Protecting Sensitive Information at UH
The University of Hawai‘i (UH) is an extensive and multifaceted organization dedicated to the highest standards of scholarship and service, which requires an open flow of information and communication. Unfortunately, over the last decade, increasing criminal abuse of the personal information that universities hold, such as social security numbers and credit card or other banking information, has challenged the decentralized culture of free-flowing information. In order to protect the personal, confidential information it is entrusted with, UH must comply with local and state laws and federal requirements, including but not limited to FERPA, HIPAA, PCI, FTC and FISMA.
University Data Governance and Data Classification Policies
E2.215 Institutional Data Governance - Established to provide principles governing the management and use of data and information at the University, including, but not limited to, the collection and creation, privacy and security, and the integrity and quality of that data and information.
E2.214 Data Classification Categories - Established to organize UH Institutional Data into data classification categories based on the different levels of security risk and penalties that may result from inadvertent exposure and inappropriate disclosure of those data. The categories are: Public, Restricted, Sensitive, and Regulated.
Institutional Data—data the University of Hawai‘i uses for administrative and academic duties—can be categorized based on different levels of security risk and penalties that may result from inadvertent exposure and inappropriate disclosure of that data.
- Public: Institutional Data where access is not restricted and is subject to open records requests. This includes student directory information and public employee information.
- Restricted: Institutional Data used for UH business only. Restricted data will not be distributed to external parties except under the terms of a written memorandum of agreement or contract. Examples include UH email, UH ID number and UH ID card.
- Sensitive: Institutional Data subject to privacy or security considerations or any Institutional Data not designated as public, restricted, or regulated. Examples include student grades, student and employee date of birth and salary information. UH research data or other UH intellectual property is also considered Sensitive Data.
- Regulated: Institutional Data where inadvertent disclosure or inappropriate access requires a breach notification in accordance with HRS §487N or is subject to financial fines. Driver’s license numbers, Social Security Number (SSN) and personal financial or health information fall within this category.
Additional examples can be found at: https://hawaii.edu/infosec/techguidelines/categorization/.
What is Personally Identifiable Information (PII)?
Personally Identifiable Information (PII) is the type of information that needs to be protected because its inadvertent disclosure or inappropriate access requires a breach notification or is subject to financial fines. Information such as Social Security Numbers, Driver’s License numbers or Hawai‘i Identification Card numbers, Financial Account numbers, PCI-DSS information, and Health information, including anything covered by the Health Insurance Portability and Accountability Act (HIPAA), is categorized as "Regulated" by the University of Hawai‘i.
As part of the UH Data Classifications (EP2.214), the technical guidelines for each data classification category shall be followed to prevent the inadvertent exposure and inappropriate disclosure of Institutional Data that are considered protected data. The latest technical guidelines are available at https://www.hawaii.edu/infosec/techguidelines/.
Do you handle PII, "UH Sensitive", or "UH Regulated" data?
Any UH employee or UH affiliated individual that accesses PII must acknowledge the online General Confidentiality Notice (GCN) found at https://www.hawaii.edu/its/acer/. The General Confidentiality Notice identifies some examples of PII (note that it is not exhaustive). The document also identifies the responsibilities of people who have access to such information.
You will also need to take the Information Security Awareness Training found in Laulima. This brief course goes over various topics, such as data breaches, securing information, and UH policies. A link to the Security Awareness Training can be found here: https://www.hawaii.edu/infosec/training/.
Do you store "UH Regulated" data electronically or in paper format?
Per Hawai‘i State Law and UH Policy, any individual, department, or unit storing Personally Identifiable Information, regardless of whether it is in paper or electronic form, needs to report it. For the University of Hawai‘i, this information needs to be reported in the Personal Information Survey site. The information survey MUST be reviewed and updated annually.
Information Security Program Requirements: Server Registration and Personally Identifiable Information Scanning:
Any server operating on the University of Hawai‘i network (regardless of whether it is behind a firewall) must be registered in the Server Registration database, accessible here: https://www.hawaii.edu/its/server/registration/. Servers will also need to be scanned for vulnerabilities and personally identifiable information annually. More information on this requirement can be found here: https://hawaii.edu/askus/1312.
PII Scanning with Spirion (formerly Identity Finder): To determine if your server contains PII, a scan using Spirion or Find_SSN will be required. Spirion is available for Windows and Mac. To learn more, visit https://www.hawaii.edu/askus/1297. To scan Linux or Solaris servers use Find_SSN: http://www.hawaii.edu/askus/1323.
If your server contains PII, ensure that a corresponding Personal Information Survey is filled out.
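To illustrate what a PII scan of the kind described above actually does, here is a minimal SSN-pattern scanner written for this page. It is an added example, not the code of Spirion or Find_SSN, and the real tools' heuristics may differ. The structural checks it applies (area number not 000, 666 or 900-999; group not 00; serial not 0000) are the Social Security Administration's rules for valid SSNs and cut down on false positives from phone numbers, IDs and ledger figures. The sample file contents are constructed, and the choice to mask every hit down to its last four digits is an assumption made here so that the scan report does not itself become a new store of Regulated data.

```python
import re
from pathlib import Path
from typing import Dict, List

# Constructed sample "files" (path -> contents). None of these are real records.
SAMPLE_FILES: Dict[str, str] = {
    "hr/onboarding.txt": "Employee: J. Doe\nSSN: 123-45-6789\nPhone: 808-555-0100\n",
    "finance/ledger.csv": "id,amount\n1001,12.50\n000-12-3456,99.00\n",  # area 000 is never issued
    "web/logs/access.log": "GET /course/987-65-4320 200\n",               # 9xx area is not an SSN
    "notes.txt": "Serial 12345 6789 is not an SSN; 666-11-2222 is invalid too\n",
}

# Three groups separated by a hyphen or space, with the SSA's structural rules
# applied via negative lookaheads: area != 000/666/9xx, group != 00, serial != 0000.
# Unseparated 9-digit runs are deliberately not matched; they produce too many
# false positives (order numbers, timestamps) for an annual server sweep.
SSN_PATTERN = re.compile(
    r"\b(?!000|666|9\d\d)(\d{3})[- ](?!00)(\d{2})[- ](?!0000)(\d{4})\b"
)


def scan_text(text: str) -> List[str]:
    """Return candidate SSNs found in text, masked to the last four digits."""
    return [f"***-**-{m.group(3)}" for m in SSN_PATTERN.finditer(text)]


def scan_files(files: Dict[str, str]) -> Dict[str, List[str]]:
    """Scan each (path, contents) pair; report only files with at least one hit."""
    report: Dict[str, List[str]] = {}
    for path, content in files.items():
        hits = scan_text(content)
        if hits:
            report[path] = hits
    return report


def scan_directory(root: str) -> Dict[str, List[str]]:
    """Walk a real directory tree and scan every regular file as text.

    Undecodable bytes are ignored so binary files do not abort the sweep.
    """
    files: Dict[str, str] = {}
    for p in Path(root).rglob("*"):
        if p.is_file():
            files[str(p)] = p.read_text(errors="ignore")
    return scan_files(files)


def requires_personal_information_survey(report: Dict[str, List[str]]) -> bool:
    """Any confirmed hit means the server holds Regulated data and must be surveyed."""
    return bool(report)


if __name__ == "__main__":
    findings = scan_files(SAMPLE_FILES)
    for path, hits in findings.items():
        print(f"{path}: {len(hits)} candidate SSN(s) -> {', '.join(hits)}")
    print("Personal Information Survey required:",
          requires_personal_information_survey(findings))
```

Run as-is, the script reports only hr/onboarding.txt; the ledger, log and notes entries are rejected by the structural rules. To sweep a real host, call `scan_directory("/path/to/data")` and review each hit by hand before treating it as confirmed PII, since a regex cannot distinguish a genuine SSN from a nine-digit value that merely satisfies the format.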
OpenVAS: This is an open-source vulnerability scanning tool that will return a fairly detailed, technical report. To scan your computer for vulnerabilities, please use the OpenVAS web interface: https://openvas.hawaii.edu/. An OpenVAS guide is available at https://www.hawaii.edu/askus/1772.
Information Security is ALL OUR Responsibility
Remember: Everyone is responsible for the privacy of protected information. This task should not be left for one person to accomplish. It requires everyone’s understanding and participation to be effective. Everyone should know and understand the procedures of securing data at the University of Hawai‘i.