Protecting Sensitive Data

Protecting Sensitive Data in Electronic Format and Best Practices for Backing Up Sensitive Data

The Office of Information Technology (OIT) provided this guidance for the Office of Research Integrity Assurance to share with faculty and other researchers who possess sensitive data, particularly those data that involve human subjects and for which confidentiality is essential. Detailed safeguard recommendations for protecting sensitive data are posted on OIT's site at

These safeguards are highlighted here:

  • Store data only on a laptop/desktop with whole disk encryption. This will protect the data in the event the machine is stolen.
  • Back up the data regularly to a professionally managed file server that is protected and backed up on a routine schedule. Talk with OIT or a CSR for more information on options.
  • Back up data to a tape or drive that is managed by OIT or the researcher's unit. Backups should be encrypted and stored in a physically secure location.
  • Machines on which data reside should be fully patched with the latest security patches.
  • Limit access to the data strictly to those with legitimate need. For example, do not store data on a public-facing web server or Prism account.

Sensitive Servers/Processes

If your unit supports a server housing sensitive data, you should use the following checklist to ensure that appropriate controls and processes are in place to mitigate the risk of exposure of the data.

The server should be in a physically secured room with appropriate access control to the room.
Consoles for systems that store and/or transmit sensitive data should be physically secured to prevent unauthorized use.
All physical access controls and procedures for accessing the Sensitive Servers should be documented.
The server should be kept up to date with the latest security patches.
A change control process for testing and deploying new patches should be in place.
Security patches should be installed as soon as possible after they are available, but no later than 1 month after their release.
For new systems, verify that all security patches are installed before the system is put into production.
User passwords on the systems should be encrypted/hashed.
If using a cryptographic solution for hard disk, file, or external drive encryption, document the solution.
If using a cryptographic solution for hard disk, file, or external drive encryption, document the key management processes and procedures.
Protect encryption keys against both disclosure and misuse.
Encrypt access to sensitive databases (e.g. passwords, IDs, data streams).
Install recommended Antivirus Solution (McAfee EPO).
Limit access to computing resources and sensitive information to only those individuals whose job requires such access.
Access rights assigned to privileged user IDs should be restricted to the least privilege necessary to perform the job.
Only active users with appropriate user IDs should have access. Inactive accounts should be removed as soon as possible.
All accounts should be unique to an individual (no shared accounts).
User authentication should occur with a unique user name and password.
Do not permit group or shared accounts without approval from Internal Audit.
A process should exist for adding, deleting, and modifying user IDs and credentials.
Immediately disable access for terminated users.
Passwords should change every 90 days.
Password length must be at least 7 characters.
Passwords must contain a mix of numeric, special, and alpha characters.
New passwords should be different from the last 4 used.
Password policy and procedures should be distributed to all users.
Limit repeated login attempts by locking out after XX tries.
Monitor system logs for failed login attempts.
Change any vendor-specific defaults before you place a system on the network (e.g. passwords, SNMP community strings, unnecessary accounts, unnecessary services).
Disable unnecessary services.
Configure system security parameters (e.g. Windows GPO policies).
Enable appropriate logging/auditing subsystems.
Implement patching process (monitor for new patches and apply them).
Implement AUTOMATED audit trails to reconstruct the following events:
  • All actions taken by any individual with operating system-level root or administrative privileges
  • Successful/Failed login attempts
  • Initialization of the audit logs
Register the server with OIT-IS as a Sensitive Server so that it will be scanned weekly for vulnerabilities.
Document process to recover from a system failure.
Develop and implement backup processes.
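The password rules and the failed-login items in the checklist above (minimum length 7, a mix of numeric, special and alpha characters, different from the last 4 used, lockout after repeated attempts, monitoring of logs for failed logins) can be checked mechanically. The following is an added example written for this page, not OIT's own tooling. It assumes passwords are stored as salted PBKDF2-SHA256 hashes (the page only says "encrypted/hashed"), that the authentication log is in the common syslog/sshd format, and, since the page leaves the lockout count as "XX", uses a placeholder threshold of 5 failures within 10 minutes; the log lines are constructed for the example.

```python
import hashlib
import hmac
import os
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# --- Password policy (checklist: length >= 7, numeric+special+alpha, not one of last 4) ---

PBKDF2_ROUNDS = 100_000  # assumption: the page does not specify a hashing scheme


def hash_password(password, salt=None):
    """Return (salt, digest) for a password, using a fresh random salt if none is given."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def password_policy_violations(candidate, history):
    """List every checklist rule the candidate password breaks.

    history: list of (salt, digest) tuples for previous passwords, most recent first.
    Only the last 4 entries are consulted, as the checklist requires.
    """
    violations = []
    if len(candidate) < 7:
        violations.append("shorter than 7 characters")
    if not re.search(r"[0-9]", candidate):
        violations.append("no numeric character")
    if not re.search(r"[A-Za-z]", candidate):
        violations.append("no alpha character")
    if not re.search(r"[^A-Za-z0-9]", candidate):
        violations.append("no special character")
    for salt, digest in history[:4]:
        _, cand_digest = hash_password(candidate, salt)  # re-hash with the stored salt
        if hmac.compare_digest(cand_digest, digest):  # constant-time comparison
            violations.append("matches one of the last 4 passwords")
            break
    return violations


# --- Failed-login monitoring (checklist: lock out after XX tries, monitor logs) ---

# Constructed sample log lines in syslog/sshd format; not real data.
SAMPLE_LOG = """\
Mar 12 08:00:10 srv1 sshd[1900]: Failed password for bob from 10.0.0.9 port 40001 ssh2
Mar 12 08:00:20 srv1 sshd[1900]: Failed password for bob from 10.0.0.9 port 40001 ssh2
Mar 12 09:00:01 srv1 sshd[2201]: Failed password for alice from 10.0.0.5 port 50022 ssh2
Mar 12 09:00:04 srv1 sshd[2201]: Failed password for alice from 10.0.0.5 port 50022 ssh2
Mar 12 09:00:09 srv1 sshd[2201]: Failed password for alice from 10.0.0.5 port 50022 ssh2
Mar 12 09:00:15 srv1 sshd[2203]: Accepted password for alice from 10.0.0.5 port 50023 ssh2
Mar 12 09:05:00 srv1 sshd[2210]: Failed password for invalid user admin from 203.0.113.7 port 41000 ssh2
Mar 12 09:05:02 srv1 sshd[2211]: Failed password for invalid user admin from 203.0.113.7 port 41001 ssh2
Mar 12 09:05:05 srv1 sshd[2212]: Failed password for invalid user admin from 203.0.113.7 port 41002 ssh2
Mar 12 09:05:07 srv1 sshd[2213]: Failed password for invalid user admin from 203.0.113.7 port 41003 ssh2
Mar 12 09:05:10 srv1 sshd[2214]: Failed password for invalid user admin from 203.0.113.7 port 41004 ssh2
Mar 12 09:30:00 srv1 sshd[2300]: Failed password for bob from 10.0.0.9 port 40002 ssh2
Mar 12 09:30:05 srv1 sshd[2300]: Failed password for bob from 10.0.0.9 port 40002 ssh2
Mar 12 09:30:09 srv1 sshd[2300]: Failed password for bob from 10.0.0.9 port 40002 ssh2
"""

FAILED_LOGIN = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)"
)


def find_lockout_candidates(log_text, threshold=5, window_minutes=10, year=2012):
    """Return (user, source, failure_count, last_seen) for every (user, source) pair
    that reached `threshold` failed logins inside a sliding window of `window_minutes`.

    threshold stands in for the checklist's unspecified "XX"; syslog lines carry no
    year, so one is supplied (assumption).
    """
    window = timedelta(minutes=window_minutes)
    recent = defaultdict(deque)  # (user, src) -> timestamps of failures still inside the window
    alerts, alerted = [], set()
    for line in log_text.splitlines():
        m = FAILED_LOGIN.match(line)
        if not m:
            continue  # successful logins and unrelated lines are ignored here
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        key = (m["user"], m["src"])
        q = recent[key]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()  # drop failures older than the window
        if len(q) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append((key[0], key[1], len(q), ts))
    return alerts


if __name__ == "__main__":
    for user, src, count, last in find_lockout_candidates(SAMPLE_LOG):
        print(f"lockout threshold reached: {user} from {src}, {count} failures, last at {last}")
    print(password_policy_violations("abcdefg", []))
```

With the sample lines, alice's three failures followed by a success and bob's failures spread across two separate windows stay below the threshold; only the "admin" attempts from 203.0.113.7 reach five failures within ten minutes and are reported. The password check re-hashes the candidate with each stored salt so that history can be kept as hashes rather than as cleartext.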

The foregoing is a subset of the Data Protection Safeguards for managing a server housing sensitive data. For a complete list of the safeguards, refer to:

For instructions on building a secure server, OIT recommends the CIS Benchmarks/Scoring Tools at

May 2012