Restricted Information Cleanup & Control
Information is classified "RESTRICTED" when its loss or mishandling would expose the University to fines or disclosure costs that are mandated by legislation or contract. Examples include medical and healthcare information, credit card numbers, and social security numbers. Authentication secrets, such as passwords, personal identification numbers (PINs), and stored biometrics, are also considered Restricted information.
University departments transmitting or storing Restricted information must either stop accepting and cleanup this classification of information or implement the encryption controls specified in the University's Information Classification and Protection Policy. This page provides resources for cleaning up or applying the required encryption controls to Restricted information.
- Download the Restricted information cleanup quick reference guide.
Cleanup Restricted Information
When possible, cleanup is the preferred way to deal with Restricted information
- Stop accepting it
- Remove what remains.
Find Restricted Information
Chances are your computer hard disk or network drive has some old (and unexpected) stores of social security or credit card numbers. Each department or faculty member needs to search for Restricted information on their computers and systems. The following resources are available to assist in that search:
- Learn how to download and use the SENF "sensitive number finder" to look for social security and credit card numbers in your electronic files.
- Schedule a discovery appointment for your department. Colleagues from IT will be available to help you think through where Restricted information may be found and how to deal with it.
Remove Restricted Information
The general rule for the removal of Restricted information is to:
- Completely identify the records to be removed.
- Report the proposed removal to your supervisor.
- On approval, delete the records.
Control Restricted Information
Some job functions require the use of Restricted information and therefore cleanup is not an option.
Social Security Numbers and Miscellaneous Restricted Information
If your department must handle social security numbers (e.g. financial aid, admissions) or other Restricted information, this information must be placed under an encryption control when stored temporarily or permanently on a computer or network drive, or when transmitted across the network. Please contact the IT Information Security Office for consulting on how to apply the mandatory encryption controls to your information.
HIPAA & Payment Card Restricted Information
Some departments have additional requirements beyond encryption in handling Restricted information over and above the University's required encryption controls.
- If your department wishes to accept payment cards you must contact both Finance and the IT Information Security Office (ISO) before you make any commitment, contract or action to do so. Existing payment processors and business partners are contacted yearly by Finance with assistance from ISO. If you are not in this cycle, your payment card acceptance is likely unauthorized.
- If your department wishes to collect patient health information (billing, diagnoses, treatments, etc) you must have approval from the University HIPAA Privacy Officer (HR) and HIPAA Security Officer (ISO). Existing departments that accept patient health information are contacted yearly for review by these officers. If your department or process is not being reviewed annually by these officers, it is likely unauthorized.
IT, Information Security and the Client Services departments will work with your department, as needed, to help apply controls and re-engineer the flow of Restricted information. Please make all arrangements through the Information Security office, x4040 or firstname.lastname@example.org.
Assurance Services or Information Security may conduct audits for restricted information in your department. The purpose of the audit will be to measure progress in policy compliance and to identify further work that needs to be done.