5.1 Special Procedures for Securing Sensitive Documents

Many records fall under the provisions of laws and regulations that impose additional security and retention requirements designed to prevent unauthorized access to those records. Examples of such laws are the Health Information Portability and Accountability Act, which regulates access to Protected Health Information, and the Gramm-Leach-Bliley Act, which regulates access to non-public financial information about a University customer (a student or another party purchasing services from the University). The UNT Record Retention Schedule indicates the retention period of these records, but in addition to the retention procedures, users of documents falling under the provisions of those laws and regulations should be aware of the following security guidelines:

  • Workstation screens should not be visible to anyone but the authorized user of secure documents.
  • Workstations used to view or edit secure documents should be protected with a screen saver that requires a password to re-activate the screen after it goes into sleep mode.
  • Only authorized persons may use a machine on which secure documents are viewed or edited (in other words, no sharing of a workstation).
  • A person with password access to secure data is prohibited from sharing his or her password with others.
  • Passwords must be changed periodically in compliance with UNT standards.

State and federal regulations may also require that some or all of the following access monitoring controls be implemented:

  • who is logged into which workstation; how long they are logged in;
  • the nature of files that are accessed;
  • how long a workstation is idle after an employee logs in;
  • irregular patterns in employee logins;
  • and manager review of access logs to determine any potential security risks.
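The monitoring controls listed above can be derived from ordinary workstation audit logs. The following script is an added example and is not part of the UNT policy or of any UNT tooling: it parses a constructed login/logout/file-open log (the record format, user names, host names, file paths, business-hours window and idle limit are all assumptions) and produces, for each session, who was logged into which workstation and for how long, which files were accessed, the longest idle gap while logged in, and any irregular login patterns, in the form a manager could use for the access-log review the controls call for.

```python
"""Added example, not UNT's own tooling: derive the access-monitoring figures
listed above (session duration, files accessed, idle time, irregular logins)
from a constructed workstation audit log and summarise them for manager review."""
from dataclasses import dataclass, field
from datetime import datetime, time, timedelta
from typing import Optional
import re

# Constructed sample audit log; the record format, users, hosts and paths are assumptions.
SAMPLE_LOG = """\
2024-03-04 08:02:11 LOGIN user=jdoe host=WS-101
2024-03-04 08:05:40 OPEN user=jdoe host=WS-101 file=/secure/phi/patient-0001.pdf
2024-03-04 08:31:02 OPEN user=jdoe host=WS-101 file=/secure/phi/patient-0002.pdf
2024-03-04 12:10:00 LOGOUT user=jdoe host=WS-101
2024-03-04 23:14:55 LOGIN user=asmith host=WS-102
2024-03-04 23:15:10 OPEN user=asmith host=WS-102 file=/secure/glba/loan-7781.xlsx
2024-03-04 23:20:00 LOGOUT user=asmith host=WS-102
2024-03-05 09:00:00 LOGIN user=jdoe host=WS-103
2024-03-05 10:00:00 OPEN user=jdoe host=WS-103 file=/secure/phi/patient-0003.pdf
2024-03-05 10:01:00 LOGOUT user=jdoe host=WS-103
"""

# Review thresholds; both values are assumptions, not UNT standards.
BUSINESS_HOURS = (time(7, 0), time(19, 0))  # weekday logins outside this window are irregular
MAX_IDLE = timedelta(minutes=30)            # a longer gap between events while logged in is flagged

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (?P<event>LOGIN|LOGOUT|OPEN) "
    r"user=(?P<user>\S+) host=(?P<host>\S+)(?: file=(?P<file>\S+))?$"
)


@dataclass
class Session:
    user: str
    host: str
    login: datetime
    logout: Optional[datetime] = None
    files: list = field(default_factory=list)
    max_idle: timedelta = timedelta(0)      # longest gap between consecutive events
    _last: datetime = field(init=False)     # timestamp of the most recent event

    def __post_init__(self):
        self._last = self.login

    def touch(self, ts: datetime) -> None:
        """Record an event, keeping track of the longest idle gap seen so far."""
        gap = ts - self._last
        if gap > self.max_idle:
            self.max_idle = gap
        self._last = ts

    @property
    def duration(self) -> timedelta:
        # For a session that never logged out, measure up to its last event.
        return (self.logout or self._last) - self.login

    @property
    def off_hours(self) -> bool:
        t = self.login.time()
        weekend = self.login.weekday() >= 5
        return weekend or not (BUSINESS_HOURS[0] <= t < BUSINESS_HOURS[1])


def parse_sessions(log_text: str) -> list:
    """Group audit records into per-(user, workstation) sessions; reject malformed lines."""
    open_sessions, sessions = {}, []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: unrecognised audit record: {line!r}")
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        key = (m["user"], m["host"])
        if m["event"] == "LOGIN":
            s = Session(m["user"], m["host"], ts)
            open_sessions[key] = s
            sessions.append(s)
            continue
        s = open_sessions.get(key)
        if s is None:
            raise ValueError(f"line {lineno}: {m['event']} without a prior LOGIN for {key}")
        s.touch(ts)
        if m["event"] == "OPEN":
            s.files.append(m["file"])
        else:  # LOGOUT
            s.logout = ts
            del open_sessions[key]
    return sessions


def review(sessions: list) -> list:
    """Build the per-session summary a manager reviews: duration, files, findings."""
    report = []
    for s in sessions:
        findings = []
        if s.off_hours:
            findings.append("login outside business hours")
        if s.max_idle > MAX_IDLE:
            findings.append(f"idle {s.max_idle} while logged in (limit {MAX_IDLE})")
        if s.logout is None:
            findings.append("session never logged out")
        report.append({"user": s.user, "host": s.host, "login": s.login.isoformat(sep=" "),
                       "duration": str(s.duration), "files": list(s.files), "findings": findings})
    return report


if __name__ == "__main__":
    for row in review(parse_sessions(SAMPLE_LOG)):
        print(f"{row['user']}@{row['host']} {row['login']} for {row['duration']}, "
              f"{len(row['files'])} file(s); findings: {row['findings'] or 'none'}")
```

The two thresholds are deliberately separate constants so a department can set them to match its own procedures; the parser raises on any record it does not recognise rather than silently skipping it, because a gap in the audit trail is itself something the reviewing manager should see.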

State and federal regulations require that security assessments be conducted periodically by the manager of a department with secure data. Depending on the nature of secure documents that the department uses, these assessments might be conducted once a month, but must be conducted at least twice a year. At least once a year, the manager must certify compliance with applicable state and federal security regulations, and must identify areas of security risk as well as improvements in security processes that have been implemented as a result of the security assessment.