If your computer holds confidential data, it must be kept in a secure university location, or it must be physically locked down, or the confidential data must be encrypted.
This means that if confidential data is on a computer that ever leaves your office, it must be encrypted. If you are in a location where people can walk up to your computer and access the confidential data you work with, your computer needs to be physically secured with a locking cable, or the data must be encrypted.
The same requirements apply to mobile devices like smartphones and PDAs and to portable media such as external hard drives, USB thumb drives, CDs, DVDs, tapes, and diskettes. Since mobile devices are fairly small and easy to lose, they can pose a significant risk. If they ever leave a secure location, any confidential data on them must be encrypted.
In addition, only authorized individuals should have accounts on a computer that contains confidential data. If this is not the case, the data must be encrypted, so that unauthorized individuals cannot access the data.
If you need to encrypt data, check with your department’s technical support staff to find out what encryption solutions are recommended.
If you encrypt university data, you should not be the only person who knows the password needed to unlock it. Your department should have some process to securely store a copy of the password, so that data can be retrieved should you become incapacitated or forget your password. Otherwise, if something should happen to you, the university will lose access to your work. Again, check with your local IT support about current practices in your area. (Note that this requirement to escrow the password used for encryption is university policy: Policy 5.3, Use of Escrowed Encryption Keys.) Remember, you should not use your NetID password for this purpose.
WARNING: Password protection in Word and Excel is not the same as encryption.
Microsoft Office 2007 includes a utility for appropriately strong encryption of documents. See the step-by-step procedure for more information.
Note: The password-protection feature in older versions of Word and Excel is not sufficient to fulfill the requirement of encrypting confidential data. Similar facilities in other applications may or may not provide strong enough encryption. If you need to encrypt data, check with your department’s technical support staff to find out what encryption solutions are used in your department.
See Protecting University Data for more about types of data at Cornell, including specific requirements for confidential data.