Protecting KU Data
At KU, security is a shared responsibility. During the course of your day at KU, you access many types of information, some of it sensitive and/or confidential. To maintain privacy and data security at KU, you are required to handle data and information properly.
- Understanding what type of data is sensitive
- Following proper handling procedures to maintain privacy
- Keeping physical areas secure
- Protecting mobile devices that are easily lost or stolen
KU Data Classification Policy Levels
The KU Data Classification and Handling Policy details three levels of data and the security protections required for the handling of data at each level. All KU employees are responsible for classifying and handling data according to the policy. Below is an excerpt from the policy describing three data classification levels. Please read the full policy at KU Data Classification and Handling Policy.
Level I – Confidential Information Protection – Stop! Special care is required
High risk of significant financial loss, legal liability, public distrust or harm if this data is disclosed.
Examples of Level I Data:
- Data protected by HIPAA (health information)
- Data protected by FERPA (student information including grades, exams, rosters, official correspondence, financial aid, scholarship records, etc.)
- Personally Identifiable Information (PII)
- Individually identifiable information created and collected by research projects
- Data subject to other federal or state confidentiality laws
- Personnel data
Level II – Sensitive Information Protection: Be Very Cautious
Moderate requirement for confidentiality and/or moderate or limited risk of financial loss, legal liability, public distrust or harm if this data is disclosed.
Level III – Public Information Protection: Proceed with Awareness
Low requirement for confidentiality (information is public) and/or low or insignificant risk of financial loss, legal liability, public distrust or harm if this data is disclosed.
Proper Handling of Sensitive Data
Help maintain privacy by doing the following:
- Adopt a clean desk and clear screen policy
- Lock your screen when you step away from your desk
- Set the timeout for your screen to 10 minutes or less
- Don't retain unneeded data (electronic or paper)
- Destroy sensitive data in the proper way:
What to Do if You Find Improperly Stored Data?
For Electronic Records:
Immediately contact the KU IT Security Office at email@example.com or 785-864-9003.
For Paper Records:
Immediately contact the KU Office of Institutional Compliance at 785-864-6204 or email firstname.lastname@example.org.
Maintaining Physical Security
To maintain the privacy and security of KU information, it is important to maintain security in the physical spaces where data, information and computer equipment are stored.
Remember to always:
- Lock exterior and inter-office doors during non-work hours.
- Close and lock windows during non-work hours.
- Do not let unknown individuals into secure or private areas.
- Be aware of people attempting to follow you into secure or private areas, known as "tailgating."
- Avoid using secondary exits unless necessary, and make sure the door locks behind you.
- Keep paper documents containing sensitive information in locked cabinets and keep accurate records of who has keys.
What to Do if You See an Unknown Individual in a Secure or Private Area
Politely ask for identification. If you observe activity that poses a direct threat to the life or safety of any individual, immediately contact the KU Public Safety Office at 911 or call 785-864-5900.
Best Practices for the Security of Mobile Devices
Mobile devices include laptops, tablets, smartphones and removable storage devices (e.g., thumb drives, external hard drives). Smartphones and tablets are incredibly powerful computers that are just as susceptible to security issues and malicious attacks as desktop and laptop computers. Mobile devices create an even greater danger because they are easily lost or stolen.
See Mobile Security tips and best practices to help improve mobile device security.
Complete Your Annual KU IT Security Awareness Training
All KU faculty and staff are required annually to complete the IT Security Awareness Training Course in KU's Talent Development System.
Take the course: IT Security Awareness Training Course
Is Your Department Subject to Red Flag Rules?
Red flag rules are used to detect and deter identity theft. Check with your department to see if it is subject to red flag rules and complete any required training.
What Constitutes a Security Breach?
A "security breach" is unauthorized access to a system, device, application or data by circumventing security policies, practices, procedures or mechanisms.
KU Research Security Support
Many KU researchers engage in research that involves the collection or use of identifiable private information. Federal law and KU policy provide specific guidance for protecting identifiable research information.
The IT Research Support Team and KU Information Technology, in partnership with the Office of Research, offer specialized services to meet the needs of KU researchers, including security-related support, Research File Storage, access to the Advanced Computing Facility, and research websites.
See Research Security Support for information and resources.