Effective Date | October 3, 2023 | Policy Owner | Information Technology Services (ITS) |
---|---|---|---|
Last Reviewed Date | July 1, 2024 | Approved By | Vice President for IT and CIO/CISO; President's Council; GLBA Committee |
Review Cycle | Annual | Policy Contact | Information Security & Compliance Analyst |
Purpose
This Clean Desk and Clear Screen Policy is designed to establish a culture of data security and trust for all faculty, staff, and students at New York Tech. An effective clean desk and clear screen effort involving the participation and support of all members of the New York Tech community can greatly enhance the protection of paper and electronic records that contain Confidential and Restricted Data. As part of this effort, staff, faculty, and student workers must adhere to this policy.
Scope
This policy applies to all University faculty, staff, and student workers who handle or have access to University Data, including Confidential or Restricted Data on paper, screen displays, removable storage media, and any computing devices that contain or display Confidential or Restricted Data, regardless of location.
Definitions
Data Classification – University Data is classified according to the level of confidentiality needs, legal requirements, and minimum standard protections:
- Confidential Data – Information that is legally regulated, and data that would provide access to Confidential or Restricted Data.
- Restricted Data – Information that a decision has been made not to publish or make public, and data protected by contractual obligations.
- Public Data – Information for which there is no expectation of privacy or confidentiality.
University Data – Those data, regardless of format or classification, maintained by New York Tech or a party acting on behalf of New York Tech that contain information on past, current, or future students, employees, or donors/friends. University Data (electronic and paper) includes information stored in any University database, file system, storage medium, or on paper. All University Data, whether maintained in a central database, copied into other data/file systems, or printed onto paper, remain the property of the University.
Policy Statement
When faculty, staff, and student employees are away from their desks for any length of time, Confidential and Restricted Data must be secured, and computing devices must be placed in a locked screen state. The following general rules apply:
- All hard copy records containing Confidential or Restricted Data must be securely shredded or disposed of in designated confidential waste containers when ready for disposal (see Secure Shredding; login required). Under no circumstances should this information be placed in a regular trash receptacle.
- Employees must never leave access cards, office keys, or filing cabinet/drawer keys out and unattended. Keys and access cards must remain with the owner or secured at all times.
- All documents and records containing Confidential or Restricted Data must be secured in a locked drawer or filing cabinet when left unattended for any period of time.
- All computing devices that provide access to Confidential or Restricted Data must be logged off or protected using a screen lock controlled by a password or similar user authentication mechanism.
- In accordance with the Data Security and Access Management Policy, certain Confidential Data (Social Security number, driver's license number, state/federal ID card number, passport number, or financial account numbers) must not be stored on mobile devices (laptops, tablets, etc.) or on removable media (e.g., optical disk, USB flash drive, or portable hard drive), whether or not those devices are encrypted and designed to handle and protect other categories of Confidential or Restricted Data.
- Faxes and print jobs containing Confidential or Restricted Data must be retrieved immediately from the device. When using a shared printer, the "Secured Print" functionality must be used.
If in doubt or unsure of how to handle University Data, personnel should check with their supervisor or contact Information Security at infosec@nyit.edu.
Related Internal Policies
Regulatory References
- Federal Legislation
  - HIPAA (Health Insurance Portability and Accountability Act)
  - FRCP (Federal Rules of Civil Procedure, a.k.a. eDiscovery)
  - USA Patriot Act
  - FERPA (Family Educational Rights and Privacy Act)
  - GLBA (Gramm-Leach-Bliley Act)
  - FISMA (Federal Information Security Modernization Act)
- State Regulations
  - SHIELD Act (New York's Stop Hacks and Improve Electronic Data Security Act)
  - Individual State Security and Privacy Regulations
- Associations
  - PCI DSS (Payment Card Industry Data Security Standard)
- International
  - GDPR (European Union's General Data Protection Regulation)
  - PIPEDA (Canadian Personal Information Protection and Electronic Documents Act)
  - PIPA (British Columbia's Personal Information Protection Act)
Violations
Violations of this policy may result in loss of data access privileges, administrative sanctions (including termination or expulsion), as well as personal civil and/or criminal liability.