This document is a living document that is subject to change. Please reference this site instead of printing a hard copy to ensure you are viewing the most current answers to questions regarding this data security initiative.
Q: Why is there a need to have a University data security initiative?
A: Data loss and identity theft are growing threats impacting every industry around the world, from retail to higher education. The loss of data and identity theft can cause tremendous damage to individuals financially and psychologically. Businesses can incur massive financial loss as well irreparable damage to their reputation. Georgetown University recognizes all of these risks to its students, faculty, staff and alumni, and is moving to mitigate these risks immediately by aggressively enhancing current security efforts.
Q: Do I have a role in this University data security initiative?
A: Yes. The University data security initiative requires collaboration between faculty, staff and students who work for University departments to be most successful. This initiative demands a change in the way the University conducts business and handles confidential information. Below are some steps you can take now as a member of this initiative:
• Read the Interim Policy on the Use, Collection, and Retention of Social Security Numbers by Georgetown University.
• Read the Acceptable Use Policy.
• Read the Information Security Policy.
• Read the Record Retention Policy.
• After reviewing the Record Retention Policy, identify files on your computer that have confidential information. Delete files that have this information if you are not required to keep them for your business process per the Record Retention Policy.
• Contact the University Information Security Office (UISO) at email@example.com or by phone at 202-687-3031 to have this deleted information permanently erased from your computer.
• If you are required to maintain confidential data for your business process, work with your department manager or Dean to move your data to the secure Phoenix Enterprise File System (EFS).
• Ensure that your office is locked when you are away from it for any period of time.
• Ensure that your computer screen is locked if you have to leave your computer unattended for any amount of time
• Lock up all removable storage devices in a closet or drawer
Q: What is the University-wide Task Force on data security?
A: The University-wide Task Force on data security, led by Senior Vice President Spiros Dimolitsas, is designed to engage leaders on all campuses to identify a variety of critical business, academic and research functions that utilize confidential data. The team is also tasked with implementing practical changes to enable individuals to more securely conduct work that utilizes confidential data. Visit Sr. VP Dimolitsas’ website to access more information about this Task Force.
Q: Do managers and Deans have any specific requirements in supporting this initiative?
A: Department managers and Deans are integral to communicating the importance of data security and the steps their staff should follow in order to protect confidential data. In addition, below are specific steps for managers and Deans to follow:
• Make security a priority within your office.
• Regularly discuss security related issues with your staff members and encourage them to bring forward concerns.
• Discuss with your staff how they use confidential data, where it is stored and how it is to be protected.
• Review your office's business processes on a regular cycle to implement best practices which call for the removal of Social Security numbers (SSN) from all forms and processes that do not require it.
• Proactively engage University Information Services (UIS), 202-687-4949, ext. 1; University Counsel, 202-687-6457; Risk Management, 202-687-6622; and the Compliance Office, 202-687-8562; when questions or concerns arise.
• Maintain responsibility for the confidential data that you share with other University offices by asking how the data is being used and stored, affirming that it is not being reused shared or stored insecurely.
Q: What data is considered confidential?
A: Unauthorized disclosure of confidential information could seriously and negatively impact an organization and/or its employees. The University considers the following data as examples of confidential data.
• Information protected by federal laws and regulations such as academic records (Family Educational Rights and Privacy Act), health care information (Health Insurance Portability and Accountability Act) and financial information (Gramm- Leach-Bliley Act)
• Personally-identifiable information
o Name and date of birth stored together
o Place of birth
o Traditional password identifiers
Mother’s maiden name
Name of favorite pet
o Bank account numbers
o Income tax records
o Driver’s license number
o Credit card number
o Passport number
• Security data and credentials authorizing access (i.e., password)
• Information collected via University business operations (i.e. contracts)
These examples are not comprehensive and are subject to change.
Q: What is PII?
A: PII, or Personally Identifiable Information, is classified as a subset of confidential information. It is personally-identifiable information in electronic form that can put your identity at risk if it is lost or stolen. Some examples of this information include:
• Name and date of birth stored together
• Place of birth
• Traditional password identifiers
o Mother’s maiden name
o Name of favorite pet
• Bank account number
• Income tax record
• Driver’s license number
• Credit card number
• Passport number
This information is subject to change.
Q: What can I do now to support the University data security initiative?
A: You can review your PC or laptop for confidential data. UIS is looking for you to target the following confidential data immediately:
• Credit card numbers
• Bank account numbers
• Driver’s license numbers
• Passport numbers
• Donor information
• Name and birth date stored together
If you find any of the data targets listed above, please follow these steps:
1. Delete the confidential data from your PC or laptop.
2. Contact the UISO (firstname.lastname@example.org or 202-687-3031) and request that someone from the Remediation Team erase the data from your PC or laptop.
In addition, never use SSNs as an identifier for individuals. You should be using the GUID number, the nine-digit number on the front of the GOCard, as an identifier for students, faculty, staff and alumni.
Q: Does this mean that the University will stop asking for Social Security numbers altogether?
A: No. University faculty and staff may ask individuals for their SSN in order to conduct day-to-day business if the collection of that information is required by law.
Where approved, staff members who elicit SSNs from individuals must provide those individuals, orally or in writing, with a statement explaining why this information is being requested. No request for SSNs shall be made by, or made in such a manner as to invite response by, e-mail.
Q: I have to work with confidential data as part of my job. How can I support this data security initiative?
A: There are a few steps that you need to take to make sure your confidential data is being protected:
1. Review the University’s Record Retention Policy and ensure that you are in compliance with file/record maintenance requirements.
2. Delete files that you are not required to keep per the University’s Record Retention Policy.
3. Move all files with confidential information that must be kept by you to the Phoenix Enterprise File System (EFS), the University’s secure storage space, or GUShare.
Q: I travel often for work and working with confidential data is a part of my job. How do protect my data while I’m travelling?
A: If you are required to travel and you work with confidential data, please contact the UISO immediately at 202-687-3031 or via e-mail at email@example.com for an assessment by the security team to make sure that your laptop has the required security tools in place (i.e., VPN, encryption software).
In addition, meet with your manager to discuss whether or not you should be using a Secure Laptop issued by UIS for your work. This laptop is equipped with 2-factor biometric authentication and encryption software. If you are a candidate for this laptop, please contact UIS at 202-687-4949, ext. 1 or via e-mail at firstname.lastname@example.org for more information.
Note: Employees who telecommute or work from a site where they need VPN access to work within the Phoenix EFS environment should meet immediately with their supervisor to discuss their business process. If the telecommute or remote work situation is necessary, obtain approval from your manager to participate in the Secure Laptop program. Your manager will need to coordinate the purchase of your secure laptop with UIS, 202-687-4949, ext. 1 or email@example.com.
Q: What exactly is Phoenix EFS? Is there a cost to use it?
A: Phoenix EFS is the University’s secure storage space of choice for the maintenance of all confidential information. If your department does not have space on Phoenix or needs more space on Phoenix, please contact UIS at 202-687-4949, ext. 1 or firstname.lastname@example.org.
There is usually a cost of $100 annually for 2 gigabytes of space on Phoenix EFS. UIS is waiving this fee for a limited time in order to move all confidential data to a secure storage space as quickly and efficiently as possible.
Q: How can I safely share confidential information with another department that has to use it for their business process?
A: The most secure transmission of confidential information is through GUShare. Follow these guidelines to securely transmit confidential data via this channel:
• Contact the individual who is supposed to receive the document and ensure that they have space on Phoenix EFS. They must have space on Phoenix in order to work with confidential data.
• Save the confidential information in a document on Phoenix and upload it to GUShare.
• Ensure that when you save the document, it is protected with a password.
• Send the document as a password-protected link to the intended individual.
• Contact the recipient by phone to give them the password for the link.
• Confirm with the recipient that they will save the document to Phoenix if they need to work/modify the data.
• Instruct them to delete the data from their space on Phoenix when they are finished working with the data.
• Instruct them to contact the University Information Security Office at email@example.com after they have deleted the data to find out how to erase the data from their computer.
Q: How do I gain access to GUShare?
A: All faculty and staff are eligible for access to GUShare. All you have to do is activate your account. Visit the UIS GUShare website to find out how to activate your account.
Q: Is there a training course for GUShare?
A: UIS offers training for GUShare. This training class is available free of charge to all Main Campus, Law Center and Medical Center faculty, staff, and degree-seeking students, and to MedStar faculty. MedStar employees who are not faculty may attend for a $20 fee per class.
Q: What is the difference between GUShare and the Phoenix EFS?
A: GUShare is a secure storage area where confidential data can be stored and safely transmitted to other departments or individuals. However, documents cannot be edited in this secure environment. In order to conduct edits, the document has to be downloaded to a laptop or PC. This can potentially put the confidential data in an insecure environment.
Phoenix is a secure storage area that allows for effective collaborative work, such as editing, and maintenance in a secure environment. This is the recommended storage area for all documents containing confidential information.
Q: I share SSN data with other departments all the time. Is there anything I can do to better secure my data other than working in the Phoenix EFS environment?
A: Yes. As part of the University-wide Task Force on Data Security, University leaders are seeking to identify and change business practices that involve using SSNs on a regular basis. With the exception of circumstances where SSN usage has been approved by the UISPO, you must use GU Identification numbers (the nine-digit number on your GO Card) instead of SSNs for identification purposes.
If your department has been approved to use SSNs as a part of its traditional business process, below are some steps you should follow to ensure the protection of confidential data:
• Immediately meet with the person you are sharing data with to confirm that they are approved to use SSNs as a part of their business process. If they are not approved to use this type of data, STOP sharing SSN data now with them and request that they obtain approval to use SSNs.
• If they are not approved to use SSNs, coordinate a meeting between your department supervisor and their department supervisor to discuss changing business processes to accommodate the use of GU ID’s instead of SSNs.
If your department has not been approved to use SSNs as a part of its traditional business process, below are some steps you should follow to ensure the protection of confidential data:
• Immediately meet with your division supervisor to discuss using Georgetown ID’s instead of SSNs for identification purposes.
• Notify the UISPO at firstname.lastname@example.org or 202-687-5784 about the issue and solicit assistance in helping your department transition from using SSNs to GU IDs for identification purposes.
• Coordinate a meeting with the person you are sharing data with to request that they change their business processes as well if they are not approved to use SSN data.
• Suggest a meeting between your department supervisor and their department supervisor to discuss changing business processes to accommodate the use of GU ID’s instead of SSNs.
Q: I work with employee data and some of those individuals do not
have GU identification numbers (GUID). They are only identified by their SSN. Can I continue to use their SSN as their personal identifier?
A: UIS has assigned GUID numbers to all individuals who
who have personal data in Genesys (employees) and/or SIS+ (students). DO NOT use SSNs as an identifier for those individuals. For more questions or concerns about this project, please contact the UIS Help Desk at 202-687-4949.
Q: Why am I not allowed to e-mail confidential data? Isn’t the University’s e-mail system secure?
A: The University’s e-mail system is not a secure channel for sending confidential data as an attachment or text imbedded in an e-mail message.
• As an attachment, once the e-mail is opened, it is automatically saved to your temporary folder on your computer’s hard drive. Even if you save the document to a folder and then delete it when you are done, there is still the copy that exists in your temporary files folder.
• If you send the information in the body of the e-mail message, there is no protection for the data if an unauthorized individual views the e-mail.
• If you accidentally send the attachment or imbedded text to an unauthorized individual, they automatically have access to the document since there are no protection controls (i.e. password, encryption) on it.
Q: Can I use a USB key to maintain confidential data if the key is encrypted?
A: No. Refrain from using USB keys, other portable devices or any non-University issued devices to store confidential data.
Q: What can I do to physically protect my computer and removable equipment (i.e., external hard drives)?
A: Make sure that all laptops and University-issued removable storage mediums (i.e., external hard drive, memory stick) are locked in your desk. If you have an office, please make sure that these items are locked in a desk or closet, or placed out of sight, in a locked office when you are not occupying the office.
You should also make sure that your computer screen is locked when you are away from your computer for any period of time.
Q: My office has computers and removable equipment (i.e. external hard drive, memory stick) that are not being used. Where can I put them where they will be safe?
A: Contact the UIS Helpdesk at 202-687-4949, ext. 1 or send an e-mail to email@example.com to have any computers or removable technology equipment in your area that are not being used picked up to be scanned for confidential information. If any information is found, it will be erased. This equipment will be returned to you if requested.
Q: I need to transfer a computer previously used by a former employee to a new employee. Do I need to do anything?
A: Yes. Please contact the UISO at 202-687-3031 or via e-mail at firstname.lastname@example.org before transferring a computer from one person to another. The security team will scan the computer to make sure that no confidential information is on the computer being transferred. If confidential information is found, the security team will erase the data and return it to you for use by the new employee.
Q: If I delete SSN’s on my own, are they gone forever?
A: Deleting anything on your computer does not mean it is gone forever. In order to make sure confidential data is removed from your PC or laptop, please contact the UISO at 202-687-3031 or via e-mail at email@example.com. Someone from the UIS Remediation Team will come out to erase the confidential data from your computer, permanently removing it from your PC or laptop.
Q: More than one person has come to my machine to erase ePI. Shouldn’t this process involve only one visit?
A: In February and March 2008, The UIS Remediation team used manual software tools to scan approximately 600 high risk computers for SSNs. This tool was only able to search for SSNs. The team is now using a RSA remote tool. This second scan using the RSA tool will provide verification and greater confidence that the confidential data has been removed.
Q: What do I do with my paper documents that have confidential information in them?
A: If you have hard copy documents that contain confidential information, please follow these steps:
• Read the Record Retention Policy
• All documents that can continue to be maintained in your office must be stored in a secure, locked area.
• If you have to dispose of documents with confidential data, per the Record Retention Policy, please coordinate a meeting with your manager to discuss the safest way for you to discard of the documents (i.e. shredding)
• If you need assistance with securely discarding your documents, please contact the UISO for guidance at 202-687-3031 or via e-mail at firstname.lastname@example.org.
Q: Is there anything I should not be doing with my confidential data?
A: As a quick reference, below are some things you should never do if you are working with confidential data:
• If you are not approved to work with confidential data as part of your traditional business process, STOP NOW. Consult with the UISPO at 202-687-5784 immediately about changing your business process to begin using GU IDs instead of SSNs.
• If you are approved to work with confidential data, never do the following:
o Send your confidential data to someone not approved to work with confidential data
o E-mail your confidential data as an attachment or text imbedded in an e-mail message
o Save confidential data to your local drive
o Download and save data to an unencrypted or encrypted non-University issued removable device (i.e. external hard drive, memory stick)
Q: Who do I contact if I have questions about the data security initiative?
A: Please contact the University Information Security Office at 202-687-3031 or via e-mail at email@example.com for more information about this initiative.
For policy-related questions, please contact the University Information Services Policy Officer at 202-687-8571 or via e-mail at firstname.lastname@example.org.
Revised June 16, 2008