Office of Information Technology

Protecting Sensitive Data


The Information Age has brought with it the ability to share, store, and transmit data with the click of a mouse. The risky part of this equation is that storage and transmission of sensitive data across computer systems can be difficult to protect, increasing the need for vigilance.

In the paper world, if a document is marked "CLASSIFIED" or "CONFIDENTIAL", we can easily protect it by placing it face-down on our desk when someone walks by that does not have a need to know, lock it in a file cabinet when it is not being used, or when needing to share use a courier or hand-deliver to the appropriate person, and finally when it is no longer needed we can shred it. We need to take these same precautions in the computer world.

Computer systems are complex. They can include operating system software, applications and programs, databases, hardware components, and networks. Each of these elements requires a different method for protecting the data. Adding to the complexity is the dynamism in terms of the way the systems and their parts interact and their requirement for frequent updates to fix bugs or protect against the latest hack attack. All of this collectively underscores the need for each of us to take responsibility to protect the sensitive data we handle.

OIT is here to help, if you ever have questions about the security of a system or an electronic document you are handling. In general, Information Security professionals suggest that protecting sensitive data requires a combination of people, processes, polices, and technologies.

 

Encryption

A mathematical algorithm used to scramble elements, rendering them undecipherable without special keys or passwords to unlock.

  • Protecting your workstation
  • Protecting your e- mail
    • Lotus Notes: OIT has secured the transmission of e-mail for Lotus Notes users for mail that is transferred from one @american.edu account to another @american.edu account.
    • GMail: You can configure Gmail to encrypt everything that is sent between the computer you are using and the Gmail servers, thereby reducing the probability of interception.
       

Protecting Your Privacy

Managing Cookies

Cookies can be used to track your web site activities, though that activity is seen as anonymous to the ad network. In other words, it cannot find out your real name or your credit card numbers, for example. Typically the information it has learned about your browsing habits is used to display ads targeted to your interests when you visit those sites. Some people consider behavior like this to be a violation of their privacy.

Most major web browsers allow the user to manage their cookies. Each browser has a different set of instructions and they will change depending on the version. The easiest way a user can manage their cookies is to open their browser, select “Help” from the menu and search using the keyword "cookie." Most browsers will return a result that says "enable/disable cookies."

 

Privacy Software

Always read critically. The OIT does not monitor or endorse the web sites listed below.

Below are links to a collection of Free Privacy Software. Note: OIT is offering these links for your convenience; however, we are not prepared to provide support for the software listed as they are changing regularly.

 

Learn More about Organizations Working to Protect Your Privacy

 

Secure Data Removal

Electronic files, that have been thrown into your computer's emptied Trash or Recycling Bin, can be recovered from your computer with freely available computer utilities. If you are handling sensitive data that is no longer needed, you should use one of the following tools to prevent the risk of exposure:

 

Avoid Identity Theft

Deter. Detect. Defend.

The Federal Trade Commission is the country's leading resource for providing information on Identity Theft. Identity theft occurs when someone uses your personally identifying information (like your name, Social Security number, or credit card number), without your permission, to commit fraud or other crimes. The FTC estimates that as many as 9 million Americans have their identities stolen each year. Read more online.

 

Least Privilege and Need to Know

You should always consider the principle of least privilege, if you are in a position to grant access to computer accounts, applications, locks to file cabinets, doors, safes, etc. It instructs us to only provide what is expressly needed to perform the job, no more. Ask yourself does the person need to know?

Why is least privilege important? In the event a security exploit occurs, we want to reduce or contain the amount of damage the attacker can do.

Practical Security Solutions explains:

Think of yourself as the owner of an estate that has locks on the doors, gates, windows, a vault, and a few cabinets in select rooms. In order to enforce least privilege, you grant access based on the function that is required to carry it out. So, the gardener would only be given keys to the gate, no need for access to the house. The housekeeper would get access to the house, but not the locked cabinets and vault. The butler would get access to the house and perhaps, one of the locked cabinets (liquor, so you can be served your favorite beverage), but not the vault. You, as the owner have access to everything. Each function has been granted only the access necessary to perform the specific function, nothing more.