To go directly to the College of Agriculture security audit: http://www.itap.purdue.edu/assessment/security/
The following actions are REQUIRED of all College of Agriculture employees by September 2, 2005.
Audit Scope
Within the College of Agriculture, all workstations, desktops, notebooks, tablets, etc., must be assessed. This includes office machines, test machines, machines in common areas, notebooks that are in a pool for anyone to use, machines used by students, etc.
Definitions of Data Types
The university has provided the following definitions of data types:
Public -- Information which may or must be open to the general public. It is defined as information with no existing local, national or international legal restrictions on access. Example: Course Catalog
Sensitive -- Information whose access must be guarded due to proprietary, ethical, or privacy considerations. This classification applies even though there may not be a civil statute requiring this protection. Example: Employee Benefit Selections
Restricted -- Information protected because of protective statutes, policies or regulations. This level also represents information that, by default, is not protected by legal statute, but for which the Information Owner has exercised their right to restrict access. Example: Student Academic Record (FERPA)
“How do I know if it is sensitive or restricted data?” This is the most common question to date. Here are some guidelines:
Contact the source of the data and ask the data type classification.
If the data points to the identity of an individual, it should be treated as sensitive/restricted data.
If you are still unsure, err on the side of caution. Treat the data as sensitive/restricted.
For further information on policies and procedures governing sensitive/restricted data, please consult http://www.itap.purdue.edu/security/policies/policies/dataConfident.cfm, which provides data classification information that will help you determine what data is considered “restricted.” Restricted data includes Social Security numbers, credit card information, protected health information, FERPA-related data, etc. This data may be contained within databases, Word documents, Excel spreadsheets, etc. All staff members should be aware of the classification and handling guidelines for the particular data they handle.
>>Action 1 - Removal and/or Movement of all Sensitive/Restricted Data - Workplace
Computer Hard Drive on Workstation/Desktops/Laptops/Tablets
Review all files stored on your computer’s hard drive. This includes, but is not limited to:
§ Desktop
§ ‘C’ Drive (e.g., my documents)
§ Removable drives
Move ‘necessary’ data files containing sensitive/restricted data from the desktop to a secure network server for storage. ‘Necessary’ is defined as ‘required to conduct official university business.’
§ Contact an IT professional for assistance if you are not clear on saving to a secure network drive.
Delete all data or data files containing sensitive/restricted data on the desktop, etc.
§ Sensitive/restricted data can be removed from a file and resaved (e.g., form 17 travel form can be opened, SS# deleted and the file saved.)
§ If the file is no longer needed, deleting is the best option.
Network Drive
Review all files on a network drive.
§ Contact an IT professional if you need assistance identifying a network drive.
Delete all unnecessary data or data files containing sensitive/restricted data on the network.
§ Sensitive/restricted data can be removed from a file and resaved (e.g., form 17 travel form can be opened, SS# deleted and the file saved.)
§ If the file is no longer needed, deleting is the best option.
>>Action 2 - Removal of all Sensitive/Restricted Data – Equipment Outside of Purdue
Computer Hard Drive on Workstation/Desktops/Laptops/Tablets & Non-Purdue Network Drives
Review all files stored on your home computer’s hard drive. This includes, but is not limited to:
§ Desktop
§ ‘C’ Drive (e.g., my documents)
§ Removable Drives
Delete all data or data files containing sensitive/restricted data on the desktop.
>>Action 3 – Complete a Security Audit
Each individual will be requested to complete an online audit form where they will acknowledge that they have moved all sensitive data from their equipment, both at home and at work.
The form is IP-address restricted, so if you are off-campus and want to fill out the form, you will need to establish a VPN connection to do so.
Please use the following URL to access the online form: http://www.itap.purdue.edu/assessment/security/
Questions about this assessment may be directed towards your IT professional. Again, the deadline for submission is September 2, 2005.
Thank you for your cooperation, time, and effort.