Computing Devices and Sensitive Data PolicyLast updated: September 22, 2015
A number of academic departments are engaged in activities that require faculty, staff, researchers and students to have access to restricted and/or sensitive data. This is a category of data that Duke is either required by law to protect, or which Duke protects to mitigate institutional risk. Classifications of these data types are provided by the Duke IT Security Office. In these cases, personnel who fit this category must abide by strict safeguards regarding access to data, e-mail, departmental computers, personal laptops and other electronic devices. For this reason, the following policies apply:
- Computers – To prevent access to information and resources unless authorized, computers must be configured with appropriate technical controls.
- Duke owned computers accessing sensitive data must be enrolled in Trinity Technology Services’ device management programs to receive regular patches. They must also have the managed antivirus client installed to receive up-to-date antivirus protection. Assistance for enrollment in both programs can be coordinated by departmental IT support staff.
- Personal laptops should have an up to date antivirus client installed as well as being patched regularly. Duke currently provides the Symantec antivirus client free on the Duke Software download site. You are encouraged use Windows Update, Apple Software Update, or an application like Secunia PSI to identify programs on your computer in need of security update. Please note that Windows XP no longer receives security updates and should not be used.
- Both Duke owned and personal computers must have security policies in place requiring the user to enter a valid user ID and password. User accounts will be configured to lock after 10 unsuccessful login attempts.
- Both Duke owned and personal computers must have security policies in place that limit the time that an unattended, logged-in system is vulnerable to unauthorized use. Systems should be configured to launch a password-protected screen lock after a maximum of 15 minutes of inactivity.
- Laptop Encryption – Duke owned and/or personal laptops must be encrypted. Assistance for this process can be coordinated by departmental IT support staff, to make sure that your machine has the appropriate encryption. Currently the recommended programs are FileVault2 for Macintosh computers, and Bitlocker for Windows machines. Documentation related to this configuration is available at the Duke IT Security Office web site.
- Smartphones – Both Duke owned and personal smartphones must be secured. Assistance for this process can be coordinated by departmental IT support staff. Information on how to secure your personal smartphone is also available on the Duke IT Security Office Web Site.
- E-mail – Managing different methods of communication for projects that may or may not include protected or sensitive information related to projects is complicated, opening up the potential to accidentally transfer sensitive material outside of protected Duke services. For that reason, the following policies should be enforced.
- All Duke related communication, regardless of whether it contains sensitive information or not, must be conducted within the Duke managed e-mail system. Departmental IT support staff can work with users to help configure or make recommendations for configuring IMAP clients to provide access to Duke e-mail services.
- Forwarding of Duke e-mail to non-Duke managed e-mail services (g-mail or other) is prohibited. Use of these services should be reserved for personal correspondences only.
- Portable Data Storage – If protected storage environments are not easily accessible for activity related to working with protected and/or sensitive data, then use of portable storage devices can be supported. Any portable storage devices (thumb drives, attachable external hard drives) should be encrypted using methods identified by the Duke IT Security Office or departmental IT support staff.
Groups of users covered under the TCAS IT Security Policy
- Department Chairs
- Finance & Adminstration (F&A) staff
- Grant administrators
- Directors of Undergraduate Studies
- Directors of Graduate Studies
- IT professionals
- Departmental Admins for Deans, Chairs, F&A staff
- Anyone (faculty, staff, students) directly with FERPA protected information
- Anyone (faculty, staff, students) working with sensitive data – connection with IRB, ORS
- Anyone (faculty, staff, students) with data use agreement requiring confidentiality
Trinity A&S departments requiring full staff compliance due to data security concerns
- Academic Advising
- Academic Deans
- Academic Resource Center
- Dean of Faculty Office including Divisional Deans
- Faculty Affairs
- Finance & Administration
- Trinity Technology Services
Non-Trinity A&S units TTS supported by TTS requiring full staff compliance due to data security concerns
- Center for Health Policy & Inequalities Research (CHPIR)
- Duke Global Health Institute (DGHI)
- Duke Engage (including HUB unit)
- Duke Performances
- Financial Aid
- Global Education Office for Undergraduates (GEO)
- Institutional Research
- Office of the Provost
- Student Loan
- Student Information Services and Systems (SISS)