods (e.g. HTTPS for web content). Do not transmit sensitive information via email unless using a university-approved secure messaging system. Ensure that sensitive information is only ever distributed to persons or institutions with a documented business reason to receive such information. When sensitive information is shared using a shared storage solution (e.g. Box organizational account or SecureShare), ensure that those users it is shared with cannot in turn share the information with additional users that should not have access.

When sensitive information must be shared with another institution, ensure that it is done so by applying the highest security controls utilized by the two institutions. For example, if the University of Maryland requires stricter security than the institution the information is being shared with then the University of Maryland's security controls must be applied.

Destruction and Disposal of Information and Devices

Sensitive information must be disposed of in such manner as to ensure it cannot be retrieved and recovered by unauthorized persons. Physical documents containing sensitive information must be shredded prior to disposal. Electronic information must be securely deleted from all locations where stored (i.e. hard drive, network, cloud, etc.) when no longer needed or no longer valid. On Mac computers be sure to use the Secure Empty Trash option. On Windows-based computers, users may use the built-in Cipher or SDelete commands, or they may instead utilize appropriate third-party tools.

When hard drives or other devices known to have contained sensitive information reach end-of-life, utilize a secure destruction method to destroy the devices and ensure that information cannot be recovered. The university’s Division of Information Technology offers a free Storage Destruction Service to campus that satisfies this.

Computer Security Best Practices

System administrators and users must follow a set of computer security best practices to help minimize risk of exposure or loss of sensitive information.

Incident Handling and Reporting

Users must report suspected compromises of information resources, including contamination by computer viruses and phishing attempts, to their manager and the IT Security Operations Center (soc@umd.edu, 301-226-HACK) who in turn will proceed in accordance with the Incident Response Procedure. Incidents must be reported on the same business day users become aware of the compromise.

Additional information regarding reporting a security incident is provided by the Division of Information Technology.

Security Awareness

DIT shall provide appropriate security awareness training to all faculty and staff members with access to sensitive information. This training must be provided at the start of employment with the university as well as regularly (at least annually) as a refresher. Training must cover current and common threats as well as appropriate user behaviors. The university provides many free video resources through the Division of Information Technology and LinkedIn Learning.

Accessing Sensitive Information While Traveling

Apply the following practices, in addition to all others listed in this document, when accessing sensitive information while traveling:

7. Enforcement

Violations of this standard will be handled consistent with university disciplinary procedures applicable to the relevant individuals or departments. Failure to comply with this standard may also result in the suspension of access to network resources until standards have been met. Should University of Maryland incur monetary fines or other incidental expenses from security breaches, the university may recoup these costs from the non-compliant department, school, or auxiliary organization.

8. Version Information

Version: 3.0

Date: 05 November 2020