What's New?

Gramm-Leach-Bliley Training: New training has been created for those with access to customer information at the university.

Units Can Access Information Security Monthly Status Reports via Web Form: Colleges and administrative units can submit their monthly information security status reports online using a web form. Use the links below to access the form and download instructions.


Best Practices

  1. Electronic Files
  2. Computers
  3. Network
  4. Portable Storage Devices
  5. Paper
  6. Phone or Fax

Electronic Files

  • Password protect sensitive files. Choose a unique password and avoid easily identifiable information, such as mother's maiden name, birth date, phone number or a series of consecutive numbers.
  • Use encryption, especially when transmitting files with personal information and when storing files on CD, DVD, or portable devices.
    • Windows users can encrypt files and folders with Microsoft's Encrypting File System (EFS). On Mac OS X or higher, FileVault provides built-in encryption of folders. Read: Instructions.
  • Keep sensitive files in a secure location with limited access and away from non-sensitive files. Identify who requires access to the electronic files and how the information is distributed.
  • Delete files from all locations (hard drive and network) when no longer valid. Do not hold onto old queries or reports that contain SSN or other personal information. Be sure to wipe files from network and hard drives. Empty your computer's recycle bin and clear temporary file folders.
  • Avoid using SSN as an identifier. Ask: Is there another way of identifying a user? Is SSN needed in the file?
  • Avoid emailing sensitive files. If email is necessary, use encryption and password protection. Do not email the password.
  • Always work with your unit's IT professionals when implementing new technologies. These individuals can help identify appropriate tools and methods. Use the Office of Information Technology as a resource.

Computers

  • Install a firewall on your network. Work with your unit's IT professional or the Office of Information Technology when considering network or computer firewalls.
  • Keep software updated; use anti-virus, anti-spam, and anti-spyware software. Use the computer operating system's automatic update functions to check for software updates. Free anti-virus, anti-spam, and anti-spyware software is available for university members. Update these as well.
  • Use password protected screen savers. Use a password protected screen saver to block unwanted views to personal information. Do not leave the password in a visible location.
  • Manage access to sensitive information. Use authentication to manage access to sensitive information.
  • Delete all sensitive files and personal information before discarding a computer. The hard drive can also be destroyed in order to prevent any chance of identity theft.
  • Limit access and never share passwords. Password protect logins. Always log out when leaving a computer station.
  • Never use the "remember my password" function. Also change passwords frequently and avoid using easily identifiable information for a password.
  • Always work with your unit's IT professionals when implementing new technologies. These individuals can help identify appropriate tools and methods. They can also provide departmental standards and policies. Use the Office of Information Technology as a resource.

Network

  • Implement secure firewalls and security event logging. Firewalls help keep information safe while event logging provides security alerts and auditing trails.
  • Use secure means of transactions and communications. Use a Virtual Private Network (VPN) connection when connecting to networks. Confirm that FTP transfers are secure.
  • Do not use SSN in user ID/password or require it for user account creation.
  • Make passwords unique, such as a combination of letters, numbers, and symbols. Do not choose "easy to guess" passwords. Change passwords frequently.
  • Use secure wireless connections. Network authentication, data encryption, and secure servers will help protect your information and data.
  • Regularly monitor compliance with privacy policies and train staff on safe information handling.
  • Encrypt backups and/or store in secure locations.
  • Avoid displaying SSN and, where possible, remove SSN as the primary identifier.

Portable Storage Devices

  • Avoid storing personal information on portable storage devices, such as thumb drives, CDs, DVDs, laptops, PDAs, mobile phones, Blackberries, etc.
  • Protect sensitive information through encryption and password protection.
  • Do not leave devices in open or unlocked areas, such as your home, car, or workplace. Mobile devices containing personal information should never be left in public places or locations susceptible to theft, such as your car or home.
  • Use locked laptop stations to prevent theft. These are available through most laptop retailers and can offer secure options for your laptop.
  • Wipe portable devices clean before discarding or giving to others. Be sure to erase all sensitive information on devices before discarding. Shredding options are available for CDs and DVDs. Mobile phones can store personal data in their memory - be sure to remove this before recycling.

Paper

  • Limit display of personal information. Do not leave paper containing personal information on desks or in open view; avoid printing SSN unless required by law.
  • Store paper in a secure location such as a locked filing cabinet. Know who has access to the location.
  • Shred paper with personal information before discarding. Be sure to follow your unit's Records Retention and Disposition Schedule.
  • Limit distribution of documents with sensitive information. Know who is receiving documents and maintain responsible information-handling practices during exchange.
  • Avoid bringing paper to unsecured locations such as your home or car.
  • Determine whether it is necessary to have SSN on paper documents. Why is SSN used on the document? Is there other information that would suffice?
  • Empty file cabinets, desks, etc. before sending to Ohio State's Surplus. Be sure to remove and properly destroy any documents that may be left in materials sent to Surplus.

Phone or Fax

  • Be aware of disclosing sensitive information over the phone. Verify the caller. Do not disclose personal information to a third party without the individual's prior approval and proper documentation.
  • Obtain permission before leaving personal information on voice mail or answering machines.
  • Be aware of conversations involving personal information. Can the conversation be easily heard?
  • Avoid asking for SSN over the phone. Is there another way to identify the caller? Use name and date of birth to verify identity before asking for SSN.
  • Notify the fax recipient in advance that confidential materials are being transmitted. Indicate on the cover letter that the materials are confidential. Confirm that the materials have been received.
  • Remove or mask SSN when faxing.
  • Know whether the fax machine is in a secured or public area.