The law requires that HSU and its employees, consultants, and independent contractors maintain the confidentiality, security, and integrity of all personally identifiable information (PII) stored and/or used by anyone associated with the University. How HSU classifies confidential data is described in the Data Classification Standards.
Information is stored in many forms, including paper, digital, video, film, and more, and securing confidential and/or personally identifiable information includes protecting it on-screen, in storage, and on its destruction. If PII is leaked, there are serious consequences for both the individuals concerned and the University. For these reasons, HSU has a comprehensive data protection policy designed to ensure that no confidential information is accessible by anyone not authorized to access it, that PII is stored only when authorized, and that PII is not stored on computers not owned by HSU.
The first level of protection for all data, not just confidential data, is the use of the HSU User Name and Password. This is part of HSU's authentication and authorization infrastructure, and you are responsible for keeping it secure. Please acquaint yourself with the CSU Responsible Use Policy, which explains your responsibilities, freedoms, roles, and campus usage.
HSU provides two additional layers of protection: software that identifies which information needs to be protected, and software that actually secures that information. HSU uses software that runs under Windows (Vista and later), Mac (OS X 10.4 and later) and Linux (Ubuntu, Fedora, and Red Hat) to achieve these goals.
Check out the Data Classification Standards to learn how different types of information are categorized for the purposes of information security.
Learn more about how computer systems and other devices that have been used to store confidential data can be safely transferred, recycled, or destroyed to ensure that information can never be retrieved by anyone.
Please consult ITS before you begin to check your system for Level I data; they will be able to help you with the tools you need to complete the survey and provide the results to the information security office.
Once PII has been identified, appropriate steps can be taken to protect it. This will usually involve encryption, and should only be undertaken by experienced technical personnel; if encryption goes wrong, the data will likely be lost forever.
All activities related to the protection of sensitive and/or confidential data must be undertaken with the assistance of qualified IT personnel.
If you discover PII on your computer that you need to continue to store, print and complete the PII Storage Authorization Form and return it to your supervisor or to ITS directly. This information will need to be encrypted, so please work with ITS to ensure this is done as soon as possible.
When protected data on your system is no longer required, or when your hard drive or entire system is replaced, the data must be overwritten multiple times to ensure that it cannot be recovered. IT staff have access to a number of sophisticated tools to accomplish this task.
The management of PII on campus is covered by the HSU Executive Memo regarding Protected Information and by the CSU Responsible Use Policy. A number of other CSU policies as well as state and federal laws also address various issues around the use and misuse of confidential information.