
Temple University Encryption Guidelines

Review Date/Issuing Authority

Effective Date: April 26, 2012
Review Date:  July 28, 2016
Issuing Authority:  Chief Information Security Officer

Policy

Not Applicable

Scope

This guideline applies to all University employees and faculty who in the course of their job at Temple must send confidential or regulatory protected information electronically outside of Temple’s network.

Purpose

Sensitive information and information protected by regulations, such as FERPA, HIPAA, GLBA, and others, must be protected when leaving Temple University’s network. In order to appropriately protect these information assets, measures must be taken to ensure that the confidentiality, integrity and availability of the data are not compromised. This procedure outlines the steps that the employee should take prior to sending sensitive or regulatory protected information.

Definitions

  1. Education Records - Any record (in handwriting, print, tapes, film, electronic, or other medium) maintained by the university or an agent of the university that is directly related to a student unless noted in the law as an exception.
  2. Electronic Media – Technology used to hold electronic or digital data in any form. Hard, floppy or optical disks, USB drives, memory sticks, magnetic tape, wire, wireless, cable and fiber are among examples of technology.
  3. Internet – A global network made up of more than 100,000 interconnected groups of computers in over 100 countries comprised of commercial, non-profit, academic and government entities.  The Internet is commercialized into a worldwide information highway, providing potential access to information or services on every subject known to mankind.
  4. Non Public Information (NPI) – the definition given to information that should be given special protections to ensure that it is not disclosed to anyone unauthorized under the Gramm-Leach-Bliley Act (GLBA).
  5. Protected Health Information (PHI) – the definition given to information that should be given special protections to ensure that it is not disclosed to anyone unauthorized under the Health Insurance Portability and Accountability Act (HIPAA).
  6. Regulatory Protected Information – Data which is protected by law and includes, but is not limited to, PHI, NPI, and Educational Records.
  7. Sensitive Information – Any information that is not for public consumption and if that information were exposed could cause harm, embarrassment, or financial losses to the University or any of its employees, students, or alumni.

Guidelines

  1. Once it is determined that you need to send information that is either confidential or under regulatory control over the Internet you must contact the Information Security Department at 215-204-7077 or at CISO@temple.edu to work out a procedure for sending the information securely.
  2. Do not send attachments, such as Excel spreadsheets, Word documents, etc., protected only by a password and assume that this will protect your sensitive documents during transmission.
  3. For transmission needs that occur on a regular basis, the Information Security Department will work with you to establish a secure process.
  4. Do not assume that, because the recipient has a Temple email address, the email will remain inside of Temple’s network. Many users forward their email to accounts outside of Temple. Once the email leaves our network, it is no longer protected.
  5. All regulatory protected information, such as NPI, PHI, and Education Records, must be securely sent or you put yourself and the University at risk of penalties, fines, and other legal consequences.
  6. If you are not sure about the sensitivity of your document, please ask your supervisor for guidance.  If necessary, contact our legal department.
  7. Look for alternative ways to send sensitive or regulatory controlled information, such as through the US Postal System or express shipping.
  8. Ensure that when sending sensitive or regulatory protected information using electronic media such as memory sticks, CDs, DVDs, floppy disks, tapes, etc., you conceal and protect the media so that it is not readily distinguished as electronic media. Depending on the media type and the sensitivity of the information, it may be desirable to encrypt the information on the electronic media. If the information contains Social Security Numbers, by policy you must protect this data as outlined in 04.75.12 Social Security Number Usage Procedures.