Overview
When handling sensitive data, it is important that it is protected while in use, stored appropriately and disposed of properly when it is no longer needed. This quick reference provides guidance on data handling based on classification and medium. For more information on data classification please see The Data Classification Quick Reference, the Information Asset Classification & Management policy, and the Data Security Classification Table.
Information
General Safeguards for Moderate Risk (Amber) Data and High Risk (Red) Data:
- Share only with those authorized
- Use caution while discussing in public places
- Secure paper-based information in locked desk/office/cabinet when not in use
- Report possible or actual loss immediately to the Information Security Office or your supervisor
| Activity by Data Classification |
Moderate Risk (Amber) |
High Risk (Red) |
| Printing or copying |
Do not leave unattended on printers or copiers. |
Only print if you absolutely need to. Do not leave unattended on copiers/printers. |
| Mailing paper-based info |
Put in a sealed envelope/box and send via interoffice or USPS mail. |
Put in a sealed envelope/box and send via FedEx/UPS/USPS mail with tracking/delivery confirmation where feasible. |
| Storing electronic files on work or personal computer (including mobile devices) |
The University would prefer this work be done on a University issued computer. If a personal computer must be used, it should adhere to UO personal device guidance, including device password, anti- virus,
up-to-date patches, and encryption. |
Never put red data on a personal computer. UO issued computer must meet UO Minimum Information Security Control Standard, including device password, anti- virus, up-to-date patches, encryption, and system
management. |
| Storing files on external portable storage media |
Physically protect the media. |
USB stick, CD/DVD, back-up tape, etc. must be encrypted and password protected.
|
| Sharing files with authorized individuals |
Use approved collaboration tools and share with specific authorized individuals, not anonymous or guest links. |
Use approved collaboration tools and share with specific authorized individuals, not anonymous or guest links. |
| Sending data/files to authorized individuals |
Use email and send only to those authorized to view it. |
Encrypt when transmitting data both internally and externally: Use a UO-supported Secure File Transfer method (e.g. OneDrive, SFTP). On website forms, use HTTPS. |
| Engaging vendors to store or process data |
Ensure vendor/hosting agreement includes UO’s data security addendum. |
Engage the Information Security Office for a security review and include UO’s data security addendum in the vendor/hosting agreement. |
| Deleting electronic files |
Use the standard Delete/”X” commands and empty the trash bin. |
Use a secure delete or overwrite data. |
How to dispose/recycle paper
Low Risk (Green) data may be recycled
Moderate Risk (Amber) and High Risk (Red) data must be securely shredded
How to dispose of devices and/or prepare them for recycling or upgrade
USB sticks and external hard disk drives should be reformatted before discarding
Mobile phones should be "reset" before being discarded. Resetting these devices removes all data from the device.
If a CD has Moderate Risk (Amber) or High Risk(Red) data, shred the CD to dispose of it.
Contact local IT Support for pick-up or drop-off, they will remove data and prepare it for recycling.