The University of Arizona

Data Management and Cleanup


 

Do you really know what is on your computer and how much data you truly have? Digital data is growing at an exponential rate. While much of that data is necessary to have, some of it is subject to retention time limits, some of it requires security measures to be in place, and there are probably a lot of documents, data, and information that you don’t in fact need at all. Many people still wonder why data security should be at the top of their agenda. UA InfoSec is here to tell you why and to assist you with all of your data management issues through best practices, training, and awareness of data retention issues.

Here are some resources that cover data management as a whole:



Faculty Sensitive Data Cleanup Project

What is Sensitive Data? It’s quite simply any data that must be kept secure. It includes personal data such as a social security number, financial data such as credit card information, and anything else that can be used to facilitate identity theft. It also includes federally protected data such as student information and medical information, as well as passwords, account information, restricted data, and any other unique identification such as a driver’s license number. A primary source of risk in higher education institutions is the retention of old data, particularly class rosters. Many schools, like the U of A, once used Social Security Numbers as Student IDs. While this may not have been an issue prior to the internet, it certainly is in the 21st century.

To assist faculty members in reducing their risk, the Information Security Office, in cooperation with the Faculty Senate, has developed a sensitive data checklist. This "low tech" way of cleaning up data will not only reduce risk for faculty, departments, and the university at large, it will help in getting rid of old data that is taking up space on computers all over campus.

Download and print your checklist below, and then use it to step through your class rosters.

 



Data Retention and Disposal

Records retention has always been about as fun as going to the dentist: you don’t want to do it, but it’s necessary for your well-being. Some believe that they should archive anything and everything forever, just to be on the safe side. But that's not quite right either. In records-retention land, there is no "safe side." Keeping too much information is a risk too. If you retain a record for too long, it becomes very expensive, you expose yourself and the university to litigation risks, and you might even be violating privacy rights.

Deadly Sins of Record Retention

1. Not understanding what a record actually is.

The first step to a good records management program is simply identifying which of your data is actually a record.

2. Retaining unnecessary documents.

Just because you can't see it doesn't mean it's not there. It is hard to realize the amount of digital data we actually store on our computers. Saving every file we receive or create is easy, and we don't really think twice about it. However, over the years those documents really add up and take up valuable storage space. While keeping important documents and following record retention schedules is necessary for some data, a lot of the data that we store doesn't fall into those categories at all. It is important to go through and clean up

3. Assuming that document retention is someone else's job

Records retention and data management is a “hot-potato issue.” Everyone gets thrown the hot potato, and everyone wants to throw it back because they don't want to bother with it. However, you are responsible for your data.

4. Not following retention schedules

Retention periods depend on the type of record and the department. A data retention policy weighs legal and privacy concerns against economics and need-to-know concerns to determine the retention time, archival rules, data formats, and the acceptable means of storage, access, and encryption.

5. Not deleting information after the retention period

Once the retention period ends, that’s when the real work begins. Many people believe that data deletion is not as important as their other work, so they put it off. Retention schedules are created for a reason. They are necessary in order for the university to meet legal and business data archival requirements. Not following the deletion process after the retention period makes not only you, but also the university, susceptible to legal and privacy violation issues.

6. Not disposing of old records properly

When what's considered "public information" outlives its usefulness, users or administrators can just delete it and forget about it, but when it’s sensitive data, the delete button doesn’t mean a thing. Simply pressing the delete button, emptying the Recycle Bin, or even formatting the drive doesn't get rid of files. The digital information still remains on the drive we are using, and if the information is deemed classified or confidential, it must immediately be shredded, burned, degaussed, or overwritten to a Department of Defense level standard.



Safe Disposal Procedures

It is important to properly handle data erasure and disposal of electronic media (e.g. PCs, CDs, USB drives) in order to protect confidential and sensitive data from accidental disclosure. Before discarding your computer or portable storage devices, you need to be sure that data has been completely erased or "wiped".

  • Read/writable media (including your hard drive) should be "wiped" using Department of Defense (DOD) compliant software. Software that meets DOD compliance standards can be downloaded from the Internet at no cost.

  • Shred CDs and DVDs. This type of media should be physically destroyed.

  • Media that does not need to be reused, or that contains sensitive or private data that cannot be "wiped", should be physically destroyed.

  • The FTC's Pitch It: Give Personal Info the Shred Carpet Treatment article provides tips on how to properly dispose of your data.



Copier Data Security

Most people don’t think much about their copiers, but they should. Copiers are smart machines that do the obvious (copy), but can also print, scan, fax, and email documents. Copiers require hard disk drives to manage the many jobs they receive, but did you know that the copier’s hard drive also stores all of the data that goes through it? If you don’t take steps to protect that data, it can be stolen from the hard drive, either by remote access or by extracting the data once the drive has been removed.



Procurement and Contracting Services: Surplus Property

UA InfoSec partnered with PACS to create a policy for proper copier and data security upon disposal.



Office Moves & Renovations Physical Security

While it is always important to be mindful of data/physical security for computing devices, it is especially important to safeguard this type of equipment during office renovations, moves, travel, or disposal of devices. These types of events have the potential to create scenarios in which there is a higher risk of computer and identity theft.



Other Data/Physical Security Resources

  • Sensitive and personal information is in everyone’s files and having a sound security plan in place to collect only what you need, keep it safe, and dispose of it securely is necessary to help you meet your legal obligations to protect that sensitive data. The FTC has tons of resources at their Data Security page to help you with all of your physical/data security needs.

  • Guard Privacy & Online Security is a great online resource for everything you need to know for the best protection against all known Internet threats.  

  • UA InfoSec's June 2012 Monthly Update covers data/physical security and the July 2012 Monthly Update is a roadmap to data cleanup.

