Restricted Information Cleanup & Control
Information is classified "RESTRICTED" when its loss or mishandling would expose the University to fines or disclosure costs that are mandated by legislation or contract. Examples include medical and healthcare information, credit card numbers, and social security numbers. Authentication secrets, such as passwords, personal identification numbers (PINs), and stored biometrics, are also considered Restricted information.
University departments transmitting or storing Restricted information must either stop accepting and clean up this classification of information or implement the encryption controls specified in the University's Information Classification and Protection Policy. This page provides resources for cleaning up or applying the required encryption controls to Restricted information.
- Download the Restricted information cleanup quick reference guide.
Cleanup Restricted Information
When possible, cleanup is the preferred way to deal with Restricted information:
- Stop accepting it.
- Remove what remains.
Find Restricted Information
Chances are your computer hard disk or network drive has some old (and unexpected) stores of social security or credit card numbers. Each department or faculty member needs to search for Restricted information on their computers and systems. The following resources are available to assist in that search:
- Learn how to download and use the SENF "sensitive number finder" to look for social security and credit card numbers in your electronic files.
- Schedule a discovery appointment for your department. Colleagues from IT will be available to help you think through where Restricted information may be found and how to deal with it.
Remove Restricted Information
The general rule for the removal of Restricted information is to:
- Completely identify the records to be removed.
- Report the proposed removal to your supervisor.
- On approval, delete the records.
Control Restricted Information
Some job functions require the use of Restricted information and therefore cleanup is not an option.
Social Security Numbers and Miscellaneous Restricted Information
If your department must handle social security numbers (e.g. financial aid, admissions) or other Restricted information, this information must be placed under an encryption control when stored temporarily or permanently on a computer or network drive, or when transmitted across the network. Please contact the IT Information Security Office for consulting on how to apply the mandatory encryption controls to your information.
HIPAA & Payment Card Restricted Information
Some departments have requirements for handling Restricted information over and above the University's required encryption controls. Please access the links below for your department's appropriate inventory.
- Payment Card Restricted Information Inventory: Through this page, you will learn how to fill out the Payment Card Industry's (PCI) questionnaires for your departmental credit card acceptance. Download the Payment Card Quick Reference Guide for payment card restricted information inventory.
- HIPAA ePHI Restricted Information Inventory: Through this page, you will learn how to fill out the Health Insurance Portability and Accountability Act (HIPAA) Electronic Protected Health Information (ePHI) Computer and System Inventory.
Information Security, Innovative Development, and the Enterprise Information Systems departments will work with your department, as needed, to help apply controls and re-engineer the flow of Restricted information. Please make all arrangements through the Information Security office, x6655 or firstname.lastname@example.org.
Several effective and user-friendly technologies have been identified to apply encryption for the access, storage, and transmission of Restricted information. Learn more about these tools and services and their availability on the "Control Restricted Information" page.
Auditing Services or Information Security may conduct audits for Restricted information in your department. The purpose of the audit will be to measure progress in policy compliance and to identify further work that needs to be done.