Protect Sensitive Data
- Securing and protecting IT resources and sensitive data at your company is a shared responsibility. Laws and company policies help define this responsibility, which applies to business owned and managed computers, as well as to personally owned devices used to access sensitive company information.
The following guidelines include links to resources that are designed to help you meet your responsibility of protecting sensitive data.
- Access Only the Data You are Authorized to Access
Don't request access unless you truly need it and remove access when no longer appropriate.
Work With Data Responsibly
- Comply with laws, policies, and regulations when handling specific types of data.
Applicable laws, regulations, or company policies and standards govern specific forms of data (for example, health information, credit card data) and may apply to the care of your sensitive data.
- Follow Information Security Risk Management guidelines to help protect sensitive data.
- Follow the Information Security Risk Management guidelines, including the RECON risk assessment process, to reduce the risks of storing and using sensitive data.
- Take extra care when traveling.
- Take extra care when working from home or away from campus.
You are responsible for adequately safeguarding sensitive company information when you work from home and access company systems and applications—whether you are using a company-owned or personally owned device.
For guidance on securing your personally owned devices and home network, see Secure Your Devices.
- If you use personal devices with sensitive data, you will have extra responsibilities.
If you work with sensitive data from your own devices or from self-managed devices, you are expected to secure and properly manage them to protect that data. For details, see: Your Responsibilities for Protecting Sensitive Data When Using Your Own Devices.
Never use personal accounts to maintain or share the university's sensitive data.
Personal accounts are those you sign up for yourself for your own use. These are different from accounts that the university makes available to you and for which it has a contract with the vendor, such as Box or Google.
See Use of Personal Accounts and Data Security for more information.
Use cloud services responsibly
Some cloud services include features to securely protect sensitive data, and some don't. You may need to take additional precautions yourself to configure cloud services appropriately. Learn more at Safely Use the Cloud.
Store Data in the Appropriate Places
Learn where specific types of data can be safely stored.
The Sensitive Data Guide is an interactive tool to assist faculty, staff, and researchers in making informed decisions about where to safely store and share sensitive data using IT services available on the UM-Ann Arbor campus. It is particularly important to be careful with cloud computing resources; see also Safely Use the Cloud.
If you are working with HIPAA data, ITS offers some HIPAA-aligned services.
See how your unit and ITS can work together to ensure HIPAA standards are maintained via ITS HIPAA-Aligned Services.
If you use Box at U-M, learn how to use it securely.
Use Box Securely With Sensitive Data provides the guidelines for using the features and functionality of Box at U-M that are approved for use with sensitive data.
Properly Manage Devices Used with Sensitive Data
Follow device security rules.
Be sure the equipment you are using to interact with sensitive data is being properly secured to work with it. See Manage Your Workstation.
If you are interacting with sensitive data on a personal device, you will also need to review:
Your Responsibilities for Sensitive Data & Your Personal Devices
Secure Your Personal Devices (Video)
Securely dispose of media that has ever held, stored, or transmitted sensitive data.
When you are done with computers, other devices, hard drives, DVS, scanners, etc. that have interacted with sensitive data, you must take special care to dispose of them properly, since that data may still be recoverable. See Securely Dispose of U-M Data and Devices for instructions.