����ӰԺ

Only use cloud services that have been approved for use by the University IT department. 

Cloud services approved by the University may be used to store all classifications of data according to the University’s Data Classification System; however, users must obtain permission from their information security officer before storing any data classified as DCL4. 

Use two-factor authentication when available. Also use passwords that meet password standards.  

• Devices must require a password that meets or exceeds the password policy. 
• Users should avoid keeping research data on devices when possible. 
• Encrypt sensitive data including data on laptops, smartphones, tablets, or other devices, and encrypt the drives themselves when practical. 
• Ensure all software is patched and up to date. Also, make sure your anti-virus signatures are updated. 
• Immediately report any lost/stolen devices to your IT Professionals. 

Data encryption transforms plain text files into a format that prevents unauthorized users from opening the files and reading the contents. There are two types of encryption that should be considered: data at rest and data in transit. The former protects stored data while the latter protects data as they are being transmitted between parties over a public network. 

Unless otherwise specified, it is recommended that the highest level of data encryption be used within the limits of availability and feasibility. Contact your IT representative for assistance.

Researchers should be aware of local laws regarding the legal status of confidential research information that could be confiscated by police, customs agents or other government officials. Confidential or proprietary research information also may be subject to export control regulations; check with the UM Export Control Office (exportcontrols@missouri.edu) before travel. 

Personally identifiable information (e.g., IP addresses, PHI) must be kept separate from the data. 

Paper Records (e.g., consent forms, data files, medical records, etc.): 

Paper files related to human subjects’ participation in research must be securely stored on campus. Access to files should be restricted to key personnel and supervised by the principal investigator(s) of the study. Locked file cabinets ought to be used and preferably located in secured locations (i.e., locked office or laboratory). 

In the event that research activities are not carried out on campus and it is necessary to maintain the consent forms at the research site, copies of the signed consent forms should also be stored in a secure University location (either as a paper copy or in digital form).    

Consider using encryption to limit access to portable media. Confidential or restricted data should not be stored on portable media. 

Data that are in hard copy or reside on portable media should be treated as though it were cash, with appropriate controls in place. Such media must be encrypted and stored in a secure locked facility with access granted to the minimum number of individuals required to efficiently carry out research.   

• Do not expose research infrastructure to the Internet, including web servers, unless authorized. 
• Use a “least privilege” philosophy and ensure that file system permissions prevent access to data by unauthorized users. 
• Encrypt sensitive data transmitted over a network (e.g. use HTTPS, , encrypted files) 
• Destroy data that is no longer needed, either by secure deletion or media shredding. This also includes backups and archives. Destroy sensitive data on systems or media that will be disposed of or sent in for repair. 

Use of centrally provided research computing systems is required unless otherwise excepted by University IT. 

UM System offers a Microsoft 365 Government Community Cloud, High Security environment designed to meet the stringent security requirements required to handle the government’s most sensitive Controlled Unclassified Information data. This infrastructure includes secure Microsoft 365 office productivity tools, Microsoft Azure, project virtual workstations, support for on-premises computing resources and access to Zoom for Government teleconferencing. Additionally, our IT Research Support Solutions team offers individual researcher support and a dedicated security team to ensure that the researchers have the highest level of support and security for their projects. 

Data classification requirements must be followed for all server administration. 

All servers must be housed in data centers managed by the University IT department. For servers that have been approved to be outside of central data centers; restrict physical access to all servers, network hardware, storage arrays, firewalls and backup media only to those that are required for efficient operations. Follow least privilege rules. 

Mobile Devices 

• Set the device to require a passcode. 
• Enable GPS tracking functionality so that a stolen device may be tracked. 
• If your smartphone or tablet is configured to connect to the University email system, notify the central IT department's security team in the event of theft. The device may be able to be wiped remotely. 

Laptops 

Using a departmental loaner laptop containing no sensitive information in lieu of taking a personal or University-owned device that contains any type of sensitive or restricted data. 

Encryption is recommended in all cases. It is required for computers containing DCL4 data. U.S. laws and regulations may limit your ability to travel internationally with export-controlled data, even when encrypted.  In addition, it is illegal to take encrypted devices to certain countries, which may result in the confiscation of devices.  Check with the UM Export Control Office (exportcontrols@missouri.edu) prior to travel. 

Avoid connecting to public Wi-Fi and use the University's VPN, when possible, to secure network data. 

The University has developed an information security program to guide University employees through the appropriate steps in protecting University data. Although the program deals in large part with data maintained electronically, it also provides guidance on dealing with hard copy information.

At the heart of the program is the Data Classification System. To apply security measures in the most appropriate and cost-effective manner, data stored electronically must be evaluated and assigned a Data Classification Level. (DCL) of 1, 2, 3 or 4. The DCL of the data establishes the extent and type of information security measures that must be implemented. 

The information security program also has requirements for access control, asset management and mandatory reporting of information security incidents, and will continue to evolve as threats to the University’s information change and measures for addressing those threats evolve. 

IT security begins with you! You are potentially making yourself and the University vulnerable to security breaches and to the loss or compromise of important and sensitive information if you: 

• Have a weak password 
• Leave your computer unlocked and unattended 
• Store private or confidential data in a non-encrypted or non-protected way 
• Fail to back up important information  

Social engineering – the hottest scam going: No legitimate organization, including the University or your bank, will ever ask you for your account information or password. You should never provide this information to anyone at any time, especially through email. An ever-increasing number of scams are created daily to trick you into providing your password or other account information, such as bank accounts and credit card numbers. Don't fall for it. Contact your IT support person, the IT help desk or your campus information security office if you receive a suspicious email or phone call. 

IT security breaches can put sensitive information at risk. A breach of IT security could be as simple as accidentally sending an email attachment to the wrong person, or as serious as having your laptop stolen in an airport. Regardless of seriousness, all information security incidents or suspected incidents should be reported . 

Mobile devices, like laptops and USB drives, are convenient ways to capture and store data, but are also particularly vulnerable to security breaches with consequences as severe as seeing sensitive research data in the newspaper. Encryption is one way to improve the security of these devices. Consult with your IT support person about how to obtain encryption software.