Whether on your computer, portable media, a departmental, central or remote server, the level of protection should match the inherent value of the data -- whether your own Personally Identifiable Information (PII) or Brown information.
Should it be critical, restricted data, the handler should observe the requirements listed in the Policy on the Handling of Brown Restricted Information, which includes the following storage requirements:
- Brown Restricted Information in electronic format must be stored on a server centrally-managed by Computing and Information Services (CIS) and not on a workstation, laptop, portable storage device, or locally-managed server. Exceptions must be reviewed and approved in writing by the University's Chief Information Security Officer.
- An approved local machine must be in a physically secure location and require a unique logon with a strong password for each individual with authorized access (i.e. shared accounts and passwords are prohibited). Security logs must be enabled and periodically reviewed by the locally-approved department.
- Brown Restricted Information must be housed on a server or approved workstation that meets current operating system, hardware and software support levels.
- Brown Restricted Information in any hard copy format must be stored in locked cabinets or offices, and not be able to be accessed by unauthorized persons.
In addition, data at rest, whether personal or Brown's, should be periodically backed up. If it is restricted, the handler should observe the BRI policy, which states that:
- It is the responsibility of everyone entrusted with Brown Restricted Information to back it up and store it in a secure and controlled location.
- Backup of Brown Restricted Information should be encrypted if technically feasible.