Data Protection Guide
Protecting GW institutional data from unauthorized access or use is critical to maintaining the confidentiality, integrity, and availability of all data stored, processed, printed, and/or transmitted by faculty, staff and, where applicable, third parties. Throughout its lifecycle, institutional data must be protected in a manner that is consistent with contractual or legal requirements. Additionally, data protection measures must be reasonable and appropriate for the classification level. For example, a document that contains regulated and public information must be managed and protected in accordance with requirements for regulated information.
This guide outlines data protection measures for GW Institutional data. When procuring software or third-party services that will involve access to or use of institutional data, Faculty and Staff are required to follow GW’s Procurement process to ensure compliance with GW privacy and security protocols.
View Physical Security Best Practices.
Data Category / Risk Level | Regulated (High Risk) | Restricted (Medium Risk) | Public (Low Risk) |
---|---|---|---|
Network | All network traffic must be encrypted in transit using at least TLS v1.1 (TLS v1.2 is strongly encouraged). It is always preferable to use the strongest cipher available when transmitting Regulated Information, especially when transmitting to a third party. | All network traffic must be encrypted in transit using at least TLS v1.1 (TLS v1.2 is strongly encouraged). | No limitations |
Workstations or Mobile Devices - GW-owned or approved (desktop, laptop, phone, tablet) | Regulated data may be accessed and processed using GW-owned or approved workstations or mobile devices (such devices are configured and managed by the university and must be encrypted). The following security controls must be in place: • Strong password • Encryption • Remote wiping capability • Registered with and managed by the GW IT mobile device management service. | Restricted data may be accessed and processed using GW-owned or approved workstations or mobile devices (such devices are configured and managed by the university and must be encrypted). The following security controls must be in place: • Strong password • Encryption • Remote wiping capability • Registered with and managed by the GW IT mobile device management service. | No limitations |
Personally Owned Devices (desktop, laptop, phone, tablet) | Regulated information may not be downloaded, stored or synchronized on personally owned workstations or mobile devices. GW storage systems approved for regulated information may be accessed but not installed. | Restricted information may not be downloaded, stored or synchronized on personally owned workstations or mobile devices. GW storage systems approved for restricted information may be accessed but not installed. | No limitations |
Storage | Regulated information may be stored only on GW IT hosted or approved servers or services (such as file sharing or collaboration services, cloud-based services, cloud-based back-up and recovery services, etc.). Documents containing regulated data may be stored in the following GW systems: Never store regulated information on laptops or mobile devices, including USB and external hard drives. Regulated data in physical form (paper, media) should be secured (locked) at all times and | Restricted data may be stored on departmental, GW IT hosted or approved cloud-based systems. Documents containing restricted data may be stored in the following GW systems: Restricted data in physical form (paper, media) should be secured at all times and access should be restricted only to authorized users with a legitimate business need. | No limitations |
Access | Access to regulated data must be limited to only authorized individuals (staff, faculty) who have a legitimate reason to access it (on a business "need to know" basis). Data Custodians are responsible for all access and permissions to regulated data in their custody. Data Custodians must: | Access to restricted data must be limited to only authorized individuals (staff, faculty) who have a legitimate reason to access it. Data Custodians are responsible for all access and permissions to restricted data in their custody. Data Custodians must: | No limitations |
Transmission (Emailing) | Use only secure methods to transmit regulated information. Do not include regulated information in the body of an email or as an attachment. To transmit (email) regulated data to another university email address, use links instead of attachments: store the regulated information in GW Box and email a link to the file. Regulated data must be encrypted during transmission outside the GW network. If there is a business need to email regulated data to non-university recipients, it must be encrypted. To activate encryption of your university email account, submit a GW Email Encryption Access Request to GW IT. Emailing regulated information to or from a personal email address is strictly prohibited. | Use only secure methods to transmit restricted information. To transmit (email) restricted data to another university email address, use links instead of attachments: store the restricted information in one of the approved storage systems listed above and email a link to the file. Restricted data must be encrypted during transmission outside the GW network. If there is a business need to email restricted data to non-university recipients, your email account must be encrypted. To activate encryption of your university email account, submit a GW Email Encryption Access Request to GW IT. Emailing restricted information to or from a personal email address is strictly prohibited. | No limitations |
Reproduction | Avoid printing or copying regulated data. The minimum necessary prints/copies may be made only with the permission of the originator or designates. Working copies (prints) containing regulated data should be secured at all times and permanently destroyed (shredded) when no longer needed. Regulated data should never be printed or copied using a public (non-GW) device. As a general rule, employees are not allowed to take regulated data in physical form off campus (or to make unofficial copies). | Avoid printing or copying restricted data. Only the minimum necessary prints/copies may be made. Working copies (prints) containing restricted data should be secured at all times and permanently destroyed (shredded) when no longer needed. Restricted data should never be printed or copied using a public (non-GW) device. As a general rule, employees are not allowed to make unofficial copies of restricted data. | No limitations |
Disposal | Regulated data must be disposed of using GW IT approved measures to protect against unauthorized access or disclosure. Regulated information must be destroyed in a manner such that the information can neither be reconstructed nor read. | Restricted data must be disposed of using GW IT approved measures to protect against unauthorized access or disclosure. | No limitations |
- Physical Security Best Practices
Physical security is the protection of personnel, hardware, software, networks, and data from physical actions and events that could cause serious loss or damage to an institution. For physical security controls over institutional data, faculty and staff should follow the best practices below.
- Restrict physical access to computers when you are away from your office or workspace. For example, lock the door, or use security cables or locking devices.
- Secure access to computers and mobile devices by requiring passwords (except for public computers with no Non-Public Information, such as those in the library or in labs). Passwords are integral to security. Follow the GW IT Identity and Access Management Standard for selecting secure UserID passwords and how to reset them. Log out when finished using a GW system.
- Secure access to your computers using a screen saver or the built-in lock feature when you are away from your office or workspace.
- Maintain possession or control of your mobile devices and apply appropriate safeguards to the extent possible to reduce the risk of theft and unauthorized access.
- In the event that a GW-owned computer or mobile device containing Non-Public Information is lost or stolen, contact GW IT ([email protected]) immediately.
- Applicable University Policies