Information Security at the University of Hawaii
National Cyber Security Awareness Month
October is National Cyber Security Awareness Month: a collaborative effort between the government and industries to ensure every American has the resources they need to stay safer and more secure online. Come back each week of October for a new page detailing different security information about online safety, protecting personally identifiable information, home networks, and IoT devices.
Week 2: Protecting Personally Identifiable Information @ UH
Protecting Personally Identifiable Information (PII) is everyone's responsibility at the University of Hawaii. Understanding what is PII and how to protect it is extremely important to ensuring that the data does not get into the wrong hands or inadvertently exposed. If you suspect that data has be exposed, or someone is inappropriately handling sensitive information, please report it at firstname.lastname@example.org (or see Report Security Issues or Incidents).
What is Personally Identifiable Information?
Personally Identifiable Information (PII) is the type of information that needs to be protected because the inadvertent disclosure or inappropriate access requires a breach notification or is subject to financial fines.
Below is what is considered "Regulated" and must be protected:
- First name or first initial in combination with:
- Social Security Number
- Driver License Number or Hawaii Identification Card Number
- Account number, credit or debit card number, access code, or password that would permit access to an individual's financial account
- Payment Card Industry Data Security Standard (PCI-DSS) information
- Health Information, including anything covered by the Health Insurance Portability and Accountability Act (HIPAA)
New University Data Governance and Data Classification Policies
E2.215 Institutional Data Governance - Established to provide principles governing the management and use of data and information at the University, including, but not limited to, the collection and creation, privacy and security, and integrity and quality of that data and information.
E2.214 Data Classification Categories - Established to organize UH Institutional Data into data classification categories based on the different levels of security risk and penalties that may result from the inadvertent exposure and inappropriate disclosure of those data.
This includes information that is subject to open records requests and information that is under public records or the UH directory.
This information will not be distributed external parties except under the terms of a written memorandum of agreement or contract. The data must also be maintained in a physically secured location.
This information includes any data subject to privacy or security considerations or any Institutional Data not categorized as public, restricted, or regulated. The data must also be physically secured.
This includes data where any data breach must be documented in a breach notification. This data includes Social Security Numbers, Driver's license or Hawaii identification card numbers, or financial account numbers, access codes, or passwords that would provide access to someone's account. Any PCI-DSS information or HIPAA information is also considered regulated.
See Technical Guidance for examples and information on how to protect information at each data classification level. Any information that is categorized as Regulated must be declared on Server Registration forms AND on the Personal Information Survey.
New University HIPAA Policy and HIPAA Compliance Officer
JT Ash, the University of Hawaii HIPAA Compliance Officer can be reached at email@example.com or (808) 956-7241
The HIPAA Policy can be found here: http://www.hawaii.edu/policy/e2.217
HIPAA Policy Highlights:
- The University of Hawaii is a Hybrid Entity
- Covered Components fall under HIPAA
- Each Covered Component must designate a Unit HIPAA Coordinator
- Unit's workforce must complete HIPAA training
- Unit must complete a Risk Assessment
- Unit must provide and post a Notice of Privacy Practices (NOPP)
More information and a list of covered components can be found on the HIPAA website located here: http://www.hawaii.edu/infosec/hipaa/
Do you handle PII, "Sensitive", or "Regulated" data?
If at any point you handle or view any sensitive data or regulated data, you must acknowledge the online General Confidentiality Notice, found at https://www.hawaii.edu/its/acer/. The general confidentiality notice identifies the types of information that is considered sensitive and confidential (note that it is not exhaustive). The document also identifies the responsibilities of people who have access to sensitive information.
You should also take the Information Security Awareness Training found in Laulima. This brief course goes over various topics, such as data breaches, securing information, and policy. A link to the Security Awareness Training could be found here: http://www.hawaii.edu/infosec/training/.
Do you store "Regulated" data electronically or in paper format?
According to Hawaii Revised Statutes (HRS) 487N-7, any personal information system (regardless if it is paper-based or electronic) needs to be reported. For the University of Hawaii, this information needs to be reported in the Personal Information Survey site. This information survey MUST be reviewed and updated yearly.
Examples of what needs to be reported:
- Hard copies of employee new hire paperwork
- External Hard Drive that contains a backup of employee information which includes social security numbers
- A departmental file share that contains fiscal documents
Are you responsible for a server running on the UH Network?
If you are hosting a server on the University of Hawaii network (regardless if it is behind a firewall) MUST be registered on the Server Registration site. In addition to registering your server, it must be scanned for vulnerabilities and sensitive information yearly. More information on this requirement can be found here: http://hawaii.edu/askus/1312.
Examples of what needs to be registered:
- A departmental Network Attached Storage (NAS)
- A hypervisor sitting behind a departmental firewall
- A web server hosting a departmental application or website
Information Security is ALL OUR Responsibility
Remember: Everyone is responsible for the protection of sensitive information. This task should not be left for one person to accomplish. It requires everyone's understanding and participation to be effective. Everyone should know and understand the procedures of securing data at the University of Hawaii.
If you have any questions, feel free to contact the Information Security Team at firstname.lastname@example.org.
US-CERT Vulnerability Alerts
The United States Computer Emergency Readiness Team (US-CERT) provides the latest updates about current threats and vulnerabilities. You can subscribe to their feed to get the latest updates about ongoing vulnerabilities and other cyber threats.
Visit https://www.us-cert.gov/ to learn more.
Don't Fall for Phishing:
Stop. Examine. Ask. Report.
S.E.A.R. the Phish
SEAR the Phish
Stay Informed! Follow us and like us: