
Restricted data are those which the University has legal, regulatory, policy or contractual obligations to protect. Access to restricted data must be strictly and individually controlled and logged. The release of such data has the potential to create major damage to the institution. (Such damage may be legal, academic [loss or alteration of intellectual property], financial, or intangible [loss of reputation].)

Employees should, at a minimum, apply the safeguards listed below. Information Technology staff who administer devices must follow the Minimum Security Baseline, per University Guideline ADG02.

SAFEGUARDS (with Available Training)

Passwords – never share your password and avoid writing it down in a location that can be accessed by others. (Training: Passwords video)

Email – never send this information via email without first encrypting. (Training: Email video)

Sharing – only share this information with trusted entities who have a need to know. When sharing, be sure to encrypt first or use a secure and approved method (check with your local IT staff). (Training: Social engineering video)

Storing – store this data in approved locations only. If you are storing your data in a location that is not listed as a permissible storage location, check with your local IT staff to see if there is a better location. (See: Where data can be stored)

Mobile Devices – encrypt USB or external hard drives. Use a passcode on your mobile device. If you lose your mobile device or if it is stolen, report it to your local IT staff. (Training: Mobile security video)

(Training: Telecommuting video)

Physical Location – lock offices, cabinets and other areas where this data is stored either in paper or electronic format. (Training: Physical security video)

A full suite of SANS videos is available on a variety of topics (all videos are less than 6 minutes). (Access the full suite of videos)

The Pennsylvania State University @2014