Secure Office Guidelines


Information Technology @ GVSU
Adopted by the Dean’s Council: December 2, 2009

  1. PURPOSE


    It is the responsibility of all employees of the University to protect sensitive data against loss or theft. Awareness, education and practice of the following guidelines can assist in this matter. These guidelines are in place to help protect employees, customers, contractors and the university from damages related to the loss or misuse of sensitive information.

    This document addresses securing sensitive data and physical hardware within an office environment, and within mobile environments where data may be referenced (at home or on a laptop). It is not meant to address electronic data stored on university servers.

  2. GOALS

    In order to effectively protect and secure university data, the following goals have been established:

    a) Create, distribute and annually review the “Secure Office Guidelines” document

    b) Train all staff members whose jobs relate to sensitive data on both the “Secure Office Guidelines” and Information Security Best Practices

    c) Train departmental managers to be aware of the importance of the guidelines and the need to enforce them

  3. STAFF TRAINING

    Employee awareness and education is an integral part of securing sensitive data for the university. The following guidelines will be enforced to ensure proper training:

    a) Upon hire, the Secure Office Guidelines and Setting Strong Password documents are emailed to the new employee

    b) Secure Office Guidelines and Setting Strong Password documents are sent annually to all employees via email

    c) Internal training, specific to each area, will be provided to employees who have access to sensitive data

    d) Information Technology will provide Best Practices information at IT seminars and offer to attend annual departmental meetings to cover the following topics:

    1. Awareness of Social Engineering schemes
    2. Secure Office Guidelines
    3. Strong Password creation
    4. Data storage
    5. Data encryption
    6. Backups
    7. Anti-virus and Anti-spyware tools
    8. Non-secure technologies
       
  4. GENERAL OFFICE SECURITY PRACTICES

    The following guidelines should be followed within office suites, individual offices or workrooms and mobile locations where data may be referenced:

    a) Keys or keycards used for access to sensitive data should not be left unattended

    b) Passwords should not be written down and left in accessible locations

    c) Make certain passwords are not built from readily available personal information such as date of birth, names of children, pets, telephone numbers, etc.

    d) When you leave your workstation, lock your computer with Control-Alt-Delete or Windows-L

    e) Lock up laptops, USB drives, external drives, etc. when unsupervised

    f) Printouts containing sensitive data should be removed from networked printers immediately and filed appropriately in secure cabinets

    g) Dispose of sensitive data on hard copy by shredding immediately

    h) Departmental front desk staff should confirm identity of all visitors (GVSU staff/student workers or non-GVSU employees) who are entering their area(s)

    1. Employees should feel comfortable asking which unit a visitor is from and the purpose of the visit
    2. Employees should feel comfortable confirming the meeting before allowing a staff member or student employee to proceed within their departmental areas
    3. Confirm with the GVSU employee whom the visitor is scheduled to meet
    4. Non-GVSU employees must be escorted to and from the meeting area or work area
    5. Request ID if necessary
    6. Give front office staff the ability to view your calendar, or print a schedule of your meetings in advance, so they will expect attendees

    i) All staff are responsible for watching and listening for unusual activity: keep eyes and ears open at all times and be cognizant of your surroundings, especially during busy days
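    Guideline 4c can also be enforced automatically when a password is set or changed. The following Python script is an added example and is not part of the original guidelines or of any GVSU system: it rejects a candidate password that contains the kinds of personal information the guideline names (names of family members or pets, date of birth in several common digit layouts, telephone numbers), after stripping punctuation and undoing common digit-for-letter substitutions such as "J0rdan". The profile layout, the SAMPLE_PROFILE values and the function names are all constructed for this example.

```python
"""Reject passwords built from personal information (added example, not GVSU code).

A candidate password is checked against a caller-supplied profile of the
personal facts listed in guideline 4c: names, dates of birth and phone numbers.
The profile layout and the sample values below are constructed for this example.
"""
import re
from datetime import date

# Common digit/symbol-for-letter substitutions, undone before matching names so
# that "J0rdan" or "M@x" still match. Assumption: this short table is enough
# for the guideline's purpose; it is not an exhaustive "leet" alphabet.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})

# Constructed sample profile for the demonstration at the bottom.
SAMPLE_PROFILE = {
    "names": ["Jordan", "Max"],          # e.g. a child's and a pet's name
    "phones": ["(555) 123-4567"],        # fictional number
    "dates": [date(1985, 3, 14)],        # date of birth
}


def _normalize(text):
    """Lower-case and drop everything that is not a letter or digit."""
    return re.sub(r"[^a-z0-9]", "", text.lower())


def date_tokens(d):
    """Digit layouts in which people typically type a date into a password."""
    yy = f"{d.year % 100:02d}"
    return {
        f"{d.month:02d}{d.day:02d}{d.year}",   # 03141985
        f"{d.month:02d}{d.day:02d}{yy}",       # 031485
        f"{d.day:02d}{d.month:02d}{d.year}",   # 14031985
        f"{d.day:02d}{d.month:02d}{yy}",       # 140385
        f"{d.year}{d.month:02d}{d.day:02d}",   # 19850314
        f"{d.month:02d}{d.day:02d}",           # 0314
        str(d.year),                           # 1985
    }


def personal_tokens(profile):
    """Build the set of strings a password must not contain."""
    tokens = set()
    for name in profile.get("names", []):
        n = _normalize(name)
        if len(n) >= 3:              # two-letter names would match too much
            tokens.add(n)
    for phone in profile.get("phones", []):
        digits = re.sub(r"\D", "", phone)
        if len(digits) >= 7:
            tokens.add(digits)       # full number
            tokens.add(digits[-7:])  # local number without area code
    for d in profile.get("dates", []):
        tokens |= date_tokens(d)
    return tokens


def find_personal_info(password, profile):
    """Return the sorted list of profile-derived tokens found in the password.

    Digit tokens are matched against the plain normalized password; name tokens
    are matched against both the plain and the de-leeted form.
    """
    plain = _normalize(password)
    deleet = _normalize(password.translate(LEET))
    found = set()
    for tok in personal_tokens(profile):
        if tok.isdigit():
            if tok in plain:
                found.add(tok)
        elif tok in plain or tok in deleet:
            found.add(tok)
    return sorted(found)


def password_ok(password, profile):
    """True when the password contains none of the profile's personal tokens."""
    return not find_personal_info(password, profile)


if __name__ == "__main__":
    for pw in ["Max031485!", "J0rdan#2011", "Tr0ub4dor&3"]:
        hits = find_personal_info(pw, SAMPLE_PROFILE)
        print(f"{pw:15} {'OK' if not hits else 'REJECT ' + ', '.join(hits)}")
```

    The check is a complement to, not a replacement for, the length and complexity rules in the Setting Strong Password document: a password can avoid every personal token and still be weak, and a determined attacker will try more substitutions and date layouts than this table covers.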

  5. SENSITIVE INFORMATION

    Sensitive data can be distributed via hard copy or electronic means within an office. When given the choice, store data electronically rather than printing a hard copy. Consider scanning a document to store it electronically instead of keeping the hard copy.

    a) “Sensitive information” includes but is not limited to the following items, whether stored in electronic or printed format:

    1. All FERPA protected data*
    2. Credit card number (in part or in whole)
    3. Credit card expiration date
    4. Cardholder name
    5. Cardholder address
    6. Social Security Number
    7. Business Identification Number
    8. Employer Identification Number
    9. Paychecks
    10. Paystubs
    11. Benefit information
    12. Giving information/history
    13. Health information
    14. Content of external grants or contracts


    b) Securing hard copy sensitive data:

    1. Lock cabinets containing sensitive data when not in use or when away for extended periods of time
    2. Storage rooms containing sensitive data should be locked at the end of the day or when unsupervised
    3. Desks, workstations, common work areas, printers, and fax machines should be cleared of all sensitive data when not in use
    4. Whiteboards, dry erase boards, writing tablets, etc. should be erased, removed or shredded when not in use
    5. Documents to be shredded should be shredded immediately or locked up until shredding can occur
    6. At the end of the day, all sensitive data should be in a locked drawer or cabinet


    c) Securing electronic sensitive data. Please contact Information Technology if there are questions about how you are storing or sharing sensitive data electronically.

    1. Refrain, when possible, from storing sensitive data on your personal computer hard drive or any external personal devices
    2. If storing sensitive data is required on your personal computer hard drive or an external device, encryption and password protection should be applied
    3. Engage the screensaver, with password, when workspace is unoccupied or lock your computer with Control-Alt-Delete or Windows-L
    4. Computer workstations should be shut down completely at the end of the work day
    5. Lock laptop or external devices containing sensitive data when not in use
    6. Make certain data and/or PC work station screens are not visible to the public (e.g. near windows, entry/exit doors, etc.)
    7. If email is used to share sensitive data, the data should be encrypted and/or password protected. The following statement should also accompany the body of the email; note that it is a notice to recipients and does not by itself protect the contents:
      "This message may contain confidential and/or proprietary information and is intended for the person/entity to whom it was originally addressed. Any use by others is strictly prohibited."


*See information regarding FERPA data at www.gvsu.edu/registrar and click on ‘FERPA – Access to Student Records’

Page last modified December 8, 2011