Miami University Confidential Information Guidelines and Technical Standards

A. Guidelines

  1. All employees with job duties that require them to handle confidential information are required to safeguard such information and only use it or disclose it as expressly authorized or specifically required in the course of performing their specific job duties.
  2. Misuse of confidential information can be intentional (acts and/or omissions), or a product of negligence or inadvertence. Misuse includes but is not limited to:
    • Accessing information not directly germane or relevant to the employee's specifically assigned tasks
    • Disclosing, discussing and/or providing confidential information to any individual not authorized to view or access that data, including but not limited to third parties, volunteers, vendors and other University employees
    • Reckless, careless, negligent, or improper handling, storage or disposal of confidential data, including electronically stored and/or transmitted data, printed documents and reports containing confidential information
    • Deleting or altering information without authorization
    • Generating and/or disseminating false or misleading information, and
    • Using information viewed or retrieved from the systems for personal or any other unauthorized or unlawful use.
  3. Employees who have been assigned passwords to work with systems that generate, store or manage confidential information bear the responsibility for preserving the complete confidentiality of such passwords to ensure against unauthorized use by any other person. Employees who negligently or intentionally share their system passwords or accounts with anyone else for any reason will be held responsible for any resulting misuse of the system by others.
  4. Entity accounts and other shared accounts that may contain confidential information may only be accessed by employees who have a legitimate need to do so in order to fulfill their job responsibilities. No one else is permitted to access those accounts.
  5. Employees who have any reason to believe or suspect that someone else is using their passwords must immediately notify their supervisor.
  6. Employees are prohibited from logging onto University databases and administrative systems with their passwords and then permitting another person to access information in those databases and/or systems.
  7. Student education records are governed by the Family Educational Rights and Privacy Act (FERPA) and applicable University policy (see MUPIM Section 3.22 and MUPIM section 19). FERPA-protected student education records must not be disclosed under any circumstances absent the express consent of the University student (or former student) or as authorized by the University's Office of General Counsel or the University's Registrar. Although FERPA also permits the University to disclose student directory information (as defined by FERPA), no such information may be disclosed until the Office of the Registrar has confirmed that the student has not elected to block his or her directory information, as permitted by FERPA.
  8. Employees are expected to:
    • Identify confidential information and materials
    • Proactively seek information regarding, and comply with, any technical standards and restrictions on the use, administration, processing, storage or transfer of the confidential information in any form, physical or electronic
    • Learn about and comply with any technical standards and procedures regarding the appropriate handling of such information and materials
    • Understand their responsibilities related to information security
  9. Employees who have access to confidential information are expected to know and understand associated security requirements, and to take measures to protect the information, regardless of the data storage medium being used, e.g., printed media (forms, work papers, reports, microfilm, microfiche, books), computers, data/voice networks, physical storage environments (offices, filing cabinets, drawers), and magnetic and optical storage media (hard drives, diskettes, tapes, CDs, flash drives). Computer display screens should be positioned so that only authorized users can view confidential information, and confidential information should be discarded in a way that will preserve confidentiality (e.g., in a shred box, not in a trash can or recycling bin).
  10. In many instances, employees will be required or expected to attend training relevant to the information/materials being handled. Employees who are hired into positions that require adherence to government-mandated compliance (e.g., HIPAA, Medicare Compliance, grant and contract administration, pathogens or select agents) will be subject to strict procedures for handling such materials, must attend all mandated training sessions, and comply with compliance-specific policies and applicable law.
  11. Employees must notify the University of any violation of these guidelines. Employees may report their concerns immediately to their supervisor, department head, Information Security Officer (513-529-9252) or Office of General Counsel (513-529-6734).
  12. Concerns regarding the confidential data may be reported to the University's EthicsPoint hotline at 1-866-294-9544.
  13. Employee misuse of confidential information and/or the systems in which the information is stored is a serious breach of job responsibilities and may result in discipline up to and including termination of employment.

B. Technical Standards

  1. Transferring files with confidential information from one system to another
    Transfers of files containing confidential information to or from a Miami system must use SSH, SCP, SFTP, or a site-to-site VPN connection. When possible, those transfers should also use PGP encryption or GPG encryption.
  2. Transferring files with confidential information to or from a Miami user
    Transfers of files containing confidential information to or from a Miami user must use PGP encryption, GPG encryption, password-protected ZIP files with AES-256 encryption, or Miami’s FileLocker solution.
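    As an added example (not part of the University's standard or of any Miami tool), the following Python check reads a ZIP archive's local file headers and reports whether each entry is protected with AES-256 (the WinZip AE-x format, compression method 99) rather than with the legacy ZipCrypto cipher that many archivers still apply by default when asked for a "password-protected" ZIP; the sample archives are constructed inline and their file names are placeholders.

```python
import struct

LOCAL_SIG = 0x04034B50   # "PK\x03\x04", start of every local file header
AES_EXTRA_ID = 0x9901    # WinZip AE-x extra field carrying the AES key strength
AES_METHOD = 99          # method 99 = "AES encrypted"; the real method sits in the extra field
STRENGTH = {1: "AES-128", 2: "AES-192", 3: "AES-256"}
def _aes_strength(extra: bytes) -> str:
    # Scan the extra area for the AE-x record and map its strength byte to a label.
    i = 0
    while i + 4 <= len(extra):
        hid, hlen = struct.unpack_from("<HH", extra, i)
        if hid == AES_EXTRA_ID and hlen >= 7:
            _vendor_ver, _vendor, strength, _real = struct.unpack_from("<H2sBH", extra, i + 4)
            return STRENGTH.get(strength, "AES-unknown")
        i += 4 + hlen
    return "AES-unknown"   # method 99 without a readable AE-x record: malformed, do not trust

def classify_entries(data: bytes):
    """Walk the local file headers; report each entry as 'AES-256'/'AES-192'/'AES-128',
    'ZipCrypto' (legacy, weak) or 'none'. Stops at the first non-local signature."""
    entries, pos = [], 0
    while pos + 30 <= len(data):
        (sig, _ver, flags, method, _t, _d, _crc, csize, _usize,
         nlen, xlen) = struct.unpack_from("<IHHHHHIIIHH", data, pos)
        if sig != LOCAL_SIG:
            break
        name = data[pos + 30:pos + 30 + nlen].decode("utf-8", "replace")
        extra = data[pos + 30 + nlen:pos + 30 + nlen + xlen]
        if not flags & 0x1:                  # general-purpose bit 0 clear: not encrypted at all
            status = "none"
        elif method == AES_METHOD:
            status = _aes_strength(extra)
        else:
            status = "ZipCrypto"             # encrypted with the legacy PKWARE stream cipher
        entries.append((name, status))
        pos += 30 + nlen + xlen + csize      # entries using a data descriptor (bit 3) have csize 0
    return entries

def meets_transfer_standard(data: bytes) -> bool:   # every entry must be AES-256 encrypted
    entries = classify_entries(data)
    return bool(entries) and all(status == "AES-256" for _, status in entries)
# Constructed sample archives: local headers plus dummy payload, no central directory.
def _entry(name: bytes, flags: int, method: int, extra: bytes, payload: bytes) -> bytes:
    hdr = struct.pack("<IHHHHHIIIHH", LOCAL_SIG, 20, flags, method, 0, 0, 0,
                      len(payload), len(payload), len(name), len(extra))
    return hdr + name + extra + payload
def _aes_extra(strength: int) -> bytes:   # AE-2 record: id, len 7, vendor ver 2, "AE", strength, method 8
    return struct.pack("<HHH2sBH", AES_EXTRA_ID, 7, 2, b"AE", strength, 8)
SAMPLE_OK = _entry(b"grades.csv", 0x1, AES_METHOD, _aes_extra(3), b"\x00" * 16)
SAMPLE_WEAK = _entry(b"roster.xlsx", 0x1, 8, b"", b"\x00" * 16)          # ZipCrypto only
SAMPLE_MIXED = SAMPLE_OK + _entry(b"notes.txt", 0x0, 0, b"", b"plain")   # one cleartext entry
```

Run `meets_transfer_standard(open(path, "rb").read())` on a real archive before sending it; archives written with the data-descriptor flag need the central directory walked instead, which this reader does not do.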
  3. Accessing confidential information on wireless networks
    Confidential information can only be accessed on wireless networks if the wireless network is running WPA2-Personal or WPA2-Enterprise encryption, or if the user first connects to the Miami VPN. At Miami, the only acceptable wireless network for accessing confidential information is MU-Wireless.