IT Security Policy 104 - Paper and Portable Electronic Media

Summary

This policy outlines the requirements for safeguarding controlled sensitive data stored on electronic and hardcopy media, ensuring secure handling, storage, and disposal. It mandates encryption, labeling, physical security, and strict disposal procedures while aligning with applicable laws and regulations.

Body

Status: Draft
Last Revision Date: 21 September 2023

Statement of Purpose

The organization is responsible for safeguarding controlled sensitive data, whether stored digitally on electronic media or physically on paper. Secure disposal of such data is just as critical as its protection during active use.

For example, a past payroll report containing Social Security numbers may no longer serve a business purpose, but it must still be securely disposed of to prevent unauthorized access.

Furthermore, protecting data "in situ" is not enough—physical access to the media storing the data must also be controlled. Unrestricted access to a data center, for instance, poses a significant organizational risk.

Policy Summary

Both electronic media and hardcopy materials containing controlled sensitive data shall be safeguarded with appropriate access controls and securely disposed of when no longer needed.

This policy is subject to and superseded by all applicable regulations and laws.

Policy

Portable Electronic Media

Portable electronic media containing confidential and/or private information (e.g., USB drives, CDs, DVDs, floppy disks, tapes) must adhere to the following security protocols:

  • Physical Security: These media shall be physically controlled and secured by the user at all times.

  • Labeling: Media containing controlled sensitive data shall be clearly labeled as such.

  • Storage: Secure storage locations shall be used for all portable electronic media.

  • Encryption: Data stored or transported on portable media must be encrypted using methods specified in Policy 109.

  • Data Transfer Restrictions: Portable electronic media shall not be used to transfer data to an insecure device or any device outside the control of Clackamas Community College without prior written approval from the ITS CIO/CISO.

  • Secure Wiping: Before reuse for non-secure data transfer or connection to an insecure device, portable media must undergo a secure wipe procedure.

Hardcopy Media

Hardcopy materials containing controlled sensitive data (e.g., paper receipts, reports, faxes) must adhere to the following security procedures:

  • Possession and Handling: When removed from a secured Clackamas Community College office environment, employees must maintain possession of the data at all times and take steps to minimize the risk of loss, theft, or unauthorized viewing.

  • Storage: Printed reports containing controlled sensitive data shall be retained, stored, or archived only in secure office environments for the minimum necessary duration. Secure environments include locked file cabinets or safes, protecting documents from unauthorized access (e.g., by custodial or maintenance personnel).

  • Workspaces: Hardcopy controlled sensitive data shall not be left in unsecured or unlocked containers or in open workspaces when not in active use.

  • Labeling: All hardcopy materials containing controlled sensitive data must be clearly labeled as such.

  • Secure Delivery: When third-party delivery of confidential or private data is necessary, a secured courier service or an approved, trackable delivery method must be used, as approved by the CIO/CISO.

Storage and Disposal

  1. All electronic and hardcopy media containing controlled sensitive data within the Data Center shall be stored securely and inventoried quarterly by the CISO, server managers, and department managers.

  2. Electronic media shall be destroyed in accordance with Policy 103.

  3. Hardcopy shred bins shall remain locked at all times until shredding occurs. Employees must cross-cut shred printed materials containing confidential and/or private information.

Exemptions

None.

Exceptions

Exceptions to this policy must be pre-approved in writing by the Chief Information Officer (CIO).

Details

Article ID: 164863
Created: Thu 3/6/25 5:54 PM
Modified: Thu 3/6/25 6:29 PM