Data Security and Privacy
[May 2024] Regularly assessing your data, storage locations, and permissions, deleting unnecessary files, and using strong passwords are recommended practices to ensure data security and compliance with federal and other requirements.
00:04
Today I'm joined by Raina Collins, Senior IT risk and compliance analyst at the University of Alaska System Office of Information Technology to talk about data security and privacy.
In our positions here at the University there are so many of us that are handling sensitive information, and data security and privacy are really critical issues. And many of us have a large digital footprint. By footprint, I'm referring to all of the documents, emails, videos, images and also our transaction records. Having this large digital footprint heightens our vulnerability to data breaches, which can result in identity theft, financial harm and damage to the University's reputation.
When I'm thinking about the compliance concerns here, these include legal, regulatory obligations surrounding the data handling, storage, and retention. Managing this extensive data and controlling access is really challenging.
Raina, so many employees viewing this video have a large data footprint with the university, including years' worth of emails and stored documents. Knowing that this presents an exposure risk to the university, how do you suggest going about trimming back that risk?
01:19
I'd suggest starting with identifying the contents of the data that you have. Data can consist of emails, photos, videos, documents, spreadsheets and all kinds of unique file types. There's also a difference between working documents and documents for retention. Hint: emails are considered working documents.
- Working documents are actively used during day-to-day operations. They serve as tools for collaboration, decision-making, and ongoing task management.
- Documents for retention are retained for legal, operational or historical reasons. They're not actively used in daily work but are preserved for compliance, reference or recordkeeping.

UA OIT is currently working to develop tools and resources to help people identify the kind of data they have, so stay tuned.
Also there's one caveat: although UA emails are regarded for document retention as "working documents", they are retained indefinitely through Google, and in that sense, are closer to retention documents.
This is why it's important to know the content of your data.
Now that we know what the data is, let's discuss location. Throughout UA, data can be stored in our Google Workspace environment, Microsoft 365, department file shares, OnBase or other dedicated data repositories.
So now that we've defined the what, and the where, let's discuss how much.
In many cases, the systems mentioned above have seemingly limitless capacity for storage, which can contribute to years' worth of data and documents being stored.
As you noted already, this creates an extensive footprint. Our recommendation is to really look at what kind of data you produce, evaluate its sensitivity, then determine if you have to keep it for regulatory purposes or if it's just a nice to have. For things that you must keep for retention reasons, you can work with the OIT Records and Information Management office to help you determine where to keep them. For things that are for your own convenience or departmental record keeping, you should save it in a secure location that is appropriate for the type of data that it is.
Let's look at permissions more closely. Google Drive and Microsoft 365 are designed to allow for easy sharing of data both internally with our co-workers, and externally with our stakeholders. This helps create efficiency in our work products, and allows us to collaborate worldwide. However, the possibility of oversharing creates many kinds of cyber-security vulnerabilities.
There are many Federal requirements in place to protect UA data, and in support of them, we recommend you do a routine audit of your storage locations. Look at who those files are shared with, and then remove access where appropriate. Delete files that you no longer need, or find them a secure and permanent home. This type of review should always be done after employees leave or if they transfer outside of your department. But if this doesn't happen often, then at least annually.
04:05
Looking at the security of the data, in what instances are University employees expected to be encrypting their emails, and using secure file transfer for their documents? Also, how do we go about that?
Wherever there's a need to send protected sensitive or private data, users should employ added encryption to keep their messages secure. UA users can leverage our large and secure file transfer service at securefiles.alaska.edu which allows UA account holders to exchange secure emails within UA or with external stakeholders. We do not recommend sending secure, private or sensitive email messages via Gmail or Outlook.
Also to note, sometimes the best way to protect sensitive information is to avoid the temptation to put it in your keyboard in the first place. Rather than sending an email then deleting it, pick up the phone. Take care to not write anything in an email that you're not ready to read in a newspaper. And on that topic, consider the use of UA emails for personal business. While it is generally allowable under regent's policy, it's not always the best idea. UA emails are subject to public records requests, and unless there's a statutory shield that protects them, they may have to get delivered into the hands of a third party. It isn't precluded to use UA for emails for personal reasons, but it may not be the best practice overall.
05:26
Do you have any pointers for supervisors to help implement solid access controls, to limit who can access the sensitive information? For example, to ensure that employees only have access to the data that they need for performing their duties for the university? Also what can supervisors do to make sure that access is removed as their employees transfer to different departments or leave the university?
Absolutely. Supervisors can establish solid access controls, as I mentioned earlier, by establishing departmental policies that outline how their department will manage their data. It'll identify the roles surrounding data management and conducting regular reviews of access permissions, thereby aligning them with their employees' specific roles and responsibilities. That way they're ensuring that their employees are only accessing the data that is required for their job tasks.
They can also develop departmental policy on onboarding and offboarding, which creates a systematic process for granting and revoking access when employees first join or when they transition to other departments, or if they leave the university entirely. We would suggest as part of the departmental policy to set up a schedule -- such as every 12 months -- to review these permissions even if they are still employed, because this would capture any role changes within the department.
06:44
In closing, we cannot really over-stress how important it is to really understand what data you're generating.
For instance, the music department data is going to be completely different from research data; however, they might both deal with student-related data. So understanding what you're managing and the requirements of that data is critical to managing data access wisely.
If you need further assistance including individualized help please contact OIT Security Operations at ua-oit-security@alaska.edu or visit OIT's website.
“Compliance Chat” videos are informal conversations where Senior Institutional Compliance Liaison Mary Gower meets with subject matter experts covering frequently asked compliance questions and issues in quick, bite-sized clips.