Desktop Data Assessment FAQ
Why are we conducting this desktop assessment?
The University is obligated by law and policy to adequately secure protected Level 1 information. Although we have an inventory of all campus servers, including the level of protected data stored on the servers, we do not have a similar inventory of desktops containing the most confidential of campus information.
Additionally, a recent information security audit finding requires the campus to "conduct an assessment of all campus computers to ensure security of protected information."
In 2009, 6,000 University of Washington employees were notified that their names and social security numbers were on a computer system that was hacked. This story is a good example of why protected Level 1 data needs to be kept in the proper, secure location. For more information, see the Seattle Times article.
Access the survey here: https://webapps.csueastbay.edu/secure/audit
What is "protected Level 1 information"?
Protected Level 1 information can cause the most serious harm to individuals and to the campus as a result of unauthorized access. Much of this information is protected by statutes, regulation, other legal obligation or mandate.
Campus Protected Level 1 information includes:
- PINs (Personal Identification Numbers)
- Passwords or credentials
- Birth date combined with last four of SSN
- Name with credit card number
- Name with Tax ID (SSN)
- Driver's license number, state identification card, and other forms of national or international identification
- Medical records related to an individual
- Psychological Counseling records related to an individual
- Bank account or debit card information
- Vulnerability/security information related to the campus or a system
- Prospective Student data
- Worker's compensation or disability claims
- Campus physical plant detail
- Employee evaluations (often stored on local hard drives, and they should not be)
- Student Home addresses, personal telephone numbers or personal email addresses
- Parents' and other family members' names
Student record information:
Generally any information that will become a part of a student's transcript and records, which are protected under FERPA and other regulations. This kind of data should not be stored on local computers, such as desktops and notebooks.
This data should exist only on campus secure storage, whether on-campus secure storage or portable secure storage, as discussed later in this FAQ. If this kind of data is currently stored on a local computer, it will need to be moved to secure storage.
Such Student record information includes the following:
- Educational records (Excludes directory information)
- Courses taken
- Test Scores
- Advising records
- Educational services received
- Disciplinary actions
Are EmplIDs or CSU East Bay IDs (NetIDs) considered protected Level 1 information?
EmplIDs or CSU East Bay IDs (NetIDs) are not considered Level 1 data on their own. The data is considered Level 1 if a combination such as EmplID, driver's license, and name all exist in the same report.
Where can I find more information about data classification?
The CSUEB Data Classification Standard document can provide more information about data classification. It also includes an appendix that lists the laws and regulations that were considered in writing this standard.
You can find the CSUEB Data Classification Standard here:
What if I don't know whether I have protected Level 1 information on my desktop?
Typically, documents containing confidential data include Excel spreadsheets, Word documents, or database files. Look through the files on your computer, such as those in your "My Documents" (Windows) or "Documents" (Mac) folder to determine if you have any files of those types containing protected Level 1 information.
If you are still unsure whether or not you have protected Level 1 information on your desktop or notebook computer, please contact the Information Security Office at firstname.lastname@example.org for assistance.
What if I only have protected Level 1 information about myself on my desktop?
This assessment does not apply to your own "protected information" stored on your desktop. It does apply to protected Level 1 information about other students, faculty or staff.
What if I have multiple desktops or a desktop and a laptop?
The survey should be completed for each State, Foundation, and ASI-owned machine that you use.
I don't have a University computer - I use my own. Do I still need to complete the survey?
If you are using your own personal desktop or laptop, we would still like for you to take the survey. Please enter "self" in the "Property Tag" field.
Do I need to complete this survey for lab computers?
No, this is only for individual desktop or portable computers.
What should I do if I have protected Level 1 information stored on my desktop?
If you have protected Level 1 information on your desktop, the best thing you can do is delete or move the data.
The University has determined that Protected Level 1 information belongs on enterprise servers housed in our data center. As such, each employee has been provided easily accessible space on those servers. These servers are much more secure than your desktop or notebook computer and all backups of these servers are encrypted.
If you already have a place on a campus server for saving protected data, such as the T drive for some areas of PEMSA, you can continue to use that location.
If you do not already have a process in place for saving protected data, ITS is providing a new location on a secure server for each Faculty and Staff member.
Directions for accessing this secure server: http://www.csueastbay.edu/its/training/resources.html
Look for the article titled "Secure Data Storage".
For assistance with the secure server storage, contact the Service Desk (servicedesk.csueastbay.edu).
Those instructions are for those using computers on campus. What about those who are using computers off-campus?
You may use a portable storage device for off-campus work only if it is a device that provides full drive encryption via built-in cryptographic hardware.
We ask that you register this device with the Information Security Office (email@example.com) by forwarding the make, model and serial number of the device to us. This is both for inventory purposes (we must keep an inventory of Level 1 data locations) and for reporting lost devices containing Level 1 data.
The campus Information Security Office has tested and can recommend the following products (we will expand this list as time and resources permit):
IronKey encrypted USB Thumb Drives - www.ironkey.com
- Any level of this product is fine, either the Basic or Personal models.
Apricorn encrypted external portable hard drives (250 GB and up) - http://www.apricorn.com/product_detail.php?type=family&id=65
- This company offers several varieties, some with stronger encryption and some with biometric capabilities; all are acceptable. However, the specific model linked above is sufficient.
NOTE: Both of these products are compatible with Windows, Mac OS X, and varieties of Linux.
How do I access the survey?
Access the survey here: https://webapps.csueastbay.edu/secure/audit
Who should I contact if I have more questions?
Please contact the Information Security Office at: firstname.lastname@example.org