MENU
L3Harris Commons

Transmission and Use of Sensitive Information

Transmission, Use of, and Security of Sensitive Information

Applies to:Original Policy Date:Date of Last Review:Approved By:
University staff, faculty, visiting faculty, students, alumni, contractors, volunteers, guests or agents of the administration, and external individuals and organizations accessing network services. January 1, 2018

March 2024
September 26, 2023
February 14, 2022

Ryan Petersen

Purpose

This policy defines security protections that must be used to guard information that the University is responsible for maintaining, using, and transmitting.

Scope

This policy applies to all systems, and all users of the University network services, including, but not limited to, staff, faculty, visiting faculty, students, alumni, contractors, volunteers, guests or agents of the administration, and external individuals and organizations accessing network services.

Statement

Sensitive information may only be used for the purposes for which the information was intended. Sensitive information may not be transferred to third parties without the approval of university administration and in accordance with all applicable laws, including The Privacy Act, the Gramm Leach Bliley Act (GLBA), the Health Insurance Portability and Accountability Act (HIPAA), and the Family Education Right to Privacy Act (FERPA).

Information Data Owners must establish controls to safeguard the confidentiality and integrity of sensitive data to prevent unauthorized access directly or during transmission over an electronic communications network.

Sensitive data examples include, but are not limited to, social security numbers, bank account numbers, account passwords, and credit card numbers.

Disclosure of sensitive data is permitted only in cases with documented approvals. In permitted cases, the sensitive information must include a written statement detailing exactly which information needs to be protected by the person receiving the information and how the information may and may not be used. Approval must be granted by the University President or his/her representative.

If sensitive information is transferred using electronic means outside of the university network, the data must be encrypted in such a way as to prevent disclosure to unauthorized persons and must not be transmitted through email communications.

  • Encrypted communications which MAY NOT be used include, but are not limited to, email, FTP, and websites that are not prefixed with https:// in their address.
  • Encrypted communications which MAY be used include but are not limited to, SSH, Secure FTP (SFTP), and https://.

Using email to transmit sensitive data is not allowed, even if the data is encrypted.

Storage of sensitive data, including Personally Identifiable Information and Personal Health Information, is only permitted on encrypted media such as an encrypted hard drive or USB drive. When using removable media (USB/portable), the media must be securely stored when not in use and only accessed by approved users. 

Cloud services are available for sensitive data storage. Requests for cloud services must be approved by Information Technology prior to use.

All software products that transmit sensitive data over the University network must encrypt the data while in transit across the network. If the software does not support this, special arrangements must be made with the Information Technology department in order to set up hardware encryption devices for the software in question. If the software product is deemed to be incompatible with the hardware encryption devices, the software may not be used on the network.

Sensitive information may not be placed on publicly accessible web servers, FTP sites, or any other publicly accessible server or service unless all of the following conditions are met:

  • The server utilizes encryption to encrypt the transmission of data.
  • The server's operating system is up-to-date with the latest vendor-supplied security patches.
  • The information is restricted to authorized users by utilizing, at a minimum, usernames and passwords.
  • The information is stored on an area of the server that unauthorized persons do not have access.

Sensitive information may not be stored on a computing or storage device and removed from the University campus unless all of the following conditions are met:

  • The user of the device has authorization from the University administration to remove the information from the University campus.
  • The data is stored in an encrypted format that requires, at a minimum, a password to decrypt.
  • The computing device is owned by the University.
  • The device must be physically secured when not in use. Physically securing a device requires, at a minimum, a lock and key to prevent access to the device from unauthorized personnel.

Use of Social Security Numbers

  • Social Security Numbers are prohibited from being used as a primary identifier for any member of the University, past or present.
  • Social Security Numbers must not be electronically stored by any individual, except for those individuals and departments that have a requirement to do so for governmental and organizational purposes.
  • Social Security Numbers must not be stored in any file, document, or database located on a personal computer, USB drive, or any other portable media.
  • Social Security Numbers must not be stored on any server, except those servers designated as being secure storage locations for this information

Definitions

Term

Definition

Encryption The process of transforming information using an algorithm to make it unreadable to anyone except those possessing special knowledge; often referred to as a key or password.
Portable computing or sensitive device Any electronic or storage device capable of storing information in a digitial format

Sensitive data

Any classified information that can be used to identify you or another person that must be protected and is inaccessible to outside parties unless specifically granted permission. 

Examples include, but are not limited to: social security numbers, medical records, bank account numbers, credit card numbers, University administrative computer data (employee records, student records, electronic documents that contain confidential information), account passwords, and research data.

Unauthorized persons

Anyone who does not have a valid Florida Institute of Technology job-related requirement to view the sensitive information in question.

Enforcement

Violators of this policy will be subject to disciplinary action based on the severity of the offense and impact to the university, up to and including termination of employment.

Edit Page