This document establishes a culture of security and trust for employees at Northern Illinois University (NIU). An effective clean desk effort involving the participation and support of NIU employees can greatly protect paper documents that contain sensitive information about our students, employees, donors, alumni, parents, and friends. All employees that handle Restricted and Private Data should familiarize themselves and comply with these guidelines.

Regulations and Guidance

• Electronic Communication Act of 1986
• Fair Credit Reporting Act 
• Family Educational Rights and Privacy Act of 1974 (FERPA)
• Gramm-Leach-Bliley Act
• Health Insurance Portability and Accountability Act of 1996 (HIPAA)
• Illinois Freedom of Information Act
• Illinois Identity Protection Act
• Illinois Unemployment Insurance Act
• ISO 27001 Information Security
• Payment Card Industry Data Security Standards (PCI DSS)

Underlying Principles

NIU affirms that the mutual trust and freedom of thought and expression essential to the academic mission of NIU rests on an expectation of privacy and that the privacy of those who live, work, study, teach, and conduct research in a university setting will be respected.

Various departments within NIU accumulate information about members of the university community, e.g., for purposes of payroll, employment, enrollment, and investigations. Data are also created, though not necessarily compiled or retained on a personally identifiable basis, as a necessary byproduct of doing business. It is the intent of the University to protect personal information and data from being disclosed or released, except for legitimate University purposes. NIU employees must safeguard all data containing personally identifiable information (PII) as defined by the Information Security Policy. 

Keep a Clean Desk

When employees are away for extended periods from their desks, such as a lunch breaks or meetings, sensitive working papers containing Restricted or Private data should be placed in locked drawers or a locked office.  At the end of the working day, an employee should tidy his or her desk and put away all office papers that contain Restricted or Private data or lock his or her office.  NIU provides locking desks and filing cabinets for this purpose.

• Allocate time in your calendar to clear away your Restricted or Private paperwork.
• Always clear your workspace of Restricted or Private paperwork before leaving for long periods of time.
• Any Restricted or Private information must be removed from the desk and locked in a drawer or locked in the office.
• Lock your desk and filing cabinets at the end of the day. Don’t keep the keys in your easily-discoverable desk drawer.
• If you have mobile devices such as laptops or smart phones, lock your door at the end of the day or lock them in drawers.
• If you are storing any Restricted or Private data on external media like CDs or USB drives, secure them in a locked drawer. Don’t keep these media in your computer when unattended.
• Computer workstations must be locked when the workspace is unoccupied.
• Computer workstations should be shut down completely at the end of the work day unless otherwise instructed by local computing support staff.
• Keys used for access to Restricted or Private information must not be left at an unattended desk.
• Never write your passwords on a sticky note nor try to hide them anywhere in your office.
• Printed paper containing Restricted or Private information should be immediately removed from the printer.
• All Restricted or Private documents should be cross-cut shredded when no longer needed and NIU’s Data Retention Policy permits.
  • If you are unsure of whether a duplicate piece of Restricted or Private documentation should be kept, discuss it with your supervisor before shredding.
• Never leave your access cards or keys out anywhere; always keep them with you. Notify University Police immediately if access cards or keys are missing.
• Enable a password-protected screen saver.

Compliance

• The University treats misuse of its data seriously and will pursue and address violations.
• Anyone aware of possible violations of these standards should report them immediately to an appropriate person (e.g. their supervisor, the system administrator, or Department Head/Chair, etc.).
• Alleged serious or repeated violations must be reported to the CISO.
• Reports of violations will be treated as confidential.