Data Security for Faculty and Staff
University of Florida employees are required to keep restricted information safe from unauthorized access.
Restricted data is defined as:
Data in any format collected, developed, maintained or managed by or on behalf of the university, or within the scope of university activities, that are subject to specific protections under federal or state law or regulations or under applicable contracts. Examples include, but are not limited to medical records, social security numbers, credit card numbers, Florida driver licenses, non-directory student records and export controlled technical data.
Please read the UF Data Classification Policy for more information on the Restricted, Sensitive and Open classifications. The Data Classification Guidelines includes sample classifications for common data types used at UF.
Legislation establishes personal and institutional liability and fines for breach of private data.
Employees working with health-related information must also be aware of HIPAA issues. For more information, see the UF Privacy Office.
The UF Information Security Office strongly advises against the transfer and storage of restricted data on personally managed machines.
Below are things you should do to help protect the data you work with.
Three things you should always do…
A lot of restricted information is stored on computers. By doing these three things you significantly decrease your chance of giving an intruder access to your data.
Transmission of Data
Most users can use a Virtual Private Network connection to encrypt communication from an untrusted network, such as from home or on a wireless network. For more information on VPN and to download the UF VPN software, visit this link.
UF Policy requires that all portable computing and storage devices that are used with University Data, regardless of ownership, must be fully encrypted. This means that even personal smartphones, tablets and laptops used by faculty and staff must be encrypted if they use them to conduct university business. We have extensive resources to assist in encrypting personal devices. Portable USB ‘flash drives’ must also be encrypted – more information.
Lock or Turn Off Your PC When Away
Every time you step away from your computer, even if just for a minute, you should lock your workstation. If you’re not sure how to do this, please refer to your operating system’s manual or consult your Information Security Manager.
Strategically Place Monitors
Set up monitors so that shoulder-surfing is difficult. If restricted information is viewable from over your shoulder, then it’s not secure.
Safely Lock Up Equipment & Media
All equipment with restricted data should be locked safely away when not in use or unattended, whether behind doors or under locked cases. Please advise your department’s Information Security Manager of all unlocked equipment.
Dispose of Sensitive Information Properly
Restricted information in paper form should be shredded and electronic data should be rendered unreadable. All old computers should be turned over to unit IT staff for proper disposal. The Information Security Office offers a Media Disposal Service to ensure that electronic media is securely disposed of.
No Unauthorized Computer Changes
Before allowing anyone to install new hardware and software on university systems, please obtain approval and guidance from your department’s Information Security Manager. This also applies to personally managed computers that contain university restricted data.
Faxes, Printers and Photocopiers
Immediately pick up sensitive material from faxes, printers and copiers. The longer this information is unattended, the greater the chance that someone else will access it.
Beware of ‘Tailgaters’ and Supervise All Visitors
If you have a badge-protected room, beware of persons following behind, or ‘tailgating’, on your entry. Make sure you know who they are; otherwise turn them away. When meeting with outside guests such as vendors, students, visiting professors, etc., make sure you are with them at all times.