October is National Cybersecurity Awareness Month, and over the next four weeks Rice’s Office of Information Technology will share tips and information about how to stay safe and be a conscientious Internet user.
The golden rule — do unto others as you would have them do unto you — is sound advice, even in the context of the cyberworld.
Rice faculty, staff and even some students are entrusted to handle protected, private information every day, from student and health records to bank account and credit card information to employee data. “We should protect this information just as we expect others to handle our private information correctly and safely,” said Marc Scarborough, chief information security officer for Rice’s Office of Information Technology.
Employees have been trained on how to handle this kind of information and how to recognize it, and departmental policies and procedures are in place to help protect the information consistently. Rice University Policy 808 describes what kind of data is protected. Protected data is classified as confidential and sensitive. The general distinction between the two is simple: Information that has legal protection obligations, like Social Security numbers and student records, is classified as “confidential.” Proprietary and internal information, like employee IDs and university infrastructure information, is classified as “sensitive.”
“We must use caution when receiving, handling and storing private information,” Scarborough said. He offered these tips for best practices:
— Train new additions to departments when they arrive (and, in some cases, annually).
— When data appears in places where it would not normally appear, like an unencrypted email or in a public Google search result, report it to the Information Security Office (firstname.lastname@example.org or 713-348-5735).
— If you have questions about the best ways to receive, store and send protected information, contact the Information Security Office to learn how tools and technology can be used to safeguard confidential and sensitive information.
“We handle private information every day,” Scarborough said. “Not only must we protect this information, but we also have an obligation to let someone know if we see an issue with how protected information is handled or if we make a mistake ourselves. We should be timely in our reporting. The longer a record remains in the open, the longer it remains at risk.”