Policy

PG--Information Storage

________________________________________
Document Number: REDFLAG--106
Revision #: 2.0
Document Owner: VP of Business and Finance
Date Last Updated: 04/25/2018
Primary Author: VP of Business and Finance
Status: Approved
Date Originally Created: 12/14/2011
________________________________________
General Description

Description:
Information about storage of information relative to the Red Flags Identity Theft Policy.

Purpose:
Delineation of policy.

Scope:
All faculty, staff, students, and administrators

Responsibility:
Administration
VP of Business and Finance
________________________________________
Requirements

Relevant Knowledge: 
Current University policy
Federal statutes
Local statutes
Standard company policies
Standards of good practice
State statutes

Terms and Definitions:
Additional training
Corrective Action
________________________________________
Policy Provisions

1. Information Storage

Storing Confidential and Sensitive Information is a normal function of conducting business at the University. Employees shall only store CSI for legitimate business needs and those needs related to their individual job responsibilities.


1.1 Hard Copy Storage

1.1.1 On-site storage
On-site storage refers directly to CSI stored within any University facility.

1. Employees Personal Belongings
The University will provide all personnel with a secure place to store personal belongings. Employees are responsible for keeping personal items secure during work hours.

2. CSI Stored in a Workspace
Confidential and Sensitive Information stored in an office, cubicle, reception area, cash register, or other workspace must be kept in locked desks, cabinets, closets, or lockers when not in use.

3. File Rooms and Storage Rooms
File and storage room doors must be closed and locked when unattended by authorized personnel.

4. Records Storage
Company, customer, transaction, and service provider records will only be stored when there is a legitimate business need. Any records in storage beyond the legal statute of limitations will be appropriately disposed of by designated employees.


1.1.2 Off-site storage

Off-site storage refers to any place CSI is stored outside of designated University facilities.

1. Approved Storage Facilities
CSI may only be stored in facilities authorized by University Administration.

2. Storage Service Providers
All storage service providers must comply with the service provider oversight policies in this Identity Theft Prevention Policy.



1.2 Soft Copy Storage

Company representatives shall only store CSI on University authorized computers, telecommunications, or other electronic devices. A list of approved equipment will be maintained by the company’s Identity Theft Prevention Officer or Information Technology Professional.

1. Encryption

All CSI stored on portable electronic devices or electronically transmitted must be encrypted.

2. Portable Electronic Devices

Portable electronic devices must be secured when not in use. The physical security of these devices is the responsibility of the authorized user. These include laptop computers, cell phones (specifically smart phones), jump drives, thumb drives, external hard drives, etc.





________________________________________
Performance Evaluation

Performance Metrics:
Compliance with standard policy and procedure
Compliance with federal mandate

Consequences:
Further training
________________________________________
Subject Experts

The following may be consulted for additional information.

VP of Business and Finance