Policy

PG--Information Storage


________________________________________
Document Number: REDFLAG--106 Revision #: 1.0
Document Owner: Executive VP Date Last Updated: 08/17/2012
Primary Author: Executive VP Status: Approved
Date Originally Created: 12/14/2011
________________________________________
General Description
Description: Information about storage of information relative to the Red Flags Identity Theft Policy.

Purpose: Delineation of policy.

Scope: All faculty, staff, students, and administrators

Responsibility: Administration
Executive VP
VP of Business and Finance
________________________________________
Requirements
Relevant Knowledge: In order to comply with this policy you should know:
Current University policy
Federal statutes
Local statutes
Standard company policies
Standards of good practice
State statutes
Terms and Definitions: Additional training

Corrective Action
________________________________________
Policy Provisions
1. Information Storage

Storing Confidential and Sensitive Information (CSI) is a normal function of conducting business at the University. Employees shall only store CSI for legitimate business needs and those needs related to their individual job responsibilities.


1.1 Hard Copy Storage

1.1.1 On-site storage

On-site storage refers directly to CSI stored within any University facility.

1. Employees' Personal Belongings
The University will provide all personnel with a secure place to store personal belongings. Employees are responsible for keeping personal items secure during work hours.

2. CSI Stored in a Workspace
Confidential and Sensitive Information stored in an office, cubicle, reception area, cash register, or other workspace must be kept in locked desks, cabinets, closets, or lockers when not in use.

3. File Rooms and Storage Rooms
File and storage room doors must be closed and locked when unattended by authorized personnel.

4. Records Storage
Company, customer, transaction, and service provider records will only be stored when there is a legitimate business need. Any records in storage beyond the legal statute of limitations will be appropriately disposed of by designated employees.


1.1.2 Off-site storage

Off-site storage refers to any place CSI is stored outside of designated University facilities.

1. Approved Storage Facilities
CSI may only be stored in facilities authorized by University Administration.

2. Storage Service Providers
All storage service providers must comply with the service provider oversight policies in this Identity Theft Prevention Policy.



1.2 Soft Copy Storage

Company representatives shall only store CSI on University-authorized computers, telecommunications, or other electronic devices. A list of approved equipment will be maintained by the company’s Identity Theft Prevention Officer or Information Technology Professional.

1. Encryption
All CSI stored on portable electronic devices or electronically transmitted must be encrypted.

2. Portable Electronic Devices
Portable electronic devices must be secured when not in use. The physical security of these devices is the responsibility of the authorized user. Portable electronic devices include laptop computers, cell phones (specifically smart phones), jump drives, thumb drives, external hard drives, etc.





________________________________________
Performance Evaluation
Performance Metrics: Compliance with standard policy and procedure
Compliance with federal mandate

Consequences: Further training
________________________________________
Subject Experts
The following may be consulted for additional information.
Executive VP

VP of Business and Finance