
EMORY UNIVERSITY
                       Search & Secure - Policy/Guidelines/Checkpoint


                       University Policy

                       One of Emory's fundamental responsibilities is to secure the personal, financial, medical and
                       academic information entrusted to us by our faculty, staff, students, parents, alumni, donors,
                       patients, and research participants. In order to further this goal, President Wagner has initiated
                       a comprehensive Search and Secure initiative across both Emory University and Emory
                       Healthcare to identify, inventory, and secure any sensitive information stored on unsecured
                       media. Each school, business unit, and clinical unit at Emory has been tasked with this
                       responsibility.
                       Categories of sensitive information can include, but are not limited to:

                            • Social security numbers, including partial social security numbers (last 4 digits)
                            • Name and EMPLID numbers associated together
                            • Protected health information (PHI) as defined by HIPAA
                            • Student records and prospective student records (see
                              http://www.registrar.emory.edu/students/ferpa.html for more information)
                            • Credit/debit card numbers, P-Card numbers, and other PCI cardholder data
                            • Financial aid information
                            • Bank account numbers
                            • Information protected by non-disclosure agreements (NDAs) or other third-party data
                              that Emory is legally or contractually obligated to protect (Note: the security
                              provisions contained in NDAs and contractual agreements may vary significantly, so
                              robust security measures may not be required in all situations.)
                            • Law enforcement and investigative records
                            • Employee-related data (HR forms, insurance information, etc.)
                            • Alumni records

                       Types of media that may contain sensitive information:

                            • Paper media
                            • Electronic media (PCs, CDs, DVDs, flash drives, SD cards, external hard drives, floppy
                              disks, backup tapes, etc.)
                       Examples of a secure location include:

                            • Desk drawers, file cabinets, or safes that are:
                                 o  Locked 24 hours a day when not in use
                                 o  Accessible only by individuals who are authorized to access the data
                                 o  Of sufficient quality and strength to prevent being opened by brute force
                                 o  Not readily removable from their location
                            • Storage rooms, closets, and offices that are:
                                 o  Locked 24 hours a day when not in use
                                 o  Accessible only by individuals who are authorized to access the data
                                 o  Of sufficient construction quality, design, and strength to prevent being
                                     accessed by brute force. Walls should be of solid construction, and the room
                                     should not be vulnerable to intrusion through the walls, from under the floor,
                                     or through the ceiling.
                            • Server rooms that:
                                 o  Are locked 24 hours a day
                                                                                       May 30, 2013  Page 8