Restricted Information Cleanup & Control

Overview

Information is classified RESTRICTED when its loss or mishandling would expose the University to fines or disclosure costs that are mandated by  legislation or contract. Examples include medical and healthcare information, credit card numbers and social security numbers. Authentication secrets, such as passwords, PINs and stored biometrics, are also considered RESTRICTED information.

University departments transmitting or storing RESTRICTED information must either stop accepting and cleanup this classification of information or implement the encryption controls specified in the University's Information Classification and Protection Policy. This page provides resources for cleaning up or applying the required encryption controls to RESTRICTED information.

• Download the quick reference guide to RESTRICTED information cleanup.

CLEANUP Restricted Information

When possible, cleanup is the preferred way to deal with RESTRICTED information

1. stop accepting it
2. Remove what remains.

Find RESTRICTED Information

Chances are your PC hard disk or network drive has some old (and unexpected) stores of social security or credit card numbers. Each department or faculty needs to search for RESTRICTED information on its computers and systems. The following resources are available to assist in that search:

• Learn how to download and use the SENF "sensitive number finder" to look for social security and credit card numbers in your electronic files.
• Schedule a discovery appointment for your department - colleagues from IT will be available to help you think through where RESTRICTED information may be found and how to deal with it.

Remove RESTRICTED Information

The general rule for removal of restricted information is to:

1. Completely identify the records to be removed.
2. Report the proposed removal to your supervisor.
3. On approval, delete the records.

Control Restricted Information

Some job functions require the use of RESTRICTED information and therefore cleanup is not an option.

Social Security Numbers and Miscellaneous RESTRICTED Information

If your department must handle social security numbers (e.g. financial aid, admissions) or other RESTRICTED information, this information must be placed under an encryption control when stored temporarily or permanently on a computer or network drive, or when transmitted across the network. Please contact the IT Information Security Office for consulting on how to apply the mandatory encryption controls to your this information.

HIPAA & Payment Card RESTRICTED Information

Some departments have additional requirements beyond encryption in handling RESTRICTED information over and above the University's required encryption controls. Please access the "Learn How" links below for your department's appropriate inventory.

• Payment Card RESTRICTED Information Inventory
  Learn how to fill out the Payment Card Industry's questionnaires for your departmental credit card acceptance. Download the Payment Card Quick Reference Guide for payment card restricted information inventory.
• HIPAA ePHI RESTRICTED Information Inventory
  Learn how to fill out the HIPAA ePHI Computer and System Inventory.

Consulting

Information Security, Application Systems and Development and the C2C departments will work with your department, as needed, to help apply controls and re-engineer the flow of RESTRICTED information. Please make all arrangements through the Information Security office, x6655 or infosec@pepperdine.edu

Technology

Several effective and user friendly technologies have been identified to apply encryption for the access, storage, and transmission of RESTRICTED information. Learn more about these technologies and their availability on the control resources page.

Audit

Auditing Services or Information Security may audit for restricted information in your department. The purpose of the audit will be to measure progress in policy compliance and to identify further work that needs to be done.