EMORY UNIVERSITY
Search & Secure - Policy/Guidelines/Checkpoint
University Policy
One of Emory's fundamental responsibilities is to secure the personal, financial, medical and
academic information entrusted to us by our faculty, staff, students, parents, alumni, donors,
patients, and research participants. In order to further this goal, President Wagner has initiated
a comprehensive Search and Secure initiative across both Emory University and Emory
Healthcare to identify, inventory, and secure any sensitive information stored on unsecured
media. Each school, business unit, and clinical unit at Emory has been tasked with this
responsibility.
Categories of sensitive information can include, but are not limited to:
- Social security numbers, including partial social security numbers (last 4 digits)
- Name and EMPLID numbers associated together
- Protected health information (PHI) as defined by HIPAA
- Student records and prospective student records (see http://www.registrar.emory.edu/students/ferpa.html for more information)
- Credit/debit card numbers, P-Card numbers, and other PCI cardholder data
- Financial aid information
- Bank account numbers
- Information protected by non-disclosure agreements (NDAs) or other third-party data that Emory is legally or contractually obligated to protect (Note: the security provisions contained in NDAs and contractual agreements may vary significantly, so robust security measures may not be required in all situations.)
- Law enforcement and investigative records
- Employee-related data (HR forms, insurance information, etc.)
- Alumni records
Types of media that may contain sensitive information:
- Paper media
- Electronic media (PCs, CDs, DVDs, flash drives, SD cards, external hard drives, floppy disks, backup tapes, etc.)
Examples of a secure location include:
- Desk drawers, file cabinets, or safes that are:
  o Locked 24 hours a day when not in use
  o Accessible only by individuals who are authorized to access the data
  o Of sufficient quality and strength to prevent being opened by brute force
  o Not readily removable from their location
- Storage rooms, closets, and offices that are:
  o Locked 24 hours a day when not in use
  o Accessible only by individuals who are authorized to access the data
  o Of sufficient construction quality, design, and strength to prevent being accessed by brute force. Walls should be of solid construction, and the room should not be vulnerable to intrusion through the walls, from under the floor, or through the ceiling.
- Server rooms that:
  o Are locked 24 hours a day
May 30, 2013 Page 8