4 The Basics of Information Security

Maintaining Confidentiality, Integrity, and Availability

4.1 Maintaining Confidentiality of Information

4.1 Maintaining Confidentiality of Information

4.1.1 Confidentiality and Open (Public Records)

Most types of university information (records) are defined as either "Confidential" or "Open" (public) within UNT Policy 10.10, the University Records Retention Schedule. Information that is classified as confidential cannot be disclosed or disseminated to the public (people who aren't employees of the university with a need to know this information). Much of the information about our students (grades, financial aid status, Social Security numbers, etc.) is confidential.

4.1.2 Protecting Confidential Information about Students

All of us--faculty members, custodians, administrative assistants, secretaries, computer support staff, vice presidents--have a responsibility to protect information about our students from public disclosure. It doesn't matter whether this information is on the central computer, on a printout, a computer screen, a diskette, a CD-ROM, etc. The Family Education Rights and Privacy Act (FERPA) of 1974, guarantees students the right to protect all information that is not classified as "open directory" information.

Some of the records, other than student records, which are designated as confidential include:

  • Apprenticeship Records (Internships)
  • Client Records (From Institutes)
  • Counseling Notes
  • Employee Insurance Files
  • Employee Security Records
  • Federal Tax Records
  • Fines Records, Paid and Unpaid
  • Fingerprint Cards
  • First Report of Alleged or Occupational Disease
  • Investigation Records
  • Legal Case Records
  • Library Circulation Records
  • Medical Records
  • Reports- Laboratory
  • Request for Name Change- Employee
  • Request for Student Transcripts
  • Request for Tuition Assistance
  • Research Data
  • Statement of Truth-in-Lending
  • Veterans Administration Records

4.1.3 Protecting Open Directory Information

Open Directory Information about students may or may not be flagged to be "withheld from the public", which means that this information can not be posted on bulletin boards or on websites inappropriately.  To be certain that a student’s record is not protected check with the Registrar's Office. 

The following items are considered open director information for students:

  • student's full name
  • address (local, permanent, and e-mail)
  • University assigned e-mail address
  • telephone listing (local, permanent)
  • birth date, birth place
  • major field of study
  • dates of attendance
  • degrees and awards received
  • most recent previous school attended
  • classification
  • participation in officially recognized activities and sports
  • weight and height of athletic team members
  • photograph
  • enrollment status (undergraduate, graduate, full-time or part-time)

Some students request that open directory information also be withheld from the public. These students are identified within Enterprise Information System (EIS). Please see FERPA Compliance at UNT or contact the Registrar's Office for additional information (http://www.unt.edu/ferpa/index.html). All UNT employees who regularly deal with student information should attend FERPA training, available through the Registrar's Office. Open directory information includes general information (as listed) but ALL OTHER STUDENT INFORMATION IS CONFIDENTIAL!

4.1.4 Public Information about State of Texas Employees

Unless otherwise restricted, the Texas Public Information Act (also known as the Texas Open Records Act) does not prohibit the disclosure of the records of Texas state agencies- this includes universities. Some information about employees who work for Texas state agencies (including UNT) can be disseminated to the public. This information includes (but is not limited to):

  • employee name
  • sex
  • ethnicity
  • salary
  • dates of employment
  • title
  • home and mailing addresses, home phone numbers, social security numbers, or information that reveals whether the employee has family members, except when an employee has indicated in writing that he does not wish this information to be disclosed.

Employees may restrict disclosure of their social security number, home address, and home telephone number, by contacting Human Resources. Requests for information from the public should be referred to the university attorney. See http://www.oag.state.tx.us/AG_Publications/txts/2004publicinfohb_3_01.shtml for more information about the act.

4.1.5 How can you help to ensure confidentiality of information?

  • When in doubt don't give it out!
  • Identify confidential information as "CONFIDENTIAL" on the print-out pages, diskette, screen, etc.
  • Choose good passwords, and keep them secret. Passwords are confidential too!
  • Log out and/or lock the office when you're away from your desk.
  • Don't permit another person to use your computer account.
  • Use special care when posting grades (assign random numbers, don't use part of Social Security numbers).
  • Secure print-outs and other documents. Retrieve your print-outs as soon as possible. Don't leave confidential or sensitive documents laying out in plain view.
  • Use CONFIDENTIAL paper recycling bins. Make sure discarded diskettes and tapes are unreadable.
  • Attend FERPA training- send your student workers too!

4.2 Maintaining the Integrity of Information

Is the information accurate? Is it complete? How do we know?

Unless our information is accurate and complete, it's pretty much useless and it may even be dangerous. Almost all of our data is sensitive in this respect. Grades, salaries, research data, and most other records and documents must be protected from unauthorized modification or destruction. How?

  • Check your work for accuracy and completeness.
  • Choose good passwords, and keep them secret.
  • Log out and/or lock the office when you're away from your desk.
  • Don't permit another person to use your computer account.
  • Use virus detection/protection software.
  • Make sure you have backups (on paper, diskettes, tape, or file server).
  • Control (specify, understand, document) who has access to the data that you manage. Control what kind of access they have. Can they update some or all records? Can they update only some parts of a record or all parts of a record?
  • Check references when hiring.

4.3 Ensuring the Availability of Information

4.3 Ensuring the Availability of Information

4.3.1 Reacting to a Disaster

Every office should have a contingency plan to address disasters or problems such as fire, theft, water damage, vandalism (including data loss from virus or hackers), loss of key employee, hardware failure, network unavailability, etc. The Computing and Information Technology Center (CITC) must plan for the loss of the enterprise information system and other critical systems needed for the business operations of the University. Other departments must plan how they will cope if their own systems are damaged, or if CITC administered systems are unavailable for an extended period (possibly up to three weeks). Contingency plans should address the most critical functions, such as registering students, paying employees and vendors, disbursing financial aid, etc.

Contingency Plans are basically made up of procedures and lists. Sometimes simple plans are the best and they're certainly better than no plan at all. Procedures should address how to accomplish basic tasks without computers/networks: who does what, what should be done first/second/..., how do you restore files from backup, etc.

Lists should include:

  • Names of key personnel (faculty, staff, computer support staff, back-up support, building representatives, safety emergency coordinators, emergency services personnel, etc.)
  • key personnel contact information (telephone/cell number, pager numbers, etc.)
  • critical data, hardware, and software
  • critical documentation
  • critical supplies and equipment
  • vendor contact information (business name, telephone number, address, contact name, etc.)
  • emergency procedures (building coordinator plans, evacuation plans based on type of disaster, test dates, etc.; contact Risk Management for more information)
  • storage location of critical back-up data
  • date of the last review of all elements of the contingency plan

A contingency plan is never really "finalized." Some of the information in the lists change frequently and should be updated and disseminated. Departments should test their plans periodically to ensure that contingency procedures are still practical, files can be restored, etc. Plans should provide short as well as extended periods when critical resources may be unavailable. See the “Checklist Criteria For Business Recovery” (sponsored by FEMA) guide for more information on developing a contingency plan, http://www.fema.gov/ofm/bc.shtm.

4.3.2 BackUp (Make an Extra Copy Of) Your Files

In the event of a disaster, will you be able to recover the files that have been lost? Your files (electronic data, e-mail correspondence, etc.) should always be backed up (copied) and placed in a secure location- especially those files that you do not use on a daily basis, yet may be critical to your office operations.

Here are a few ideas to help you with the Backup process:

  • Add "Backup Files" to your weekly or monthly "to-do" list.
  • Know how often the files on your department's file server are backed-up.
  • Backup what you can't replace on your hard drive.
  • Backup, or "archive" your important e-mail messages (see your computer support person if you need assistance).
  • Keep a Backup in a secure location- somewhere other than your office.
  • Make use of folders or directories to simplify the Backup chore.
  • Use version numbers in filenames, keep several recent versions.
  • If you need assistance, contact the computer support person in your department.

4.3.3 Preventing a Disaster

Several measures may actually help to prevent a disaster. These could include:

  • Perform regular updates to the contingency plan.
  • Perform periodic risk assessments to determine what is vulnerable.
  • Have an up-to-date contingency plan in place and distributed to key personnel.
  • Make sure your critical files are backed-up up at least once a week.
  • Ensure the physical security of your office/computer areas.
  • Choose good passwords and keep them secret.
  • Log out and/or lock the office when you're away from your desk.
  • Do not allow any other person to use your computer account.
  • Use virus detection/protection software.