Protecting My Data

At the university, many of us deal with a large quantity of data every day.ÌýSome of this data is considered sensitive and is vital to the ×îÐÂÌÇÐÄVlog’s business operations.

By understanding which data is considered sensitive, you can help the ×îÐÂÌÇÐÄVlog safeguard its most important assets.Ìý

  • Step 1: Identify

    You cannot secure what you don't know.

    • The first step is to make an inventory of the information you use as part of your research, teaching, and administrative work, and identify where they are located.ÌýÌý
    • If the source information is contained within an application or database, make sure you take any data exports, dumps or reports from the application into consideration as well.

    Examples of types of dataÌý

    Examples of where data might be stored

    • Research dataÌý

    • Research recordsÌý

    • Clinical trial dataÌý

    • Draft papersÌý

    • Teaching materialsÌý

    • Student recordsÌý

    • Financial dataÌý

    • HR recordsÌý

    • ×îÐÂÌÇÐÄVlog U: and S: drivesÌý

    • Personally owned laptopÌý

    • µþ´Ç³æÌý

    • ³¢²¹²ú´¡°ù³¦³ó¾±±¹±ð²õÌý

    • Dropµþ´Ç³æÌý

    • Within business application (e.g., PeopleSoft or HPE Content Manager)Ìý

    • USB memory stickÌý

    • Mobile device (iPhone, iPad, etc)Ìý

    • See the storage webpage for more informationÌý

  • Step 2: Classify

    Distinguish what's important from what's notÌý

    • The next step is to categorise the identified information into what is sensitive and what is not.ÌýÌý
    • It is often useful to set up a common language to facilitate this categorisation process.
    • You may want to define a more fine-grained classification to suit the needs of your own division. For example, you could create Sub-Class 3A - Medical Records, 3B - Top Secret Research, etc.Ìý
    Classification Description
    Class 4 "Restricted"

    Example:

    • Classified defence research

    • Identifiable medical data

    • Data protected under the US Government HIPPA

    • Data protected under the ×îÐÂÌÇÐÄVlogn Government DISP

    Class 3 "Confidential"Ìý

    ·¡³æ²¹³¾±è±ô±ð:Ìý

    • Personally identifiable data (TFN, home address, phone number, DOB, etc)Ìý

    • Credit card dataÌý

    • Medical records and patient dataÌý

    • Defence related research

    • Student academic recordsÌý

    Class 2 "×îÐÂÌÇÐÄVlog Internal"

    ·¡³æ²¹³¾±è±ô±ð:Ìý

    • Unpublished research dataÌý

    • Teaching materials (PowerPoint, Word, recorded lectures, etc)Ìý

    • Non-sensitive and de-identified research dataÌý

    • Normal business administration recordsÌý

    Class 1 "Public"

    ·¡³æ²¹³¾±è±ô±ð:Ìý

    • Course description / synopsisÌý

    • Published papersÌý

    • Information on public websiteÌý

    If you are unsure if a piece of data is Class 4, Class 3 or Class 2, ask yourself:Ìý

    • If the data were to be exposed to major media, would it hurt the reputation of yourself, your work/research unit, or the ×îÐÂÌÇÐÄVlog?Ìý
    • Would an exposure violate ×îÐÂÌÇÐÄVlog policies, privacy laws, or other laws and regulations?Ìý
    • Would unauthorised exposure to a malicious person be detrimental to the success of your work?Ìý
    • Would you suffer a significant setback for your work if the data was lost permanently?Ìý
    • Does the data contain personal or personally identifiable data?Ìý

    If the answer to any of the questions is 'YES' then consider the data Class 3 or Class 4.Ìý

  • Step 3: Protect

    Protecting sensitive information from unauthorised access, corruption and accidental loss is vital to upholding the ×îÐÂÌÇÐÄVlog’s world-class research and teaching standards, as well as comply with laws and regulations.

    In the interests of efficiency and economy, the level of protection should be commensurate with the value of the information asset or the impact to the ×îÐÂÌÇÐÄVlog if security is compromised.

    The provides a common framework for classifying the ×îÐÂÌÇÐÄVlog’s information assets in order to determine the appropriate level of security protection. The guidelines have been developed to be sufficiently generic so that theyÌýcan be applied to all areas within the ×îÐÂÌÇÐÄVlog. Areas may choose to elaborate on this guideline to meet their specific needs.

    Here are some SecureITÌýtips to safely manage your data:Ìý

    Stop and think before you share dataÌý

    Sharing information is an important part of achieving a productive learning and teaching environment at the ×îÐÂÌÇÐÄVlog. Some information, however, is sensitive and may harm you or the ×îÐÂÌÇÐÄVlog if it gets in the wrong hands.Ìý

    Criminals can use sensitive information against the ×îÐÂÌÇÐÄVlog to tarnish our brand and impact the teaching and learning prospects of the ×îÐÂÌÇÐÄVlog.Ìý

    Discretion should be used when sharing any of the following information:Ìý

    • Personally identifiable informationÌý
    • Medical andÌýheathÌýinformationÌý
    • Student recordsÌý
    • Financial informationÌý
    • Research data and intellectual propertyÌý

    Always protect your sensitive filesÌý

    Keeping your sensitive files secure plays an important role in protecting the ×îÐÂÌÇÐÄVlog's data. Storing sensitive information in the cloud or on local hard drives can have serious consequences, including data loss (due to a device failure) or data theft (due to lost or unattended equipment).Ìý

    The ×îÐÂÌÇÐÄVlog currently offers two locations where students and staff can securely store their filesÌý

    U: driveÌý

    The U: drive, or User drive, is a private online storage location offered to every student and staff member. Your U: drive is automatically mapped when you login to any ×îÐÂÌÇÐÄVlog computer. The data stored on your U: drive is backed up nightly and is protected from other users.Ìý

    *Please note: U: drive storage capacity is limited to 2GB for students and 5GB for staff.Ìý

    S: driveÌý

    The S: drive, or Shared drive, is a centralised online storage location where staff can share files with colleagues. Access to files on S: drive can be restricted to staff members residing in a particular Faculty, Division, Branch, Area or team. S: drive is backed up nightly.Ìý

    Ìý

    Be mindful if you are storing data in the cloudÌý

    Many internet companies offer online storage for your photos, emails and documents. The term commonly used to describe this service is called cloud storage. Box is a cloud storage and collaboration service that is university-endorsed and supported.Ìý³¢²¹²ú´¡°ù³¦³ó¾±±¹±ð²õÌýis a cloud-based electronic research notebook system that is also university-supported. Dropbox, Apple iCloud, Microsoft OneDrive, and Google Drive are all cloud storage options that are not endorsed or supported by the ×îÐÂÌÇÐÄVlog of Adelaide.Ìý

    While cloud storage may feel like a hassle-free way to manage your data, it has some very real security implications that should be considered.Ìý

    • Before storing any of your data in the cloud you should consider:Ìý
    • Would the cloud provider tell you if they were hacked and your data was stolen?Ìý
    • Is your data being backed up?Ìý
    • Is your data being shared with advertising companies?Ìý
    • What happens if the cloud provider goes bankrupt or is taken over?Ìý
    • Are employees of the cloud provider allowed to view and share your data?Ìý

    When it comes to university-endorsed systems such as Box andÌýLabArchives, you can be confident that the ×îÐÂÌÇÐÄVlog has asked and answered these questions on your behalf. While you use these systems, be aware of the type of data you are storing and de-identify personal details. Also, keep an eye on who has been given access to the files and remove people's access when it is no longer appropriate.Ìý

    Always read your cloud provider’s privacy policy and data storage policy before storing any sensitive information in the cloud. If your questions cannot be answered in these documents you should contact your cloud provider directly.Ìý

    Avoid storing and accessing sensitive data on public or shared computersÌý

    Public computers often contain hidden programs that can secretly record your passwords, emails and banking information. Hackers will also use publicÌýwifiÌýhotspots to (surreptitiously) intercept your traffic and steal your passwords and other private information.Ìý

    Hackers can use this information to commit identity fraud or other cybercrimes.Ìý

    Ìý