Handling Confidential Information 448-01-25-10-01

(New 10/16/2024 ML #3873) 

View Archives

 

 

This policy identifies requirements to safeguard confidential information from unauthorized access, disclosure, alteration, and destruction. Its primary aim is to maintain the confidentiality, integrity, and availability of all confidential information. The policy applies to all employees, contractors, and third-party vendors who access, handle, or manage the integrated eligibility system or confidential information.

 

1. Workspace Security:

  • When leaving your workspace, activate the password-protected screen saver or log off your computer.

  • Secure confidential information by placing it in a secure area and avoid leaving it in view of unauthorized personnel.

  • Ensure monitors are positioned to prevent unauthorized viewing or turn them off.

 

2. Remote and Telework Security:

  • When teleworking, ensure the use of a Virtual Private Network (VPN) and Multi-Factor Authentication (MFA).

  • Telework and Alternative Work Site Wireless Network Connection:

    1. Avoid using wireless network connections when possible.

    2. If using a wireless network connection:

      1. Check encryption of router; turn on encryption if off. Encryption level must be of the same standard as Federal Information Processing Standards (FIPS)-validated or National Security Agency (NSA)-approved encryption.

      2. Only access secure websites (i.e. those that begin with “https”).

      3. A wireless intrusion detection system must be employed.

      4. Update login credentials on Wi-Fi router to increase complexity and uniqueness.

      5. Update the complexity and uniqueness of passwords for all other devices not approved by DHS IT, NDIT or Human Service Zone authorized contractors that are connected to wireless network (Alexa, Google Home, e-readers, tablets, etc.).

        • Any internet connected device can be used as an access point to all other devices connected to the wireless network.

        • If possible, disconnect all other devices from the wireless network.

 

3. Password Management:

  • Do not share passwords with co-workers and keep them secure.

  • Change passwords regularly and use complex, unique combinations.

 

4. Information Storage and Disposal:

  • Save information to network drives to ensure backup.

  • Shred or burn sensitive information according to office procedures.

  • Close all programs and shut down your computer properly at the end of each day.

 

5. Virus and Malware Protection:

  • Report any virus activity immediately to the information technology department.

 

6. Access to computer, mobile device and associated electronic device operating system must be limited to DHS IT, NDIT or Human Service Zone authorized contractors to prevent changes to device configuration.

 

7. Computers, including laptop computers, and associated electronic devices must contain remote wipe and/or kill switch functionality to remove sensitive information. If a device cannot be remotely wiped, the device must be configured to purge all data automatically after 4 consecutive unsuccessful attempts are made to gain access.

 

8. All non-agency owned devices must be reported to the Office of Safeguards 45 days prior to usage unless remote access is through a virtual desktop infrastructure (VDI) environment.

  • VPN login to agency network

  • MFA authentication to validate identity

  • VDI components segregated from personal components

 

9. Mobile devices, excluding laptop computers, must:

  • Contain remote wipe and/or kill switch functionality to remove sensitive information. If a device cannot be remotely wiped, the device must be configured to purge all data automatically after 10 consecutive unsuccessful attempts are made to gain access.

  • Require encryption at rest.

  • Wireless personal area networks must be disabled that allow connection to a computer via Bluetooth or neat field communication (NFC) for data synchronization.

  • Access to digital camera, global positioning system (GPS) and universal serial bus (USB) interface must be disabled to the extent possible.

  • If computer, mobile device, and associated electronics are lost or stolen, staff must immediately report to their supervisor and DHS EA Central Office at (701) 327-2332 or send an email to the EA Assistant Director.

 

10. Collaborative Computing Devices (ex. Whiteboards, cameras, microphones) that may be used to communicate must:

 

1. Provide an explicit indication of use to all users present at the device.

Example: Teams meeting or Zoom meeting, if the meeting is being recorded a message should be displayed on the screen to advise all participants of the recording.

 

2. Prohibit remote activity of collaborative computing devices.

11. Electronic Device Management:

  • Encrypt all devices containing sensitive information. Ensure devices are listed with the appropriate office and kept secure.

  • Avoid downloading or printing sensitive information. If unavoidable, secure and destroy printed materials properly.

 

12. Monitoring and Compliance:

  • Inspect telework and alternative work site locations annually for compliance with safeguard requirements.

 

13. Adhere to the Acceptable Use of IT Resources Policy as stated in the Human Resources Manual and Human Service Zone Manual.

 

14. Wireless Network and Device Security

  • Network Security:

    1. Avoid using wireless networks when possible. When necessary, ensure router encryption meets FIPS or NSA standards.

    2. Access secure websites and use a wireless intrusion detection system.

    3. Update router and device passwords regularly and limit the number of connected devices.

1. Access Control: 

  • Maintain an authorized list of personnel with access to areas containing FTI.

  • Control physical access and ensure cleaning and maintenance personnel are accompanied by authorized staff in restricted areas.

  • Prohibit and document "piggybacking" or "tailgating" into restricted areas. Report unauthorized access attempts.

 

2. Safeguarding FTI:

  • Use Minimum Protection Standards for systems with access to FTI.

  • Ensure that physical and environmental risks are minimized by positioning your work environment to prevent unauthorized access and damage.

  • FTI must not be downloaded or stored on any computer, mobile device or associated electronic device. If downloaded or stored, computers, mobile devices and associated electronic devices must have agency-approved security access control devices installed.

  • FTI must not be printed. If printed, FTI must be protected by securing in a locked drawer or other secure container and access to work area must be restricted behind a locked door. All printed FTI must be destroyed by either burning or shredding.

    1. Burning – material must be burned in a manner that produces enough heat to burn the entire document, leaving only ash.

    2. Shredding - use crosscut shredders which produce particles that are 1 mm x 5 mm (0.04 in. x 0.2 in.) in size (or smaller). If shredding deviates from the above specifications, FTI must be safeguarded until it is rendered unreadable through additional means, such as burning.

Emails containing confidential information must adhere to the following:

 

1. Emailing FTI received through any interface is prohibited.

2. Ensure the subject line does not include any client-identifying information.

3. Include the following email disclaimer:

 

-----------Confidentiality Statement-----------

This transmission is intended only for the use of the individual to whom it is addressed and may contain information that is made confidential by law. If you are not the intended recipient, you are hereby notified any dissemination, distribution, or copying of this communication is strictly prohibited. If you have received this communication in error, please respond immediately to the sender and then destroy the original transmission as well as any electronic or printed copies. Thank you.

 

4. Emails sent containing confidential information must be encrypted.

5. Double-check that the email is being sent to the correct source.

6. When accepting information through email, care must be taken to ensure the email does not contain any suspicious activity. Immediately report suspicious activity to the ND IT Department.

1. Faxing FTI received through any interface is prohibited.

2. Ensure the subject line does not include any client-identifying information.

3. Include the following disclaimer:

 

-----------Confidentiality Statement-----------

This transmission is intended only for the use of the individual to whom it is addressed and may contain information that is made confidential by law. If you are not the intended recipient, you are hereby notified any dissemination, distribution, or copying of this communication is strictly prohibited. If you have received this communication in error, please respond immediately to the sender and then destroy the original transmission as well as any electronic or printed copies. Thank you.

 

4. Double-check that the fax is being sent to the correct source.