Members of the University community and authorized contractors and affiliates interact with a wide spectrum of sensitive data for numerous reasons. Federal and state regulations require organizations and individuals to protect sensitive data. With computing resources so widely in use throughout Drew, the responsibility to safeguard computers and data extends to all members of the University community.
Drew University expects members of the University community to employ reasonable and appropriate administrative, technical, and physical safeguards to protect the computer and data resources that they use and the sensitive data stored on these resources. Access to computer and data resources are privileges extended to members of the University community and are limited to authorized persons for approved purposes only.
This policy provides specific guidance to University employees in the protection of institutional data and supplements the existing Network User Agreement.
Members of the University community are expected to adhere to the following guidelines to safeguard their office and personal computer and any other device used to access Drew information.
Do not give physical access to computers to unauthorized persons.
Take appropriate precautions to prevent theft and damage.
Where possible, position monitors to prevent casual viewing by visitors or passersby.
Install anti-virus software and keep virus definitions up to date. This will be managed automatically for on-campus University-issued computers but is your responsibility on personally owned devices.
Install operating system and software patches (i.e. from Windows Update or Apple’s Software Update) in a timely manner. This will be managed automatically for on-campus University-issued computers but is your responsibility on personally owned devices.
Use a locking screensaver or other mechanism to prevent unauthorized use of the computer when it is unattended.
Do not leave your computer unattended without locking it or logging off.
Do not install or use Peer-to-Peer file sharing software; these programs typically enable unauthorized remote access to the contents of the computer without any password .
Take care to secure your Drew uLogin ID and password on home computers from unauthorized use by others. Do not elect to save your uLogin password in web browsers or other software.
Mobile Phones and Tablets
Connect your mobile phone or tablet to the Drew University email system (Google Apps) using Google Sync or Android Sync according to Drew’s instructions.
Set up your phone or tablet to require a password or PIN in order to unlock the device.
For Android devices, install the device policy app. For all devices, allow Drew to remote lock or wipe your device if it is lost or stolen.
Immediately report a lost or stolen device to the University Technology Service Center so that appropriate action can be taken to lock or wipe the device.
Secure all computer accounts with passwords. While University-issued computers will require a uLogin password to log in, passwords should also be established on any home computers or other personally owned devices used to access Drew information.
Use strong passwords. Strong passwords consist of at least eight characters. They should not be dictionary words or readily guessable. They should include a mixture of upper and lower case letters, numbers, and special characters.
Do not use the same password for multiple accounts. Your Drew uLogin password should not match the password used with any non-University account including work-related non-Drew web sites and all personal accounts.
Do not keep passwords in plain text in a computer file or in plain sight on paper. Passwords should neither be sent in an e-mail nor provided verbally by telephone.
Passwords for sensitive websites or email accounts should not be saved on the computer.
Shut down web browsers, email programs, or other applications that might store passwords temporarily when they are not in use.
Drew has partnered with Duo Security to offer two-factor authentication to the community. Two-Factor authentication adds an additional layer of security to your uLogin account by adding an additional step to the login process. In addition to logging in with your password (something you know), you will also be required to confirm the login is from an authorized user with something you have, either a key-fob style token, or by using an app on your smartphone.
Two-factor authentication is available to all members of the University community. Employees, including all full and part-time faculty, staff, and contractors with access to Drew systems, are required to enroll their uLogin accounts in the two-factor authentication service.
Authorized members of the University community have access to Personally Identifiable Information (PII) for individuals such as students, employees, or others with whom the University has contact. This policy provides for additional safeguards for data classified as PII.
Personally identifiable information (PII) is defined as an individual’s first name or initial, and last name, in combination with any one or more of the following:
Social Security number (SSN)
Drivers license number or State-issued Identification Card number
Home address and birthdate
Financial account number, credit card number, or debit card number in combination with any required security code, access code, or password such as expiration date or mother’s maiden name that could permit access to an individual’s financial account
Medical information (any information regarding an individual’s medical history, mental or physical condition, or medical treatment or diagnosis by a healthcare professional)
Health insurance information (an individual’s health insurance policy number or subscriber identification number, any unique identifier used by a health insurer to identify the individual, or any information in an individual’s application and claims history, including any appeals records)
Personally Identifiable Information is stored in approved University information systems, such as Banner, Raiser’s Edge, or PyraMED. Wherever possible, users who need to work with PII should work with it inside of the central information system. PII should not be downloaded to a personal computer or otherwise transferred outside of Banner or another database without an explicit business need that cannot be addressed through other means.
The Drew ID number (also known as the Banner ID, Constituent ID, or SPRIDEN_ID) is a unique 9-digit ID number assigned to all members of the Drew community independently of any state or federal ID number including the SSN. The Drew ID is not considered PII and should be used in any reports or displays where it is necessary to uniquely identify individuals in lieu of the SSN. The Drew ID number serves as the unique person key in all University information systems.
Transfer of data to external service providers and contractors must be accomplished using secure means. Drew engages the services of a number of companies to assist the University in its mission and many of these firms, such as insurance companies, recruitment marketing firms, and IT service providers, require information on students or employees. Authorized individuals executing contracts for services with such vendors must coordinate with University Technology to perform a technical and security review if any data is to be sent from the University’s central information systems. UT will work with the University representative and the third-party firm to arrange a secure means of exchanging data, in which sensitive information is transmitted over encrypted channels directly between the University’s system and the provider’s system and in which the use of PII is minimized. This technical and security review should be performed before contracts are executed and commitments are made.
Reports including PII. Reports developed using the Argos reporting tool or other tools may not include PII. The use of names and Drew ID numbers is acceptable if necessary to uniquely identify students and employees. Any exceptions to this rule require a specific business justification wherein work cannot be accomplished without PII on the report. Since birthdate, SSN, and address information is directly accessible to authorized users within the University’s information systems, user convenience is not acceptable justification for including PII in a downloaded or printed report.
In cases where it is necessary for PII to be downloaded or printed and stored outside of the University’s central databases, certain precautions must be taken:
PII on paper documents. Paper documents containing Personally Identifiable Information may not be taken off-site unless in a locked container. Storage of documents containing PII on-site should be in locked filing cabinets and shredded when records retention rules allow the documents to be destroyed.
PII in email. Email is not considered a secure medium and PII should not be sent via email wherever possible. In cases where email is being used for a routine exchange of PII with an external provider, the university department involved should work with UT and with the service provider to find an alternative. If an alternative is not available or where it is likely that the University will exchange incidental PII with a particular external organization, the department should work with University Technology to ensure that the mail system is configured to use encrypted connections to that domain. In any case, PII sent or received through email should not be kept in a user’s Drew email account. Any messages containing PII should be deleted, including expunging from the Trash and Sent folders, as soon as they are processed.
PII downloaded to personal computers (University or personally owned). If PII is to be downloaded to a personal computer, including Argos reports opened in Excel and other data extracts, the hard drive of that computer must be protected with full-disk encryption. Full-disk encryption is available with modern versions of both Mac OS and Windows and University Technology can provide instruction on its use. Files containing PII may not be transferred to flash drives or other portable storage devices unless those devices are encrypted.
Please note that the full-disk encryption policy applies even if files containing PII will only be downloaded to a workstation temporarily and will not be saved permanently. Most reporting tools, including Argos, will save any generated reports in a temporary file which could be retrieved later. Full-disk encryption safeguards all of the files on the hard drive, including temporary files.