
Protecting Sensitive Data

The Information Age has brought with it the ability to share, store, and transmit data with the click of a mouse. The risky part of this equation is that storage and transmission of sensitive data across computer systems can be difficult to protect, increasing the need for vigilance.

In the paper world, if a document is marked "Classified" or "Confidential", we can easily protect it: we place it face-down on our desk when someone who does not have a need to know walks by, lock it in a file cabinet when it is not being used, use a courier or hand-deliver it to the appropriate person when it needs to be shared, and shred it when it is no longer needed. We need to take these same precautions in the computer world.

Computer systems are complex. They can include operating system software, applications and programs, databases, hardware components, and networks. Each of these elements requires a different method for protecting the data. Adding to the complexity, the systems and their parts interact in ways that keep changing, and they require frequent updates to fix bugs or protect against the latest hack attack. All of this collectively underscores the need for each of us to take responsibility to protect the sensitive data we handle.

OIT is here to help if you ever have questions about the security of a system or an electronic document you are handling. In general, Information Security professionals suggest that protecting sensitive data requires a combination of people, processes, policies, and technologies.

Avoid Identity Theft

Deter. Detect. Defend. 

The Federal Trade Commission is the country's leading resource for providing information on Identity Theft. Identity theft occurs when someone uses your personally identifying information (like your name, Social Security number, or credit card number), without your permission, to commit fraud or other crimes. The FTC estimates that as many as 9 million Americans have their identities stolen each year. Read more online.

Encrypt Your Data

Encryption is a mathematical algorithm used to scramble data elements, rendering them undecipherable without the special keys or passwords needed to unlock them.

Whole disk encryption software ensures that no unauthorized user may access the device, read data, or use the device as a tool to enter AU's network. If a device gets into unauthorized hands, the data is securely protected, even if the hard disk is removed. The entire hard disk is completely encrypted and requires your authentication, as the owner, before the data can be accessed.

See the frequently asked questions regarding workstation encryption.

  • Gmail: Email messages sent via Gmail are encrypted by default, thereby reducing the probability of interception.
  • Office 365: You can encrypt individual messages by adding [Encrypt] to the subject line.

Protecting Your Privacy

Cookies can be used to track your web site activities, though that activity is seen as anonymous to the ad network. In other words, it cannot find out your real name or your credit card numbers, for example. Typically the information it has learned about your browsing habits is used to display ads targeted to your interests when you visit those sites. Some people consider behavior like this to be a violation of their privacy.

Most major web browsers allow the user to manage their cookies. Each browser has a different set of instructions and they will change depending on the version. The easiest way a user can manage their cookies is to open their browser, select "Help" from the menu and search using the keyword "cookie." Most browsers will return a result that says "enable/disable cookies."

  • The Electronic Frontier Foundation (EFF) was founded in 1990 - well before the Internet was on most people's radar - and continues to confront cutting-edge issues defending free speech, privacy, innovation, and consumer rights today.
  • The Privacy Rights Clearinghouse (PRC) is a nonprofit consumer organization with a two-part mission -- consumer information and consumer advocacy. It is primarily grant-supported and serves individuals nationwide.

Secure Data Removal

Electronic files that have been thrown into your computer's Trash or Recycling Bin can be recovered with freely available computer utilities, even after the bin has been emptied. If you are handling sensitive data that is no longer needed, you should use one of the following tools to prevent the risk of exposure.

The Apple site provides step-by-step instructions for OS X on support.apple.com.

Kill Disk is AU's software of choice. There is both a free and for-fee version.

CNET (Computer Network Recommendations)

Least Privilege and Need to Know

You should always consider the principle of least privilege if you are in a position to grant access to computer accounts, applications, locks to file cabinets, doors, safes, etc. It instructs us to provide only what is expressly needed to perform the job, no more. Ask yourself: does the person need to know?

In the event a security exploit occurs, we want to reduce or contain the amount of damage the attacker can do.

Practical Security Solutions explains:

Think of yourself as the owner of an estate that has locks on the doors, gates, windows, a vault, and a few cabinets in select rooms. In order to enforce least privilege, you grant access based on the function that is required to carry it out. So, the gardener would only be given keys to the gate, no need for access to the house. The housekeeper would get access to the house, but not the locked cabinets and vault. The butler would get access to the house and, perhaps, one of the locked cabinets (liquor, so you can be served your favorite beverage), but not the vault. You, as the owner, have access to everything. Each function has been granted only the access necessary to perform the specific function, nothing more.