Storage

Securely dispose of all critical information unless you absolutely cannot do business without storing your own copy.

Do you really need to store it?

Is it absolutely necessary to retain a copy on a user’s individual computer or department server, or does the university already maintain the same information elsewhere? Rather than creating another copy that will require its own special protections, access and view the information from its primary university source.

Use Secure Shell (SSH), virtual private network (VPN), remote desktop, or other methods using strong cryptography to connect to the main storage location.

Use a secure storage location

Not all storage locations are acceptable for critical information. Critical information in electronic format must be professionally secured to prevent it from being compromised or stolen:

  • Ask your department which storage service is professionally secured for critical information storage.
  • Never store this information on your desktop, laptop, mobile device, USB drive, flash drive, or any media unless (a) the information is properly encrypted and (b) the senior executive officer of your unit has provided prior written approval confirming a critical business need to do so. For more information, see the Mobile Device Security Standard IT-12.1.

Ensure paper records are kept in locked file cabinets/storage rooms or are otherwise access controlled. If you store paper records in University Archives or other shared locations, ensure that these records are not accessible to others storing records in the same location. (Note: The IU Warehouse is no longer approved for storing university-internal, restricted or critical institutional data. A list of approved vendors is available on the Purchasing website.)

Safeguards

  • Encrypt critical information at rest if you store it electronically.
  • Always log off or lock your workstation when you step away, even for a moment.
  • For more ways to safeguard critical information, see the article Best Practices for Computer Security.
  • Some information, like payment card or health information, can have special requirements (e.g., PCI DSS and HIPAA).

For more PCI DSS information, see the page PCI DSS - What You Should Know.

For more HIPAA information, see the HIPAA Privacy and Security page.